Analysis

  • max time kernel
    150s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    08-04-2024 01:25

General

  • Target

    e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    e6506b12acef569b3e62b8ff428c0e80

  • SHA1

    06b2719a3bfadf6b12801a0561e2ab63f11852ee

  • SHA256

    74fd931ee56c8032739350bc1811e034ce4aee2997b50b4583a98127446c6270

  • SHA512

    2a8c9b238db3007668590b0b1ab3181372adbb44d975be0a9b3ad62c806266942447255bb711ab501521deb06218c87421e1e73fba61987526caeb8ed5f7a8d2

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6y:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5v

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 9 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 22 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 47 IoCs
  • Suspicious use of SendNotifyMessage 34 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2236
    • C:\Windows\SysWOW64\prmrhtjqoa.exe
      prmrhtjqoa.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:944
      • C:\Windows\SysWOW64\qjyddmof.exe
        C:\Windows\system32\qjyddmof.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        PID:596
    • C:\Windows\SysWOW64\inaywyhzidajcwq.exe
      inaywyhzidajcwq.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1396
    • C:\Windows\SysWOW64\qjyddmof.exe
      qjyddmof.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1568
    • C:\Windows\SysWOW64\scebbdaqpuqat.exe
      scebbdaqpuqat.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1956
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:2024
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2664

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

    Filesize

    512KB

    MD5

    160c7df01ea779bd3a796185923f317b

    SHA1

    86b0a583a025e6ed8ab9c5e7b29b147a774f7b60

    SHA256

    044b61580a0fdf5675eef520cd3149bc7b002e8dedbd82b4e9621409b5b557d8

    SHA512

    723361c428e8f71d1c0b4e13d2488377c5242ded7375f506dac8eb3dcf01931f5a1828f05a4a0ba1893a53e7ac1007935d8df01bfae623456ecd41a9e48dcbc2

  • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

    Filesize

    512KB

    MD5

    1b6aaabc6c13139a7b68a52bfb6cfcaa

    SHA1

    c1fca62d89f2b20c1bf555ab1767e72ce8803851

    SHA256

    2cbe728e8651a87ab1a0ab48a70e2845648579ad5f481819dc8a8ad6853b392b

    SHA512

    39392d8acab0ae1ab1be8ffd24f986dadfb7a793f58259b3876a05a8d738e37073b91bd8c3e9a261d6eb0500911f71908fd6fba3c1c1707b87cba9e81469877c

  • C:\Users\Admin\Downloads\SelectSkip.doc.exe

    Filesize

    512KB

    MD5

    67dc2fd7e885a5d778fb9a8544450a54

    SHA1

    ab9e66e1ffde412b7aaf1c7c8e8803fc995cc704

    SHA256

    6dedaa890a5fe2605dde7273ed8be43797bbdef2f7e54ff682987ff75094e158

    SHA512

    dff8898ac266796d05c7b86acfacc0f428cd5e1a20a30fee72a5c90c3df654ffd41d38f69d65f0f55b5cb25c404d55aaac2fdcf229228b1310e63fb6cf354b6a

  • C:\Windows\SysWOW64\inaywyhzidajcwq.exe

    Filesize

    512KB

    MD5

    2b2ce10d525d225362117606da037a6b

    SHA1

    147fef4099419279f10d1cc5b57a00dde3aaa1a4

    SHA256

    7dfadf9ea140d1b6efc842955e3d059bd210a4751001beaf3e1af748a3f97f28

    SHA512

    d56b64fdb5eb016eb6cdede1f589393ddc97d9f779417567cf0d2a752d6e1f77df2a0489fa1a6ba8fc9cf57b01e92776998c92619fb8a7c8c109ba090067d6f4

  • C:\Windows\SysWOW64\qjyddmof.exe

    Filesize

    512KB

    MD5

    c936aebf8f90265787dc341fdedc67d7

    SHA1

    60cb5275362d6a4da154f06b4f8dc558f3684e86

    SHA256

    9d2f7aac0bbeb6d23f201489903936e31e48d8c5c599c8883c25a654e2f20b7d

    SHA512

    a1501859bace1c01973c3fcb8ad3f7faa35771753093e1e0070972c13cbf1766c6e5d030e5b4f113485a5d7901848de9808f22fce2df61238f0f691d911624a0

  • C:\Windows\mydoc.rtf

    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

  • \??\c:\Program Files\ExitSync.doc.exe

    Filesize

    512KB

    MD5

    da7cbd537325bde0b3e956d26598d4dc

    SHA1

    e10c7fdd8cd0b0811fbaacb536a6a7a080b8f4ce

    SHA256

    b223b09c7458ea65652e81138bbc0d9a0adedde23f12cfe4cd0d0544f217002b

    SHA512

    5116d0247b772885d61e448cbd4a7a968afc84fbab96200aa718a35e94b156d9f7c5a6211691eb1ecd616fa51fb31e8bf9d1a309bea27cb02b0c756dcfc67c44

  • \Windows\SysWOW64\prmrhtjqoa.exe

    Filesize

    512KB

    MD5

    a88140312ef938c698f91effe670288e

    SHA1

    a464ce2b48812fa3ca0330413af2e3e98e966b51

    SHA256

    33a5d30d745e62dd30e47ed57c502b4ad0d02c4e103c77af475138fefa67fbd5

    SHA512

    8f0ab7033a961fd99b73f31cd4361fdbe14f4c94cc14a77ee72abfbf888e2a79f76eaf588a1c9299e619f8eeac74ebc12e5325521406c70c6b615799244a96cf

  • \Windows\SysWOW64\scebbdaqpuqat.exe

    Filesize

    512KB

    MD5

    0d4fa131cbcb113f94aea7bfc1352430

    SHA1

    5ee297fac3c49efc83fd354b3d02e9865c7262c0

    SHA256

    e169f74510a57b6c2a569703c7455109c636f4c061c16000420b68c3cb70a839

    SHA512

    9bd09505d8e7e30bc85a5af4c03d6c4c0bf00bd70c9f00210af28c47977e95f10b716dd9bee0cd14a9ae2a928f14ddb84f3e3890dd5bd388eeb13b9f60cf859c

  • memory/2024-47-0x0000000071B2D000-0x0000000071B38000-memory.dmp

    Filesize

    44KB

  • memory/2024-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/2024-42-0x000000002FE01000-0x000000002FE02000-memory.dmp

    Filesize

    4KB

  • memory/2024-81-0x0000000071B2D000-0x0000000071B38000-memory.dmp

    Filesize

    44KB

  • memory/2236-0-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB

  • memory/2664-80-0x0000000004030000-0x0000000004031000-memory.dmp

    Filesize

    4KB

  • memory/2664-83-0x0000000004030000-0x0000000004031000-memory.dmp

    Filesize

    4KB

  • memory/2664-88-0x0000000002670000-0x0000000002680000-memory.dmp

    Filesize

    64KB