Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20-04-2024 02:16

General

  • Target

    fbb4aac8ca9cb008dcaa29ea04cfaac0_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    fbb4aac8ca9cb008dcaa29ea04cfaac0

  • SHA1

    227f11bfa01e05bdc242e0195845604e75d17da9

  • SHA256

    8a1e58fab0d97559ba2242c6a9834de9659e996bd12344258c1c655d01069723

  • SHA512

    f519c170d011da50f63933fdb2fee45614292c9c33ae7bed6700aaa37cb476f31656ffebc91a6c18022a788b55e5d48fd947d2aec606b4ce242efa66399977ea

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6O:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5v

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 8 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fbb4aac8ca9cb008dcaa29ea04cfaac0_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\fbb4aac8ca9cb008dcaa29ea04cfaac0_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3588
    • C:\Windows\SysWOW64\miyftmsaqg.exe
      miyftmsaqg.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:3300
      • C:\Windows\SysWOW64\xcfoizjv.exe
        C:\Windows\system32\xcfoizjv.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:5036
    • C:\Windows\SysWOW64\xuvszvvolqlntpw.exe
      xuvszvvolqlntpw.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:760
    • C:\Windows\SysWOW64\xcfoizjv.exe
      xcfoizjv.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3448
    • C:\Windows\SysWOW64\fqicinswrxtmz.exe
      fqicinswrxtmz.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1624
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:1980

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Persistence
    • Boot or Logon Autostart Execution (T1547): 2
      • Registry Run Keys / Startup Folder (T1547.001): 1
      • Winlogon Helper DLL (T1547.004): 1
  • Privilege Escalation
    • Boot or Logon Autostart Execution (T1547): 2
      • Registry Run Keys / Startup Folder (T1547.001): 1
      • Winlogon Helper DLL (T1547.004): 1
  • Defense Evasion
    • Hide Artifacts (T1564): 2
      • Hidden Files and Directories (T1564.001): 2
    • Modify Registry (T1112): 6
    • Impair Defenses (T1562): 2
      • Disable or Modify Tools (T1562.001): 2
  • Credential Access
    • Unsecured Credentials (T1552): 1
      • Credentials In Files (T1552.001): 1
  • Discovery
    • Query Registry (T1012): 4
    • System Information Discovery (T1082): 5
    • Peripheral Device Discovery (T1120): 1
  • Collection
    • Data from Local System (T1005): 1

Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
    Filesize

    512KB

    MD5

    b1da075031a32fb94b8792d9aae2b213

    SHA1

    f1ce79503221b58c669cf33bf5801f6a30a028bc

    SHA256

    951048962a6d8fd6ca3ec6ff847d35af14ec692aa5b5f0ed470de886c47002e6

    SHA512

    116a65bf802498f42332c9525fc788a55db9615b97ce991cd11402a2812373bba9ad9981a644f307e7077e82e43b3e331bcecadedf6d4ccb6261d52e19708561

  • C:\Users\Admin\AppData\Local\Temp\TCDC3C6.tmp\sist02.xsl
    Filesize

    245KB

    MD5

    f883b260a8d67082ea895c14bf56dd56

    SHA1

    7954565c1f243d46ad3b1e2f1baf3281451fc14b

    SHA256

    ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

    SHA512

    d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
    Filesize

    239B

    MD5

    36bfdac921f64a8bb2e01fa67f1e679b

    SHA1

    61e6f563e4466670fadded63353c8fbd16a54e89

    SHA256

    5128f0eae9bb5b0864c6d3c4ba5f3f311a055fc46e3e2786b7ad35f264d58f6c

    SHA512

    171c9fca77fc3ee2c0b24eb7978c05db44c71ca859f93e43bdc25e0517f1bb921ea4c8e9fb1b04987f4191d05c2001ad5c148de0e496a5e05b3f9187d692df11

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    3KB

    MD5

    df1cd38ab55bad4d4606d9ec07af999d

    SHA1

    9a81cf7f1828dc7acabcb300dc8526a0a3fc1d06

    SHA256

    e59f9fa5cef18aa1d10bcd0fb4615d40250a9420cab5087706c5f12f2c5e2237

    SHA512

    e4d5e5102ebc59aec7f2b045efceb68d8eccab4c8e0d37408d5aa354a10c7ce8143700312fbc52db4754aa1d3c9568fb72274d82a19a28596e844a6c8fb41404

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    3KB

    MD5

    410ca2e19f0ddc09934d5bb4b2138c83

    SHA1

    2db7a4f46a08d9ff8d122838def976f0caa3b33a

    SHA256

    5ebfb86941c1ea6850e8dd7fcdbafacd3cb8f104a79a36eec19de14f3605e2ef

    SHA512

    43f3753d9073e18f32da390f1ba2c59fe7fc2186ad33b750122403c2bb4037523859ede407f3ff342f7b94ef1f75a7eed901e51062e4deb583d58cfdc2425534

  • C:\Windows\SysWOW64\fqicinswrxtmz.exe
    Filesize

    512KB

    MD5

    85a9bd6bd3c9abd68bc645f6d0eca183

    SHA1

    7aa9f8ebeee08d86bd5a17f172f8b023a7a0ac36

    SHA256

    49773de17baf8fbd0e9e8ebd5c2db9ee067a540355d40e0bcd60c40c96305629

    SHA512

    a44c78155fb245d3058d8051404a661ccb33384af452363a95ab3600862f03d762b9ea9dafe0b4a6ecdfbc190c539154a99cafd54a767fa1998781d72a8666bd

  • C:\Windows\SysWOW64\miyftmsaqg.exe
    Filesize

    512KB

    MD5

    e7092ab88acecc7f4831cbe6aeb86b13

    SHA1

    4db1c32fd88e7ce82faf15bb2d54e43a961a9749

    SHA256

    f5c58a37411de0093e46a29ac1aa14a4c4b8fe025919fcb4b67971130684430d

    SHA512

    1c682ef6543478e3b24ecc2c8a33c87d941e8a3931d48825303eb0c59f35e0e1845f6dbc842e5fc744292ed7278e4749c3d50642262420f685af750b6cdb522d

  • C:\Windows\SysWOW64\xcfoizjv.exe
    Filesize

    512KB

    MD5

    905a36c6edb25809a6eab1f8b0b95d25

    SHA1

    0595f583f42dcb760fcb530a58fca71adb485edb

    SHA256

    d173fd7b32b4dbe9a4a5a7aff7ddcace92cd0d3b43eadbf5d880e9d4ff00a244

    SHA512

    5d62b6fe62b713cc030002652e47f209f352ccc4849db073abb35f5c619426088441053abc58b4b8f4a868854f1ebd18ab2be9ea726805d0d20955f38cd2d15e

  • C:\Windows\SysWOW64\xuvszvvolqlntpw.exe
    Filesize

    512KB

    MD5

    df2cd1da550cbe26643c784efba185d5

    SHA1

    063f3d84099020ff5f2604b897091aa5ecd2a7f6

    SHA256

    de98fc0d53e75fea8abca9232fb72db25bc06e3053902b2daf934fa659908ee3

    SHA512

    716435f23170937957346ae705a969655308835d4c7367842e2ab71d56ebb398156aa92d801ff5bd0d8977033fef4504a1caba0c7cc444fd3b654b9d4d4767c1

  • C:\Windows\mydoc.rtf
    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    512KB

    MD5

    0064f8913456c732340725bf09106c86

    SHA1

    bb3fa6445aa2938b49fb758be07017a7d98652db

    SHA256

    28350873be9ab3eac79944e1d47238ca128a62dceaee326b476f2d380c3580eb

    SHA512

    70b668642f1375cee7cc92511a2e5a1e47c3bfbcbbff746d8c545d581f6bab7aa82954d4594ff70232feb92c3fee969ceec4d078da053958dc5e9419817cd2ad

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    512KB

    MD5

    b8bf85ce4c072960436615864cf1cf13

    SHA1

    c6a0d24c1959779e670dbd9088a9a10a34d852af

    SHA256

    55027e40cf7f370069e76611918fb33f81658fbad822f26cc0f91d418de8eee0

    SHA512

    15573572c0fdd686a1a6e465f60e6e2cf35c942512609c7d21c4796df18aa8f5fb3eaa29645e24a1cc0efd321935d728c63164e00febbc680fdbd201d097fd80

  • memory/1980-41-0x00007FFCB9490000-0x00007FFCB94A0000-memory.dmp
    Filesize

    64KB

  • memory/1980-39-0x00007FFCB9490000-0x00007FFCB94A0000-memory.dmp
    Filesize

    64KB

  • memory/1980-46-0x00007FFCF9410000-0x00007FFCF9605000-memory.dmp
    Filesize

    2.0MB

  • memory/1980-47-0x00007FFCF9410000-0x00007FFCF9605000-memory.dmp
    Filesize

    2.0MB

  • memory/1980-48-0x00007FFCB72F0000-0x00007FFCB7300000-memory.dmp
    Filesize

    64KB

  • memory/1980-49-0x00007FFCB72F0000-0x00007FFCB7300000-memory.dmp
    Filesize

    64KB

  • memory/1980-44-0x00007FFCF9410000-0x00007FFCF9605000-memory.dmp
    Filesize

    2.0MB

  • memory/1980-43-0x00007FFCB9490000-0x00007FFCB94A0000-memory.dmp
    Filesize

    64KB

  • memory/1980-42-0x00007FFCF9410000-0x00007FFCF9605000-memory.dmp
    Filesize

    2.0MB

  • memory/1980-40-0x00007FFCF9410000-0x00007FFCF9605000-memory.dmp
    Filesize

    2.0MB

  • memory/1980-611-0x00007FFCF9410000-0x00007FFCF9605000-memory.dmp
    Filesize

    2.0MB

  • memory/1980-45-0x00007FFCB9490000-0x00007FFCB94A0000-memory.dmp
    Filesize

    64KB

  • memory/1980-38-0x00007FFCF9410000-0x00007FFCF9605000-memory.dmp
    Filesize

    2.0MB

  • memory/1980-104-0x00007FFCF9410000-0x00007FFCF9605000-memory.dmp
    Filesize

    2.0MB

  • memory/1980-37-0x00007FFCB9490000-0x00007FFCB94A0000-memory.dmp
    Filesize

    64KB

  • memory/1980-528-0x00007FFCF9410000-0x00007FFCF9605000-memory.dmp
    Filesize

    2.0MB

  • memory/1980-583-0x00007FFCF9410000-0x00007FFCF9605000-memory.dmp
    Filesize

    2.0MB

  • memory/1980-606-0x00007FFCB9490000-0x00007FFCB94A0000-memory.dmp
    Filesize

    64KB

  • memory/1980-607-0x00007FFCB9490000-0x00007FFCB94A0000-memory.dmp
    Filesize

    64KB

  • memory/1980-608-0x00007FFCB9490000-0x00007FFCB94A0000-memory.dmp
    Filesize

    64KB

  • memory/1980-609-0x00007FFCB9490000-0x00007FFCB94A0000-memory.dmp
    Filesize

    64KB

  • memory/1980-610-0x00007FFCF9410000-0x00007FFCF9605000-memory.dmp
    Filesize

    2.0MB

  • memory/3588-0-0x0000000000400000-0x0000000000496000-memory.dmp
    Filesize

    600KB