Analysis

  • max time kernel: 150s
  • max time network: 146s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240426-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 28-04-2024 05:04

General

  • Target: 046e9e8a98460e27abfb541b1c6b381e_JaffaCakes118.exe
  • Size: 513KB
  • MD5: 046e9e8a98460e27abfb541b1c6b381e
  • SHA1: 1726b747e18c28e940c0af1f7ba75ed0b0e442fa
  • SHA256: c1f6785de4e9cfb7b395b23354a873ed23b273c7a53e6891ef84f2a63a9c2c1f
  • SHA512: 617053922fd5033418101cdc41599fdef93bd084e3d6b5eebb93554c1d8fc93dd04b718a19f5947bc95724b564343ad1d26b5d5aa83e93030da65bc3ba600721
  • SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6P:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5Q

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 9 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 13 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\046e9e8a98460e27abfb541b1c6b381e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\046e9e8a98460e27abfb541b1c6b381e_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2460
    • C:\Windows\SysWOW64\qeapzhonct.exe
      qeapzhonct.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:4940
      • C:\Windows\SysWOW64\iwlenyro.exe
        C:\Windows\system32\iwlenyro.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1188
    • C:\Windows\SysWOW64\qbesozshhnxxisr.exe
      qbesozshhnxxisr.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2408
    • C:\Windows\SysWOW64\iwlenyro.exe
      iwlenyro.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1916
    • C:\Windows\SysWOW64\vbjumskruslgr.exe
      vbjumskruslgr.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1672
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:4376

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Persistence
    • T1547 Boot or Logon Autostart Execution (2)
      • T1547.001 Registry Run Keys / Startup Folder (1)
      • T1547.004 Winlogon Helper DLL (1)
  • Privilege Escalation
    • T1547 Boot or Logon Autostart Execution (2)
      • T1547.001 Registry Run Keys / Startup Folder (1)
      • T1547.004 Winlogon Helper DLL (1)
  • Defense Evasion
    • T1564 Hide Artifacts (2)
      • T1564.001 Hidden Files and Directories (2)
    • T1112 Modify Registry (6)
    • T1562 Impair Defenses (2)
      • T1562.001 Disable or Modify Tools (2)
  • Credential Access
    • T1552 Unsecured Credentials (1)
      • T1552.001 Credentials In Files (1)
  • Discovery
    • T1012 Query Registry (4)
    • T1082 System Information Discovery (5)
    • T1120 Peripheral Device Discovery (1)
  • Collection
    • T1005 Data from Local System (1)

Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
    Filesize: 513KB
    MD5: a9219356d14eb373b3a60b2cfa3efe66
    SHA1: bf599d3634ba0716a0cab09b816f83926885dc49
    SHA256: 901231c7d04d82a877d0886394f44963efe32ef52dc31ba95912a612ec784404
    SHA512: 67d3a20c4c328abeeb508202876e3660de08829b222200898fe18e450d5545e12ec0af06046972a4e68bcc87cd068f3773dd548c21e1014cf8fd01c059b08921

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
    Filesize: 513KB
    MD5: a1b7d499e642b981a9d4b1c348302087
    SHA1: 2795fe79c5818af774df1cfb3a02ab5ac2096430
    SHA256: 117e6ab824255e6e6e2e08caf2eb55e52e8b97acbfc1fee5cc89fc9dfa2200a8
    SHA512: 04946981ea8976f791605b5c90cc7002d921d929419a28e0dcd8e98fe77ccdad82ea9d22fd685ec0af1a79f694600cc38aa70a0a7b65726f46e34ba759200c5d

  • C:\Users\Admin\AppData\Local\Temp\TCD9832.tmp\iso690.xsl
    Filesize: 263KB
    MD5: ff0e07eff1333cdf9fc2523d323dd654
    SHA1: 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
    SHA256: 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
    SHA512: b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
    Filesize: 239B
    MD5: c0458d84c21e6a33d9dd19954db113e2
    SHA1: ed281badb74c7dc0d4cc42e7bdfb1442c2b7fca2
    SHA256: 9f644dd6e8fd46e1607d736deaae1ef28b2b043d7c1fcf97fda64f4044b047cb
    SHA512: de0ad401e167d9220d2fd8d08f5f14ca22e68b0e6260ab7b5fdf17e8db8aa442ed9f5326f84f65e4ae93650c182f6e09639d83e8a3798fdb2389ac0422a82f34

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize: 3KB
    MD5: ab5cfe253696a8889118b6ac23f39fdd
    SHA1: d1c55583ef21d5a6b080e652df12fa0b8b7eab4b
    SHA256: 6a7bce21869e3b1c37f6c3efda3bba29b89ec0643d24e5a74f9ace068d31bec3
    SHA512: 829e9f85287d9eb35e5952fc4a1f51a6e4ed6cc899094864bd88fb6f9c887fa2732e9a412c9af47ce8ddbec69adc5fc30153870e04f91830beaec18b1268b8e4

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize: 3KB
    MD5: dcf8d89b0757a8c27387084c4c55ea5a
    SHA1: 7ac5dc9619a2d2a2c959c6f320920a854fba45a1
    SHA256: 427c8188f22e4f61f7d08e0fae8dab0896ebd0f47eacf306b7d65eb82989d32a
    SHA512: 17e1a3cd1354ddad6d61008266486d5297b7ad258617ebcdd0a0cde69d9b6f51e0d7830ad0f379548404a8e5a4912abfc4cdb94cf443d301c6a694823ff3f8e8

  • C:\Windows\SysWOW64\iwlenyro.exe
    Filesize: 513KB
    MD5: 3fd7da215eb738ca72a6fa97dc0db050
    SHA1: 3348fadccea7150d97c40bff2ed75163a44d6c0c
    SHA256: 926ce332da1888eb10a3833e7def499fe266dee6d9d6d9a9ea84eae27e117fd6
    SHA512: 4b8889d3d82aee6e6fc6c45f29347ea4f475c689a7ab87b87a57e8736f5e13e9f74bc3ff072be95e19b4fcc7a9055ec73b29426123e1cc505d0b6e9910884c98

  • C:\Windows\SysWOW64\qbesozshhnxxisr.exe
    Filesize: 513KB
    MD5: ea69af92e04b74547af95e7e1bcb0fdf
    SHA1: 60edff7282359316168643e7711021d211f05b92
    SHA256: 0091f0f100b77f0508fe6bd574bb07b3d05040c34a28bd1f31db0f7441cfb75b
    SHA512: 7b7eeaa91352130f54057d0db80d1a75f83309c7909c25b509f4dc631f2152bccd4c95f989cad74d07f25a41d45bdf4cb6f54d875d4a4d500d4687da99a22c06

  • C:\Windows\SysWOW64\qeapzhonct.exe
    Filesize: 513KB
    MD5: 02fcfe70b031a40bd9ea277582025946
    SHA1: 24d085176635b74c2879b37c9999102447714881
    SHA256: c039c6576fd4ef6e5f1ff4f52cbf51a52e848c2346f0b0509b5641be3b49c926
    SHA512: 4fe00761cc9ff974d6fe8061c132163895341c0e56cb3631fc83b05ffe47f3bec6ae4de7e64d81b5dc25ebde4cd1e99503f6482feaac10e3d5c927ffb9cdfeec

  • C:\Windows\SysWOW64\vbjumskruslgr.exe
    Filesize: 513KB
    MD5: e18bc71445c1f3c40a03954fd8d991a0
    SHA1: ff4bf35f3e2723e44d632601406b1c9402541fee
    SHA256: 4895f99ebdc1642b56e23798a643c2130e32e5a9a4eae0c3d8be3f04aa658dab
    SHA512: 0128787b5c991783e2a3065cad7d92890578d98f81151a8ce854456b25d3455a4010f46a9e354debf20760347e34fcf14dc0b47b507fb84420192a6d545f6722

  • C:\Windows\mydoc.rtf
    Filesize: 223B
    MD5: 06604e5941c126e2e7be02c5cd9f62ec
    SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
    SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
    SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize: 513KB
    MD5: 549380df9ec7e7def27c17419874bbf1
    SHA1: 6ee9f1ca7de634399c5f9cfb05868ee4e5e0ad43
    SHA256: c84c80f1c24898f879a1aecd7be64c3bc155b725a9690dea201c2c505fbb6218
    SHA512: 942b3b4251df19821e2e60ecd68b4f8fe8739bae8d3cba2ef2699807fb7b8d929f60bbb750cbab67f96120fef53b00296abde61ea61054f50541566be70b220a

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize: 513KB
    MD5: 4ba5504ad3f30000bf3f8a08cc7b3652
    SHA1: 4cde11568982a0d34ae4da6f8671a74cac1e5c55
    SHA256: bd150b342421a2bd8e3daf332e3dbd4ce54570bce56ec28d679a5bdf629a49f7
    SHA512: c1d416b4a9aeb261b8c738fd92b0af992ff285217117d87557f8396a7a33282faf4894c6ca6b94fb1e1ef6036887b8a15d583f50782449a09a2881e25fc11187

  • memory/2460-0-0x0000000000400000-0x0000000000496000-memory.dmp
    Filesize: 600KB

  • memory/4376-39-0x00007FF97A710000-0x00007FF97A720000-memory.dmp
    Filesize: 64KB

  • memory/4376-38-0x00007FF97A710000-0x00007FF97A720000-memory.dmp
    Filesize: 64KB

  • memory/4376-36-0x00007FF97A710000-0x00007FF97A720000-memory.dmp
    Filesize: 64KB

  • memory/4376-37-0x00007FF97A710000-0x00007FF97A720000-memory.dmp
    Filesize: 64KB

  • memory/4376-35-0x00007FF97A710000-0x00007FF97A720000-memory.dmp
    Filesize: 64KB

  • memory/4376-43-0x00007FF978570000-0x00007FF978580000-memory.dmp
    Filesize: 64KB

  • memory/4376-40-0x00007FF978570000-0x00007FF978580000-memory.dmp
    Filesize: 64KB

  • memory/4376-596-0x00007FF97A710000-0x00007FF97A720000-memory.dmp
    Filesize: 64KB

  • memory/4376-597-0x00007FF97A710000-0x00007FF97A720000-memory.dmp
    Filesize: 64KB

  • memory/4376-595-0x00007FF97A710000-0x00007FF97A720000-memory.dmp
    Filesize: 64KB

  • memory/4376-594-0x00007FF97A710000-0x00007FF97A720000-memory.dmp
    Filesize: 64KB