Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    28-04-2024 09:09

General

  • Target

    04d94caa6a97084b6b204a3e81070c5a_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    04d94caa6a97084b6b204a3e81070c5a

  • SHA1

    abd419bb1fabfde4cd8cc5c8558ad8db73a14508

  • SHA256

    9866404f1c221e476925793f6023f38bf0ddbab112316315239c98af6647e9e9

  • SHA512

    713df4b771ef148893091c5fd7f84073b832d41b6408c6c2dcae3761faf8c80bd17393943fda848092ec5df671ff56e85fdb9bc385873680943e14d402497d6d

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6g:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5J

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 7 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 21 IoCs
  • Suspicious use of SendNotifyMessage 21 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\04d94caa6a97084b6b204a3e81070c5a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\04d94caa6a97084b6b204a3e81070c5a_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2656
    • C:\Windows\SysWOW64\ienbljagqe.exe
      ienbljagqe.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2684
      • C:\Windows\SysWOW64\ydawfiva.exe
        C:\Windows\system32\ydawfiva.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2608
    • C:\Windows\SysWOW64\tzcbzvypefsjmmj.exe
      tzcbzvypefsjmmj.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2516
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c uuimtppakfysv.exe
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2412
        • C:\Windows\SysWOW64\uuimtppakfysv.exe
          uuimtppakfysv.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:2844
    • C:\Windows\SysWOW64\ydawfiva.exe
      ydawfiva.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2624
    • C:\Windows\SysWOW64\uuimtppakfysv.exe
      uuimtppakfysv.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2572
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1992
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
        PID:1116

    Network

    MITRE ATT&CK Matrix (ATT&CK v13)

    Persistence

      • Boot or Logon Autostart Execution (T1547): 2
      • Registry Run Keys / Startup Folder (T1547.001): 1
      • Winlogon Helper DLL (T1547.004): 1

    Privilege Escalation

      • Boot or Logon Autostart Execution (T1547): 2
      • Registry Run Keys / Startup Folder (T1547.001): 1
      • Winlogon Helper DLL (T1547.004): 1

    Defense Evasion

      • Hide Artifacts (T1564): 2
      • Hidden Files and Directories (T1564.001): 2
      • Modify Registry (T1112): 7
      • Impair Defenses (T1562): 2
      • Disable or Modify Tools (T1562.001): 2

    Credential Access

      • Unsecured Credentials (T1552): 1
      • Credentials In Files (T1552.001): 1

    Discovery

      • Query Registry (T1012): 1
      • Peripheral Device Discovery (T1120): 1
      • System Information Discovery (T1082): 2

    Collection

      • Data from Local System (T1005): 1

    Downloads

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
      Filesize

      512KB

      MD5

      c196a12198f2a0038c52f0be2b7243ff

      SHA1

      72d6f747d6e46d987ae41584e94060dd382ed480

      SHA256

      e04da2d4f4527bdb6ec480caf971021d23440bf9c9f39ef17eee41fa7a9d0256

      SHA512

      837ea629f6c878723976d640d4037ef249d73b9e1b38df177d91f3a6da3fa3af1839ecb72c33f567b887c1b80b8882a35b0b5c59399850f2e983d367e379681e

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
      Filesize

      20KB

      MD5

      811f2927ed31a901b8db494174bb192e

      SHA1

      cc51adee52f07fcd55b7c01525a105bbcb73d84d

      SHA256

      e1f20659cd66776c20049765f3cd88f7abf64f7e9c4649e630f0796ea0bcde2b

      SHA512

      2592c6f8df0161a41965950f41d5f6a02b7b48b90bc784dec15fd48cb4e98dd84bb1ba812f9847f5346ce56eee0787126135761e774faf462b5aaf41fc6ec25f

    • C:\Windows\SysWOW64\tzcbzvypefsjmmj.exe
      Filesize

      512KB

      MD5

      947ce7d661caf15d6713c67e3374afa2

      SHA1

      dcf2d5936dd14f20c7a95ea29b295a42d74b9869

      SHA256

      4903e27ffef6abd78da3fb5fa808357a1733fde11984e7cecd3cf7de29347588

      SHA512

      178be1e91a61a7e19a37ab521490383ff8d67ccc699bd096628a1a04061cc23c663693c5d8d99e1c5ffc85d06a76c65f07d9b4799d29b65c28a9cb9a7aa18686

    • C:\Windows\mydoc.rtf
      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    • \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
      Filesize

      512KB

      MD5

      7d479404878a1f6480db245dd85a96f7

      SHA1

      cdfc7832aa33ae6ffbef202a1d241455a5970695

      SHA256

      267265805ad10224a52676dd1ab1670919a62ef6ef41665793c85b6ad0478af4

      SHA512

      881d724cc718b975f24620ef3b6af7cadae406579e942505d54a5be84cd15d89a7b9f69897ceb266e1fdd9a02b614e97e79786a5456446b7e9e34d8f9847803c

    • \Windows\SysWOW64\ienbljagqe.exe
      Filesize

      512KB

      MD5

      d17a65384779c883acf5cbb98ac658da

      SHA1

      1125e3b7eba902740a980495d2d7aa99df063435

      SHA256

      fe0d19ee8657513030180648da8371244dabb70cab68059aa4179982103a300e

      SHA512

      ceca3beec5ae2316da43e42b8346fb0fa85db490e32bc87e4c5757562e2df2899f4cd4cd0e2c502df7c4d646c2712970a0d3378eaa24f97eb52bf8c5245a0b9f

    • \Windows\SysWOW64\uuimtppakfysv.exe
      Filesize

      512KB

      MD5

      c2c2723a26cf58350f5ded6beb3777c4

      SHA1

      6046d1f2ff03545cb84587be5f147a04f4f4e785

      SHA256

      9fe347c20870cc1578cbb9c33461b6039075160454a574f5fd1e4ab68c792038

      SHA512

      85266f334eab8a83a1e2923a1ab278d96f34cdc360f5e8837d4bb50e13928b1039c4792766a167bc49fd82e3f7e96e48c325da40bb6e646b11f9b2ebbbd81b4c

    • \Windows\SysWOW64\ydawfiva.exe
      Filesize

      512KB

      MD5

      851b6efe913b48c6accf7fa8e3d98a04

      SHA1

      67baf154815f9f90859416c178740be62e13299c

      SHA256

      09564ad071cf7ff96a045dc882acbad8ace7d73bb14aca48a1523143fa261ae6

      SHA512

      a63f20eb41bf1bd1e8c4d97d430d8d852f837b7bcb523eeff1f1a863817c9a415bc9204c09ecf023fb0466e412121b5b856fcf87ee91f923c073026aa806a98e

    • memory/1992-48-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

    • memory/1992-106-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

    • memory/2656-0-0x0000000000400000-0x0000000000496000-memory.dmp
      Filesize

      600KB