Analysis

  • max time kernel
    150s
  • max time network
    109s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-04-2024 16:49

General

  • Target

    05a37a23d825f72a3f83a031a21d928f_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    05a37a23d825f72a3f83a031a21d928f

  • SHA1

    6e7dc18228906cf9077c56e5b6938cb55131aef6

  • SHA256

    6ee1815fb67ed5f8f91e26937332f4388fb37e6b8c5cc51b54b89ba607362216

  • SHA512

    9c546ee4b495abccce5cb9368a40783d1cc47618795d16ef7b6dfb6df0829432b26a2bacf39c83f1e4aeb421f71864a47dfde8c688e8ea58ef6ef27b4ee19b09

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6Y:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5d

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 8 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 13 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\05a37a23d825f72a3f83a031a21d928f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\05a37a23d825f72a3f83a031a21d928f_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2964
    • C:\Windows\SysWOW64\qaqxdwvzbq.exe
      qaqxdwvzbq.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:3412
      • C:\Windows\SysWOW64\ctinkkst.exe
        C:\Windows\system32\ctinkkst.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4080
    • C:\Windows\SysWOW64\lekxzpggdbikmjv.exe
      lekxzpggdbikmjv.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3652
    • C:\Windows\SysWOW64\ctinkkst.exe
      ctinkkst.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1032
    • C:\Windows\SysWOW64\bffwodjelawvk.exe
      bffwodjelawvk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1088
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:3792

Network

MITRE ATT&CK Matrix ATT&CK v13

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Defense Evasion

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Modify Registry

6
T1112

Impair Defenses

2
T1562

Disable or Modify Tools

2
T1562.001

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

4
T1012

System Information Discovery

5
T1082

Peripheral Device Discovery

1
T1120

Collection

Data from Local System

1
T1005

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
    Filesize

    512KB

    MD5

    3ccbc29b72542ae297e1db58a7ff365f

    SHA1

    ec8dae76237258b59dcfa7b30a0b5189d737978c

    SHA256

    e17d526f479edf7117812f9c6405b4bab984b903bd684393ef5c1d9bccc5cd8b

    SHA512

    b17d9f07341f761dffb661ff4f8551db4ff51bf14db50a0cff9a5e07ab73553f748e7d443f902d058767c1de6b0e7c5c6461971c17cde04d7015be4947d0a3a9

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
    Filesize

    247B

    MD5

    1b529425a37b1334b8b33ebd890269a4

    SHA1

    84768e6475b45e3431d5dd62968dde9b92bcb799

    SHA256

    774609fb895e024729e533b8420e732453a0f7ad9cc4599a871157b4f2ca0440

    SHA512

    8d82cb100fb6e979061a2a86aedf2f77de9bb5abf4431ed7add5c75d04988a3cd747119ade26856e8c2fdf7fe75e6aedf0025f2015e525b6835c80cfa2eff295

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    3KB

    MD5

    334b9f2ac4e7dbded97cfc6a0491d309

    SHA1

    bde2c1f66e62f831ced12b4b55a47c7076381462

    SHA256

    c98201e4a79c07f42b02537599aa52ba816ce21bdac1fa9946ac035e7015307d

    SHA512

    edb859647f97385f47e9e943ce22e212043d6e9fe3f2492e374ea3bc0e7ab3950dbfb972becbf4f5e61b38b9b9e3f0086e0000c29329181cdb1e639f9a0e954d

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    3KB

    MD5

    6eddc6f7e3d97f5865ca68a9ab90d2a9

    SHA1

    c143687a44dbfa01e9c1d3defdc5a83cba485f05

    SHA256

    96c5b0688f7ae088810851bf97d5b695f0dcc55113d393f1adfc23e0542aa9fb

    SHA512

    1d4b3d068709ecb1c13ae22f9356306b3c6d3d859e5a901d92baadf1d4d25f09b824fe3acff0b0a244ea176898ee45d6122060630f6c580884b8ccf1f41563f4

  • C:\Windows\SysWOW64\bffwodjelawvk.exe
    Filesize

    512KB

    MD5

    495349aeb25095417e2e5ffac48eb3c4

    SHA1

    43925dc8ac43cade186d6fa75face8e0b8457218

    SHA256

    81ed9beb68be28aa564c64d845f56d039b7b3f989f9b289e0e43a998c66511df

    SHA512

    8a8122c35bad01db42b52c3e9fc2d41c0a1e5db394b8eb9b566e2a8151ec2bdc13564484bc3bc800b21f3ad9cc895933ac4f3bd7b4d8ab07f9e5e631a437ee62

  • C:\Windows\SysWOW64\ctinkkst.exe
    Filesize

    512KB

    MD5

    443d5a5bdd8b09277438eb7d725e165e

    SHA1

    7a4d5a94553ec3f957b11e0c9821471f7fa97a1f

    SHA256

    d5d53534c7b9c9cdf28aac5fe72d435c1128bb1825e6675ebc729d0cbbe60bc5

    SHA512

    6a0782d67080311fa395c5cabf8aacf2333a8dd288b2586ee81d17763182863ff1da5822c93080c497fc801d806359d2db2865aaa576283857c5fe16563aa665

  • C:\Windows\SysWOW64\lekxzpggdbikmjv.exe
    Filesize

    512KB

    MD5

    065072af8397bccf6eb472ba9e1fba71

    SHA1

    c7ca294817d54ebdaa2cd35283ed24f5c4d54f79

    SHA256

    8e73ed298da22e648b8486bc81664a1ddf5fbba072fc605e9df356c6d358c4ab

    SHA512

    9283facf825157af0633e1c569945f0cd4a7a35bf099f560b10c0d1df8e5659efa0f3378c2ffe3a275d9c89971777b5131d5bed583a96f4a260368652e7f5a79

  • C:\Windows\SysWOW64\qaqxdwvzbq.exe
    Filesize

    512KB

    MD5

    bc43383fdf11c886a45eb3f1e3bf9e9e

    SHA1

    5d446d9708350eab07ec2bc745ccd5247b247b38

    SHA256

    267fe73757e97c9123e2507724cdea6ffe57e99e91d9d39c55ed0f9f4079a620

    SHA512

    5c3dd98d73036f66f0303c82bb630a37a743d3a07711c5a93d1dd0f9530f8706c6e250378d58557595780908ffbeadf85b6aeb789a6c28fdeb00836a0555cdd0

  • C:\Windows\mydoc.rtf
    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    512KB

    MD5

    93782972f831335dfbdec53f109b3cb6

    SHA1

    a175cd7bbf7f639a63f64adbb14ea07a0cc648df

    SHA256

    bc0a5e1cf67d36ae706331a5c2370f52303b6d3799eca482fc550cbd7d32b020

    SHA512

    a352e7edf53a649e71ecb743c763f232793e8b53ac11d06b365c1e611da4fd4680babf2c8e081350130f5e25fbc812994740213b581bf5c204ea99f81dcc9175

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    512KB

    MD5

    188e1c3ae1f3b4b319b3654093204620

    SHA1

    17f6253db3dc8695dc0809b0fdba107462821007

    SHA256

    de925b86dea5950a552ce8cd56bbe928ab22c44164bfb32d5f4a95f6beb3fd07

    SHA512

    9f39f12d12941d606083d50cf0a36d78873114102c705960a92d49d8d40cc056df8c5f378b856f730ba835e703c50f62b9541e48e8d5f01b0f69e3364fd6a507

  • memory/2964-0-0x0000000000400000-0x0000000000496000-memory.dmp
    Filesize

    600KB

  • memory/3792-37-0x00007FFDD3070000-0x00007FFDD3080000-memory.dmp
    Filesize

    64KB

  • memory/3792-41-0x00007FFDD0AF0000-0x00007FFDD0B00000-memory.dmp
    Filesize

    64KB

  • memory/3792-40-0x00007FFDD0AF0000-0x00007FFDD0B00000-memory.dmp
    Filesize

    64KB

  • memory/3792-35-0x00007FFDD3070000-0x00007FFDD3080000-memory.dmp
    Filesize

    64KB

  • memory/3792-39-0x00007FFDD3070000-0x00007FFDD3080000-memory.dmp
    Filesize

    64KB

  • memory/3792-36-0x00007FFDD3070000-0x00007FFDD3080000-memory.dmp
    Filesize

    64KB

  • memory/3792-38-0x00007FFDD3070000-0x00007FFDD3080000-memory.dmp
    Filesize

    64KB

  • memory/3792-113-0x00007FFDD3070000-0x00007FFDD3080000-memory.dmp
    Filesize

    64KB

  • memory/3792-114-0x00007FFDD3070000-0x00007FFDD3080000-memory.dmp
    Filesize

    64KB

  • memory/3792-115-0x00007FFDD3070000-0x00007FFDD3080000-memory.dmp
    Filesize

    64KB

  • memory/3792-112-0x00007FFDD3070000-0x00007FFDD3080000-memory.dmp
    Filesize

    64KB