Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28-04-2024 19:36

General

  • Target

    05ebbd956c5c919e011aa103cae3ccf6_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    05ebbd956c5c919e011aa103cae3ccf6

  • SHA1

    b4f19cadc024e6add58b0994a0f0bccc9a68327f

  • SHA256

    fb2ef2d480da85296a27c8d7f9f6d6f62245a6525b152c9310a478f0a027cfcd

  • SHA512

    a87bf49bd2781009fc7c1b01460b493dc0102371fa66ffd90298884c010f15a85fac608234feba913c18f8190d3a13da50738577710ddb8f07be18eac4eb6c79

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6q:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5f

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 9 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 18 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\05ebbd956c5c919e011aa103cae3ccf6_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\05ebbd956c5c919e011aa103cae3ccf6_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2320
    • C:\Windows\SysWOW64\rcuytqczbp.exe
      rcuytqczbp.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:4596
      • C:\Windows\SysWOW64\bscapwno.exe
        C:\Windows\system32\bscapwno.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4264
    • C:\Windows\SysWOW64\zkniynvisqomlhb.exe
      zkniynvisqomlhb.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3080
    • C:\Windows\SysWOW64\bscapwno.exe
      bscapwno.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3868
    • C:\Windows\SysWOW64\cizrmnalnkeko.exe
      cizrmnalnkeko.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4468
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:2988

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

    Filesize

    512KB

    MD5

    8e539a70a01e880084016495c44dc0c8

    SHA1

    7375f17a1c94926b97dc47f4c453580adafb7ff1

    SHA256

    8ea9880b5ec4ac80ce9a7aae51e1c26fd15bd3a4613b311b5db80311cd470187

    SHA512

    7e8cc386f8ace02a188964f7e4760d45a26ab46b803c087b5dd365e8a4a9e6becd52c611a204976f7b27365b60c338fe8c47a73e55e03a4b86a2b16879453688

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

    Filesize

    512KB

    MD5

    2fc7c4f4a466879dea268352d2b22972

    SHA1

    67b9ddcbc0fb348cbedb9a439f20c7ae8ac6f14b

    SHA256

    d5d5e767cb27a1acd8a4ba52f13bb889ddbdf7acdb8499090f782e611f12c07e

    SHA512

    1e945fb0deaab428489d94835a20db4f07d4f4abccf26dc72a72ee8d851f9dc1cf1ccc28d31da93bc50c0afdc6655c35e2fb8888cf393fdf01796cc1463fa445

  • C:\Users\Admin\AppData\Local\Temp\TCD8A8B.tmp\sist02.xsl

    Filesize

    245KB

    MD5

    f883b260a8d67082ea895c14bf56dd56

    SHA1

    7954565c1f243d46ad3b1e2f1baf3281451fc14b

    SHA256

    ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

    SHA512

    d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

    Filesize

    239B

    MD5

    361ba5cdfe246f4303b0a1638e0daf43

    SHA1

    eced7199b1af3c8e92209a68cb9a925ff3f369a3

    SHA256

    507143acb38e64408d03a0dd98e16bd34ca557294c466ae8ec9c7c763eb3a2a5

    SHA512

    81b9d124396d138717aea4dc71cec59426a3b65b47eaa0d13523adf030c5e3df9fa670ed48f7634d0301812d4b546dd43bc5bf863b58112570a2ab049bc7ab54

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

    Filesize

    3KB

    MD5

    642474998070c319bd5d933c4d31ad1c

    SHA1

    2e92d8eeb1e9accda63e36d530c2495b6d8f2ef9

    SHA256

    45ba901b21d8d04f7f27b1e66c6fe20cd36514715398f425c522f4fe2d7dcf17

    SHA512

    ee5b4779dea7d2f3f5a9645a08e7107f757dd7374c5a5ae696390cb4846ebf98f258488289451c11a6cf4d367c47b996098c460e4ba42afe91565246478fdfca

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

    Filesize

    3KB

    MD5

    a695c4c0da1e81d37b653b626bde5889

    SHA1

    4ff0a63ec97d3e3de8693ed53857aa1f714eb333

    SHA256

    163469495e326f83ffb17baf1a358497b04d9cb931fdbf40c60b897ba4514503

    SHA512

    cb3feb8a1016a34bf6f3f176bbbce55e665ca05933bf6ec21e28828a3b273afd658c4c333d0b0902d97a95e1cd0fb6742cfe636ad83a807f3e064bfaa49f9993

  • C:\Windows\SysWOW64\bscapwno.exe

    Filesize

    512KB

    MD5

    1f6d9abba5f9062b0920b355b9daa34e

    SHA1

    5dcb510c16216f771516af001f9e42324de0201b

    SHA256

    c028071823bb0e86f3c86ca1d5173aab09450cf912c85094180d2ceac45398ef

    SHA512

    aa901f5de6613979053150aea15d6315095c5e6439071f6817179c36e65bd1c9b39053fd84aa8d01e73edf7dae255a5dd4988e5df2d23abd950220f070ba08f7

  • C:\Windows\SysWOW64\cizrmnalnkeko.exe

    Filesize

    512KB

    MD5

    d6f82db568dbf49ee1ca79796ee957b1

    SHA1

    dabffbc47c70fd1c39fdd3e845348ec4b143ad0f

    SHA256

    257eb48664ea1eb39f0ceb7ce1c16ada92eb977144f86f63e13151aa34d2a163

    SHA512

    0417e0276bae314359f215a8457894c713960cedea27c1c94128c540a81c7c29c92e08353471393718606c4e29700d3f34a944232a3fb7bef7790418a32665e8

  • C:\Windows\SysWOW64\rcuytqczbp.exe

    Filesize

    512KB

    MD5

    415035177951db8e88f2116fe9a1d560

    SHA1

    32158efd96d468657da2cc8152bceb8d1f0a63e3

    SHA256

    dcea785bd87b86e1e32bd80dbc1ec490f8ba5cc882b15c09c70512bd83c1d78d

    SHA512

    30e805c831ff7fbe9fef1665777f765750957c3d779a2de96deaa042dc52da02753f4586514e5cb709bdfd864e1d5f7ee2cf4d7f174e0069529b8ea0fdae006a

  • C:\Windows\SysWOW64\zkniynvisqomlhb.exe

    Filesize

    512KB

    MD5

    d78bda5d9ed780d1c1f20f871460a790

    SHA1

    bd0a7c4498be370c166b944c57619a697a7ab502

    SHA256

    afbfc759b0b1dcdb9224e1f29a303987b2a627230824f1510df3c2e0e2920a3b

    SHA512

    c8a4c10f94492563c0aa6bbc29c290ee640c5ecd7b7d76cc7690acc747ae6decf9a24bf5d16e0ac8c1bbeb12442246a48f59ec004e57018482989c7a32b484db

  • C:\Windows\mydoc.rtf

    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

    Filesize

    512KB

    MD5

    02cec240a180152c37f48e40819fa56d

    SHA1

    c0159d5fd092cc02a555e825f50ab0201cc95524

    SHA256

    b4c678a56b1cf6e9b61fb9060abfa7516107e98c6628eae7a3264d92ff2ff86e

    SHA512

    40dc51f5fcc24166d0d814e70fd15d3609e50704b5291435e2442fa0c5c726fd59a30d9252b01d57ecebdd23272b4015dc317dfd79aee9ae6af3f18bcd0644ec

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

    Filesize

    512KB

    MD5

    9890efecc9aba73b8c6f7a74397a5711

    SHA1

    c4e284e13c5d916c7ced77fbef6f735bef67090b

    SHA256

    d5d33f6247920c6b87fe50938326df545560cfc1d17f33f3e76b33b4bf87d1c6

    SHA512

    736d69c84c17919c64e7dac065987ee5afa5465123c3c38285560500d2cd40c13e1117f865ebf27d9b9deee77d6c29e352c8e00b10e1adce62c2ebbb8230d833

  • memory/2320-0-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB

  • memory/2988-38-0x00007FF7CD3F0000-0x00007FF7CD400000-memory.dmp

    Filesize

    64KB

  • memory/2988-42-0x00007FF7CB1E0000-0x00007FF7CB1F0000-memory.dmp

    Filesize

    64KB

  • memory/2988-36-0x00007FF7CD3F0000-0x00007FF7CD400000-memory.dmp

    Filesize

    64KB

  • memory/2988-37-0x00007FF7CD3F0000-0x00007FF7CD400000-memory.dmp

    Filesize

    64KB

  • memory/2988-39-0x00007FF7CD3F0000-0x00007FF7CD400000-memory.dmp

    Filesize

    64KB

  • memory/2988-40-0x00007FF7CB1E0000-0x00007FF7CB1F0000-memory.dmp

    Filesize

    64KB

  • memory/2988-35-0x00007FF7CD3F0000-0x00007FF7CD400000-memory.dmp

    Filesize

    64KB

  • memory/2988-598-0x00007FF7CD3F0000-0x00007FF7CD400000-memory.dmp

    Filesize

    64KB

  • memory/2988-597-0x00007FF7CD3F0000-0x00007FF7CD400000-memory.dmp

    Filesize

    64KB

  • memory/2988-599-0x00007FF7CD3F0000-0x00007FF7CD400000-memory.dmp

    Filesize

    64KB

  • memory/2988-600-0x00007FF7CD3F0000-0x00007FF7CD400000-memory.dmp

    Filesize

    64KB