Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-05-2024 23:36

General

  • Target

    3d0a8983d1c76b9ac2c80e058138b16b_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    3d0a8983d1c76b9ac2c80e058138b16b

  • SHA1

    a4a38c96475bd49cb078c041011ccec3296915f6

  • SHA256

    e6bd8ad2ab36739fd045c556548d7af136e419669c8a2a9872a6c286ed30ac82

  • SHA512

    63330948e15c5c33c3761551515eb291aa709939b777fd531bfd6ff530832c2402d1270ab509b8a45a20878ef7646db55ed0fdc28a4bdba6d8d911d7987df65f

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6e:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5N

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 7 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 50 IoCs
  • Suspicious use of SendNotifyMessage 34 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\3d0a8983d1c76b9ac2c80e058138b16b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3d0a8983d1c76b9ac2c80e058138b16b_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2404
    • C:\Windows\SysWOW64\qwtwrbrrud.exe
      qwtwrbrrud.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2560
      • C:\Windows\SysWOW64\cnynvzvu.exe
        C:\Windows\system32\cnynvzvu.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        PID:2896
    • C:\Windows\SysWOW64\euyacrrhuzufljb.exe
      euyacrrhuzufljb.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2572
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c ixeimxnewumia.exe
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2504
        • C:\Windows\SysWOW64\ixeimxnewumia.exe
          ixeimxnewumia.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          PID:2460
    • C:\Windows\SysWOW64\cnynvzvu.exe
      cnynvzvu.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2712
    • C:\Windows\SysWOW64\ixeimxnewumia.exe
      ixeimxnewumia.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2600
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:2544
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2772

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

    Filesize

    512KB

    MD5

    be05a67560b6cae184a812ccfb3bfcb2

    SHA1

    7cca70f7b5d13e633fe5846a4c2a3804326f3e6a

    SHA256

    0081bd42ca7a09d566f6726ac73756aea49b21da8964c84bfb903ec0f19cfa74

    SHA512

    dd574246eba31212a6fa8471cc34c2f21df3a290409d1d0ae10b9c22d8938dd1ec819de8b5cca49ba139f489bf0b385593a11f7be822ae81840ab90485a54753

  • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

    Filesize

    512KB

    MD5

    7fa57de12035ea2548d38ce1e464478d

    SHA1

    a66d23480e2faf2cad0a57fb25e02d492a38fc3a

    SHA256

    46be325afae509cf4afc40d33af6d4a07c4bf47eba687be11e76aea42c8d9e10

    SHA512

    0e51886ca0ed87a43ad10671a2ee42becb79bbc1ba56eb6d55b09f9834dd0e3d33e379035ffd0a7004d1cb5c046ab0b9ae08ebaf5674deb31ba530fb575292a1

  • C:\Windows\SysWOW64\cnynvzvu.exe

    Filesize

    512KB

    MD5

    54c259ac8ddc727f87eb1adc3f6a8c90

    SHA1

    8b8488b321034d917cddf82a048f696d4cc6c352

    SHA256

    c9680bd02331e2743533d67d01287df251bda28bec35f6fe89fc53cc62a17849

    SHA512

    66e78f2f265fb2cef391a8b14a365192dabbb5fa4514d2d53184fe49eacf23f27a6724769def592438652e2894233c5b13bb2b018ada37a7e7c090ffca76e65e

  • C:\Windows\SysWOW64\euyacrrhuzufljb.exe

    Filesize

    512KB

    MD5

    91b6d17fede12da8a81a246c77a7c697

    SHA1

    305e00601cd34cd9df07521f3006ab4d3da0b390

    SHA256

    ced62b8d7895ab4c4c8147661114d160f522845d2ed44c65c373f237c6994241

    SHA512

    7caca17057a511a98b61bdc10e2b083690335c04c656f38dfef9505d7f49100218318ae2915b8b773ff059dee6f1db05fe69a8458107b15dc1c2fec266fc4a87

  • C:\Windows\mydoc.rtf

    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

  • \Windows\SysWOW64\ixeimxnewumia.exe

    Filesize

    512KB

    MD5

    db4d0847b2833c8bc8bae8b37d0a96db

    SHA1

    a93510b9289ae2029bddcdc9ae49e6ea71bdd115

    SHA256

    c342330a2be43e43ea1416f688e79aa22d2e328f77a094bbaa378d6d69b4c90e

    SHA512

    d75a7dfa4e9450b1345edeee8b8dddde334ac34f1bedd874e6c25b0c958102b7ad812ee39aba6786b57ed66ad5145ce1f610aeeb5271347a5595edc76d89f4cf

  • \Windows\SysWOW64\qwtwrbrrud.exe

    Filesize

    512KB

    MD5

    7cbfebe5685ec6d4b12a2abdf5452635

    SHA1

    6dadf86c5079d3db13d862c55a9aaed95e8e4f34

    SHA256

    11e1c64cea662cf8789100e792c72226282a48884e00cd8889d72cbf3a0055ed

    SHA512

    43ac0294a83c1430d4da19dc86664787aa524120c0b905a9e3c9744c48b4361ade373b1e5f70492b412b106aa246a73f480713dcf33396475e9e1c8a6a8bea00

  • memory/2404-0-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB

  • memory/2544-48-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/2772-83-0x0000000002AA0000-0x0000000002AB0000-memory.dmp

    Filesize

    64KB