Analysis

  • max time kernel: 150s
  • max time network: 119s
  • platform: windows7_x64
  • resource: win7-20231129-en
  • resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted: 15/05/2024, 11:10

General

  • Target: 45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe
  • Size: 512KB
  • MD5: 45e4eee014788a7efcf398d896a0af64
  • SHA1: fc05b1f3a989308e498450c12f9b49fb71bb8354
  • SHA256: e52ffa52b7f8d71bfd0250e4b0ae56fbbdeb81b1747e9ed2061478bab51719b9
  • SHA512: 6cec19d0469c3f18575d3efedc24640b63785d3c42e8219d0bc471e4d13f8ef4d50898f83d35b583e945fc2ff9940509d7e4d6bcba1ca7a2b309ae821e992d0c
  • SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6m:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm55

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 5 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2024
    • C:\Windows\SysWOW64\pdncfngzuk.exe
      pdncfngzuk.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2292
      • C:\Windows\SysWOW64\qnetsssu.exe
        C:\Windows\system32\qnetsssu.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2712
    • C:\Windows\SysWOW64\nwtnncypazvqnnc.exe
      nwtnncypazvqnnc.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2340
    • C:\Windows\SysWOW64\qnetsssu.exe
      qnetsssu.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2672
    • C:\Windows\SysWOW64\unokmxqauobll.exe
      unokmxqauobll.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2868
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2632
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
        PID:2840

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
    Filesize: 20KB
    MD5: 7acd23daa908c7273473150c5a0da8ca
    SHA1: 40359263bf07c822377d2568993ba84191f34145
    SHA256: dfcb4eb980cf06425938b09a9c5342ffe490da13993ef7ea0bb931e1d9967d39
    SHA512: 5b5996243f987c456a8f8aaa06f4cb53c4dae94890175650f37bdff7cc6280abb40d95e055d471f6b157a9457a1f939bdc063c610e0ea48ad79947a9f442342c

  • C:\Windows\SysWOW64\nwtnncypazvqnnc.exe
    Filesize: 512KB
    MD5: 7cd709e5b187175c631d18b4d9337cac
    SHA1: 4f6a77cbf9108324342260e38728e62de0cbc736
    SHA256: f6273404e865b796c8f9fd73221a21efd2f1613c6fc7e536497b42c7c3d3fc82
    SHA512: 80ef6378bed4de1ec0cd5c716ec85ff7c7318247f7525f2015e9fb11509e256bf389211aa98edb2d52fd5f79544e09b9e0da00ce299e4cb903145507c28eeae2

  • C:\Windows\mydoc.rtf
    Filesize: 223B
    MD5: 06604e5941c126e2e7be02c5cd9f62ec
    SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
    SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
    SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

  • \Windows\SysWOW64\pdncfngzuk.exe
    Filesize: 512KB
    MD5: ea267fc8aea97f867d3e8148f1ff61a2
    SHA1: cac20f7028d68432345d77ee28191f51e0a230c3
    SHA256: e30f168935c1406d21bddf1b0e5ef01d4db901a26914c496d8e8e21c4dc9234f
    SHA512: 8c7db536d3b653942b933a4a104eb28f7d932c0913e7297f58bde5ed93774b555151ef7be24f026c0ff767121fb234a041482acb590c8441e934fc79b94acf0d

  • \Windows\SysWOW64\qnetsssu.exe
    Filesize: 512KB
    MD5: f01faf628642931bbdb59308f241e04c
    SHA1: 09624cb7f2864f7acc730b4d548032ed453c74f5
    SHA256: 628a3a7cb19c63b653671642eab56c8f6df9468c86055edadd3b4b8e210546db
    SHA512: 37ac928a977f286df72f0d1deb3bb7ca6002c5f9827ce438fcca0c24383b632979a7b0f13f682f2a9624b639ddbb776f5a72487a8cd97cad4b850b96169d1f63

  • \Windows\SysWOW64\unokmxqauobll.exe
    Filesize: 512KB
    MD5: 9e9439dbd6f8d0eb817d9640116b82b1
    SHA1: f7db97ea2b07e184b708f1028b2de4b7b0881c20
    SHA256: d6d820179fe160397b5af083abedac964682f5928035e52f671a104738dccdee
    SHA512: 79245c2dd1234e7e15eacfc4b21abb27b07c1e6d9fc3e7b8012cae9a6d2b8883ed04b0c1fc78b594d07bc8f13016bd9101f6e7ece4644367bc7a1598fb0b262f

  • memory/2024-0-0x0000000000400000-0x0000000000496000-memory.dmp
    Filesize: 600KB
  • memory/2632-45-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize: 64KB
  • memory/2632-92-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize: 64KB