Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15/05/2024, 11:10

General

  • Target

    45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    45e4eee014788a7efcf398d896a0af64

  • SHA1

    fc05b1f3a989308e498450c12f9b49fb71bb8354

  • SHA256

    e52ffa52b7f8d71bfd0250e4b0ae56fbbdeb81b1747e9ed2061478bab51719b9

  • SHA512

    6cec19d0469c3f18575d3efedc24640b63785d3c42e8219d0bc471e4d13f8ef4d50898f83d35b583e945fc2ff9940509d7e4d6bcba1ca7a2b309ae821e992d0c

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6m:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm55

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 11 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 28 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
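The signature names above (file-extension and hidden-file visibility, RegEdit disabled, Run key, WinLogon) are the sandbox's labels for registry writes, but the report does not print the values this sample wrote. The following is an added example, not part of the report and not the sandbox's own rule set: it maps Sysmon-style registry "value set" events onto those labels using the well-known key/value locations each behaviour normally touches. Which of these locations this particular sample modified is an assumption; the events, the user SID and the value data are constructed to mirror the process tree below (PID 1148 for bbyadyhaeq.exe, PID 1964 for xrjqxxycnhnihgw.exe).

```python
"""Map Sysmon-style registry events to the behaviours named by the sandbox
signatures. Added example; the registry locations are the conventional ones
for each behaviour and are an assumption about this sample, not taken from
the report. All events below are constructed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class RegEvent:
    pid: int
    image: str
    target: str   # key\value path, as Sysmon Event ID 13 reports TargetObject
    details: str  # value data, e.g. "DWORD (0x00000001)" or a plain string


_DWORD = re.compile(r"DWORD \((0x[0-9a-fA-F]+)\)")


def dword(details: str):
    """Extract the integer from Sysmon's 'DWORD (0x...)' rendering, else None."""
    m = _DWORD.search(details)
    return int(m.group(1), 16) if m else None


_ADV = r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\"

# (pattern on the target path, predicate on the value data, signature label)
RULES = [
    (re.compile(_ADV + r"HideFileExt$", re.I), lambda d: dword(d) == 1,
     "Modifies visibility of file extensions in Explorer"),
    (re.compile(_ADV + r"ShowSuperHidden$", re.I), lambda d: dword(d) == 0,
     "Modifies visibility of hidden/system files in Explorer"),
    (re.compile(_ADV + r"Hidden$", re.I), lambda d: dword(d) == 2,
     "Modifies visibility of hidden/system files in Explorer"),
    (re.compile(r"\\Policies\\System\\DisableRegistryTools$", re.I), lambda d: dword(d) == 1,
     "Disables RegEdit via registry modification"),
    (re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I), lambda d: True,
     "Adds Run key to start application"),
    (re.compile(r"\\Windows NT\\CurrentVersion\\Winlogon\\(Shell|Userinit)$", re.I), lambda d: True,
     "Modifies WinLogon"),
]


def classify(events):
    """Return {pid: sorted signature labels} for every event that matches a rule."""
    hits = {}
    for ev in events:
        for pattern, predicate, label in RULES:
            if pattern.search(ev.target) and predicate(ev.details):
                hits.setdefault(ev.pid, set()).add(label)
    return {pid: sorted(labels) for pid, labels in hits.items()}


# Constructed sample: a made-up user SID and the two dropped binaries' PIDs.
SID = r"HKU\S-1-5-21-1111-2222-3333-1001"
ADV = SID + r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
DROPPER = r"C:\Windows\SysWOW64\bbyadyhaeq.exe"
RUNNER = r"C:\Windows\SysWOW64\xrjqxxycnhnihgw.exe"
SAMPLE_EVENTS = [
    RegEvent(1148, DROPPER, ADV + r"\HideFileExt", "DWORD (0x00000001)"),
    RegEvent(1148, DROPPER, ADV + r"\ShowSuperHidden", "DWORD (0x00000000)"),
    RegEvent(1148, DROPPER, SID + r"\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools",
             "DWORD (0x00000001)"),
    RegEvent(1148, DROPPER, r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
             "explorer.exe bbyadyhaeq.exe"),
    RegEvent(1964, RUNNER, SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\xrjqxxycnhnihgw", RUNNER),
    # Benign: turning extensions back ON is the opposite of the signature and must not fire.
    RegEvent(4000, r"C:\Windows\explorer.exe", ADV + r"\HideFileExt", "DWORD (0x00000000)"),
]

if __name__ == "__main__":
    for pid, labels in sorted(classify(SAMPLE_EVENTS).items()):
        print(pid, labels)
```

The predicates matter as much as the paths: HideFileExt=0 or ShowSuperHidden=1 are the user restoring defaults, so a rule that only matches the key path produces noise; only the values that hide extensions and protected files correspond to the report's labels.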

Processes

  • C:\Users\Admin\AppData\Local\Temp\45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4996
    • C:\Windows\SysWOW64\bbyadyhaeq.exe
      bbyadyhaeq.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1148
      • C:\Windows\SysWOW64\ufkkztec.exe
        C:\Windows\system32\ufkkztec.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:740
    • C:\Windows\SysWOW64\xrjqxxycnhnihgw.exe
      xrjqxxycnhnihgw.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1964
    • C:\Windows\SysWOW64\ufkkztec.exe
      ufkkztec.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1628
    • C:\Windows\SysWOW64\outejfrvabuow.exe
      outejfrvabuow.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1836
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:2020

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

          Filesize

          512KB

          MD5

          786e8eef5ae896fb874e5815ad705aaa

          SHA1

          daf0d475fdc8b4d5f123844a4e60d5d3ed69c5af

          SHA256

          a2b82047368966157a25f3f9abfdfae35c20726c36ceb5481e002fe615ba915d

          SHA512

          e1c090ac9b942cae99fc234106ea0e4c3da535f2c32253e8577961056824d3f243759e2f93fa7bbcc484341e5a6d8a8ec21572ab73844dfcf8aca1943541575f

        • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

          Filesize

          512KB

          MD5

          ea633d1de8fc1f16482f77813867dae7

          SHA1

          1d845aeaae65a7d08d6337f9e388c68c08d8416d

          SHA256

          a21ecca2d0d8293faf28fb0cecd0d65db74f1f3b40bb87256352b7b10a876e4e

          SHA512

          eb6f772c9af3db34407ac1f34e1a37a84c4e3be10d87756eeb9425e0c83d3fdda12d05c14fd75a999bc300c776edc6c9b33898e3b9b17eaf02861e0de4d5add2

        • C:\Program Files\MountUnpublish.doc.exe

          Filesize

          512KB

          MD5

          fe42592edf7231dcedad3d5c8630721c

          SHA1

          a94410f7247190cfbb86c641ac5a08216d12feca

          SHA256

          5f987a7999c7090187712ea5213672f3fe0b1cf0a7757dfe682db623d4389ba1

          SHA512

          9ca205169bf4c6afc148e87f0422f427a84e4795392fe29736eba5f7e6e59937d5aeb3c95f77074d7aa03819275d2fffbc4f0ca102ee7583ba1431dc8c0ff543

        • C:\Program Files\TestDebug.doc.exe

          Filesize

          512KB

          MD5

          3c128a06f4b67b844d2c3642e8b2d32b

          SHA1

          d9ac8c4b342057b87f5dadcd513d3d1b77bcab28

          SHA256

          1fec05fac01d28d0a5d04bb488f0bea448e1a59924c75c178d442d62ce29bd20

          SHA512

          0a3d02e87945bb7d7cf934f577c2e05e36d37159e27bc069123b5cc6ae7d008a846ad58e4f3c293462eacb1986c19b29a1dd4a65ccf6499f303791fb1a1936cb

        • C:\Users\Admin\AppData\Local\Temp\TCD8DD6.tmp\iso690.xsl

          Filesize

          263KB

          MD5

          ff0e07eff1333cdf9fc2523d323dd654

          SHA1

          77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

          SHA256

          3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

          SHA512

          b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

        • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

          Filesize

          239B

          MD5

          12b138a5a40ffb88d1850866bf2959cd

          SHA1

          57001ba2de61329118440de3e9f8a81074cb28a2

          SHA256

          9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf

          SHA512

          9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

          Filesize

          3KB

          MD5

          60832a6f47f16e2cf1771d847cf0fe54

          SHA1

          ca1aef2c3b246c100b1b8a7a2ea2cd250ce0acbd

          SHA256

          cf7cf19a1b5805ec4b0686199f41817b059a618b09331d440fa2f9606867cbbb

          SHA512

          f5112f00ce40d5441ba294bbb28566407991f59ab06ce77443cb0a9aef3f89ee97133e3ccbdc397fb0bc74a92338058f431b46d2e696e38a6a6604c7bcf1ef73

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

          Filesize

          3KB

          MD5

          2afaa0755abf506991c0d908adaea083

          SHA1

          4551563b85795c6c86e48e6c3f1e3daa8a8146c2

          SHA256

          090bb2bdd916ad2e9964667b47ecac321a4d73009e82b5dd1ff5910c3668ee59

          SHA512

          3e3dc7683cf8bf05b5266af818bd4d8ced89c72e4f446876cf333f6b53bd65587913bc85caa950064ea38e19e0bf9b881f137cb68019b21b5169eb717ab039a8

        • C:\Windows\SysWOW64\bbyadyhaeq.exe

          Filesize

          512KB

          MD5

          8b3b630e06ba7998c7e273ad93023c95

          SHA1

          d474c437429278b8e010096a32da244ba75f4700

          SHA256

          8b496bae970ca6d3995d56dc17b7caaae49f4ab15b2e41ba38e524f0a838aafd

          SHA512

          77869c91cbb1acc34d11016a177fdc3a1b92a7f15733d58b4a8e373d7d8e99467c078ac00b2307c98327f66ddaf7baa1985200765b474094c040aef1bbbb97ce

        • C:\Windows\SysWOW64\outejfrvabuow.exe

          Filesize

          512KB

          MD5

          e8ed41959c85da8344ff3f3621ad2c9b

          SHA1

          070a523628a85aaba6244da4dd84e531b4f1dee7

          SHA256

          22d61946a4530106170e49b190d7231872b570fd527d0061f392e3cd518108fd

          SHA512

          b9cb389b0bfe13f7aa7eae199f831acb15fdda2497237a015443d31c4ae6469a42d896174bfea75f8b252a6c9ce3cc2e4b0429ce2358600fef20f263a683241b

        • C:\Windows\SysWOW64\ufkkztec.exe

          Filesize

          512KB

          MD5

          a560edbaf9b346600834457d07bc5347

          SHA1

          ae33e11a86e360de9cf690334f63a3abb9e62dca

          SHA256

          231e2bf1132fbc597e86476bcf5ac1c8f11dd53aa6f5d3cae96a5a919640b727

          SHA512

          3b06399edd0f4b8116cbb233dd4cd958b306d7a73e0a5996f04e7d25749670b4d042ea955043dbeabdd1a66e1dd8eda20d7abae5c76c365ad5b971b027feb8b3

        • C:\Windows\SysWOW64\xrjqxxycnhnihgw.exe

          Filesize

          512KB

          MD5

          acae3016c17163b16355ea68758d18ab

          SHA1

          4d7b0db06c11df2b7127921aecaf8117d4571a2c

          SHA256

          9eb95e237a789f3de32a44222d1c598bf0d664c5b12f916708f1376964b62238

          SHA512

          ece435f7d124c7c01a0183caa2191b70cf16f73c224a4eb6da6207a3d03660b7abea1b317e531b5bcf36fbd2fd3338fe591e9ee1dfbe4da80f270297d96aeb3f

        • C:\Windows\mydoc.rtf

          Filesize

          223B

          MD5

          06604e5941c126e2e7be02c5cd9f62ec

          SHA1

          4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

          SHA256

          85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

          SHA512

          803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

        • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

          Filesize

          512KB

          MD5

          996b9ce90b9ad79535bc82220e2d2948

          SHA1

          a8f529505ca2bdf85b1fcc541e0322f9709b0549

          SHA256

          8d665e77f4ebd7d0c6edd376b774d5a38f92e6f2fa59a6265f5468d2ae793c01

          SHA512

          e620d559643194f5ec1cbe68942487c463378b61e551cb06db76af4b86943de8fa02e1d1428814fba85036602312e34b25b586b6d091717fb42bb1d3965293e0

        • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

          Filesize

          512KB

          MD5

          9bd4e83dcf3edba5221ca066402ec0c5

          SHA1

          1ad425e275cdd2fedee0a7a582960623f8432b22

          SHA256

          f84b02e315e61455f40a9aa5fe3b9ed4172fa3128697edc393ef2698a1a1bf1d

          SHA512

          732a128d15ef7bf92a4f0c3bf229067b9617e3f7827e528d23c82c0a0a99efd1c16cac8a8109826e79e55431da054774319ff2b9bb220be71e5edca8606d9668

        • memory/2020-38-0x00007FF95EF90000-0x00007FF95EFA0000-memory.dmp

          Filesize

          64KB

        • memory/2020-41-0x00007FF95EF90000-0x00007FF95EFA0000-memory.dmp

          Filesize

          64KB

        • memory/2020-40-0x00007FF95EF90000-0x00007FF95EFA0000-memory.dmp

          Filesize

          64KB

        • memory/2020-39-0x00007FF95EF90000-0x00007FF95EFA0000-memory.dmp

          Filesize

          64KB

        • memory/2020-42-0x00007FF95C9A0000-0x00007FF95C9B0000-memory.dmp

          Filesize

          64KB

        • memory/2020-43-0x00007FF95C9A0000-0x00007FF95C9B0000-memory.dmp

          Filesize

          64KB

        • memory/2020-37-0x00007FF95EF90000-0x00007FF95EFA0000-memory.dmp

          Filesize

          64KB

        • memory/2020-607-0x00007FF95EF90000-0x00007FF95EFA0000-memory.dmp

          Filesize

          64KB

        • memory/2020-608-0x00007FF95EF90000-0x00007FF95EFA0000-memory.dmp

          Filesize

          64KB

        • memory/2020-609-0x00007FF95EF90000-0x00007FF95EFA0000-memory.dmp

          Filesize

          64KB

        • memory/2020-606-0x00007FF95EF90000-0x00007FF95EFA0000-memory.dmp

          Filesize

          64KB

        • memory/4996-0-0x0000000000400000-0x0000000000496000-memory.dmp

          Filesize

          600KB
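Every dropped copy listed above is 512KB but carries a different hash, so the hashes only identify the exact copies from this run; the naming pattern, an Office document name with ".exe" appended (PROTTPLN.DOC.exe, MountUnpublish.doc.exe, TestDebug.doc.exe, MsoIrmProtector.doc.exe), is the more durable indicator. The following is an added example, not part of the report: a hunt over a directory tree that flags double-extension names and, separately, any file whose SHA-256 matches one of the dropped executables listed in this report. The SHA-256 values are copied from the report; the directory tree it scans is constructed for the example and its file contents are placeholders, so the hash match is only exercised when the caller adds a hash of the constructed data.

```python
"""Hunt a directory tree for the dropped-file pattern shown in the report.
Added example; the SHA-256 set is taken from the report's Downloads list,
the scanned tree is constructed here."""
import hashlib
import os
import re
import tempfile

# SHA-256 of the dropped executables listed in the report.
KNOWN_SHA256 = {
    "a2b82047368966157a25f3f9abfdfae35c20726c36ceb5481e002fe615ba915d",  # PROTTPLN.DOC.exe
    "a21ecca2d0d8293faf28fb0cecd0d65db74f1f3b40bb87256352b7b10a876e4e",  # PROTTPLV.DOC.exe
    "5f987a7999c7090187712ea5213672f3fe0b1cf0a7757dfe682db623d4389ba1",  # MountUnpublish.doc.exe
    "1fec05fac01d28d0a5d04bb488f0bea448e1a59924c75c178d442d62ce29bd20",  # TestDebug.doc.exe
    "8d665e77f4ebd7d0c6edd376b774d5a38f92e6f2fa59a6265f5468d2ae793c01",  # MsoIrmProtector.doc.exe
    "f84b02e315e61455f40a9aa5fe3b9ed4172fa3128697edc393ef2698a1a1bf1d",  # MsoIrmProtector.doc.exe (2nd)
    "8b496bae970ca6d3995d56dc17b7caaae49f4ab15b2e41ba38e524f0a838aafd",  # bbyadyhaeq.exe
    "22d61946a4530106170e49b190d7231872b570fd527d0061f392e3cd518108fd",  # outejfrvabuow.exe
    "231e2bf1132fbc597e86476bcf5ac1c8f11dd53aa6f5d3cae96a5a919640b727",  # ufkkztec.exe
    "9eb95e237a789f3de32a44222d1c598bf0d664c5b12f916708f1376964b62238",  # xrjqxxycnhnihgw.exe
}

# A document extension immediately followed by an executable one, any case.
DOUBLE_EXT = re.compile(r"\.(doc|docx|docm|rtf|xls|xlsx|ppt|pptx|pdf)\.(exe|scr|com)$", re.I)


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt(root, known_hashes=KNOWN_SHA256):
    """Return sorted (relative path, reason) pairs; a file can appear twice."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if DOUBLE_EXT.search(name):
                findings.append((rel, "document name with executable extension"))
            if sha256_of(full) in known_hashes:
                findings.append((rel, "SHA-256 matches a dropped file from the report"))
    return sorted(findings)


def build_sample_tree():
    """Constructed tree mimicking a few paths from the report; contents are placeholders."""
    root = tempfile.mkdtemp(prefix="hunt_")
    samples = {
        os.path.join("Program Files", "MountUnpublish.doc.exe"): b"MZ" + b"\0" * 64,
        os.path.join("Program Files", "Microsoft Office", "root", "Office16", "1033",
                     "PROTTPLN.DOC.exe"): b"MZ" + b"\1" * 64,
        os.path.join("Users", "Admin", "Documents", "report.docx"): b"PK\x03\x04",
        os.path.join("Windows", "mydoc.rtf"): b"{\\rtf1}",
    }
    for rel, data in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    for rel, reason in hunt(build_sample_tree()):
        print(f"{reason}: {rel}")
```

On a live host the same walk over C:\Program Files and C:\Windows\SysWOW64 would surface siblings of the copies listed here even though their hashes differ, which the hash set alone cannot do.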