Analysis

  • max time kernel
    150s
  • max time network
    134s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15/05/2024, 11:44

General

  • Target

    4606ac894da9657c311fe457556622e9_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    4606ac894da9657c311fe457556622e9

  • SHA1

    2bea8b70cf15ef00d4615481fd231658b5726a4c

  • SHA256

    1d28a74a7ebf34d131a32f0f3b6d6158019b51c3c0d5943ea629102473517611

  • SHA512

    48c2e95f62f948f00c353c08c197b791457edfc66be152d91b48a64716e9aee3899607569bd745523a94541b88b6230f2189ba5e528fbcb280dc678aafa30b94

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6p:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5W

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 9 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 22 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2168
    • C:\Windows\SysWOW64\wmoqqqraza.exe
      wmoqqqraza.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:560
      • C:\Windows\SysWOW64\smitplyk.exe
        C:\Windows\system32\smitplyk.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:764
    • C:\Windows\SysWOW64\bcigaigdwutbxju.exe
      bcigaigdwutbxju.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2192
    • C:\Windows\SysWOW64\smitplyk.exe
      smitplyk.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4728
    • C:\Windows\SysWOW64\iedasumrajdhd.exe
      iedasumrajdhd.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2704
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:5080
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4056,i,2607710392823067546,4648797561512801463,262144 --variations-seed-version --mojo-platform-channel-handle=4364 /prefetch:8
    1⤵
      PID:2944

    Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Program Files\LockRequest.doc.exe

            Filesize

            512KB

            MD5

            09724375a2b6edad98356e56239492ce

            SHA1

            93d2abcd00dba309883c8d27f11779c967aa8f40

            SHA256

            817f6d7bc839389799d3680ff18ead35f52a4083d21357121894d6838762d6a4

            SHA512

            7653cb8f2ba6109f458a6286275f257a39b5b7705e9df2bc55193a314ce5554e4b9d51af00294676125eed63c64e17fb5a24134beff5021751fb32d68df30e86

          • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

            Filesize

            512KB

            MD5

            4af55b563cbd98ef625c1babd4894cf0

            SHA1

            76346c0794f4b455fb276077e74209ce49eafd31

            SHA256

            cc60e1e0a50c4359405a86e36e78ec0bfb81ab3b8511f3808502425c01305b85

            SHA512

            a7e0ae440c8f24d9064e21263bbb80d00204928af89c8325b55cc365c37076af08ba457a029ceaf6226b5094eb95ecefc3a0924d1bed66c044eeebf7c20f26ff

          • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

            Filesize

            512KB

            MD5

            7356002b450de3757ab1778c148e65c7

            SHA1

            65017fc9be41983207b98d0c91ff714a57d9d534

            SHA256

            d709d7da5bd1355bf3afb65fb15a2d10e252ae3ef67c260604a5ec2ab7361271

            SHA512

            b18a9c45e4014ea73a15afd224e9b7501c197a13aa494817dc3e0376c6aa1c00bf566bef93896022678019b0fb7f07936ae800979c2850ab04693277e2e36dd6

          • C:\Users\Admin\AppData\Local\Temp\TCD1E90.tmp\sist02.xsl

            Filesize

            245KB

            MD5

            f883b260a8d67082ea895c14bf56dd56

            SHA1

            7954565c1f243d46ad3b1e2f1baf3281451fc14b

            SHA256

            ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

            SHA512

            d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

          • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

            Filesize

            239B

            MD5

            602dad6ee0e60cde6698692534ef100b

            SHA1

            c3e20be4cf62746964ff865964f4f354d412bfac

            SHA256

            596069f7c5d4c9cea8266af60fcc730fbaec42eb5dd0c6f4203e463b742fb598

            SHA512

            bc1fdcc479d9d46977847557985ca1744f1d4f135da27d82dd2f131419c16fbc70968eb27458a1769e59a9a166847be39aa81b82936e39e753d578ee13df8669

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

            Filesize

            3KB

            MD5

            f045a1d869187ea90c9de155ab37a649

            SHA1

            8e246c0c52320ad9c8e66302e91686b1e6062e5b

            SHA256

            9dc705b1b8534c87356b10005b873a02496ba47b5930b3849fcdb08a27dd51fc

            SHA512

            686d94b4d4046864886cef0667db2839bb3b72a4648e1e38d28a51828442930db9da12cea4c942aadcddb714dcce4eccae82f16c82dd2e205e43235449b7832a

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

            Filesize

            3KB

            MD5

            987bf79e70bdac320a6b0e429485c4ff

            SHA1

            0470157f25036abdc90c1c753f56a2f68f680a4b

            SHA256

            a547318c432f60d534c24d44583776495b01d5677d6311218c88a0e51df57f69

            SHA512

            3fdf695e5ab5d28e5994cbe8c91861e1979b5ab70117131a40e9c42c614aeabe4ffbb9c139398d50f612ec6f31806cf2f93b8a2a9f2bc9029b1d917b209acc94

          • C:\Windows\SysWOW64\bcigaigdwutbxju.exe

            Filesize

            512KB

            MD5

            2f30cd1d218847a0c0943de945838d73

            SHA1

            f508334deecba7769714ae8972e67c374fd06532

            SHA256

            7146cae97d178173ce1929d7d11b304bb727ffc0e93f810df2e1db2c60238195

            SHA512

            109574539329ea56d3f3b3714566523f5373464dc8046558e87f5dd56aa309045aba6d3a47779afb74a5e9a7544c2907178bf5cd7647eb6c28feba16ba41ff80

          • C:\Windows\SysWOW64\iedasumrajdhd.exe

            Filesize

            512KB

            MD5

            337234b7600cd3f028cd435c5d5624f9

            SHA1

            2b7aa8221d83bf5d32c8e966eaa0a5b032f18087

            SHA256

            1383aba901d09420cd61790a11c7ce56f1bf9b533b99b65734d6e923e5d58bab

            SHA512

            e414604a71eb19402527c4c50072c33feef666b99060c70c91528a671567d5fa588a99b13b47fb7ded4cfcf7d91e4cd4f1e9a8b079189708ac892eaa87aa43c0

          • C:\Windows\SysWOW64\smitplyk.exe

            Filesize

            512KB

            MD5

            f1b62cb251734aad7d67babfe36f2b5e

            SHA1

            ae504b8b55bb51397bae839bed75442a69316caf

            SHA256

            ac56ddc45402015d8b7ebe3629cb9d7e94d4a741ed7a9578bc20e3e69dd25f40

            SHA512

            e84b4ce151620cd73ce8a0e91d7f6d8ade74b0cec78d14beddcd3f4f649e54182175b31f66c3604a2d77f0d834c4508b49c0f1a05a13a3853f758370cfd987b2

          • C:\Windows\SysWOW64\wmoqqqraza.exe

            Filesize

            512KB

            MD5

            18062813339e9555ff5d1c7d3debfd7c

            SHA1

            489b98354148600c208bf5c3bb03485116887c6b

            SHA256

            03707fd7666c36629cdd4ded1d26032f053a8c15dcb1d66b0f75fd8d5614e990

            SHA512

            862e17548cc22e985e755fd39351963676b54344b3b4a1b99ec6a8738e6d6d9da9015ec3b4f7c0da353a40a83003c31178ac874ec9dea87ea30cc45cc8a9fdb4

          • C:\Windows\mydoc.rtf

            Filesize

            223B

            MD5

            06604e5941c126e2e7be02c5cd9f62ec

            SHA1

            4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

            SHA256

            85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

            SHA512

            803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

          • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

            Filesize

            512KB

            MD5

            2091f384cdbfa2a655796d4e6d41a88f

            SHA1

            2e17084bc6e429aa048d85da56ba138a590fe491

            SHA256

            d00e1561a8179082f626eac856f489a0c71fd108d57c7f3f25882b5021a638bd

            SHA512

            fcd46ee83a7ce75c8507e968403afe64d4e88ae1c20deaaf20aff90d42d0c7b9977e82765da59ac2ff051cf271d2e790bbe574746daf2128b271a3c57d092d57

          • memory/2168-0-0x0000000000400000-0x0000000000496000-memory.dmp

            Filesize

            600KB

          • memory/5080-36-0x00007FFEDEEB0000-0x00007FFEDEEC0000-memory.dmp

            Filesize

            64KB

          • memory/5080-39-0x00007FFEDEEB0000-0x00007FFEDEEC0000-memory.dmp

            Filesize

            64KB

          • memory/5080-38-0x00007FFEDEEB0000-0x00007FFEDEEC0000-memory.dmp

            Filesize

            64KB

          • memory/5080-37-0x00007FFEDEEB0000-0x00007FFEDEEC0000-memory.dmp

            Filesize

            64KB

          • memory/5080-40-0x00007FFEDCBE0000-0x00007FFEDCBF0000-memory.dmp

            Filesize

            64KB

          • memory/5080-35-0x00007FFEDEEB0000-0x00007FFEDEEC0000-memory.dmp

            Filesize

            64KB

          • memory/5080-41-0x00007FFEDCBE0000-0x00007FFEDCBF0000-memory.dmp

            Filesize

            64KB

          • memory/5080-600-0x00007FFEDEEB0000-0x00007FFEDEEC0000-memory.dmp

            Filesize

            64KB

          • memory/5080-601-0x00007FFEDEEB0000-0x00007FFEDEEC0000-memory.dmp

            Filesize

            64KB

          • memory/5080-602-0x00007FFEDEEB0000-0x00007FFEDEEC0000-memory.dmp

            Filesize

            64KB

          • memory/5080-599-0x00007FFEDEEB0000-0x00007FFEDEEC0000-memory.dmp

            Filesize

            64KB