Analysis
-
max time kernel
149s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
16-05-2024 10:41
General
-
Target
4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe
-
Size
512KB
-
MD5
4aabb8cf3e1c596f9948b6da31989213
-
SHA1
5e9c5d7ecef0692af7789b4aab6a0af89c5322f9
-
SHA256
7214770870e8f3a372e48a8c3d89d35c685e65d9be4f0bc8a7adb7ff010ad246
-
SHA512
3b097e31fb59c4e52cb338b19e6c3acb7796c8745c74a8f55cd899fbfb0d544bbfecab7ccd90183a84e588f83474f027b6fee785c47a4318aa309e6712d4e05d
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj64:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5h
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 5 IoCs
-
Disables RegEdit via registry modification 1 IoCs
-
Executes dropped EXE 5 IoCs
-
Loads dropped DLL 5 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 6 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Modifies WinLogon 2 TTPs 2 IoCs
-
AutoIT Executable 9 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory 9 IoCs
-
Drops file in Program Files directory 14 IoCs
-
Drops file in Windows directory 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Office loads VBA resources, possible macro or embedded object present
-
Modifies Internet Explorer settings 1 TTPs 31 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of FindShellTrayWindow 18 IoCs
-
Suspicious use of SendNotifyMessage 18 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 28 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\tzjajdzxsu.exetzjajdzxsu.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sqyconul.exeC:\Windows\system32\sqyconul.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
-
C:\Windows\SysWOW64\essmrpihhafingu.exeessmrpihhafingu.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\SysWOW64\sqyconul.exesqyconul.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\SysWOW64\hiiabtxgfauka.exehiiabtxgfauka.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122883⤵
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
2Disable or Modify Tools
2Modify Registry
7Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
512KB
MD555e02394a4d611a7ea6f3cb2ce8d5218
SHA11b1a72ddf02ba96dd89447996189b9b59bc89c1e
SHA2563119bc76e6d00a80fb5671b03f084b4490980b20c9f1511b8ac47579dd662cb6
SHA512fef252980045721ee357a17588062bcd91dbc8af8d72b003b343df263d143bfc895ebc60feef73597ea94857e1604f54c604f994e337f7c55a90089511b75595
-
Filesize
512KB
MD56da9527d9ebd4dcc86695fd7f5b8491f
SHA157eb97d64e832ed98ccbd0845e15886f56f0bfe5
SHA256ffd04ebaf37648184eb647ad489b441bacf1263ff695dcfa23372bf0e1754ac5
SHA5123e261f0674061ef4e1d74a6aa68d181d723e1b03410d956a702711bc08766a0a39c4a7d21c7083deb6faeae72f77cf46d61edb5b8e9a39207185cfa091a2df1b
-
Filesize
20KB
MD5e3cabf925999f02e77e981dc62bac0c6
SHA1142913e88c355b2cfdbf5d313cb3600990b97a59
SHA2569c8d3ad51c1b63a27fd4adf15791d03b006f400b84f6cd3dab3f333007a0ceea
SHA512afa1d3a96c77749b9ae00855da0734c519370d7e1d9c22e79a8c84f74575d6e3ad99a4c422c07452d4b7d2ced84a444b2fd040ee28b3cdfa3f6699da2b6b0191
-
Filesize
512KB
MD58591bc4827299f35aa766813c7148882
SHA13eff2b1b33fb25f5a465153d343c05a67873a7fd
SHA25662336a2009bc55164b886ec18bb9d378f7f49f86f211ebcb34bf39202f084206
SHA51200e9b9a58ff5011d4002f05af9e940c09083a719dc9a0ad29de824cb4f56129724bdf6757e29093df843056a92c7955a0047c3b00d0af3226e65c782765e743d
-
Filesize
512KB
MD54aabb8cf3e1c596f9948b6da31989213
SHA15e9c5d7ecef0692af7789b4aab6a0af89c5322f9
SHA2567214770870e8f3a372e48a8c3d89d35c685e65d9be4f0bc8a7adb7ff010ad246
SHA5123b097e31fb59c4e52cb338b19e6c3acb7796c8745c74a8f55cd899fbfb0d544bbfecab7ccd90183a84e588f83474f027b6fee785c47a4318aa309e6712d4e05d
-
Filesize
223B
MD506604e5941c126e2e7be02c5cd9f62ec
SHA14eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA25685f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
Filesize
512KB
MD5f304679324f51d93d6fc3d3ec175e67e
SHA143ef87a21dbc4cdb47e97fc7689131652a66bcd0
SHA2569f8b10428218d0720477f2bc90c76b13456e6455337283dfe6f47729822f0787
SHA512bd83de1d98f5dea3b9ba171fa97c1a79009f7cc0aa128052624e252718296c923f89983cc18d1c31252c352748b3f484627087c03c1b6994f7bf4ea1847c5762
-
Filesize
512KB
MD57d56c11c78a413b973aaba6ec124b54d
SHA134318911c116cf2351ec81bcc83324f40910201a
SHA256829b20a3afae05fc6f9ba7d3cd5f95f6cb477caef727f5a57ddd27c1e3c17fba
SHA51271732ccc6d6c36cf9f722b9b83c16687fd812f1f52f150597133a1bb8134e52a5a34ef574c8f3c6cb2789e67ea467c0c25961b88bdf928ae31503601df7ee71e
-
Filesize
512KB
MD5f7e75bf41fc6b01ce38fca593184c20e
SHA1b3bcb64bc1d84070778aa0c47c327b6932ceedd1
SHA256453b0324f21dedf53715d2e0534d3a8c4156f8af6a9771db51127cc106fb03b8
SHA51211d015dde8a6ea2a7a9df140fccc4fa6a444b70bdd62b38b4be9bd949af283aed347e0dfe0227b81352716ed240615f805adcb6916f394a56c343a04235785b6
-
Filesize
512KB
MD5709842db14904f25820c294d9994e467
SHA1135140b42f32887fd9958d17444d742fb7e582d5
SHA256eb8000a67e5a688475ee129f9d9178415c4d29a5e1df780e3fbaea97574b32f1
SHA512e9ee71eec1f0591d9ebea7741e6a893a1a473cc487d051b3f73467479557f9a5e43a47dd9cc0fbea44cdbf1c7b4cf97a1b4ece296dc4c3e56de2a7f7acf9ff86
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
600KB