Analysis
-
max time kernel
149s -
max time network
134s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
23-05-2024 03:35
General
-
Target
699abc287d13163b8bb3026aa713dcb6_JaffaCakes118.exe
-
Size
512KB
-
MD5
699abc287d13163b8bb3026aa713dcb6
-
SHA1
899554a9cb47a686b99a5c69786eed376c726f13
-
SHA256
b697b55106ac91d268527ca90b0a3dde60039262b864f21466255d4187f616cf
-
SHA512
26480aef7573c4a100ef1389caa9fdf31126068eec19ef7d5273590e56bac7448c28f2ce3c22e79600f6d9fc967cd3122b7141a7679fd5725d721fda8045c282
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6P:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm50
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 5 IoCs
-
Disables RegEdit via registry modification 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 5 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 6 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Modifies WinLogon 2 TTPs 2 IoCs
-
AutoIT Executable 11 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory 13 IoCs
-
Drops file in Program Files directory 14 IoCs
-
Drops file in Windows directory 19 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 20 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of FindShellTrayWindow 18 IoCs
-
Suspicious use of SendNotifyMessage 18 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\699abc287d13163b8bb3026aa713dcb6_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\699abc287d13163b8bb3026aa713dcb6_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\uvywaaxarf.exeuvywaaxarf.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\gbltsvoa.exeC:\Windows\system32\gbltsvoa.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\zktrykabgkghozx.exezktrykabgkghozx.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\gbltsvoa.exegbltsvoa.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\vszklabncszea.exevszklabncszea.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""2⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Modify Registry
6Impair Defenses
2Disable or Modify Tools
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exeFilesize
512KB
MD5362afaa1aa9fcb983c06aa0764a6e8bb
SHA1ee2e5d54c96ebf6924e4eb7f2fb37956e8f0917f
SHA25687a9c7eabcb6271c0e96fcf85b321b1dc4e15a66aaa52111b764441e47020f74
SHA5121548481f8d2db98f4e147877edf1229a0cced823f2ead0062e54238341f91635efcefc789ad100ec273f996ceeb02cb3904e569fc175d570921ca5bc89441ce4
-
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exeFilesize
512KB
MD5eac9a463eb995d57517ee0f172082c4d
SHA1e8216a679c27af36cfc61076521491a17594251f
SHA25660e851f7951e44ffedc46dfd8965aa81c6abe28e9d4eb1c6b220da268bd7bc2a
SHA5128922b6b2a94093b1191e569c05e280b610a4a9295938b19bc04618c4d71f9ddaf87f691366a6fec0be4379a4a8d331add4a396a9efe2943298b331993445881f
-
C:\Users\Admin\AppData\Local\Temp\TCD7EB1.tmp\sist02.xslFilesize
245KB
MD5f883b260a8d67082ea895c14bf56dd56
SHA17954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e
-
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.datFilesize
239B
MD512b138a5a40ffb88d1850866bf2959cd
SHA157001ba2de61329118440de3e9f8a81074cb28a2
SHA2569def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA5129f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-msFilesize
3KB
MD5a4a63e301d64329d1b85c13e33a2ea31
SHA1f2a9fb1d91106c311b7a944fc948ba1db8325ad7
SHA2560fba9c2d8fd205cfc016b5fd15f7bc85955647e0d51f7094d890f1674eb66956
SHA51260ecb205501bcdfec50d95d7f5895e87ce9e6992a89fc587b64816c7c0177a9f447e3195c5a771910d76b47d620fb699e7037dec946a45d54b4d76180823b07e
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-msFilesize
3KB
MD5812e3317af7ce3ac5ab620b74680de5a
SHA13623dde349c7e44d1fe6cb0209a12c015ccc0ee2
SHA2561b8edcb7c436b052a20c5fdd0d3cab45d7014514e8a5351c52a09b70adc5a9a7
SHA512108e7ed73307e6c7880c76cc14fe41dbd231f49b1ab8f1160bc08edb78e95b59ca1f223113de391f61da1453087136cec5633937a788658d0d283e4bf0ad2835
-
C:\Users\Admin\Desktop\GetConfirm.doc.exeFilesize
512KB
MD52ae84b23ab436d59f47945b84c5db790
SHA1c37d9aea25bec6d3a5da36ced68e1e4775fcf88d
SHA25658aef471f474efd67d6bd3128ecbb56ff6d72837b65c7259b324cd18b595647b
SHA5128ed53ab1547aa258f0ce1c3949887df7553e719fe7985926733a63cf59efcc1220ddf1d812c62f28d58c2eb08e7f71c16a53d97205bf20ebb93c94cb3c308732
-
C:\Users\Admin\Documents\ResizeReset.doc.exeFilesize
512KB
MD5974584b48fd5116575f4b376f902a0cc
SHA14c3793482f049e149673791e256eef9113334877
SHA256a0ca4039db5f7ccb66e830952792be3edb8983ab1159600f353fe40acba2ab8f
SHA5124e98c4a3ddd37ec9d5b17c1f0d689080de9bf9692747b62a2af0e333ac78f03b02ad8d214fceb9df1693b64c27bf42b9bd879f77e115435eef30993e83ac6b53
-
C:\Windows\SysWOW64\gbltsvoa.exeFilesize
512KB
MD5b49ffc11f561b34e3339b3a895f46a25
SHA1bb5c514cdee98dc27ffaa93caf5d5d09a66ec374
SHA2567508035141569cd5e644502c1bd9c7c5eda3b493b2e8f39b44344fc08d612447
SHA5129e4c8e7871582221007291ee17fb48c2963166f4c9b4b46085e9b8421a40e6825a2d9bde0b6b6a42d40ba27366e180b590227a5c99926fe4c0745c5a6d6485c9
-
C:\Windows\SysWOW64\uvywaaxarf.exeFilesize
512KB
MD5e2e0357186dbbb24de547317401a00f1
SHA1c3969430a71a7076305306908a146e02ee8ee749
SHA256a5550b83649629eb0c213fcb03dc354f1d91df1c8e7f79e8b6554d73305d4158
SHA51213479a4a195a651794375a6b9f96aa3c740a867a73491b7625992aea50a57088b5e646e8f52a3a0e0337924ce9ed7daa4a11d67575b697ed9d342aeeb579752b
-
C:\Windows\SysWOW64\vszklabncszea.exeFilesize
512KB
MD5649893d669f71ae9e5f1acc6d5bdbdbf
SHA17d67eb22e4c0964b4cc1b66473818cfe96aa2e46
SHA256c3e6f73b5eaab79c242f1622a32f4958c824494a24acee22dcdfac5785055440
SHA51260c054410ecfa19be080c4d3e44c0a49b152fc98eaa4befed9a12642dfb652e217a71b6c66c209a4a18825edb89e4e53ae27d2f22645e8fbcfc718c456d65896
-
C:\Windows\SysWOW64\zktrykabgkghozx.exeFilesize
512KB
MD5392fa65758f5375279b0e71eaabfea23
SHA124dd982cccf03e210f434196fb0ef677ee6cef69
SHA256fdaa6ad6a1e9e051e70b941db3883083ce3f5bc249ea55e4c7f7ef14e6ad5d7e
SHA512281305420b123442a5018e460ee38f41f86512f59a3526e77f4def071991f26d1a3c122fc4f2a45eb4206c9892ceee197f2a53df853b8f597e8ca88dd69470f4
-
C:\Windows\mydoc.rtfFilesize
223B
MD506604e5941c126e2e7be02c5cd9f62ec
SHA14eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA25685f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exeFilesize
512KB
MD50f39e737470f99a218a8527dc4f3e8ab
SHA166bb47ab778bfd569eacb7454ab066ea5b85ac82
SHA256104a43839867cdd50e7f22ac99f5976d16da9cc8b391bb8bfd61f3e9251372f5
SHA512fa4713083cd1717974762991dbcfd60cba35674de6ea32fcab8509b3a9f9822d8f4932af2beb37d82152add6bace3a9dd42025e608fea81d266152e472b15f8c
-
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exeFilesize
512KB
MD564f2ad0bd887e11a5c3cba68a4281aab
SHA1b89aa9ddbcf88b82447710d47cd6fd91b23ed472
SHA2564f77c474200c3337cbcd0ee757da3c20f2513c732a205232c0a9bb658c512787
SHA512ebada38f15072711e3f23dcee66dc0eff309fb237ebe5248e206286a603a2b69a38848b656ce37c117fc203f502610b2154f4a04511db88be753489221c40ffb
-
memory/2552-38-0x00007FFA32BF0000-0x00007FFA32C00000-memory.dmpFilesize
64KB
-
memory/2552-39-0x00007FFA32BF0000-0x00007FFA32C00000-memory.dmpFilesize
64KB
-
memory/2552-36-0x00007FFA32BF0000-0x00007FFA32C00000-memory.dmpFilesize
64KB
-
memory/2552-37-0x00007FFA32BF0000-0x00007FFA32C00000-memory.dmpFilesize
64KB
-
memory/2552-35-0x00007FFA32BF0000-0x00007FFA32C00000-memory.dmpFilesize
64KB
-
memory/2552-40-0x00007FFA30290000-0x00007FFA302A0000-memory.dmpFilesize
64KB
-
memory/2552-41-0x00007FFA30290000-0x00007FFA302A0000-memory.dmpFilesize
64KB
-
memory/2552-612-0x00007FFA32BF0000-0x00007FFA32C00000-memory.dmpFilesize
64KB
-
memory/2552-613-0x00007FFA32BF0000-0x00007FFA32C00000-memory.dmpFilesize
64KB
-
memory/2552-615-0x00007FFA32BF0000-0x00007FFA32C00000-memory.dmpFilesize
64KB
-
memory/2552-614-0x00007FFA32BF0000-0x00007FFA32C00000-memory.dmpFilesize
64KB
-
memory/2984-0-0x0000000000400000-0x0000000000496000-memory.dmpFilesize
600KB