Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-05-2024 05:57

General

  • Target

    69f5d47856a236e062f07142c98fe7fe_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    69f5d47856a236e062f07142c98fe7fe

  • SHA1

    05f68d26f87700fe6d205be181d9419bacf1d5d1

  • SHA256

    914dd25472fe32554ed5147eeee0930b2ee42750257cffee9fdc72d0387c622f

  • SHA512

    51ca4db9b7be7ae841a58b4304aa06610521e3dd15428013852bdc36f6679a85f925fbd0cc11885691b72c84fbb6c3632e2680746aadb90becbf2990795187d7

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6P:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm54

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 11 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 13 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\69f5d47856a236e062f07142c98fe7fe_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\69f5d47856a236e062f07142c98fe7fe_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4732
    • C:\Windows\SysWOW64\wbjnpbkwsz.exe
      wbjnpbkwsz.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:4896
      • C:\Windows\SysWOW64\pycbfnqb.exe
        C:\Windows\system32\pycbfnqb.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4984
    • C:\Windows\SysWOW64\vadempkljdydayn.exe
      vadempkljdydayn.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4844
    • C:\Windows\SysWOW64\pycbfnqb.exe
      pycbfnqb.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2564
    • C:\Windows\SysWOW64\raecrplrcfwwl.exe
      raecrplrcfwwl.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2972
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:760

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

    Filesize

    512KB

    MD5

    6351f28236b53d5a5e74921c0774bd30

    SHA1

    8568d340ea8ef73aae47191263a0710b5ba98b35

    SHA256

    b21dfe22f8c1dfb2e5dcdd71a4737d385bd8efc1dd392134c364783cdd3f13d5

    SHA512

    eee0a070c380cd88446eccfee99375547da0219a3e2ed2b94351c4d1c20ad3d61e4a6ffffbe00bd482b59a0ae8c8a7e80436c2d78c44bf9bccc2036f931c5f86

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

    Filesize

    512KB

    MD5

    6b88bb8ec6ebd4fe081a954ab5cf67e7

    SHA1

    12ef73ed230314b6793e4a5bb5b1dd78926975a6

    SHA256

    d3f93e428bb798f8f21b92ee2b60753bba9fe3f775862cc2e006eb54e6226843

    SHA512

    1888503016383911d2d5fb3d0b1b825db2c35c98a70cdf82b116d0ed69ee1d83ea1c0b6c11eb0d7e823daa943348f9bc194ee3f02a24bcd553ae05a3480cd77c

  • C:\Users\Admin\AppData\Local\Temp\TCD7AF3.tmp\gb.xsl

    Filesize

    262KB

    MD5

    51d32ee5bc7ab811041f799652d26e04

    SHA1

    412193006aa3ef19e0a57e16acf86b830993024a

    SHA256

    6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

    SHA512

    5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

  • C:\Users\Admin\AppData\Roaming\DenyInitialize.doc.exe

    Filesize

    512KB

    MD5

    3746799a25e15f17907d4ecf08cb131d

    SHA1

    841ed300a758b3fd7a24c7af373199ebe27d9c50

    SHA256

    34d70658c4a4523fccd8105b8d47c89256c8b10e24212eb661cc47d09a5147fe

    SHA512

    b6a1071efd376aa02f94cd448013c59d57c8eaefcc7f735dbc9738dc5384e8fb94842695fe26a35ef6bdaccfab3d2664ebb398c12c03e038fa58e612af3d8783

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

    Filesize

    239B

    MD5

    12b138a5a40ffb88d1850866bf2959cd

    SHA1

    57001ba2de61329118440de3e9f8a81074cb28a2

    SHA256

    9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf

    SHA512

    9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

    Filesize

    3KB

    MD5

    a0fc932d3145a00d8aed277f5a24a4b0

    SHA1

    c0494a817a41ee74d648195010fc3017ca92d1b2

    SHA256

    dd1a46a5bff5cd42dd83883c50636360fafd5f77412cff94e836650aca6bd9a4

    SHA512

    e85a94ab9e4e05219a436faa1cc03e0bfb208625ac1aaa5e7e6a3da98257a9cbcf7ab4c60d9461ee484427868075905c83824d4341415bd89aa3eeaaed95d02e

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

    Filesize

    3KB

    MD5

    9d7a1830d299302a248009def905d8a9

    SHA1

    7bb8c79f42d41936e14af5d44ad7d85c044a36ba

    SHA256

    707a3e672b8364330af3f3406456428ca1154be785f77b41075eafa167e9e57b

    SHA512

    475ded5063434aeae1c2296ba36e1fa89e79b5a539a8c720a3d4a560fcc33829c14c86faca5a9a8954a92d3e408dea827cbf2997f5f9c92e897f00fe8b0b56c4

  • C:\Users\Admin\AppData\Roaming\ReceiveCompare.doc.exe

    Filesize

    512KB

    MD5

    bfd8cee5af3fc59b90a5d557b00183b4

    SHA1

    12c64fae4223a01d64b60dcc914979c9de8d232e

    SHA256

    a8c92abeabb4d980bdf8dfa935be16521f62ba8dc90618f288a61740017537cc

    SHA512

    1a56ee10c76c8a76f5dcee331323d5a4a1fe5405c80d56037f60e4cd604423da76aedeac373660de9bfab0d36ae52f111b87502360006d866db5b1e51aab4081

  • C:\Windows\SysWOW64\pycbfnqb.exe

    Filesize

    512KB

    MD5

    82e06f9c4674c7e3df15fb2a64042bdc

    SHA1

    d5d078fe06f250cc2dca72ed2442d5ff03724d5d

    SHA256

    f4ef7140c572be857c2885896f2d403bf12061265fd7f7ec4b73a5d4e8e93d43

    SHA512

    2efd6e49120878a07f9259452e9c805ea1a7b4e6d001bd3e9cd91409e43f0a86b3ba2cd4ae10b963a80afcaca4aabd73b2803ca7dfc8b7260a96fc95ad14d46b

  • C:\Windows\SysWOW64\raecrplrcfwwl.exe

    Filesize

    512KB

    MD5

    3f8440896c9f122b134f28a1289b75c7

    SHA1

    c93e07c52aff34e22cac07ca4705136a0f9e6199

    SHA256

    998a95eecf63efa6ddb1fdc082fbc69fe66ff983a6650af0e4b84af61b3bb74d

    SHA512

    3a2ca8d92f1f10ea84633591cff378eb415d7a97e69872c122cf83b153431db199927f92c29ea0e442d98a951ca95fdb75aec8e9de5f018bfa9099ff2dad6c8c

  • C:\Windows\SysWOW64\vadempkljdydayn.exe

    Filesize

    512KB

    MD5

    14bf9327e7999a48f4e0be4f4eea69a0

    SHA1

    9accbbc69dc63d18724e93402a5231af55e55033

    SHA256

    71b9730fbc3c0f72e20a2318f55f1136e28c5194fa9626efd63690c5a2a83b88

    SHA512

    d41c7b238d4ae7fbe13aaa2b2a6b378cb678276dc040ee31a099d322df8845964bb2b0a315953506c5174f002cb3fbaef962c1f72e71a8f024905cb8418f2dd4

  • C:\Windows\SysWOW64\wbjnpbkwsz.exe

    Filesize

    512KB

    MD5

    5f935e64f9a5d9f4aa6bfb668be8d789

    SHA1

    b1506278aaeb2c88caaecdeac07449ed7a8add27

    SHA256

    73b9e14aa74bc9ef43b86c88de4153f5ac4758eb553db82ea6396fd60a55d96c

    SHA512

    684a40afe87fd025c15af595e9ec4ad7e2a72d65438bf1176c34bdfd45434bf75580f855784d32aff148afb3ef8758a88f5d08f74cb109e1aee7b721bf335e46

  • C:\Windows\mydoc.rtf

    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

    Filesize

    512KB

    MD5

    0d1b3e889d441c81e415c17d8eadb626

    SHA1

    3972197a2e5c1a8b1cff5532ee0e013209adb04e

    SHA256

    2ed4d129dce8c9b8772705d5b9948489d740c54d2f1f44acf6cc41747e542999

    SHA512

    de031d5a37bdb75970a38c8187c37936f5155748fd4ef55e907f5286623249fc85c97226b5b9a90b6dd705ed5feda2f75f9acb70d7c8e82ec7891f52a4ab0de2

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

    Filesize

    512KB

    MD5

    a6378e3d6ab1bcd2e3ee88c02b1f19f1

    SHA1

    2db24461e63e9b2df0d8bf8fe223348f7e805f77

    SHA256

    ba2e53faf8db0c4ccf016fbfafdce7173f9106dea3d5083d9f523a22ec11d1ee

    SHA512

    53fad2b411117a074323986a446fc12b39f01ed10284c581fb18101f2a8a04110bf25965ee58d9b56752189ad993b39e42af97466b3aa26f1cf4cf6cb24d6cbc

  • memory/760-37-0x00007FFB7B550000-0x00007FFB7B560000-memory.dmp

    Filesize

    64KB

  • memory/760-39-0x00007FFB7B550000-0x00007FFB7B560000-memory.dmp

    Filesize

    64KB

  • memory/760-38-0x00007FFB7B550000-0x00007FFB7B560000-memory.dmp

    Filesize

    64KB

  • memory/760-36-0x00007FFB7B550000-0x00007FFB7B560000-memory.dmp

    Filesize

    64KB

  • memory/760-40-0x00007FFB790B0000-0x00007FFB790C0000-memory.dmp

    Filesize

    64KB

  • memory/760-41-0x00007FFB790B0000-0x00007FFB790C0000-memory.dmp

    Filesize

    64KB

  • memory/760-35-0x00007FFB7B550000-0x00007FFB7B560000-memory.dmp

    Filesize

    64KB

  • memory/760-608-0x00007FFB7B550000-0x00007FFB7B560000-memory.dmp

    Filesize

    64KB

  • memory/760-610-0x00007FFB7B550000-0x00007FFB7B560000-memory.dmp

    Filesize

    64KB

  • memory/760-611-0x00007FFB7B550000-0x00007FFB7B560000-memory.dmp

    Filesize

    64KB

  • memory/760-609-0x00007FFB7B550000-0x00007FFB7B560000-memory.dmp

    Filesize

    64KB

  • memory/4732-0-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB