Analysis
-
max time kernel
149s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
-
submitted
24-05-2024 13:22
General
-
Target
6ea7489aa08bee41cef6386d5a73435e_JaffaCakes118.exe
-
Size
512KB
-
MD5
6ea7489aa08bee41cef6386d5a73435e
-
SHA1
0644d2bbad493521b8122cb7c7942f00d3de7828
-
SHA256
521a832c8004a78a7577237e9b82a558793e0f5ce759a2456b3345430213c0d8
-
SHA512
4fa5049bc4a1eff9d221af11fb7e7a1ecef53c058548df930e9c890ebd66efaa931a0025f7d64a4396ebb77a2627bf37c9753e148a066e055a5dd8ca70f32142
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6/:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm54
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 5 IoCs
-
Disables RegEdit via registry modification 1 IoCs
-
Executes dropped EXE 5 IoCs
-
Loads dropped DLL 5 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 6 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Modifies WinLogon 2 TTPs 2 IoCs
-
AutoIT Executable 8 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory 9 IoCs
-
Drops file in Program Files directory 28 IoCs
-
Drops file in Windows directory 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Office loads VBA resources, possible macro or embedded object present
-
Modifies Internet Explorer settings 1 TTPs 31 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of FindShellTrayWindow 18 IoCs
-
Suspicious use of SendNotifyMessage 18 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 32 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\6ea7489aa08bee41cef6386d5a73435e_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\6ea7489aa08bee41cef6386d5a73435e_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rxeisuljtx.exerxeisuljtx.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\nloulopc.exeC:\Windows\system32\nloulopc.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\bymtmcqrebxfuwa.exebymtmcqrebxfuwa.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /c hhqyzbsvikejf.exe3⤵
-
C:\Windows\SysWOW64\nloulopc.exenloulopc.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\hhqyzbsvikejf.exehhqyzbsvikejf.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122883⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
2Disable or Modify Tools
2Modify Registry
7Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
512KB
MD55de60a144e35b0b5f13e6dad42ab1330
SHA135d647f21bc2cc149fff3375c5b38c3e80fea336
SHA256cd0bd412a296f2d492db48917c3746a28a5303c1dff255a451c24554cc100524
SHA51235370b2e3b94f03c11f31a89bcbb69842001e49036aec09b13701288b4f25b6f152287d8f850f6addad4b5636fc43e6d761d4c4f168828d62e013fdf9dcf421d
-
Filesize
512KB
MD5742b4904869356b0a122245e8716a0c6
SHA19d54136b303f7a44fc6ca7344bdcc8395b7f8a1a
SHA25682e0318ab8c3c00a884a4e55e3f4a19c1ee8bfcbea3544b5d7cf1af7471da9af
SHA51239a5e0e216842b52062f75d91c13ca730ab8a5771109cc34a0d588ce31907562ef7b8819ab81068a03a4de20c14565612dde7caa9b0d493dd7a22765faa58c26
-
Filesize
512KB
MD56e9b2c1975a9fd0cc43c6e55fe09b593
SHA16a17554a8eb1dedc223362b6900b1b83cdb188a9
SHA256c7332ea73a57ebbd405b26b7136e455e72ced0741b23bd8456491184fafea3cb
SHA5123e65d55e5821a3721b585e7504f80b77b5d3a08feb82c337dfe0e633ab254bf4c82dccd88edea63d2ab6c1bd17e0afb89e498061b956d7085894054d0e14739a
-
Filesize
20KB
MD5a8e6f8f464a5701897139ea58cf53c9b
SHA1c85028c144e43f7b2bd82f71d51e086e15ebcd9d
SHA2563237580a88ae6140a42c49e68a3d3632fadb24f3684910beee7d241922da418b
SHA51280852cacc77e8d9cc8d43359fd693622cc0c2c685e80ec934665a296d750bbfa3ee4d613c3f2b8e2bffc0a1998668bd2b1d5551d91ed2774e1a06b3190c96e22
-
Filesize
512KB
MD5b983287b80c3a251500afb0cc88b8cfa
SHA111d43bb0a6357aedca0c895648bb2906c101e8ba
SHA2562709e3d81087bac0f95ce96e9729b53c6e6a65afd72cfdd00bc4f232722b7787
SHA5128b8c76f752e385822affa11ea541401bf14fa6227ad53384b3796990a5d74aa0331649d9a6aac5c0e3db8f892b479a58c464f449621b3cf7f4cf6a331a5209fc
-
Filesize
223B
MD506604e5941c126e2e7be02c5cd9f62ec
SHA14eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA25685f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
Filesize
512KB
MD5e05efb696663fe4a1182282120277fef
SHA1a5c1c3753fb2d96d0e67abe4c29612e6a67a7238
SHA25694deab61f6720358d72f775fed84754f4b1849dd7646fa1a066cff2e0799cd1f
SHA5128882f74eb824804dfbe1c4792b82700470630602b08b7a70988924f62d48b5cdf3fb40990ec8163085f42493f089bf39104460b8364c7e14f54c20883f393c41
-
Filesize
512KB
MD533586b00870ee2f4a5c78211b6b4264e
SHA1d4cd0401a4e5d9e680db4765b4e1e1ab1eceb50d
SHA256099495b1356b11d119ff260e989f37ab6dd936b6a421679e766279663724e66b
SHA51274e3b4ef8c1b95a2d329a24847029450188b5ab0b6bb69bf25e937b17c47e3843667d026430b1151914274a0a2441a039cef7114d8b64ed421ea7fbdb3d89e7f
-
Filesize
512KB
MD589cf67aad2d4c099b88fc60c710095a3
SHA17b8b8a7844b5d3632075a3f37c64f201ac30d8d1
SHA256bcc90893ab77588c3fd2f03c27d7db068153597006939b72889da7d8f4369ce5
SHA5128dcc97ff911d6628b96682b9a2f541d4975a8ea587f456722edacbd33d82c33d638be4514a2ee7f3844a5a97c282dd54c90107a9f2e2d5fb57d7a4a10e8276ad
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
600KB