Analysis
-
max time kernel
150s -
max time network
131s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
24-05-2024 17:19
General
-
Target
6f41d8ef7082c677c6cc3d4e658273cc_JaffaCakes118.exe
-
Size
512KB
-
MD5
6f41d8ef7082c677c6cc3d4e658273cc
-
SHA1
eab2ca4c98586b8ce492e79cb3ade1a2bd83498c
-
SHA256
7a5a08e9c85b62c60af508b030b71dbd957a774a35b9d7dd90a1d7fbe51e8017
-
SHA512
ed481a81f8ef3461bd65a2e7b3ec88f3019bf2f912b0c4599816f50de19e353ed7d5b15e8e6f680372975bf9aaa101eee54de37be469ef0f0d984a688c68df63
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6Y:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5b
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 5 IoCs
-
Disables RegEdit via registry modification 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 5 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 6 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Modifies WinLogon 2 TTPs 2 IoCs
-
AutoIT Executable 11 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory 12 IoCs
-
Drops file in Program Files directory 15 IoCs
-
Drops file in Windows directory 19 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 20 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of FindShellTrayWindow 18 IoCs
-
Suspicious use of SendNotifyMessage 18 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\6f41d8ef7082c677c6cc3d4e658273cc_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\6f41d8ef7082c677c6cc3d4e658273cc_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\hixvrgzaye.exehixvrgzaye.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\yskxcrbr.exeC:\Windows\system32\yskxcrbr.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\bjzuzdhblncmoti.exebjzuzdhblncmoti.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\yskxcrbr.exeyskxcrbr.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\pxqskitmnqaou.exepxqskitmnqaou.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""2⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Modify Registry
6Impair Defenses
2Disable or Modify Tools
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exeFilesize
512KB
MD57c15481f8d2d105ceb569fb1f322e3f6
SHA17b8b16db3326672b61c5e4fcc001790799fbe854
SHA256d3f0238c873e787410f92047b4a0c42a7389a82c70ac826aafcffa65b1c18520
SHA512375f0ec3da5742c099c3fb30cb505747ee02c0362ffe904ef7744de62e1387f59439ff3f3445c31e7cf949baf87fff4cbf4ed2c2dc48dae8b97144c4be903a1c
-
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exeFilesize
512KB
MD544defce2cc6d8a786c8addc163629fb8
SHA1ac323184b3b215daabfba64af575ec29648c085f
SHA2566e256dd9d75d5913947f3ab577662a4625c51e4a4763068feac0be26c73f47ff
SHA512190b360707b237b7146ac64306250a9b53bc671c9826ddf9ef13c158ad1a1c2ad2eb25e278965187b38e884a62970d3fd15433272499d177c5db2778404f3072
-
C:\Users\Admin\AppData\Local\Temp\TCD89E3.tmp\sist02.xslFilesize
245KB
MD5f883b260a8d67082ea895c14bf56dd56
SHA17954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e
-
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.datFilesize
239B
MD512b138a5a40ffb88d1850866bf2959cd
SHA157001ba2de61329118440de3e9f8a81074cb28a2
SHA2569def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA5129f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-msFilesize
3KB
MD585065575a2e0a8736706879f603fd633
SHA1eb7ab0c45d522646eaa1a318b72f2f493bd57466
SHA256c3c189f402d312b12ed9a869d75180971382f49617de0fe651fbc5d3ed7bdb06
SHA5123027155d54fbfb2b028e2302a6300c503e3fe0c8c543d1dd1760b9aab6d42bd1133efafc0c3a53632d4a404ffa57d7306a348314e5ddfe9801c7bb74190be73a
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-msFilesize
3KB
MD56bccfed71676f39f102b8b0e91fae3c3
SHA160dfd62ed28eddd1e4bbe70f943870f6b6e3ffc6
SHA256e8cc5d2108c0fc52262e660934dd0e3b50d0862795adb7ef08b14ea05b267aa2
SHA5124e2572f94a4c096fc0e4f474537ea20c8711fab46c0219fe3304c06c05bc6de1c13e93d8d8ca9f295a815f5dc494649ca86d57dddbd938d1c1a2dfaffdf20135
-
C:\Users\Admin\Documents\PingRestart.doc.exeFilesize
512KB
MD574ae56e679e2eb90829b8471b5c5c325
SHA1f9028c3ffa358e5a250f8b089999c9ace57b4d49
SHA256436916be78f144a7549cfd16177f61e78c9df33908e63c012f85e4c91f447fc9
SHA512cc846d7104077bb3de47494eea26d5bb3a3ba57257f54493199b3d386746f554c8d5ca04c96e87675a174cf1f06445749870d37e5661cd410d087017b4df4103
-
C:\Users\Admin\Documents\ProtectBlock.doc.exeFilesize
512KB
MD58ca4874639ac2877ec3628e272b84e2d
SHA1bca615d633a5a284ae592fdfc88bf7c624aaff64
SHA256cf77380e3d873679af0eca3f73659e15dc3bd6c36d29bf4196815ea564b05508
SHA512fb3b1b070afed0b22e7711204ffe84c9e4aadc9d4e70d59791029876dd4ddb848d640f8031497d6a4c4eaca9ea5f75fab934375a7d39e0ea78b95ac0a55949ca
-
C:\Windows\SysWOW64\bjzuzdhblncmoti.exeFilesize
512KB
MD5b35409f9f973eab016d7129e02833d58
SHA119f81b98d303243310fc0a5238dbe9a0e778a701
SHA25648a3fe4b33d6888b9beb344d3075b3363ea0dc454e32b887faf02a82e3f41d54
SHA512297b3716d9e207d23b7861f28ec1b3588450238ecc8e80f7e263378d56d97b50803e7af4064e03a803bd657e9fa2f87a98f946c2fd99dcbb81c359b2f6016786
-
C:\Windows\SysWOW64\hixvrgzaye.exeFilesize
512KB
MD55d42fa71163d1fefd0ecc8b096c76209
SHA1fc01ff13ac980f7a02bf46c343c16222955f92ad
SHA25684e5e56f465bc351911d58c34bf234433517e9cebdf60f26e82cb16fcff85bf6
SHA512b5ee8ff0fc26b366467e17d9d2f4fd75d7e3ceea735169310ec7f748f483b25919f1808dbc8533827481ed1341bba8c5c7f35bc33f9d937d9ae1751839142d5c
-
C:\Windows\SysWOW64\pxqskitmnqaou.exeFilesize
512KB
MD5a88b02267f6243a1b50c0fc3255b8584
SHA1a92798e9c8d9a0fa7b47cce5dc90d3467d1d0c2a
SHA256a3150c7cb297839e80efe22c99048975576b4305f831ef9e6dcc2489b09cff21
SHA51209e13770218e12263e2147b045eec6fd4a94babd8fc50b8099ab86a51ddfd52dee77691f5576058d581b7e5abb0f344088cc845ba913b9b2dff9be412a7b22e0
-
C:\Windows\SysWOW64\yskxcrbr.exeFilesize
512KB
MD578b68d6b66538b8d0a4c06df47888d76
SHA1a7526a209b11e294df5d16e832bce3834eb9aad1
SHA256e8f9a10891141745ba29614d7ef77f6d10b58988d3bdff3163d843e1a3c9b493
SHA5120eb625d1feee9536721ff593b2e61234aad3bc25e0d280c75168088c8b43d1ace84435b9c5c08c0cc8f85e8e8bd5d64a57392e9793e7de5c486ab51ed20b3b3e
-
C:\Windows\mydoc.rtfFilesize
223B
MD506604e5941c126e2e7be02c5cd9f62ec
SHA14eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA25685f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exeFilesize
512KB
MD5b2e27e51e90246d20db7b9397dd34bc6
SHA1e35debf2abf33f00134edf14ed120d78ca0fddd3
SHA2562c5388b77916ab561b1e64e5eb1ce0c23a7ff46bf04ae2f4d656dd6257c5cbfd
SHA5125e90c6cb433966f72b219c18e13bdabdd52c0bcb4479863bbcb7ed7af146e1140747ae2f0cc8d6fcfc9ec37ffa46d49a4d73132b623ff6f9b86ee227cf91e32f
-
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exeFilesize
512KB
MD5202948796c1b9d05b1f0e56c24f883af
SHA11aaaea0166a1f61c251d7f6a93da6298c7232997
SHA256def8376f70a0fa0b0cd5915a1417600b3e36152a0e7a6f056afef75a9dd1ddce
SHA512b4d4502dcc10ed306e60bc8617f4a9b6386e5c5d145c3ff882f21473496286cc087ec41703327710329546c0f5f6bf9592e82e8b7ccde76c607fe282ac8c2f1a
-
memory/2104-39-0x00007FFEE21B0000-0x00007FFEE21C0000-memory.dmpFilesize
64KB
-
memory/2104-38-0x00007FFEE21B0000-0x00007FFEE21C0000-memory.dmpFilesize
64KB
-
memory/2104-36-0x00007FFEE21B0000-0x00007FFEE21C0000-memory.dmpFilesize
64KB
-
memory/2104-37-0x00007FFEE21B0000-0x00007FFEE21C0000-memory.dmpFilesize
64KB
-
memory/2104-35-0x00007FFEE21B0000-0x00007FFEE21C0000-memory.dmpFilesize
64KB
-
memory/2104-40-0x00007FFEDFBC0000-0x00007FFEDFBD0000-memory.dmpFilesize
64KB
-
memory/2104-41-0x00007FFEDFBC0000-0x00007FFEDFBD0000-memory.dmpFilesize
64KB
-
memory/2104-612-0x00007FFEE21B0000-0x00007FFEE21C0000-memory.dmpFilesize
64KB
-
memory/2104-613-0x00007FFEE21B0000-0x00007FFEE21C0000-memory.dmpFilesize
64KB
-
memory/2104-614-0x00007FFEE21B0000-0x00007FFEE21C0000-memory.dmpFilesize
64KB
-
memory/2104-611-0x00007FFEE21B0000-0x00007FFEE21C0000-memory.dmpFilesize
64KB
-
memory/2524-0-0x0000000000400000-0x0000000000496000-memory.dmpFilesize
600KB