Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    26/05/2024, 03:20

General

  • Target

    742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    742d588d22ea42abbd53193a222b8dd0

  • SHA1

    9b815abbb75384a2852cf5190a6138eec7db53f8

  • SHA256

    3da141fdf33f54ef540f20ee3597c0381ec572f0e61140e5441244b124a0422c

  • SHA512

    6a48ba800860512c2d906fae4ee9fd801508c1ba2a9934e8dab8e44babb8ea217c9d922260c905e8375de103aebb1e2ec98c946ad3eb28bf9a25e796132a2556

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6G:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5n

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 7 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2888
    • C:\Windows\SysWOW64\vfblejvmkz.exe
      vfblejvmkz.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2472
      • C:\Windows\SysWOW64\iozdavne.exe
        C:\Windows\system32\iozdavne.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2536
    • C:\Windows\SysWOW64\bzktouiylyunkrj.exe
      bzktouiylyunkrj.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2148
    • C:\Windows\SysWOW64\iozdavne.exe
      iozdavne.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2796
    • C:\Windows\SysWOW64\hactrbztscczi.exe
      hactrbztscczi.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2480
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2376
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
        PID:2732

Network

MITRE ATT&CK Enterprise v15

Downloads

          • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

            Filesize

            512KB

            MD5

            ea9d5c58adaebe4b3008ae863766e491

            SHA1

            1cdb0c6ea6477df0222448eed7d72bfd9e054dd5

            SHA256

            44f7e54f539142ce21a0a8193a42cf20d092c9e40c42ff30dd9f1ad4d359ac16

            SHA512

            b46b9c262e12849a8db5ea58b29e4796ef1046a8f3b4ffbafdbeaf47e5d15081b3f68ff773291d1a48d46e51f8580e75b539cb6df271fc92ab953def4b61aa8b

          • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

            Filesize

            512KB

            MD5

            52a5125c3902aafa896aac3d0cbbbd0a

            SHA1

            33eee2102471dd281a0e1895fc6aae2ff5862c0c

            SHA256

            62e5e4b0e3e8c39ca8a8b70285cb8d0b9044ce7a57949061e43bd5e3f572b483

            SHA512

            9c92084f00cc2bfefbce8c8cf5d201207feb2e0f57c1cdd8cdaf9130dbb06e9fedfb3615e0aef6aec607a8e5d58e3969eaac2b1d10b6a712bc4522da0e24e05b

          • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

            Filesize

            20KB

            MD5

            6a56573c1ef361d20a1f606e31f17276

            SHA1

            f0a6349e606a8d189baf04266a20d2386bff1c2a

            SHA256

            c528575cb5312d7d38a3e568a56b635d60c466d70f576a17c67df4ea4dfd5c29

            SHA512

            9338e347f2762e403cefdede1f8f545e103582bc78bccdeb021d06c5d7f3266d39aa25f804a8fdd5d08462f535c423a5a5eeae9195f50936304c33ca289532f2

          • C:\Windows\SysWOW64\iozdavne.exe

            Filesize

            512KB

            MD5

            855f1d5753c6dfa0bfb6a19d9771fdc4

            SHA1

            619759a9ec54c2ac4b223b704c8510b63c292edb

            SHA256

            b36bfae9d515c3beebb7f844f0b4bd3ad33cad5b0477d226a2257f5a29e2cffe

            SHA512

            15764b4c902009a422b3dfde836242c849a59e51640bfbbc1b885d588e915da1fd8adae4e0bd2187769faf7314bd76d1463e0a0005e96eaaf1f6b6e11626c219

          • C:\Windows\mydoc.rtf

            Filesize

            223B

            MD5

            06604e5941c126e2e7be02c5cd9f62ec

            SHA1

            4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

            SHA256

            85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

            SHA512

            803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

          • \Windows\SysWOW64\bzktouiylyunkrj.exe

            Filesize

            512KB

            MD5

            3a4123588cf0d692837c1788ad62631c

            SHA1

            7b92bed03dd0d7b3f858a2a2fe59df91b32dcdb8

            SHA256

            a27a60218cedf076b7659c046b3a6504bf75fb3e5beae87d82f2779dd3661da9

            SHA512

            bcd89c2d83aa6f6ddacc1fceda7196adbb31335efd1da51e2c0f6c4a6362e289eba12c6d6edf53a40672260458266efb72507fd582420274ea6fd89b784e128e

          • \Windows\SysWOW64\hactrbztscczi.exe

            Filesize

            512KB

            MD5

            9ce545b4b580a216de9aa812583627f1

            SHA1

            b2c0d8b7cb75ee151bd8b09afb0e4cb77ab6fca3

            SHA256

            b5033fd233cfd4aa639fa9f570a8f1c3fc92a757e5a18eecb305581da615e170

            SHA512

            315227ac3f09203c90f177d80212294fb131853db7cd15c1735890db338ccff0edfe988e6a07e3dc8d35a9f2556cafea82d786886d83f8894b7777595e4c7e52

          • \Windows\SysWOW64\vfblejvmkz.exe

            Filesize

            512KB

            MD5

            e49f358a5837f6475e28304288a802ab

            SHA1

            2aae425c3e4ebf89cb4e2ccdafdab27711d8f049

            SHA256

            7b5cbcb6cd9ed3c3e324afbe5b95ddaa435369ef38e0ab57676d0a145ac5f77f

            SHA512

            2e45c713b6daffd509cf20e8796e00d8130f271bc1099ff093f3f8f32a1cfa32f7ebc3ae55c7c555b89e405bd839a82d0a998a4430ee1c2a12ac58fd5e01e5bc

          • memory/2376-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

            Filesize

            64KB

          • memory/2376-94-0x000000005FFF0000-0x0000000060000000-memory.dmp

            Filesize

            64KB

          • memory/2888-0-0x0000000000400000-0x0000000000496000-memory.dmp

            Filesize

            600KB