Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20240508-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    26/05/2024, 03:46

General

  • Target

    743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    743c9bcf0c971d3b1e49722f4a480db3

  • SHA1

    635b158b0e3d20cb8a245ab64f14fed4be12a799

  • SHA256

    18e9dd695e33d41907346fd83c01f1d35c75c23e5acc28c95d2fec9a8644a85d

  • SHA512

    a6462e18435ee67acc20a5de5229f80760f2c79d6310a0b987a898b79dcd4d58ffed8c886f62ee86b44c3e3d53e1d910f2bd6918380eee94c53ef90b2736cef3

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6U:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5H

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 9 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:432
    • C:\Windows\SysWOW64\hdinxmdohh.exe
      hdinxmdohh.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:3492
      • C:\Windows\SysWOW64\wpwxnrmz.exe
        C:\Windows\system32\wpwxnrmz.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2504
    • C:\Windows\SysWOW64\edyejqdoyfazrbz.exe
      edyejqdoyfazrbz.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2296
    • C:\Windows\SysWOW64\wpwxnrmz.exe
      wpwxnrmz.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4800
    • C:\Windows\SysWOW64\oyeyuelcfique.exe
      oyeyuelcfique.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4760
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:1512

Network

        Downloads

        • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

          Filesize

          512KB

          MD5

          2cf3f5dfa93ddd90d76f2252aaefaabc

          SHA1

          ab95df071c10ff07b93de169fa4231723990593e

          SHA256

          05dabc4cabcaaeeeca514c7a6fc2e0b63c3e5ea6bea3c703150f140e0743abe1

          SHA512

          c8eeabf0d981bcdef2c7c9c17236c1d32819f5d6fe5f0bb1d781d1d381aef3c1c5bd788c6939cb7bc38e2ef7f8ce6f0641b01dbfdcabbf6de922f2b215f2c189

        • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

          Filesize

          512KB

          MD5

          b9c44b16965738107c229aa2afd15170

          SHA1

          94aeb79df853db6f401b5de7cbcfddbac94f6b6b

          SHA256

          f3f37cb6d9f5447ea4fff36d60ffe6d026a560045e1053dde12f21d1b0620746

          SHA512

          5deea658ac4ade4b316f24032254b062f912ea3a078d05929be1f11ad6a5679b3d2b759b8fae6aa37a97d1e460346b66579128e70fa18b60f05d29e8a18f062c

        • C:\Users\Admin\AppData\Local\Temp\TCD96CD.tmp\sist02.xsl

          Filesize

          245KB

          MD5

          f883b260a8d67082ea895c14bf56dd56

          SHA1

          7954565c1f243d46ad3b1e2f1baf3281451fc14b

          SHA256

          ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

          SHA512

          d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

        • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

          Filesize

          239B

          MD5

          0c59a5f4b604bdb95d678de25e7be485

          SHA1

          b2f63dc74e24096cfaec01add4039bb6b4221650

          SHA256

          4f67992a112a96b5f8fee2357028d149d02be8c07cfff8b729fc33ad27ab5561

          SHA512

          9e31d6948d8d5d1ad4b8ec7ee4910eebda596ca73fd23dd72401e400c661b993b04ce907aa796597773feb9ef6f598b0c852b091996ec03d6bf69b74d5054e4b

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

          Filesize

          3KB

          MD5

          109c2954898c146ee9ad4856a911788c

          SHA1

          4f1b688a96d0c8f6f618d9ee2b871e21bec79566

          SHA256

          6b9b1b70773daf7b54c4feb37296d2110a093a2e862bfe5ed5791d45ff21b5a3

          SHA512

          e415daf01c307abf2ff40a716f0995310a18e1e2706ad976e1ab102fceca750d21e151dd7135f61d2fee7d5f5a7b5fa76bbf0453fd0e6ee1247bb58505dcd18c

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

          Filesize

          3KB

          MD5

          0247d2c925a4cc31f455ac388785d81d

          SHA1

          c9156e4965a564225511522606544ad426a5a549

          SHA256

          76e04812db3090fad63fa2098a1666975fab65dfecff4d7d65ff0a045f601520

          SHA512

          717f179fb0fc8a836c5ac5f94f56ceb4eeee9abb3932bf3367cd3d802104ffa82be5b2f45d84be683e1c0aacbcf1ffb71ec6bf29e1f81a3ba8e132978c0daf22

        • C:\Windows\SysWOW64\edyejqdoyfazrbz.exe

          Filesize

          512KB

          MD5

          f732ecdc4740b33e583d8a6e3e6c0269

          SHA1

          4583fed866330671db208f56a67f33f37637c1aa

          SHA256

          c5a8974870ec1ff4400065bf2be698bdbae0c14b24e7812d2a7c428d9750f801

          SHA512

          8b460b6e517887d70102434475e7c07b47bb4cddc53c19709e3223502faad14571ad85924f0d604762c0a3b9da51fe4c4bf434e9284683ee16cb6176bddcb26a

        • C:\Windows\SysWOW64\hdinxmdohh.exe

          Filesize

          512KB

          MD5

          16ea97b23c34ff5bad828022f55750d6

          SHA1

          044c07a6244540f2c35dc240bc7fa5ccc15b6e64

          SHA256

          7ec236335674673a85828a6c7d891df46d536aab4536432a0293feb5d1141426

          SHA512

          5286daa6e04ec807e5990f945450aeba28965e802eadc1829ddee734c158950a8cec5f01ea0d3f6277aad836e8367bf01488d8e49730104009cdae1a0f6cc5ab

        • C:\Windows\SysWOW64\oyeyuelcfique.exe

          Filesize

          512KB

          MD5

          8be7fb46b8bfffbaefab32967cc01804

          SHA1

          bc78a365121866e0fbf1f2fe1d9a5d1d39164a29

          SHA256

          0a06a1091ad11c91e388fa4f1260df734c8471b42a55232ba6ef5ec6c8a60e76

          SHA512

          4058d949cb90345ec0de5a768286b4b0d33af02056e7fd613c50d0a2aeb21b198311dbc145944a0a1bbdf8d892013c4b14ce777c499310e7679111689b3761fc

        • C:\Windows\SysWOW64\wpwxnrmz.exe

          Filesize

          512KB

          MD5

          c0c87106d453bb129a9fc343e28c5fe8

          SHA1

          811fefb5b8f2b5d3dd796188f57c2fa7ab5c4491

          SHA256

          c141ada6bba84bf83dc02346fba0a62069485d9cb785233fd105b2b98d31e191

          SHA512

          be5fb13fbefcf242dfe820b7a4f6921d92c36be875ece68aff502b3d735b819c3afbeef285584dab6b7de6b41b10dacdbfbc9765dfb75015883602844c1328ab

        • C:\Windows\mydoc.rtf

          Filesize

          223B

          MD5

          06604e5941c126e2e7be02c5cd9f62ec

          SHA1

          4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

          SHA256

          85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

          SHA512

          803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

        • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

          Filesize

          512KB

          MD5

          ad726d742c1f4fcf7cb5c7e83c255ba3

          SHA1

          4ba5031dc33b09a13b3792d9b044622d2752ef36

          SHA256

          3b70aa2839d042bd337e82713c7aa34028deb1ef36bb21ae75ca4c1fbc359771

          SHA512

          cfecf0d8986b2c15355463c3fae256cc0c363b9ed57dc04d2881f9e3d0c07d9ffcbc40af173c488157e7d607cd5d0f08891402bdc4b3c5afec44a1e3a23c7c93

        • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

          Filesize

          512KB

          MD5

          0b327ae2eb98c75cd01fb6b00700511e

          SHA1

          55ee7866cdd3ddebc745ce8a9fb294c6b6111004

          SHA256

          4c27d1cfa8fb3dddcdb551f2f9711e7c57cba72b98cf32d085894862b0de85fd

          SHA512

          e2e2df645a6ee5bc02a939c2a9bda349e0b91127091347c5050dfa203fe48a65b76d59afc806d97a55ce0e65317a36e9974afb7acfb92e5dc027389ff2b3cad2

        • memory/432-0-0x0000000000400000-0x0000000000496000-memory.dmp

          Filesize

          600KB

        • memory/1512-43-0x00007FFA2F510000-0x00007FFA2F520000-memory.dmp

          Filesize

          64KB

        • memory/1512-42-0x00007FFA2F510000-0x00007FFA2F520000-memory.dmp

          Filesize

          64KB

        • memory/1512-41-0x00007FFA31E70000-0x00007FFA31E80000-memory.dmp

          Filesize

          64KB

        • memory/1512-40-0x00007FFA31E70000-0x00007FFA31E80000-memory.dmp

          Filesize

          64KB

        • memory/1512-38-0x00007FFA31E70000-0x00007FFA31E80000-memory.dmp

          Filesize

          64KB

        • memory/1512-39-0x00007FFA31E70000-0x00007FFA31E80000-memory.dmp

          Filesize

          64KB

        • memory/1512-37-0x00007FFA31E70000-0x00007FFA31E80000-memory.dmp

          Filesize

          64KB

        • memory/1512-600-0x00007FFA31E70000-0x00007FFA31E80000-memory.dmp

          Filesize

          64KB

        • memory/1512-599-0x00007FFA31E70000-0x00007FFA31E80000-memory.dmp

          Filesize

          64KB

        • memory/1512-598-0x00007FFA31E70000-0x00007FFA31E80000-memory.dmp

          Filesize

          64KB

        • memory/1512-597-0x00007FFA31E70000-0x00007FFA31E80000-memory.dmp

          Filesize

          64KB