Analysis

  • max time kernel
    150s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    26/05/2024, 03:52

General

  • Target

    743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    743eff7ff42d1cf8bb783735577868a7

  • SHA1

    1d2f37382b24080b3af19e0a0b7decb0b04dbdab

  • SHA256

    06507fdc6deba0ca9301fbe30ce8d9c450215a1cac9e4f0817e1fdc47000be06

  • SHA512

    a454da802db3e3145b9bfcd9f9858d653ffb2d6c91e3f809b28aaae1793a009e3928ac48b606e81d978ff613c3b7010aea66d15a036ae303fe01d9fff6e3e85b

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj67:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5s

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 8 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 28 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 47 IoCs
  • Suspicious use of SendNotifyMessage 34 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2916
    • C:\Windows\SysWOW64\yykvwtqmpm.exe
      yykvwtqmpm.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2696
      • C:\Windows\SysWOW64\jqgqpltb.exe
        C:\Windows\system32\jqgqpltb.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        PID:2840
    • C:\Windows\SysWOW64\ldugrbbpleokuvb.exe
      ldugrbbpleokuvb.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2368
    • C:\Windows\SysWOW64\jqgqpltb.exe
      jqgqpltb.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2708
    • C:\Windows\SysWOW64\bmpcqrdsbrrff.exe
      bmpcqrdsbrrff.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2744
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2684
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
        PID:2304
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1684

Network

MITRE ATT&CK Enterprise v15


Downloads

          • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

            Filesize

            512KB

            MD5

            f77cdeebd708c029af0eb847a87497fd

            SHA1

            2629306063b7f9cb290cace36687d863d024da96

            SHA256

            f022a70bfc17d0a69a60cd8cc6a040fe1e916ea23d9b094f02da42cbf1ba138f

            SHA512

            37242958bc76ecf46ee8491bc65cd8e6b58073ddb6e3b95fea687e4ce886fbc99c877b9be821520e0d8e8a4781c22d8538c3aa640f2129c25e4682cc2c070487

          • C:\Program Files\CompareHide.doc.exe

            Filesize

            512KB

            MD5

            37c30d46194ff7c0f5deb026b4c3350f

            SHA1

            f6f22bc3409ad12941b9614afac7ec8fd9509b28

            SHA256

            9fff469c201bb4565a8fa72bc15ab71133ff06d83f673bee6c9af87ca9d8e128

            SHA512

            77aea98d543717cd52851d87cf2646fdb15c0cc05e5b5e01e6ed70667f748da8a555169e66af411901d2062182daffeb399ca4cbef1cc616d5f9c8fee39b8f4e

          • C:\Program Files\ExitRequest.doc.exe

            Filesize

            512KB

            MD5

            43935bf0c1876f53c29f52191dc52c50

            SHA1

            2d626979dfba245093fb6032f4e72ca0be53eb06

            SHA256

            ad262a9e6cd9b7f17ea90dd26c812603bf8b99cd803a6f23c8b7c502958c3570

            SHA512

            d757081a845af82695466a08b6504aaf36fe5604defdc2e97230db51cc49d33ef700fd541f9b74c8531f110d40bbd57457a9bc27d495c033db1122299ce8bae5

          • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

            Filesize

            68B

            MD5

            b831a0d16c9c0b1700967e6727756a24

            SHA1

            7b698f7ffb91210ee3c52dd809f54355fa9d4bf3

            SHA256

            92067afeef70ee667d711e41fabe6c0e8ff5a10d042768e4dd9893cd623f13d1

            SHA512

            7ec6993e6cb2ca1afe203eb51149de8fa0e623dab7896931e1949bc1c0aea64894bdb319af8d731e4f355552f280d870d6513b23cb69ccc55ccfaa13d0a23b5d

          • C:\Windows\SysWOW64\ldugrbbpleokuvb.exe

            Filesize

            512KB

            MD5

            933724af37659b994e491c64fcb85008

            SHA1

            9122cc856f535a74cfb17758f50214746c4c5e78

            SHA256

            bc76f39c538afaf76b2bd60c62bdab26ceaca25a2ce923a23e893e199e2bc73e

            SHA512

            058ffcb3de3cbe087cc6ef5197e46cb7e2c326742effd22f0ef4f7fa04975623257c2f0a4b027d788a20b70ddcf8aa4369687a6f8b19c1fff649ace4019afc42

          • C:\Windows\mydoc.rtf

            Filesize

            223B

            MD5

            06604e5941c126e2e7be02c5cd9f62ec

            SHA1

            4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

            SHA256

            85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

            SHA512

            803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

          • \Windows\SysWOW64\bmpcqrdsbrrff.exe

            Filesize

            512KB

            MD5

            76e9b082ec3b54765811c4bd8e041fe4

            SHA1

            13e05990a1e67dc41115aa54390288ffe9146fd5

            SHA256

            a8f60c4494039569cb9e1b9dd9ca4158a72d8208223a8310472e80ce6f901dea

            SHA512

            4898172b2a61a68a350a520f507528530445f528746e5ad5e7737cf9912c4580f0c7723015d30befa50b90fd83555caa176da1fe2a3323309354bbe0a940cf24

          • \Windows\SysWOW64\jqgqpltb.exe

            Filesize

            512KB

            MD5

            c60b6ca198c9d1ca5bc9be50dfbcb26f

            SHA1

            347277b9fbaefd6607ac05d51c3fb14fa7754ab2

            SHA256

            4313895a0ca72bb0f8e6eed5ee4e41adf749d130224b1b587af3ee7ffe1fb09b

            SHA512

            40d2c93b590fad40a434015ca22453be628201cc505c1d10e7c41e2ae661a1668115beac4c019e0a3d22095488b6059e62a579d8e6b5303d8380062d6d8a63b8

          • \Windows\SysWOW64\yykvwtqmpm.exe

            Filesize

            512KB

            MD5

            aab838709981285a4f60afc3efc5e027

            SHA1

            2e372f0d83ff6f344a891350bfb76f2c3b4c470a

            SHA256

            14b4b50e762007a45746477f6ee7f5e071981540fc42f411d7dfe3c8452b4aab

            SHA512

            dfe320a4c04c0f52159b2d2f3119a596dd549e65cb0d7020075672050a010ad54a688fefc1bea9e02f02d37c54cf7108e34ad913adc66083d2d89a09f36d8e49

          • memory/1684-92-0x0000000003D50000-0x0000000003D60000-memory.dmp

            Filesize

            64KB

          • memory/2684-57-0x000000005FFF0000-0x0000000060000000-memory.dmp

            Filesize

            64KB

          • memory/2916-0-0x0000000000400000-0x0000000000496000-memory.dmp

            Filesize

            600KB