Analysis
-
max time kernel
149s -
max time network
135s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
27-05-2024 06:00
General
-
Target
7822ab79c42b8084d8e1ea3b498d6828_JaffaCakes118.exe
-
Size
512KB
-
MD5
7822ab79c42b8084d8e1ea3b498d6828
-
SHA1
4ba32b1fe142cc8fcffb4fd5d3947ad78920e016
-
SHA256
0db52b09c8c7c64c51c8923c1c7580e2f27b70e91172b00b20ccdceab99dfb33
-
SHA512
d4fa69712661dd9c5125d770a8944f9a06f09d325c6393d4177f1c94fc246f5bd00a451dc24702bbd7875ffa719eea5c0d2ecf6b2ff3fd22b3d743cc4f8e7a85
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6N:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5E
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 5 IoCs
-
Disables RegEdit via registry modification 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 5 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 6 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Modifies WinLogon 2 TTPs 2 IoCs
-
AutoIT Executable 10 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory 12 IoCs
-
Drops file in Program Files directory 14 IoCs
-
Drops file in Windows directory 19 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 20 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of FindShellTrayWindow 18 IoCs
-
Suspicious use of SendNotifyMessage 18 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\7822ab79c42b8084d8e1ea3b498d6828_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\7822ab79c42b8084d8e1ea3b498d6828_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\npqjwnxtdv.exenpqjwnxtdv.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\lviiczll.exeC:\Windows\system32\lviiczll.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\cpnlpbxemqondlv.execpnlpbxemqondlv.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\lviiczll.exelviiczll.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\dhqgrayvsglwx.exedhqgrayvsglwx.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""2⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
2Disable or Modify Tools
2Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
512KB
MD5e4a1a85a6f11f5cab66908a3660cb01c
SHA152bfc7ed20a79b07b92a6ac033511e7b4c8c498b
SHA256ce68741cba528d1721d470b7607ac01954d22478df4c0d5ace55e2250e8526cd
SHA512ad53dccd68878df61064ab72feb1063f22207c5fd611bd4239965f64187c78e01abf42af8b8601af8a7aa7c2217834baf93bc7fd9b63bd36484b4d4a1b50cc76
-
Filesize
512KB
MD5661e7826bd4e1557fd8670058e15f238
SHA1f3820963e61df58153aebf67f91d83cb6a054770
SHA256db82f924a4e99af4f8f5fed83363a286f67a03df5b468760ac9b77ca894d8a9e
SHA512ec4e763355c6777543cc363eed9b28bfd31ff81497ff2f62fbf222398d864ee7e648c56c1bf47ce35271e93abfc723bd2fd4fef8d519fed391d7cc6e944b3782
-
Filesize
239B
MD512b138a5a40ffb88d1850866bf2959cd
SHA157001ba2de61329118440de3e9f8a81074cb28a2
SHA2569def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA5129f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb
-
Filesize
262KB
MD551d32ee5bc7ab811041f799652d26e04
SHA1412193006aa3ef19e0a57e16acf86b830993024a
SHA2566230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA5125fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810
-
Filesize
3KB
MD514fad22b9a49a2c3303105f604b6b6fb
SHA1ed78870b1e5213bae3d7c30e18621a02ce4571c5
SHA256b9e3108303718ba094ae6078378be22027bba881044877d07cd34cc1eba299ee
SHA512a8b5120435b4eb0ab2c3aa1ccedeb9b3edcfa787323a9a6e77071a0f93e589719c6aae7b70c820f0efab2cd3c696e74f259e509f28b4d88a386342da8c7022d4
-
Filesize
3KB
MD5a696800875c954ffb47a2089c2c22970
SHA183e3a55da1328f050513d6e62db11746ab0c1d64
SHA25621ef9729a6c28497b8b8f1651c3058766f43071726a9f6ad7b88bbf9db6e5dd4
SHA5129f97e5e72d9d2be701578a024f98159ef75162bbe3b6f0ca15359738b5987e6cee30a91889db41fd38d20ac37d18c05622897a940ec9cb3d36cd9d10e6e11cc2
-
Filesize
512KB
MD529d13c6cfa66676cbe80f11e8592c5a7
SHA1a5e1108ecea60260bf0297dec1d18f0224c8d5eb
SHA2566fec382d2fcc341531c5235613c2c5e8971c6d5f0a11c4bb958aa5a9dd19d7ff
SHA5125e9b0e5259dd14b2cb4d984bbef5afcfbc8ccdb859cba0cf471163c6090004469d335c57628cada31d9cef47360dad26208b4ac77ec68f42ebdc061bcc85ae09
-
Filesize
512KB
MD59bc0bf70c5864ea2dd3a3a0b89179ce3
SHA150c0033a286254b315f09ab7ed7d1ce33f865861
SHA25685b6cc2c247ac527270284aa0ad26ba076d018990e9f8fbcb3c32d3dbb2f31b8
SHA512cfaecef32069218ece9828470c65dc9183f8a467627c582c2fd25adc56776a07aae9c56529b8718e0d893d32b809a791ff2e20bd81c5a0f264df65f4fc1da65b
-
Filesize
512KB
MD585d9da4754a40ebdd509bbd46b84efde
SHA16bce51775c5c5add719bcba8a282ea5c4c5bb555
SHA25690b0df85cc25c868bb900e96240c4a68278bc421e79495aa282a33a9598fbd2f
SHA5123e72997f635b8a4e0bd34ec4196f017652c0009aa0aaff89e3e38409d03f9cc3e8248c3decfe38e720637c38924a8da0da7883102f0f62b5afff96256244be47
-
Filesize
512KB
MD527d02a469cae3be0f57a8c393960f066
SHA1ce1f1a9aeae3740b5ed2296accf0a8c2017a9eaa
SHA256812728312a198c35b83cdead660771c5e08b8b7e8d3e7e94943c521a6f49d024
SHA512955128081c67536721171c2231f7f2426774cb242591d76a2978d19cf58047fb7491f364c6713c05bef8b09acdef7425933112e3cec85541216227c32515bd29
-
Filesize
512KB
MD5997eafbd257b15f47759b2fac2235aaa
SHA1f2e56c59943f9e3ab52f87199154394e263f816f
SHA256ee8f73233a1f7441f8997b6bda2fb336b270157d55556880c8cceca60fcfc838
SHA512d5d1801781daa3eae48fbb8678f24a460a8c44ad83df8150f16aa05c4fa2f646a027bdc13694bf709bd7b90bbca205dd6f3a067fd03729961dfa5bc924aa3f0e
-
Filesize
223B
MD506604e5941c126e2e7be02c5cd9f62ec
SHA14eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA25685f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
Filesize
512KB
MD57a4b0e8c530328a98dea9aa0de7ecc30
SHA170652002fb8822918cdc4569e924ff6eac8c55af
SHA256289c9f71dcdd7eb55a4fce05157c21f149bcfc53a870f6551be42882c8e586d0
SHA512210523d1c30cb2caf9b2edda822d6ea6e30631a18e1ee9cff6e9f186cc437458ca6c0274cc679fc97467a4699b5cf12192ed15cebc910dfe3036629187bd93d9
-
Filesize
512KB
MD5585100d695730f262759ff951c87e5bb
SHA13b23536f2cec1e9ab2409885b4dac51f46965bf0
SHA25668987c22a800fd5e001f72d3a16b8c901b2b375822f63bbf2e3c096804bdfe87
SHA512766e95ea5d18e18d8d0f9e027ae703c9d944d3e2a8f376196d15a3d97b02bfbc84158fb4209128245f108fbeb3c245df3d1e3936562942c9ce0b5164b4a63924
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
600KB