Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27-05-2024 06:34

General

  • Target

    7836bcdffc0d71f1fe7b31d42ec7ef6d_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    7836bcdffc0d71f1fe7b31d42ec7ef6d

  • SHA1

    8c7c3b603465b9b9b1e935686ab44591887ec29a

  • SHA256

    6ed931b2d4f9899668844533f9965107b2ac3981d7a3ac9523f63c97c2b756f6

  • SHA512

    6ad4ff8dd53583e0fa76fa00d5ec605aad0da80d0fc5275910fb00532128fb0ae8c4e5faaf83b796a179e3ba97faa4f316b317d4cc80cd42387d3a68e6cd6870

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6L:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm54

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 9 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7836bcdffc0d71f1fe7b31d42ec7ef6d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\7836bcdffc0d71f1fe7b31d42ec7ef6d_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1216
    • C:\Windows\SysWOW64\mwueaptlro.exe
      mwueaptlro.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:3052
      • C:\Windows\SysWOW64\tamhgepe.exe
        C:\Windows\system32\tamhgepe.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4896
    • C:\Windows\SysWOW64\bzsclykilrnlsjh.exe
      bzsclykilrnlsjh.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1220
    • C:\Windows\SysWOW64\tamhgepe.exe
      tamhgepe.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2448
    • C:\Windows\SysWOW64\avbonchageruj.exe
      avbonchageruj.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3520
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:4920

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Persistence
    • Boot or Logon Autostart Execution (T1547): 2
      • Registry Run Keys / Startup Folder (T1547.001): 1
      • Winlogon Helper DLL (T1547.004): 1
  • Privilege Escalation
    • Boot or Logon Autostart Execution (T1547): 2
      • Registry Run Keys / Startup Folder (T1547.001): 1
      • Winlogon Helper DLL (T1547.004): 1
  • Defense Evasion
    • Hide Artifacts (T1564): 2
      • Hidden Files and Directories (T1564.001): 2
    • Modify Registry (T1112): 6
    • Impair Defenses (T1562): 2
      • Disable or Modify Tools (T1562.001): 2
  • Credential Access
    • Unsecured Credentials (T1552): 1
      • Credentials In Files (T1552.001): 1
  • Discovery
    • Query Registry (T1012): 4
    • System Information Discovery (T1082): 5
    • Peripheral Device Discovery (T1120): 1
  • Collection
    • Data from Local System (T1005): 1


Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
    Filesize

    512KB

    MD5

    477df099183f3491da83126e2b29cb28

    SHA1

    3dedd7269db9b67e3d509b6405efde3cf9c6d1d3

    SHA256

    487c4d388d6592ffbd540f61e745c5f9a1bf886fd639da39e806a1e917b71c86

    SHA512

    2a60c1d197d0781645cf2c1cc05f5fbc176ecb1c28f36344c169eea2fc0714ee7e6094914cd2af588bd84b3d893dbd88bd890981da6f3c753d92f2837b778bdc

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
    Filesize

    512KB

    MD5

    fcce29efc71d364cdd64e1b80393bc56

    SHA1

    e7fdf4fd984c189a3df99aa0b7580ca430da653a

    SHA256

    10381207fb5e6f53c48321fbc846c30ff923bb89442e422f9fe8b3be6ab24a1e

    SHA512

    dd8225e8aa6688d8ea609f5c7ab9ba623255a0acc0cae84a7da9436e34d34aeb6c5b93cf89b34ccc9882d71f468ccc3779bbd836520900a711ab14525c290e40

  • C:\Users\Admin\AppData\Local\Temp\TCD8C15.tmp\sist02.xsl
    Filesize

    245KB

    MD5

    f883b260a8d67082ea895c14bf56dd56

    SHA1

    7954565c1f243d46ad3b1e2f1baf3281451fc14b

    SHA256

    ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

    SHA512

    d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
    Filesize

    239B

    MD5

    12b138a5a40ffb88d1850866bf2959cd

    SHA1

    57001ba2de61329118440de3e9f8a81074cb28a2

    SHA256

    9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf

    SHA512

    9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    3KB

    MD5

    54ee007e5f8bec51ff19bc98b29525be

    SHA1

    4d7f302ef562a913baf813d674ffc79d016fff9b

    SHA256

    03987c0d249c78ed208ae3fc8ac13e286e37084df02597d57fa5045ca7889f6f

    SHA512

    5a58493bdeb445218eff7661790601b258c3f8af9d98c89ee8afb25ca212fafd279503fabf608595d5a5b1dce3f880427fd5cc1b13946c871a7c36dce4d615e9

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    3KB

    MD5

    0fbd83d09599a3dc86faee52e4ec0912

    SHA1

    9c00f1d3852e22e743c24a52fa2988384fc5ed5b

    SHA256

    0a341fabc0c4325d6908d9182804e8705a82963ded7f78097029f5780fd2aeae

    SHA512

    2f5ca6ee43a34d44dda1d683c0da7583df788d071353f43e2f54334c55e21e495f367897cbc592e6e3c46d5f2a318aeeb1181d19ba60a7f437c0e5dd6d725016

  • C:\Windows\SysWOW64\avbonchageruj.exe
    Filesize

    512KB

    MD5

    239b6024a2546aa3344e28b00b73868c

    SHA1

    8b2c29fc9e77d3b32d66c139690eebb0644005d8

    SHA256

    7f650b3b9f8123d274795dc0660f196540bb36a05be33ccd558c224ef42d0d01

    SHA512

    3584337cb688f7cfea2fc831730fcd7a743425fb2a3d7064e2ed65bfcc909456b73845e14fab3545778b2fea0e363e6df49f726062fecebf5cbcb99cd01f7a35

  • C:\Windows\SysWOW64\bzsclykilrnlsjh.exe
    Filesize

    512KB

    MD5

    2ad019e5a16c694ef43e6555a9c84215

    SHA1

    9e23d8f9d5f4032e6fc6c7f6de9ac6ba86fc5f43

    SHA256

    7c1a8be8bdb712261df8b2d43f86e8a05a3458a733967dfe73a0cd928127f418

    SHA512

    090ad3f7cb67fc5b18bd7477f8f3cb9028f8b1e3858ead444b808f4d0d7f41b5f5d1d3f2340143e24908107111480d12e04d952ba6623bdf240725853306cd51

  • C:\Windows\SysWOW64\mwueaptlro.exe
    Filesize

    512KB

    MD5

    7c89046979003b4ee25dd3cdb516349f

    SHA1

    8f1b0f6aafeaea6665246ee9273138fcdd266d05

    SHA256

    055010ee3bc75d6e9060b5a39627c235304e90054ae3050f00fdcfc668e944d5

    SHA512

    e371dba74a401b31c9da91561467c2196439028279cc2dae63d4564745bd8e26261e41c23ec0db32a5b94affe138f2825763461526eb4500aa43053d7b5dbae3

  • C:\Windows\SysWOW64\tamhgepe.exe
    Filesize

    512KB

    MD5

    5616bbcc34396394874f989211d9274d

    SHA1

    73a3c7b5654d5cb9cedbe52e4c16301abf40105f

    SHA256

    a2f397487e157f4819c40cb5f022e89704afec84627ba697c972c03e290e24fe

    SHA512

    7e90f28f5cd7020c86167aee6e034399b81f6fe92d6bee5f94b93109ef6fa9d7f83233b8ce83b5e3c050ed22007f251bb46d4cc6444c136da2d08d7a80911f4f

  • C:\Windows\mydoc.rtf
    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    512KB

    MD5

    15457e1beac9b4cdaefcbf8560b5a236

    SHA1

    a033e1cb1795f99d4c73afb3f1ab8d5a9279d6f4

    SHA256

    b2b690780a8a0bbceac85975eee2c70f138e8a7b33087bf446a87f9de83cab8f

    SHA512

    a0cdcd2ca243c6886a7226281fda9ed2cfcb322c9741f003c9b37226ec17c16a8671b7098a11c2cb32245fbdf08e66eff11ec72289be1222e40c2a8cf7c4e2d8

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    512KB

    MD5

    6eba262ed69037bbc61f1895b97fca15

    SHA1

    7cd7546356660ac8f81d3ec664262f276467a872

    SHA256

    37d461c6e18a6efa9d2de49f80e2f92fce96b439394bf7c16a62bc755356178c

    SHA512

    329b9a509f54b92cd038889849a5d69d1c596d284ef102b44744cbedb032cc0c16d58d3921f486655f170e93a23dfadb7978cd00db171bcdb19ffa56c5492bce

  • memory/1216-0-0x0000000000400000-0x0000000000496000-memory.dmp
    Filesize

    600KB

  • memory/4920-39-0x00007FFDC46D0000-0x00007FFDC46E0000-memory.dmp
    Filesize

    64KB

  • memory/4920-38-0x00007FFDC46D0000-0x00007FFDC46E0000-memory.dmp
    Filesize

    64KB

  • memory/4920-36-0x00007FFDC46D0000-0x00007FFDC46E0000-memory.dmp
    Filesize

    64KB

  • memory/4920-37-0x00007FFDC46D0000-0x00007FFDC46E0000-memory.dmp
    Filesize

    64KB

  • memory/4920-35-0x00007FFDC46D0000-0x00007FFDC46E0000-memory.dmp
    Filesize

    64KB

  • memory/4920-43-0x00007FFDC1E80000-0x00007FFDC1E90000-memory.dmp
    Filesize

    64KB

  • memory/4920-42-0x00007FFDC1E80000-0x00007FFDC1E90000-memory.dmp
    Filesize

    64KB

  • memory/4920-599-0x00007FFDC46D0000-0x00007FFDC46E0000-memory.dmp
    Filesize

    64KB

  • memory/4920-600-0x00007FFDC46D0000-0x00007FFDC46E0000-memory.dmp
    Filesize

    64KB

  • memory/4920-601-0x00007FFDC46D0000-0x00007FFDC46E0000-memory.dmp
    Filesize

    64KB

  • memory/4920-598-0x00007FFDC46D0000-0x00007FFDC46E0000-memory.dmp
    Filesize

    64KB