Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20240419-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    30-05-2024 13:11

General

  • Target

    8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    8441f9b5930b9ac744a512ef31fa8362

  • SHA1

    17e1c9b51b782e6013a213d1eaed9606601492a3

  • SHA256

    61344f96b80699a7fe8c95840205245c3c0acde18d860e015496e9da190ba9b9

  • SHA512

    a003c494c5b22606255b55d00b994be22dd14fd6cd97424fe3269d52fd804f166e91974743f496c83c9db3935ffeb64ca7656c47db3e44388925532e1b7d33a3

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6i:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5J

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 7 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
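
The signature names above describe behaviours, not the registry locations behind them, and the report does not publish its rules. The Python below is an added example (not from the page or the sandbox): it maps each registry-related signature to the value that name conventionally denotes and runs that mapping over constructed Sysmon-style "registry value set" records that reuse the process names from this report. The key/value mappings, the Sysmon rendering of data, and the sample events are my assumptions; the point of the data predicates is that a user who turns hidden files back on must not trip the same rule the dropped executable does.

```python
"""Registry-write triage for the behaviours named under Signatures.

Added example; the sandbox's own signature logic is not on this page.
Each rule maps a signature name to the registry location that name
conventionally refers to (an assumption) and to the data value that
represents the hostile setting. Input records mirror Sysmon Event ID 13
(RegistryEvent SetValue) as rendered by Sysmon.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class RegSet:
    image: str    # process that wrote the value
    target: str   # full registry path including the value name
    details: str  # data as Sysmon renders it, e.g. "DWORD (0x00000001)"


def _dword(details: str) -> Optional[int]:
    """Parse Sysmon's DWORD rendering; None for strings and other types."""
    m = re.fullmatch(r"DWORD \((0x[0-9A-Fa-f]+)\)", details.strip())
    return int(m.group(1), 16) if m else None


# (signature name, regex over the target path, predicate over the data)
RULES: List[Tuple[str, str, Callable[[str], bool]]] = [
    ("Modifies visibility of file extensions in Explorer",
     r"\\Explorer\\Advanced\\HideFileExt$", lambda d: _dword(d) == 1),
    ("Modifies visibility of hidden/system files in Explorer",
     r"\\Explorer\\Advanced\\(Hidden|ShowSuperHidden)$",
     lambda d: _dword(d) in (0, 2)),  # Hidden=2 and ShowSuperHidden=0 both hide
    ("Disables RegEdit via registry modification",
     r"\\Policies\\System\\DisableRegistryTools$", lambda d: _dword(d) in (1, 2)),
    ("Adds Run key to start application",
     r"\\CurrentVersion\\Run\\[^\\]+$", lambda d: True),
    ("Modifies WinLogon",
     r"\\Windows NT\\CurrentVersion\\Winlogon\\(Shell|Userinit)$", lambda d: True),
    ("Windows security bypass",  # assumed meaning: firewall policy switched off
     r"\\FirewallPolicy\\\w+Profile\\EnableFirewall$", lambda d: _dword(d) == 0),
    ("Windows security modification",  # assumed meaning: Security Center alerts silenced
     r"\\Security Center\\(AntiVirus|Firewall|Updates)DisableNotify$",
     lambda d: _dword(d) == 1),
]


def triage(events: List[RegSet]) -> Dict[str, List[Tuple[str, str]]]:
    """Return {signature name: [(writer image, target), ...]} for every hit."""
    hits: Dict[str, List[Tuple[str, str]]] = {}
    for ev in events:
        for name, pattern, hostile in RULES:
            if re.search(pattern, ev.target, re.IGNORECASE) and hostile(ev.details):
                hits.setdefault(name, []).append((ev.image, ev.target))
    return hits


# Constructed events: process names come from the report's tree, the
# registry paths and data are what the signature names suggest, not
# values the report actually lists.
HKCU = r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion"
DROPPER = r"C:\Windows\SysWOW64\kosuamcfpi.exe"
SAMPLE_EVENTS = [
    RegSet(DROPPER, HKCU + r"\Explorer\Advanced\HideFileExt", "DWORD (0x00000001)"),
    RegSet(DROPPER, HKCU + r"\Explorer\Advanced\Hidden", "DWORD (0x00000002)"),
    RegSet(DROPPER, HKCU + r"\Policies\System\DisableRegistryTools", "DWORD (0x00000001)"),
    RegSet(DROPPER, r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
           r"explorer.exe,C:\Windows\SysWOW64\kosuamcfpi.exe"),
    RegSet(r"C:\Windows\SysWOW64\ivpytuxdedtlali.exe",
           HKCU + r"\Run\ivpytuxdedtlali", r"C:\Windows\SysWOW64\ivpytuxdedtlali.exe"),
    # A user switching hidden files ON through Explorer: must stay quiet.
    RegSet(r"C:\Windows\explorer.exe", HKCU + r"\Explorer\Advanced\Hidden", "DWORD (0x00000001)"),
]


if __name__ == "__main__":
    for name, items in triage(SAMPLE_EVENTS).items():
        for image, target in items:
            print(f"{name}: {image} -> {target}")
```

Feed it real Sysmon Event ID 13 records (Image, TargetObject, Details) and the same rules apply unchanged; the explorer.exe event in the sample shows why the data predicate matters, since a path-only match on `Explorer\Advanced\Hidden` would flag ordinary user activity.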

Processes

  • C:\Users\Admin\AppData\Local\Temp\8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2288
    • C:\Windows\SysWOW64\kosuamcfpi.exe
      kosuamcfpi.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2628
      • C:\Windows\SysWOW64\ogcxpecg.exe
        C:\Windows\system32\ogcxpecg.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2560
    • C:\Windows\SysWOW64\ivpytuxdedtlali.exe
      ivpytuxdedtlali.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2680
    • C:\Windows\SysWOW64\ogcxpecg.exe
      ogcxpecg.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2728
    • C:\Windows\SysWOW64\plwldzpeinxtc.exe
      plwldzpeinxtc.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2692
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:768
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
        PID:2596

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

      Filesize

      512KB

      MD5

      2a49ae7afc52d19a61f4bc23ae1b6757

      SHA1

      74d9d7bbe4ec477033eff7c64af930fbedaefc83

      SHA256

      51c2ac8ced20195e7c1e8ff5da5975bf90cd6efb2ee55ddc913cf5dafb6bcc94

      SHA512

      394a942c48ded76a7e5c78370284ff48414aaa7ba22ad7b1b1df7d417ed121fb5ef4a7aa44359cde0372727baaf3fc7d31f09478a420da74c101d99688764d38

    • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

      Filesize

      68B

      MD5

      75c4180f0045f72b322a9b6509118eb0

      SHA1

      687b3566ad728813edef80568be23c4c911146b2

      SHA256

      7e8cbcf762b16922cc84d4fbef0dca4a0d6182794e2e0370ce99f98b3e2a4e0f

      SHA512

      e78ed9857532a06472247b1200890758ab3aa7326549601531b40de9b2069fdbcb84e8b9f2da8951f7955382e2b7a04ff2ad8deb1c5dfa3516fe05ebb834de4d

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      20KB

      MD5

      5cfeef74d511d97667beccd3286303b2

      SHA1

      d0b44507bf2de410d25a92ef0a1d5c7317b84862

      SHA256

      ff2d15de67f6479b8837531028e104008f10871084bb1c832f0ddd91878ecd9f

      SHA512

      ab377e3b6ad10ba8adae048d438c6364dd635880d26905f6c87bd11582b541acd9b5ff7ed13af71234c509a538d01d51b16cadb920432c8ae1fbc2e2a9f22053

    • C:\Users\Admin\Downloads\StopRedo.doc.exe

      Filesize

      512KB

      MD5

      c07f939bb4bb03f3089555c1e4fb4548

      SHA1

      236935339182f3822bfa8b9420c8b8c8e3df099f

      SHA256

      95cdce6fb39a00cd9c34294225e0d5a1ae8f7263ade3ab983be609d519dce537

      SHA512

      ee0792a1dce4381a0c665a62c58d2fac1c0dbe68450138e0ff4835a4fecae6bd032816207d0e088b38bddcba582053d7612f0d9bc563def5ad3b7feeafd24531

    • C:\Windows\SysWOW64\ivpytuxdedtlali.exe

      Filesize

      512KB

      MD5

      6b7a1bd01f20e882bc2b9dcd4a433bf6

      SHA1

      2ef85bb4ff4d7114938f081e1cbb1d7aa0c2f32f

      SHA256

      48520f96bac462fa848a67dbf864d28879d02e68f1b8445b69490bcc092dc813

      SHA512

      6b8a2a9e7b2e93811f87152b8ac932562ccfcc510f62b11637de94154faaf41420c16b27c55788737ad01018aaa7fab404f2f1c48c1d9335f316f5926c9ccd3a

    • C:\Windows\mydoc.rtf

      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    • \Windows\SysWOW64\kosuamcfpi.exe

      Filesize

      512KB

      MD5

      3cf973830c2648a112f4b1def74330c1

      SHA1

      fd2e8c076625ff3e61aa371e6abf334c35d02c6d

      SHA256

      daced9c5f6f9313b4a70da05da0fdd350a1690b8d570956ce282bc07728f2b83

      SHA512

      d4dffe922084a46423cd090b060de0259afcdcbbfd74dca6dbc985794a9ae95b4858a4d2509cd207ceebbc942b6f0cdd465d7020d25c8a5014f9d690023db565

    • \Windows\SysWOW64\ogcxpecg.exe

      Filesize

      512KB

      MD5

      84ff5c2a0c507cc565af66fc1ceea748

      SHA1

      ce48887399ece50251b16bafd2e649317b4c9805

      SHA256

      2157714bbce486b777fa2215e280b4847989a3cfb7026429f90d9cb671348f4c

      SHA512

      53e4b78e627e2169034c47ddedb5a15b364e809b33d30e04e8638fbd36464e74f63d741a7deb9f7ecbb522f57b5922eee5cfcd6a230faf68e74002afd9d8b926

    • \Windows\SysWOW64\plwldzpeinxtc.exe

      Filesize

      512KB

      MD5

      0c686706ac65fe68449447b49bc4508d

      SHA1

      75a6600f5c9bb956640f8cdf7fe8f9419f8d3f79

      SHA256

      bb49bced59a3c36d9f07f64392aa541f7b625e7f2edf185b57b6373552da1bc4

      SHA512

      9df29d0ce812a5c38ffbf83583dd9e35b78d03d667526e4127a77c18001d4c907d433dae2e274c8aeee28bc857bb5d5c256d68f04f6d0d026564a5fa4334a1d7

    • memory/768-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/768-101-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2288-0-0x0000000000400000-0x0000000000496000-memory.dmp

      Filesize

      600KB
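
Every dropped executable listed above reports the same 512KB size as the submitted sample, yet each carries a different hash, so they are not byte-identical copies and the hash list only matches these exact instances. The Python below is an added example, not part of the report: it embeds the SHA256 values from the Downloads section, walks a directory, and reports exact-hash matches plus a weaker name-based signal the listing suggests (a PE whose name ends in a document extension followed by `.exe`, like `PROTTPLV.DOC.exe` and `StopRedo.doc.exe`), noting the file's rounded size next to it. The sample directory the block builds is constructed; the report's own binaries are not available here.

```python
"""Filesystem sweep for the artefacts listed under Downloads.

Added example, not part of the sandbox report. Reports (a) exact SHA256
matches against the dropped-file hashes from this page and (b) PE files
whose name ends in a document extension followed by .exe, with the
rounded size alongside since every dropped PE above reports 512 KB.
"""
import hashlib
import os
import re
import tempfile
from typing import Dict, List, Tuple

# SHA256 values copied from this report (Downloads section and target).
DROPPED_SHA256: Dict[str, str] = {
    "51c2ac8ced20195e7c1e8ff5da5975bf90cd6efb2ee55ddc913cf5dafb6bcc94": "PROTTPLV.DOC.exe",
    "95cdce6fb39a00cd9c34294225e0d5a1ae8f7263ade3ab983be609d519dce537": "StopRedo.doc.exe",
    "48520f96bac462fa848a67dbf864d28879d02e68f1b8445b69490bcc092dc813": "ivpytuxdedtlali.exe",
    "daced9c5f6f9313b4a70da05da0fdd350a1690b8d570956ce282bc07728f2b83": "kosuamcfpi.exe",
    "2157714bbce486b777fa2215e280b4847989a3cfb7026429f90d9cb671348f4c": "ogcxpecg.exe",
    "bb49bced59a3c36d9f07f64392aa541f7b625e7f2edf185b57b6373552da1bc4": "plwldzpeinxtc.exe",
    "61344f96b80699a7fe8c95840205245c3c0acde18d860e015496e9da190ba9b9":
        "8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe",
}

DOUBLE_EXT = re.compile(r"\.(doc|docx|rtf|xls|xlsx|pdf|txt)\.exe$", re.IGNORECASE)


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def is_pe(path: str) -> bool:
    """Cheap pre-filter: only hash files that start with the MZ header."""
    with open(path, "rb") as f:
        return f.read(2) == b"MZ"


def scan(root: str, known: Dict[str, str] = DROPPED_SHA256) -> List[Tuple[str, str]]:
    """Return (path, reason) pairs; a file can appear once per reason."""
    findings: List[Tuple[str, str]] = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                if not is_pe(path):
                    continue
                digest = sha256_of(path)
                size_kb = round(os.path.getsize(path) / 1024)
            except OSError:
                continue  # unreadable or vanished between listing and open
            if digest in known:
                findings.append((path, f"sha256 match: {known[digest]}"))
            if DOUBLE_EXT.search(name):
                findings.append((path, f"document extension followed by .exe ({size_kb} KB)"))
    return findings


def make_sample_tree() -> Tuple[str, Dict[str, str]]:
    """Constructed stand-in for a host: three files in a temp dir, none of
    them the report's binaries. Returns (root, {label: path})."""
    root = tempfile.mkdtemp(prefix="ioc_sweep_")
    files = {
        "decoy_named": ("StopRedo.doc.exe", b"MZ" + b"\0" * (512 * 1024 - 2)),
        "clean_pe": ("clean.exe", b"MZ\x90\x00"),
        "text": ("notes.txt", b"just text"),
    }
    paths: Dict[str, str] = {}
    for label, (name, data) in files.items():
        p = os.path.join(root, name)
        with open(p, "wb") as f:
            f.write(data)
        paths[label] = p
    return root, paths


if __name__ == "__main__":
    root, _ = make_sample_tree()
    for path, reason in scan(root):
        print(f"{path}: {reason}")
```

Because the per-copy hashes differ while the size stays constant, a sweep like this is best paired with the SSDEEP value from the General section (via a ssdeep binding) or with the registry and process checks, rather than relied on alone.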