Analysis

  • max time kernel
    150s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30-05-2024 13:11

General

  • Target

    8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    8441f9b5930b9ac744a512ef31fa8362

  • SHA1

    17e1c9b51b782e6013a213d1eaed9606601492a3

  • SHA256

    61344f96b80699a7fe8c95840205245c3c0acde18d860e015496e9da190ba9b9

  • SHA512

    a003c494c5b22606255b55d00b994be22dd14fd6cd97424fe3269d52fd804f166e91974743f496c83c9db3935ffeb64ca7656c47db3e44388925532e1b7d33a3

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6i:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5J

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 9 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\8441f9b5930b9ac744a512ef31fa8362_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4028
    • C:\Windows\SysWOW64\fovebpkwoh.exe
      fovebpkwoh.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2564
      • C:\Windows\SysWOW64\qpzqfsak.exe
        C:\Windows\system32\qpzqfsak.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:864
    • C:\Windows\SysWOW64\tdpddnfjzzpkino.exe
      tdpddnfjzzpkino.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4060
    • C:\Windows\SysWOW64\qpzqfsak.exe
      qpzqfsak.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3740
    • C:\Windows\SysWOW64\vijsdmatvtvfw.exe
      vijsdmatvtvfw.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:5008
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:1264

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

    Filesize

    512KB

    MD5

    6986a94a886100c502276b7917ea5079

    SHA1

    704d819d7910fcf86eabf0ff3022c3edb0c29558

    SHA256

    fe8656737a7127d1dfe48af87d1830b45e4ab9ce2becee2f97bcbc73ef534d1b

    SHA512

    4a3aab3bbcae65d936caee275ffb216d78a5bdb526a747731469c30564f9e9e8e649baa2661f44ade03b9a3481edd56d0eb7b34b76f27704fed68144c6882fc6

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

    Filesize

    512KB

    MD5

    8396f70d018a1af4a349ecfbeb076bf9

    SHA1

    94b373d823ca490273dade8ce14ad21118e6f947

    SHA256

    5a6c600082545c17eaac94120f31f1c8634610735a384e95167c9fa1f766ea25

    SHA512

    95b17edf8e553b00e9556e8feb0d31b6434c4551d6e25265aed689be134a114df6347c8a78825c5bf4973551989735ccfc575e4bf836bf4f9aa8bad303df68ac

  • C:\Users\Admin\AppData\Local\Temp\TCD8422.tmp\gb.xsl

    Filesize

    262KB

    MD5

    51d32ee5bc7ab811041f799652d26e04

    SHA1

    412193006aa3ef19e0a57e16acf86b830993024a

    SHA256

    6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

    SHA512

    5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

    Filesize

    239B

    MD5

    12b138a5a40ffb88d1850866bf2959cd

    SHA1

    57001ba2de61329118440de3e9f8a81074cb28a2

    SHA256

    9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf

    SHA512

    9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

    Filesize

    3KB

    MD5

    750c61c82621e0e71398825005faae30

    SHA1

    c698e8e4c5c8246d0e78076cda079a3f4ce353b9

    SHA256

    e5b91cf152a43110b063f1800041542f264b54d62f43d50442ce790e3ef4b1b5

    SHA512

    532811120f2995f2fc9f2a575ae479d01b6fa576a90b2b086537d097110b3f061e9f8fe03e9829c4013dbba002ba723fba647e01a7aa3d7a442dcfd8a91e0ef4

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

    Filesize

    3KB

    MD5

    a8055ac95b4846d8358568eab092943e

    SHA1

    6451ddeb7d1cad8fada52e8820ad74d5d55ddb42

    SHA256

    762232ed23b2dac01566f2109d71fe0065a2e369fa74d0eff04290ac00ba6d3b

    SHA512

    2bd75c8bb5ee5b55602a4ebefaff142a56ba74ee8000611573b9b6deb0f6b3e6ff7d758b6a3dcab447e4ad9ba64dd70d882565e78a6ef9caa94137e703d7e731

  • C:\Windows\SysWOW64\fovebpkwoh.exe

    Filesize

    512KB

    MD5

    905aa9bac285f38834641e6f7fda30e6

    SHA1

    bfcb4e5a9769455fb9f2d0a093f3e5f275265f62

    SHA256

    f1ad8b3cad615a314b74c2559774aa4dd81a73a27fef0b11a6ccb529976bfd91

    SHA512

    e02dd30f42f029c93d36a84c5bb8325adac6ba36056ff084f8f1f2a1d5692fbc3400bf372aaaef9c7bc8c67fe43f458af0b7b9724f674359662b9258a30bd295

  • C:\Windows\SysWOW64\qpzqfsak.exe

    Filesize

    512KB

    MD5

    1fdf95ccec8b392c9bb15794a295f821

    SHA1

    0500569d10f05759df8a03350d02a8ed56f03198

    SHA256

    7755fcdf8896fd014315136096dc7e476e9f31186b16d156825b86dec413e9ce

    SHA512

    ce064ce7a3b58eac4401848d2fb420d88c38cb6bab91855c8b48af74a81c5c054eecfce1311b61d11c15089d4174f266fc58aa2433f5b8f748988829f3ccad11

  • C:\Windows\SysWOW64\tdpddnfjzzpkino.exe

    Filesize

    512KB

    MD5

    9487ffabb37210fc1fc3969cb324a427

    SHA1

    e901e39205802a30e4aa34c7097dccb199100235

    SHA256

    d16cee154781b04a5b030db8f1d7cf50e01dee9ae868a98442012bdea94fd30c

    SHA512

    13221a5668769b0abd3e1660b1936f9082549f88e394a635373ff970eec3623ea65613b7c73777301d104eed6847f1b07d2d9cceb3988450e497a606251af661

  • C:\Windows\SysWOW64\vijsdmatvtvfw.exe

    Filesize

    512KB

    MD5

    5d5e84ee8a970eb93aa95a286807f714

    SHA1

    f1ea11d265ccbef2389705a4d0fedd41781776c9

    SHA256

    7d9f5454ab41e8265fa54abd810e94042ff1f03c2641904386fcb1bf0a1c0673

    SHA512

    1bd8611f3071664be740db4fbeecd95db57320f06a67c2a252c681ba8f6e8654db834f6555885f4b25083f10071abd4c1b2123baa88576e2d5ef333aa3c241d0

  • C:\Windows\mydoc.rtf

    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

    Filesize

    512KB

    MD5

    d6bb51088118cb8c169d55f3f2425917

    SHA1

    abab2fcbc33237e15f2168b133d7712d1cda3ee0

    SHA256

    b4aaf1c406674ca10a50e94149f3104ca61002bb0fab2500479d35188ec22b62

    SHA512

    496231bc8b3187cc5a3ca0daf0d4569e81a56463bc0ee1ab71d25d5a3256d49c593bece261625320310d95908a498203da030b7d67e11e815c868f05a5e41c06

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

    Filesize

    512KB

    MD5

    3f7040b295263703e6dd149ee61eb253

    SHA1

    b9263e964645157b7bd883b0b9ae4bbcb5f77de7

    SHA256

    1446245365f219f148c25f0655ac5c3b33ed83398d139adb0e27505436e0ac9e

    SHA512

    072efb9c2114326a58baf3c912fa14136b051c9dcef28f9689bb2268c65ba43b77c8c9d3c84909037b133a86d15140cc03986d7faded7c9b477d910408792080

  • memory/1264-596-0x00007FFCBE990000-0x00007FFCBE9A0000-memory.dmp

    Filesize

    64KB

  • memory/1264-39-0x00007FFCBE990000-0x00007FFCBE9A0000-memory.dmp

    Filesize

    64KB

  • memory/1264-38-0x00007FFCBE990000-0x00007FFCBE9A0000-memory.dmp

    Filesize

    64KB

  • memory/1264-36-0x00007FFCBE990000-0x00007FFCBE9A0000-memory.dmp

    Filesize

    64KB

  • memory/1264-37-0x00007FFCBE990000-0x00007FFCBE9A0000-memory.dmp

    Filesize

    64KB

  • memory/1264-40-0x00007FFCBC190000-0x00007FFCBC1A0000-memory.dmp

    Filesize

    64KB

  • memory/1264-35-0x00007FFCBE990000-0x00007FFCBE9A0000-memory.dmp

    Filesize

    64KB

  • memory/1264-43-0x00007FFCBC190000-0x00007FFCBC1A0000-memory.dmp

    Filesize

    64KB

  • memory/1264-598-0x00007FFCBE990000-0x00007FFCBE9A0000-memory.dmp

    Filesize

    64KB

  • memory/1264-599-0x00007FFCBE990000-0x00007FFCBE9A0000-memory.dmp

    Filesize

    64KB

  • memory/1264-597-0x00007FFCBE990000-0x00007FFCBE9A0000-memory.dmp

    Filesize

    64KB

  • memory/4028-0-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB