Analysis

  • max time kernel
    150s
  • max time network
    136s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30-05-2024 13:16

General

  • Target

    8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    8446c3639a6f4ec5a9935ce446ae2728

  • SHA1

    9cc04840fadd4d6591ad87e40163ec9e571b7e27

  • SHA256

    5e5cfe9f55fd36f4c0bab6ebad0d7e5dfa7749c94dcaed927697f3394fa1f933

  • SHA512

    9466103187a0a1c857977cd5fefd342faea23ef287e332bb6b980a204b229f99f0adec80da801a4fd6675566952e62660d9935e02edd1dd952eeeff678ab70ca

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6w:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm57

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 11 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2560
    • C:\Windows\SysWOW64\pjfwyfudrg.exe
      pjfwyfudrg.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:5040
      • C:\Windows\SysWOW64\wfofyuon.exe
        C:\Windows\system32\wfofyuon.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:5044
    • C:\Windows\SysWOW64\adinvvodyymxraw.exe
      adinvvodyymxraw.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4928
    • C:\Windows\SysWOW64\wfofyuon.exe
      wfofyuon.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3788
    • C:\Windows\SysWOW64\umynkhngvsyxj.exe
      umynkhngvsyxj.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:800
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:2400

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

    Filesize

    512KB

    MD5

    e5bb41c30caa3757ff99fecbd8ab0650

    SHA1

    53c6c14f9114d4bf9f203182c0646adeda67aeb6

    SHA256

    4003cb5eaa110e4d6d512b9df9840acffefe1c8808fb576ab77f5f977859549f

    SHA512

    94f13b4a9e42e9b9af7d766a5e436d5da6dac8f46569e6304b4eb274884de7a99723e5b072ba4bae6a0df3e3d526b1fdd2a1b4fb802071389a64c7ec2c433570

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

    Filesize

    512KB

    MD5

    2d7665f0f2b12f30326913a5f6cfeac5

    SHA1

    461b263f93cabbc356cd6e56e9e72e3b0e90f90b

    SHA256

    d702607e7539d47908e11f9e51a168f555337f5ad568d70bbba8e1310bb290fe

    SHA512

    78e507d17888cb96150724bfab056b84b90b8d971f520f13c187d88353830f292702f114ac8c33276e1ced032b604bbce3a29b83984efc2495564ca79dab2b92

  • C:\Users\Admin\AppData\Local\Temp\TCD8F31.tmp\iso690.xsl

    Filesize

    263KB

    MD5

    ff0e07eff1333cdf9fc2523d323dd654

    SHA1

    77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

    SHA256

    3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

    SHA512

    b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

    Filesize

    239B

    MD5

    12b138a5a40ffb88d1850866bf2959cd

    SHA1

    57001ba2de61329118440de3e9f8a81074cb28a2

    SHA256

    9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf

    SHA512

    9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

    Filesize

    3KB

    MD5

    594ad1ff4dfa1e95be01dc288bcc115d

    SHA1

    dc4549ae523f7289276131789ae3484e196d330e

    SHA256

    09a2d33f4d346420e22fcaf484b9a746c7c56a81fdc2e529d52cd5c5521691f0

    SHA512

    1c7d198d374dd5f812d5cc7c3e3c572962d497dd41c1d7161c2db5db46182581db824b6a306967729f23f71bc6d8419e6e7f69d5e4a865944a4986ac796d4b49

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

    Filesize

    3KB

    MD5

    3ca6f369647deca4e9dd8820d76629cf

    SHA1

    a2bc8f17db965a63e936495c7162a4c88996ebf5

    SHA256

    73d25fdeb00b06ec80d071aa1436bfe46c0f7a62c501b6d37abfb58ee8c719ab

    SHA512

    09f5cb7aaa01b93fd7ba9a0daa55c5c9eeb8d5e349b19feaaaa115e1e4b56a93bb6873d9ddefbc37eee7064b12ff003bdf9a254522e6d8a2145c04b38c41820a

  • C:\Users\Admin\Desktop\UninstallUnprotect.doc.exe

    Filesize

    512KB

    MD5

    76f120767dda4870d2f70a0cc36eb1ed

    SHA1

    0c0f177afd006fb7c881d7c2ae69342bde3cbf87

    SHA256

    5a0e686675f54411f0eaa50e9ed1878e070d85c3e72430892219625040cef9e1

    SHA512

    e9945bd0c9a9994dc57311f3572ccd9e5629dd2dd623134d6cbd6e312bd074fb1c87a00cefcccc18fef2b5a023e04b4695861f3c11ce431467d6caeb501b0e7b

  • C:\Users\Admin\Documents\InvokeSync.doc.exe

    Filesize

    512KB

    MD5

    75891ff33505abd63e1d817fcc6b2203

    SHA1

    3ed0b3d67627930063e1fb20779b35a3e83f5c0f

    SHA256

    5c1f27118d72577fc1d94af952a98effd79cc9f5e61b239829c6810f471593fe

    SHA512

    3cc7c09b8de9877b6cf7c9ea72379146801393c8b0a11598a8d3d2cecd6d3b64da67d4a7a9a7df11d562e6f58c46ffb8a6d200ab230899809bdfe0b9a7bd653a

  • C:\Windows\SysWOW64\adinvvodyymxraw.exe

    Filesize

    512KB

    MD5

    3b7ecebd45af6f5d36e9b02db9730bc8

    SHA1

    c04a0c3f770c782e5592ad623d5675d337159d66

    SHA256

    e3d46217de88932da2f3352ba561e868036241665191752c8ab92bc6e5c70525

    SHA512

    eb59bf11745edf9b1cb799c3ae538a88397a02a36000a7162c064515ab2603356b9b043a9b4c27a7a9f4f60b21b76e05f1beff412cb3e2a506b2fab90b327b8a

  • C:\Windows\SysWOW64\pjfwyfudrg.exe

    Filesize

    512KB

    MD5

    816e3c3b5a8d48232cfd37e9920195b8

    SHA1

    58327415e300ab33aab75a6a08f3d2a3e06bc872

    SHA256

    dc21bd75c220d3c4b163e596a35acda5c49bc3697af7023df4ee6e5b8f0004f4

    SHA512

    550208a0c38bf146c568c22c18ecfb91b1d07146bbc55ecefc2ce51327071fbfb1b2be73999eb82eff47d3117967f433f9a6101b110bb09fd4a639d07092a872

  • C:\Windows\SysWOW64\umynkhngvsyxj.exe

    Filesize

    512KB

    MD5

    3630b8327ef7583c7d3f307c9dcff27f

    SHA1

    9d7192260a78038c343d52dd0010e1b42a3e9d08

    SHA256

    8588b60f9bc752a85cfe43432315fa6a42616f6750e9d2a4bf876a757a22c9bd

    SHA512

    b42d55496f4aaee58fb01da3b452821db3a5ea3ba757137efb99fec1604dc6156323740fa7e3c2b1d3184d07012217dfe099eac1048c3ee9b2af350eea4c4c6f

  • C:\Windows\SysWOW64\wfofyuon.exe

    Filesize

    512KB

    MD5

    c3abbce300cdc35909cf86c3e4dd1c68

    SHA1

    3fbb952df6accb8e158f6d4909f5ecd140b89dd0

    SHA256

    b8de81be4b53ad63f662b9a7cecc302c0b56b84e055f2db56e73c95174dd5d19

    SHA512

    36fed33385b630c0a516b26344f0c80186ba833f7659d1e36cf0105fedc02740c6693368e39e61458fbf8dff7a623a971e7e5cb1dd26e0afdf26cdc12ffdfa33

  • C:\Windows\mydoc.rtf

    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

    Filesize

    512KB

    MD5

    dfc4889f7fb60fc651a87056093f85e6

    SHA1

    132272f00a8a990a0b8319cd22d84ba7868718d8

    SHA256

    aac8b3deafa10d3957622fa8341fe0bc7c6bc858cb5d1fd158e5019b84ef2899

    SHA512

    1a38ae9be1aaabfde99402c8b410b24c4bf31ac7f90aca3d3b9543b743b6506935400b428fc3fe2605a9882635d3cacbf68d61ece3cd0d05bfd4a5d928d466d5

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

    Filesize

    512KB

    MD5

    06d6215360624cfb5210394a02bca60b

    SHA1

    66b835e2c15a1e60309a342731c597caf4d03e58

    SHA256

    a0ad7db387d678eb0c7f95d44d5706b89927ebaed3133b8c503bdd6720c537fb

    SHA512

    36a64dd17d8b5bd312e99d011409ab81fc460f795d071e06ef8681fe7a21fa5dfee9981f626bd642519648b2e4d5bdaeccebb6011374245f77c5cf372da0c0c0

  • memory/2400-41-0x00007FFF28C30000-0x00007FFF28C40000-memory.dmp

    Filesize

    64KB

  • memory/2400-40-0x00007FFF28C30000-0x00007FFF28C40000-memory.dmp

    Filesize

    64KB

  • memory/2400-38-0x00007FFF28C30000-0x00007FFF28C40000-memory.dmp

    Filesize

    64KB

  • memory/2400-39-0x00007FFF28C30000-0x00007FFF28C40000-memory.dmp

    Filesize

    64KB

  • memory/2400-37-0x00007FFF28C30000-0x00007FFF28C40000-memory.dmp

    Filesize

    64KB

  • memory/2400-42-0x00007FFF26730000-0x00007FFF26740000-memory.dmp

    Filesize

    64KB

  • memory/2400-43-0x00007FFF26730000-0x00007FFF26740000-memory.dmp

    Filesize

    64KB

  • memory/2400-613-0x00007FFF28C30000-0x00007FFF28C40000-memory.dmp

    Filesize

    64KB

  • memory/2400-614-0x00007FFF28C30000-0x00007FFF28C40000-memory.dmp

    Filesize

    64KB

  • memory/2400-612-0x00007FFF28C30000-0x00007FFF28C40000-memory.dmp

    Filesize

    64KB

  • memory/2400-615-0x00007FFF28C30000-0x00007FFF28C40000-memory.dmp

    Filesize

    64KB

  • memory/2560-0-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB