Analysis

  • max time kernel
    149s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
  • submitted
    31-05-2024 11:53

General

  • Target

    86e8bbed71045fe18afdda2247e74c12_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    86e8bbed71045fe18afdda2247e74c12

  • SHA1

    a55258f83c441e2d72d0ce7d66327d91f4c8c5ae

  • SHA256

    aa19fab72eda55a0169a3b063054cd76e1494eda391018b31542ee70a057c001

  • SHA512

    336d5336c89305ec778ed2853d24e02a8dbf2355d08f304c942661445686b9449ce97c764ac1d581f5c75c744c8bb833da149f05ae7e6c870e93db80871a08b4

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6p:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm54

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 6 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\86e8bbed71045fe18afdda2247e74c12_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\86e8bbed71045fe18afdda2247e74c12_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2864
    • C:\Windows\SysWOW64\inhvmlmibj.exe
      inhvmlmibj.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:3020
      • C:\Windows\SysWOW64\pgodledc.exe
        C:\Windows\system32\pgodledc.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2376
    • C:\Windows\SysWOW64\uboznabjhyuddfi.exe
      uboznabjhyuddfi.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2636
    • C:\Windows\SysWOW64\pgodledc.exe
      pgodledc.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2668
    • C:\Windows\SysWOW64\zegzylpepvutd.exe
      zegzylpepvutd.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2452
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2444
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
        PID:1832

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

      Filesize

      512KB

      MD5

      816062a716527ce03f74eb8c2027b84e

      SHA1

      4c08a36e4a19b3529ca8592f8beb05e7c7f25b20

      SHA256

      e75a627283a424229aa55b003e04cac4509210cf482ddbce4879a8d0bc9560ee

      SHA512

      78943308f4884e8d3fb56eb70396be9910cab384a64511e07d4a95a805f7d01088cac7fd604422218d563ef4120790378367262e2352d9f4186ca92efc98165b

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      20KB

      MD5

      eee7aaea150b75602071e982b1990c3d

      SHA1

      1d9b0ab4ed03060c41934c9f889953ef6951c05c

      SHA256

      74e998a7e620b27dc126897795943170a309119833c0c09611d93fb24eb0ce64

      SHA512

      ff5d0be90053afafd0f5d56713f4f57a0119194945f50b1423eeaa79e03bf2cceee53e14a631e1f083023c0880e69e2ae33de2005b6a00eadc51a1d96cbe5f33

    • C:\Windows\SysWOW64\uboznabjhyuddfi.exe

      Filesize

      512KB

      MD5

      ef6eb4dfc484ac509ea7fc91b7de64da

      SHA1

      4c22357e95f33a8be299536c485ee175e19abec1

      SHA256

      0f98fe74269cfc09588d9450551c056979d5e33f2955636b534a795a20db2da4

      SHA512

      9c6956571cd6b458608924404e1687dead8d5f62cee07ae034739538ffad6bcfafc79adceea9197172e6114d5d97a22de2248cffe932891d24e8c49b1c9d0e41

    • C:\Windows\mydoc.rtf

      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    • \Windows\SysWOW64\inhvmlmibj.exe

      Filesize

      512KB

      MD5

      bd7d367d1779076296e96f621c81eeaf

      SHA1

      ff7c47f2c03c2b780c0942952ba1d52e20d46bba

      SHA256

      96ea08ac0a55daf2ccb84fbf28abe86fac4e294e6acbc8f5f132e936c205389e

      SHA512

      540f60a0fe4217d981275ac47d8af87df705e761ee5001cd980478dcb5bfa92fe18034a5fe90fcda3946c1ad46a35d6e6d3396636b542df336b2590bcb7b0b10

    • \Windows\SysWOW64\pgodledc.exe

      Filesize

      512KB

      MD5

      39b162bd2d199a9b63972ef8d5cd657b

      SHA1

      38359f3cabf6a56ea2b72dc642b0de794c4734a4

      SHA256

      8f9f895da99f99f8fb454ebace43ecabf0770e3bd956defb04aad1ce35166f26

      SHA512

      a47435fce05531429033a32a057f3e01a049f596fe0da115ab30fef57b4f9800910a3140524e9e7b88871719ccdc3e6b3a27bbeaf58254b5e6080632c1de08af

    • \Windows\SysWOW64\zegzylpepvutd.exe

      Filesize

      512KB

      MD5

      13716022ace81d24f500933f47179503

      SHA1

      8372b976eda9d7fc2b538bb06709621b7461cb2a

      SHA256

      17b7335a4b7505de2ab433c7d783414a330a3dc087c88b7ac90f6d446c71cc43

      SHA512

      13537c91716c735279fabec649998a6e9b97ee5d718c404f23936c93e8fa484f2bdf23e8d7f364b25b668abe2c4ae4c646fdffaddb1df19cfe14af1372718b2d

    • memory/2444-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2444-94-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2864-0-0x0000000000400000-0x0000000000496000-memory.dmp

      Filesize

      600KB