Analysis

  • max time kernel
    150s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    01-06-2024 03:25

General

  • Target

    893cea07129af938056f726cdc6c5940_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    893cea07129af938056f726cdc6c5940

  • SHA1

    bc69405ea6380e33cc28e3e31c456784bb1815f7

  • SHA256

    a736f4f4091ec120fba8ecd0cdb1c1058c1ce959d5ae7a8d731bfe5dd83dade6

  • SHA512

    9f036eca881953cce748c6cbac62a69f5e754ded712836f3ecf3ca1a6700bbead9b874a3f908f02ca73c1b7c6989c8b4e47bf6044751e5a641a2c05b20a7a57d

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6K:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5z

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 8 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\893cea07129af938056f726cdc6c5940_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\893cea07129af938056f726cdc6c5940_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2820
    • C:\Windows\SysWOW64\ywdhaboqrw.exe
      ywdhaboqrw.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2844
      • C:\Windows\SysWOW64\hnslamjx.exe
        C:\Windows\system32\hnslamjx.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2372
    • C:\Windows\SysWOW64\tbdhtespwraitta.exe
      tbdhtespwraitta.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2128
    • C:\Windows\SysWOW64\hnslamjx.exe
      hnslamjx.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2488
    • C:\Windows\SysWOW64\djkjurnobrume.exe
      djkjurnobrume.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2528
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2392
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:2004

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

      Filesize

      512KB

      MD5

      5c65347e91044134d70080a9557f4df5

      SHA1

      e04766ff280e6b9f2b0565bd85f47088c8d0d1bb

      SHA256

      486a6406ac674bcca7efeae940fe5cc7bca2c662d532ef357b68a70b1ab46e0c

      SHA512

      8a396543a622d941c5684dca99633f3cf01c29ab580fbc7d5dbb6b457aff7e3db132edb551ce3d6052c57ad0c4d19ea2f288f37de213eeab57566591048115ca

    • C:\Users\Admin\AppData\Roaming\CheckpointConfirm.doc.exe

      Filesize

      512KB

      MD5

      1cc647df5d2249992c4e4da2269cfd5a

      SHA1

      05692006c814b09fceb9b8382bdf89098cb9f8ad

      SHA256

      3e64571aced10247d37f6f611ed8bbdd0da9dce832d9472de85198156fdecb19

      SHA512

      2dc3ca30e428c83c119c983faff1ebe22df65ccb9a87f352b693c08b0c299c8d7b485bd7067cf26b911b484a27e643b70700cbeeed3869afebf4f29bfa1d441d

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      20KB

      MD5

      1b1fee3d0da7eef237f8e192ef5feaff

      SHA1

      c7c85c360cb4d4285487c5cb18b92dceded6038d

      SHA256

      977ff0c5491035ed6c84c019e189b880360b5d396d03c9981e5bcf8d1d2d5ea3

      SHA512

      9b19bc89eab0e3f3de0fd0d92cdd73805e1a2891269eb3e05b1fd4b956cd9353077382b5a359ff5f6816c0e544447170685089abdcf2c14ddae743f895deff91

    • C:\Users\Admin\AppData\Roaming\RenameRestore.doc.exe

      Filesize

      512KB

      MD5

      d80901de6469f39ece0492de1f8cddd0

      SHA1

      778aab8d9a2839f0a6afccc4648a04ebe0e60e79

      SHA256

      cbb5b8c12dca6545d39fc03b5341b2bfd9163af988bd8ade0677d2634f2e4c23

      SHA512

      5d7fdd5e1be67b23f58c08252b85059ac5c27ec1cff808b6a6ed6a4ea7ee88a5eb7898bb3a6f5f80a28719563b2360be990c08ca8379f4dbe82c18a3cbefc4af

    • C:\Windows\SysWOW64\djkjurnobrume.exe

      Filesize

      512KB

      MD5

      bc92c4228da79546342c2c3743e8e7d0

      SHA1

      a9d987af051782b77e8b3c2ac10897efc56f13f1

      SHA256

      956bfcb0b457e47818b5bc7281f659dc318ee1b74c10c8fda35fae6a5492ac64

      SHA512

      bd2bd56d2c635b309e3004d3254c696f4aea7fd3e7da16c9c4a5db0382f6b5a02e625232a204b0ce3f79f298e9a5e8f349d2e20694117df9be7555e4c15c263d

    • C:\Windows\SysWOW64\hnslamjx.exe

      Filesize

      512KB

      MD5

      43412d9d61ccc82cac9367c860609144

      SHA1

      9fd19ec6f0c0c7e543a3598bf931b0450bd6a44e

      SHA256

      b23efd6ef8a323172e619cd2bfc85a12447a46bee820309ab3a27a1ec3a1ceae

      SHA512

      dd63d4522fbffdc7292626ebf6868f2635076933909590cef499f07c10b2d9834e4fab39118db5f4eeea1fc43f6bb7a258d76ced247688d5d9cacad03b48964f

    • C:\Windows\SysWOW64\tbdhtespwraitta.exe

      Filesize

      512KB

      MD5

      49ceb22fa47ceae109b869e77322ccbf

      SHA1

      24181a93e88c28e650512f877198243119cc2d3c

      SHA256

      6311cb2f712e22540a528b399eb8cde875a91409c1233b0efdcd8340c3b6c8cb

      SHA512

      b850ae7e9226619b8bbd67549052118cb24c0db3ffc3235b53b846b874ad494ce03a43eb6511ca5e3d3ee97663abc6258d2b9504fdbcd7ebf4969e03b4278ea4

    • C:\Windows\SysWOW64\ywdhaboqrw.exe

      Filesize

      512KB

      MD5

      9bae5ef8bd811775a4ccfd913bcf4132

      SHA1

      9c7da8947c5403daf11be933fde7acd94c5a5879

      SHA256

      1e200c8da80ea32bb2b6f8847dd6b7b111b0ab75429dd48499c3bb8f447b65b0

      SHA512

      43fb496ebe6c93c71e554fa82f594f822e74b95b4d9e0141d753059c0135e65e53e739687987369bf314033c27c522dee2b8618440de4a50d8002d59989c39e7

    • C:\Windows\mydoc.rtf

      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    • memory/2392-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2392-105-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2820-0-0x0000000000400000-0x0000000000496000-memory.dmp

      Filesize

      600KB