Analysis

  • max time kernel
    150s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01-06-2024 03:25

General

  • Target

    893cea07129af938056f726cdc6c5940_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    893cea07129af938056f726cdc6c5940

  • SHA1

    bc69405ea6380e33cc28e3e31c456784bb1815f7

  • SHA256

    a736f4f4091ec120fba8ecd0cdb1c1058c1ce959d5ae7a8d731bfe5dd83dade6

  • SHA512

    9f036eca881953cce748c6cbac62a69f5e754ded712836f3ecf3ca1a6700bbead9b874a3f908f02ca73c1b7c6989c8b4e47bf6044751e5a641a2c05b20a7a57d

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6K:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5z

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 11 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\893cea07129af938056f726cdc6c5940_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\893cea07129af938056f726cdc6c5940_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1748
    • C:\Windows\SysWOW64\ubzsqdftcq.exe
      ubzsqdftcq.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1224
      • C:\Windows\SysWOW64\dcyiirsm.exe
        C:\Windows\system32\dcyiirsm.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1964
    • C:\Windows\SysWOW64\gnybgpxltylqdrg.exe
      gnybgpxltylqdrg.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3976
    • C:\Windows\SysWOW64\dcyiirsm.exe
      dcyiirsm.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2284
    • C:\Windows\SysWOW64\jxoskrspcfilp.exe
      jxoskrspcfilp.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:900
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:1192

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

    Filesize

    512KB

    MD5

    611fa7e88ecc4b8c4e5eb6a81906b505

    SHA1

    50329b3a21759e0477e6f8ae9d57c13bfc5dc1f3

    SHA256

    5eac9876ce7db89a7caf2d5743f094a4f89696ec5448b5d418d8b8549d31771b

    SHA512

    f5571392b4efc83f45f048d88954a46517ed99da44f69e3bd81867f2b463213fbd0766c370cbf821ae64abb77676a0331e5b51b84b6b94d6b8023d6cc2e4c19f

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

    Filesize

    512KB

    MD5

    eff59d9177c314e081b4210460ac3bc5

    SHA1

    a7086682e9237ac5ab808316301c9bd1283f17c3

    SHA256

    152981ded86e7df909746b4689edc1a3c4bd44058b1cd2c3de9afd1bce8a2dc7

    SHA512

    4e351454e12b5aba658696f517464410b2c69ca27e552397fb754402133fcf0778b525263afec7258429366510553cf8a56d95be708eda1c3d17a99d39c93177

  • C:\Users\Admin\AppData\Local\Temp\TCDC335.tmp\gb.xsl

    Filesize

    262KB

    MD5

    51d32ee5bc7ab811041f799652d26e04

    SHA1

    412193006aa3ef19e0a57e16acf86b830993024a

    SHA256

    6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

    SHA512

    5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

  • C:\Users\Admin\AppData\Roaming\EditSplit.doc.exe

    Filesize

    512KB

    MD5

    d408363dfb622d04a2af9a0094179384

    SHA1

    521ef1852610377375e6be8caa68755596b16204

    SHA256

    24973d712a0e902c287d47e0571a5d0eada8ad7863f587666d6d753b694a6302

    SHA512

    deea8e366b2d03b61a2c5def7f045bad258cc1951abef7b7ebd51e4bb4f960c37989fdefd1e65016a1f8ef0bc833f426c7682716e672a0f187d65c23ddd3bede

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

    Filesize

    239B

    MD5

    12b138a5a40ffb88d1850866bf2959cd

    SHA1

    57001ba2de61329118440de3e9f8a81074cb28a2

    SHA256

    9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf

    SHA512

    9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

    Filesize

    3KB

    MD5

    0a3443ed2a6e22c6e64699121d176eac

    SHA1

    e207b038127acdd8bff0fb2fe0b9227a01948056

    SHA256

    70b19f7538904fa274eb855ded00535b3ae87bba372121454961cbdbbe54f519

    SHA512

    1f57016810bbf3fe7b02b7331e5d14524a06621fc126a4dc84e4d011bd20857226db7b47a173d4febb4f0a897e49ae8acb5506730778f298ea156219dbaa8436

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

    Filesize

    3KB

    MD5

    f0e29495d70d1402c41217a2d85fbe59

    SHA1

    931bff1279c07637ceb3e1a1d6e5edce83bad82d

    SHA256

    28cac614ca8c0edeb2433744820f4b0729329c711edd1d41d3a7c94b8e6520b5

    SHA512

    354261ee0c1012fabbce84d3018d4875667352d64e102fa1b9d568b9e8f0fb590de2a0909e13e8df46b862ada3f3acd9a7b4b5caea6bb8dd16aa15ea5011e43e

  • C:\Users\Admin\Desktop\UseEdit.doc.exe

    Filesize

    512KB

    MD5

    c6d9d83cb39d91a65b7dee35a1f08cd7

    SHA1

    218c78e80eeb4db007f9b246effdb72723685f64

    SHA256

    8e83342a5ecea284c710faf6e86c3e4477ad9f87e0f90ea7f48a699dbb2842ef

    SHA512

    509d31d8890d92b84231fcb517f313346ff8d8c5f3faedd89d05277b031ab924b571ce4366b73b0a46f46fe5837d125fb9a67eb27d7118220b55792012877152

  • C:\Windows\SysWOW64\dcyiirsm.exe

    Filesize

    512KB

    MD5

    90f8c29ae0234de0418363493b51244e

    SHA1

    3735398577fc7924f210ab61f69ebab5b56a2696

    SHA256

    03cebd5d6c7a9196e02b7185f84f892607bd3b22d2bbc15e7b93154352cce2c4

    SHA512

    38e3f89cc10842c3772110f9c0d935e263bf28cd838e5768494f0d1135cf20ac7ab374c2f6592b1f00a591afa06fe6d4685c5160281b715a1d8647628d17b47e

  • C:\Windows\SysWOW64\gnybgpxltylqdrg.exe

    Filesize

    512KB

    MD5

    11257935860cc9d414c7fa2adff49afe

    SHA1

    d0b052622c1e70bb455d2661f91a667c7a5f1ea9

    SHA256

    fb1bdb3417cd5235562a9a0366cc66f36e1cc5a31ebd2fe593e3249f22294e59

    SHA512

    d710817d9e5fee6a18516bca710809e9b4b514616a0c5d60dc1b9a3d3703cb20c9d6f57f285574d6910e1dc519f9b3d71cdb5c7674a0d72c56daafbbca525ba7

  • C:\Windows\SysWOW64\jxoskrspcfilp.exe

    Filesize

    512KB

    MD5

    c9900c097bb688071897bf0ee5e6d863

    SHA1

    1a5541923e29eeacf6769ae38aa5e53af8142032

    SHA256

    cc5a246ae55a6f8f594eef44965a365f054488a03acbb47caebaa2a1c44eae20

    SHA512

    4ab01e6ba12c70a58698c072a41c21d61874141aa8582409cb05aec85a4798ff56b1268fa2596388518b8f8a927459d3e543d12d0178ed1530b6d0d721bdeb96

  • C:\Windows\SysWOW64\ubzsqdftcq.exe

    Filesize

    512KB

    MD5

    b9fee795311ee3c38cc8d5de0da668f6

    SHA1

    9623424e915a3467473307e8072d03ee6bff3fb4

    SHA256

    a686df3a383225f5bb603a693423a0b4597cf1ad54ce77563fde79d74e0f2793

    SHA512

    0351d5c2088809fe308f6f1c754201594a3a17ebc7b6df171410eac688485a9a64b2d21290c38ff68e70e50a8cd7d3a313862afe45cadbb115bd6b5e29f15839

  • C:\Windows\mydoc.rtf

    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

    Filesize

    512KB

    MD5

    2b0f8c2878bf798e0176d6d182b3cb3e

    SHA1

    7fe0794d2095ca737c86359923a9c00e7e42ff5e

    SHA256

    82005c03d13e46a3e9680de5adf5bb2af153774c109fb4b19fb33f0cad844c46

    SHA512

    58ab7852cc8a26c18af73f62ccf0cc1d4140b293773b67739d795993800e1d15601fa13e3bb8d979462c988024b281cea84c271d0a0451ba5543bffbcfaacf84

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

    Filesize

    512KB

    MD5

    893d712ab56c908422ee753d91f475fc

    SHA1

    44f868b5d305d553b0974abe9b7f1b89bf965fb5

    SHA256

    fed6e868de078ec9fb63f574c07f6d9a972756a2ac35d28ad5c3d010a45e5a8b

    SHA512

    f55a852271ab345f1d5d511efcc620d2e093ff1877ef6c4554f0df5a4056f99ee92ad161a3d2ed371cc8c9ac3f6c58f157e413edb417166c36123b1e346b9629

  • memory/1192-39-0x00007FFD60FF0000-0x00007FFD61000000-memory.dmp

    Filesize

    64KB

  • memory/1192-38-0x00007FFD60FF0000-0x00007FFD61000000-memory.dmp

    Filesize

    64KB

  • memory/1192-36-0x00007FFD60FF0000-0x00007FFD61000000-memory.dmp

    Filesize

    64KB

  • memory/1192-37-0x00007FFD60FF0000-0x00007FFD61000000-memory.dmp

    Filesize

    64KB

  • memory/1192-40-0x00007FFD5E690000-0x00007FFD5E6A0000-memory.dmp

    Filesize

    64KB

  • memory/1192-35-0x00007FFD60FF0000-0x00007FFD61000000-memory.dmp

    Filesize

    64KB

  • memory/1192-43-0x00007FFD5E690000-0x00007FFD5E6A0000-memory.dmp

    Filesize

    64KB

  • memory/1192-606-0x00007FFD60FF0000-0x00007FFD61000000-memory.dmp

    Filesize

    64KB

  • memory/1192-605-0x00007FFD60FF0000-0x00007FFD61000000-memory.dmp

    Filesize

    64KB

  • memory/1192-608-0x00007FFD60FF0000-0x00007FFD61000000-memory.dmp

    Filesize

    64KB

  • memory/1192-607-0x00007FFD60FF0000-0x00007FFD61000000-memory.dmp

    Filesize

    64KB

  • memory/1748-0-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB