Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    01-06-2024 07:03

General

  • Target

    89b0694e89982148fb33ce9cc419001b_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    89b0694e89982148fb33ce9cc419001b

  • SHA1

    2ac9b4db6c1f0d96f20f969e6fcdf3d73e95d60c

  • SHA256

    38ae795cc25d24b2ec10f7bef5f44bec744511e20cbda8b081d9bf36c25a2b60

  • SHA512

    a52d72978c3db1ce3f24724d59fc8e5082e775136981613c3bc12bdeecb0d93bf00f7eea74a7d902866b17bc5876512b669433fef1ceb8fb09ad450379af16eb

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6G:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5P

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 5 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\89b0694e89982148fb33ce9cc419001b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\89b0694e89982148fb33ce9cc419001b_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1664
    • C:\Windows\SysWOW64\inmbkrxrpq.exe
      inmbkrxrpq.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2852
      • C:\Windows\SysWOW64\lmfnwxng.exe
        C:\Windows\system32\lmfnwxng.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2396
    • C:\Windows\SysWOW64\zewyqxhvqcjitpc.exe
      zewyqxhvqcjitpc.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2584
    • C:\Windows\SysWOW64\lmfnwxng.exe
      lmfnwxng.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2504
    • C:\Windows\SysWOW64\twpetvtdolyiw.exe
      twpetvtdolyiw.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2384
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2412
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
        PID:1808

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

    Filesize

    20KB

    MD5

    b912bce5c12bee38699646bedfedc191

    SHA1

    994a377d892f24f551d507382ad2e8102d1858ad

    SHA256

    e1f261a8da96f0db3ed0648ce451b8c09849eb4a09e1ff7795685bf67b8c0224

    SHA512

    2e64589d2fb4d3b93bcc3516cd7a55794ed2c563aa4f714293b6be2752ea9f5565721585881a619273478b45a2a3a215cd8efc79fdad3fd2e4741f9bc1941236

  • C:\Windows\SysWOW64\zewyqxhvqcjitpc.exe

    Filesize

    512KB

    MD5

    8b6abf4bbd68669c3c3c4455cd239883

    SHA1

    1ac32d3bda8a6abb836359efd2e7c559945288af

    SHA256

    826750fa931e20c3541a945202db73d6850447bc8690eb151248a6229a9cf5ca

    SHA512

    4d34d21111311dda3b163db9685feba3b5a895ba5b7f05f636495d55745dd318499cda27d39bd8c7014ba1722f2ec6b0706034e918a2aa2c9d1c3a6f9070923d

  • C:\Windows\mydoc.rtf

    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

  • \Windows\SysWOW64\inmbkrxrpq.exe

    Filesize

    512KB

    MD5

    0247c253536f60c6244f9cd16277b324

    SHA1

    f14629c11f20e8f020e37f3c1f319ee7a535d0e7

    SHA256

    67c7b5b3e361128e8990aaff834ae1ad1e5ed230e05c485847bec1678a886d16

    SHA512

    95669713af49f4e983e1f16ae6adb1c0f5c1c854223a2e06196b1bebd75f724fc926c8f564a0d89418be7f5e7fd563b705f92e0370b1abc7fcd9e0e6d4fe92ec

  • \Windows\SysWOW64\lmfnwxng.exe

    Filesize

    512KB

    MD5

    ce052398459a98657fbfde69702507a0

    SHA1

    4d206a696fd010b7534e5b7392e3d1b8944216cb

    SHA256

    025380828dd0b4979f874dff303fe4d00d58859363fdfa5859bbcc54ea86105c

    SHA512

    861163ae5de05f8fb87d4f4b73d7f7774d80d8384a7df6adae3cfab078248688a87ee6981c7900a4a4e9db360c6b7dd25892e39575d779c26bf625556aabda29

  • \Windows\SysWOW64\twpetvtdolyiw.exe

    Filesize

    512KB

    MD5

    ddf5c264fbdaf8ee9f8361f0ea68ab1b

    SHA1

    8b1d80f7b346504ce5bb4792bf3a73ecb2bf1009

    SHA256

    4e950ef55cd87bbfd771ba05c44f3e627d84cee261f4e590e18281053157944e

    SHA512

    420d07d71cbbe93dc845000d729152146b1b8c6f44cedf0ff66824b67a84d9f5534d0ad115e723eef8d201e06961a4172c25b793acd50e32750638f8ddbbb7fc

  • memory/1664-0-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB

  • memory/2412-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/2412-96-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB