Analysis

  • max time kernel
    149s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01-06-2024 07:03

General

  • Target

    89b0694e89982148fb33ce9cc419001b_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    89b0694e89982148fb33ce9cc419001b

  • SHA1

    2ac9b4db6c1f0d96f20f969e6fcdf3d73e95d60c

  • SHA256

    38ae795cc25d24b2ec10f7bef5f44bec744511e20cbda8b081d9bf36c25a2b60

  • SHA512

    a52d72978c3db1ce3f24724d59fc8e5082e775136981613c3bc12bdeecb0d93bf00f7eea74a7d902866b17bc5876512b669433fef1ceb8fb09ad450379af16eb

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6G:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5P

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 10 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\89b0694e89982148fb33ce9cc419001b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\89b0694e89982148fb33ce9cc419001b_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:684
    • C:\Windows\SysWOW64\bsasbbinzb.exe
      bsasbbinzb.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:3200
      • C:\Windows\SysWOW64\djiezbpf.exe
        C:\Windows\system32\djiezbpf.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1980
    • C:\Windows\SysWOW64\hqeztvcrvvpqmom.exe
      hqeztvcrvvpqmom.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1060
    • C:\Windows\SysWOW64\djiezbpf.exe
      djiezbpf.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4112
    • C:\Windows\SysWOW64\fggimspiafatk.exe
      fggimspiafatk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3612
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:2272
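
The signatures and process tree above name behaviour classes (Explorer extension and hidden-file visibility changed, RegEdit disabled, a Run key added by hqeztvcrvvpqmom.exe, Winlogon and Windows security settings modified) but not the registry values that were written. The following is an added example, not part of the sandbox report: a host-side check for the standard registry locations behind those behaviour classes. The key paths, the "autorun from a suspect directory" heuristic and the constructed snapshots are this example's assumptions, not findings from the report; the placeholder name example.exe is not a file the sample dropped.

```python
"""Registry check for the behaviour classes flagged in the report.

Added example, not part of the sandbox report. The report names the
behaviours but not the values written; the keys below are the standard
locations for those behaviours and are this example's assumption.
"""
import re
import sys

ADVANCED = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
POLICIES = r"Software\Microsoft\Windows\CurrentVersion\Policies\System"
RUN = r"Software\Microsoft\Windows\CurrentVersion\Run"
WINLOGON = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
DEFENDER = r"SOFTWARE\Policies\Microsoft\Windows Defender"

# (hive, key, value name, DWORD data that means "tampered", description)
VALUE_CHECKS = [
    ("HKCU", ADVANCED, "HideFileExt", {1}, "file extensions hidden in Explorer"),
    ("HKCU", ADVANCED, "Hidden", {2}, "hidden files not shown in Explorer"),
    ("HKCU", ADVANCED, "ShowSuperHidden", {0}, "protected system files not shown"),
    ("HKCU", POLICIES, "DisableRegistryTools", {1, 2}, "RegEdit disabled by policy"),
    ("HKLM", DEFENDER, "DisableAntiSpyware", {1}, "Defender disabled by policy"),
]
# What Winlogon normally holds on a clean host (compared case-insensitively).
WINLOGON_DEFAULTS = {"Shell": "explorer.exe",
                     "Userinit": r"c:\windows\system32\userinit.exe,"}
# Heuristic (assumption): autoruns pointing into these directories are suspect;
# the report shows the dropped copies living under SysWOW64.
SUSPECT_DIRS = re.compile(r"\\(syswow64|appdata\\local\\temp)\\", re.I)
KEYS = {(h, k) for h, k, *_ in VALUE_CHECKS} | {("HKLM", WINLOGON), ("HKCU", RUN), ("HKLM", RUN)}


def assess(snapshot):
    """snapshot: {(hive, key): {value_name: data}} -> list of finding strings."""
    findings = []
    for hive, key, name, bad, desc in VALUE_CHECKS:
        data = snapshot.get((hive, key), {}).get(name)
        if isinstance(data, int) and data in bad:
            findings.append(f"{desc} [{hive}\\{key}\\{name} = {data}]")
    for name, default in WINLOGON_DEFAULTS.items():
        data = snapshot.get(("HKLM", WINLOGON), {}).get(name)
        if data is not None and str(data).strip().lower() != default:
            findings.append(f"Winlogon {name} changed [{data}]")
    for hive in ("HKCU", "HKLM"):
        for name, cmd in snapshot.get((hive, RUN), {}).items():
            if SUSPECT_DIRS.search(str(cmd)):
                findings.append(f"autorun from suspect directory [{hive}\\...\\Run\\{name} = {cmd}]")
    return findings


def collect():
    """Read the checked keys from the live registry (Windows only)."""
    import winreg  # not available off Windows
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    snapshot = {}
    for hive, key in KEYS:
        values = {}
        try:
            with winreg.OpenKey(hives[hive], key) as h:
                for i in range(winreg.QueryInfoKey(h)[1]):
                    name, data, _ = winreg.EnumValue(h, i)
                    values[name] = data
        except OSError:  # key absent: nothing to report for it
            pass
        snapshot[(hive, key)] = values
    return snapshot


# Constructed snapshot (not report data) of a host where every check fires;
# "example.exe" is a placeholder name, not a file from the report.
SAMPLE_SNAPSHOT = {
    ("HKCU", ADVANCED): {"HideFileExt": 1, "Hidden": 2, "ShowSuperHidden": 0},
    ("HKCU", POLICIES): {"DisableRegistryTools": 1},
    ("HKLM", DEFENDER): {"DisableAntiSpyware": 1},
    ("HKLM", WINLOGON): {"Shell": r"explorer.exe,C:\Windows\SysWOW64\example.exe",
                         "Userinit": r"C:\Windows\system32\userinit.exe,"},
    ("HKCU", RUN): {"OneDrive": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
                    "updater": r"C:\Windows\SysWOW64\example.exe"},
    ("HKLM", RUN): {},
}
# Constructed snapshot of a clean host: Explorer defaults, stock Winlogon, one benign autorun.
CLEAN_SNAPSHOT = {
    ("HKCU", ADVANCED): {"HideFileExt": 0, "Hidden": 1, "ShowSuperHidden": 1},
    ("HKLM", WINLOGON): {"Shell": "explorer.exe", "Userinit": r"C:\Windows\system32\userinit.exe,"},
    ("HKCU", RUN): {"OneDrive": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
}

if __name__ == "__main__":
    snap = collect() if sys.platform == "win32" else SAMPLE_SNAPSHOT
    for line in assess(snap) or ["no findings"]:
        print(line)
```

On Windows the script reads the live registry through winreg; run it with a 64-bit interpreter, since a 32-bit Python sees the redirected HKLM\SOFTWARE view. Elsewhere it runs against the constructed snapshot. The sample also writes copies into SysWOW64, the Windows directory and Program Files, so this registry check complements a file sweep rather than replacing it.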

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

    Filesize

    512KB

    MD5

    211531205ea688b4e1081fdfd2f8db68

    SHA1

    b3ead4cd873066bf7d5202c3cc5e4a7d2dfd6ef5

    SHA256

    9fa9178a8f48a944bd9368e9790ce096736d091d50b9153458a57a7d2d2daba0

    SHA512

    465767f2421041b89032c9f82649a319c0fb2330aa5e4fc6656e27604453d742b9d903f04650b8b218161a586de2f6881759e86ffae64cdf416b1055a3fe3a43

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

    Filesize

    512KB

    MD5

    cefc9cc071475f832b45ba2c343b2250

    SHA1

    09f5e6058c4c0b669efb724233af143a88121339

    SHA256

    f2ff4308823c151d55118894a3feff98ef532b8a7ae56f4d2adfdd23e6282ab8

    SHA512

    b2833612bdc310724a9bd240343ed251810cd8cbe49d82dff387eaecd0b670f403de55d2c043ebed26d94834f317eac309ea3b38dc42dd5adca316d6dd2b3663

  • C:\Users\Admin\AppData\Local\Temp\TCD8BCE.tmp\gb.xsl

    Filesize

    262KB

    MD5

    51d32ee5bc7ab811041f799652d26e04

    SHA1

    412193006aa3ef19e0a57e16acf86b830993024a

    SHA256

    6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

    SHA512

    5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

    Filesize

    239B

    MD5

    21a601493a4c53e30182d3ff93d198ac

    SHA1

    08018a3011585d01f34f2b968ba98266a47ad978

    SHA256

    7d77c3cb9ccdfc50f76e0ed2438a65241b69aed65a2e4c05a5398e9512bb06fa

    SHA512

    c077f807e628ce77639da1927b5807dcb15f48a8432128d83537e5102645caf3f072cbf131e2638948782c6c2bd7acf9c6fde3458dfab6f278a91d1f0a3a0c70

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

    Filesize

    3KB

    MD5

    b463c9221bc751a1610ad7f23cbab1ce

    SHA1

    6c5749e02e11a31e02ee00e25060cb661c61de32

    SHA256

    b603fd0d878c4b00318b20d825715a953aa8c953b0663c34d57bd80107265409

    SHA512

    1a9642da462f7256788acfe5dd82ee2ebdc0d1cc7e09e5867890a3f532c6b7103201b5939c145337faa131a3c0baded52796b029655ee628862eff6e94836b20

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

    Filesize

    3KB

    MD5

    243c47a9ce61b4c773956a364f182b43

    SHA1

    cdc799e890b6d2d26a37d2609a25709994f7080c

    SHA256

    9da27a6987f2d3be7b7323d5a98ce9769d7f1ec614bb988d166236ea95d6c9f1

    SHA512

    f1bc5e840b78fd8dde995ee18e6ab771904c1b365f41078acb8bbd6bef40b095012c00978b9d044f23a86654921f096880075b4061bdaf37a432b48375810a12

  • C:\Users\Admin\Downloads\ProtectAdd.doc.exe

    Filesize

    512KB

    MD5

    e363458352ddefdb2173b0c899571428

    SHA1

    2d2ea6215fe06c11c7113d8c73f5b0fa35c1d2ff

    SHA256

    6db6b9aebe7ea71e72ccebf2e648cb2cfa675caf92300ff99b3292db432edac6

    SHA512

    a2f9ad7a22dd3227184be4c14907c27760a7a467e4534f1ed24e487da73d611ede6369624448fcf718a10176885249e773a0cba0c0fdcf82934edf0eeb9bf47c

  • C:\Windows\SysWOW64\bsasbbinzb.exe

    Filesize

    512KB

    MD5

    6de3210a63d51ed66a532e459a7f38b7

    SHA1

    1e85e3fdd4190957920954afe33e8e3f8b2d5783

    SHA256

    6315d4313dec30894441f3ea1df5e8eaa8bd49919ff2d5e4a9a3d768ef292913

    SHA512

    380308a57a453e69f17b9bdcb832767e529360cd9d6f4e6275ac849f9a322ae5b767c266d9d0576d65bfc24830a30da1927f84e27be137013cf088415384a145

  • C:\Windows\SysWOW64\djiezbpf.exe

    Filesize

    512KB

    MD5

    d72ba72f7e2865c55c061ad476b7c09b

    SHA1

    cef1958ca4e28894629e30afcc9a917e233c4d21

    SHA256

    b200941375039741486d1b8618043a17b09de7d27965744e396509a69ea4a59f

    SHA512

    5d104e727e451a4d05fb702e8780f4e9efa757df77f265e3cc09e52a5eed34eea55a7b285c1003f80afc1619d9b920955dacefbda9748b541470bbef630c1bda

  • C:\Windows\SysWOW64\fggimspiafatk.exe

    Filesize

    512KB

    MD5

    596cd9ac87826a855b9839e789b7980b

    SHA1

    3c1425945a4899ed2ec15bdb5fc0ca2de2a8d49c

    SHA256

    c8c6938058a09078a5d5e5fd77d38556108ee44536870f5ce7fcb9decda8cde5

    SHA512

    1d48211c2ffbb0138f82c6b72511fbdc000670f9e46ff724b7b47d8d3cddaced1635bc343ab207a4325e45a19fb7ff1546fdd288e788b06a7a3f0222574f0eb1

  • C:\Windows\SysWOW64\hqeztvcrvvpqmom.exe

    Filesize

    512KB

    MD5

    5967099882bc66025d225ed10535c840

    SHA1

    239f637d1af9c33878ceb7fc2ae9dda1fdc2e729

    SHA256

    c7a9314959485e09ea9fb2258ab76fc8a3ca17bab105e88cda8861809db20a1e

    SHA512

    77fd583c1020e8774ce4c7d4fdd97edf543ed5103fe0a494817f3610b919015635e97ec65bedf9f40d724ab0443db286b15241818df81799b853f76fd8d4b42b

  • C:\Windows\mydoc.rtf

    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

    Filesize

    512KB

    MD5

    20c9d05f808c1ce43f9f020777003f80

    SHA1

    d94c13439647ed94d5d4815263cca38dcdbf873d

    SHA256

    106245a45614809d531402ca03c0b123f64ccce2b3f52ac6f982e3269c72e60a

    SHA512

    3f62320df489042cbe3565bf121ce5c3e5d4641a81dcb02e5ce2eedfb2d896ca245b2014a1b649be377ff3396ecb2f1e83f06956361b9f41f3d46f49baf4933a

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

    Filesize

    512KB

    MD5

    eea2c99390e324618d092d500c25913b

    SHA1

    986ca4b0887084dc392cb379061fe6425da3287f

    SHA256

    6e336a29add21baaa0b9445dfaa0278f1d05041062d3e519e3c27887ebd1d694

    SHA512

    4248ea9cdd4e2d02fc2621c0af8e228b626aef557647458ecfa43f32b3e436382ffbd8e4b06cca35de1d1eec0c8305a34fce56458d5ddf5b32f061c699209f27

  • memory/684-0-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB

  • memory/2272-35-0x00007FFACC790000-0x00007FFACC7A0000-memory.dmp

    Filesize

    64KB

  • memory/2272-36-0x00007FFACC790000-0x00007FFACC7A0000-memory.dmp

    Filesize

    64KB

  • memory/2272-39-0x00007FFACC790000-0x00007FFACC7A0000-memory.dmp

    Filesize

    64KB

  • memory/2272-38-0x00007FFACC790000-0x00007FFACC7A0000-memory.dmp

    Filesize

    64KB

  • memory/2272-42-0x00007FFACA390000-0x00007FFACA3A0000-memory.dmp

    Filesize

    64KB

  • memory/2272-37-0x00007FFACC790000-0x00007FFACC7A0000-memory.dmp

    Filesize

    64KB

  • memory/2272-43-0x00007FFACA390000-0x00007FFACA3A0000-memory.dmp

    Filesize

    64KB

  • memory/2272-606-0x00007FFACC790000-0x00007FFACC7A0000-memory.dmp

    Filesize

    64KB

  • memory/2272-607-0x00007FFACC790000-0x00007FFACC7A0000-memory.dmp

    Filesize

    64KB

  • memory/2272-605-0x00007FFACC790000-0x00007FFACC7A0000-memory.dmp

    Filesize

    64KB

  • memory/2272-608-0x00007FFACC790000-0x00007FFACC7A0000-memory.dmp

    Filesize

    64KB
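
Read as a whole, the Downloads list shows that every dropped .exe is 512KB, the same size as the submitted sample, yet no two hashes match and no dropped file is byte-identical to the sample; two paths (the CustomDestinations jump list and MsoIrmProtector.doc.exe) were written twice with different content. A sweep keyed on any single dropped hash will therefore miss the other copies. The following is an added example, not part of the report: it parses the list above (paths, sizes and SHA-256 values copied from the report, memory dumps omitted) and derives name- and path-based sweep criteria. The classification rules (double-extension lure names, parent-sized executables, drops under the Windows system directories) are this example's own heuristics, not sandbox output.

```python
"""Triage of the dropped-file list from the sandbox report.

Added example, not part of the report. REPORT_DROPS is copied from the
report's Downloads section; the rules below are this example's heuristics.
"""
import re
from collections import defaultdict

PARENT_SIZE = 512 * 1024  # size of the submitted sample per the report header
SAMPLE_SHA256 = "38ae795cc25d24b2ec10f7bef5f44bec744511e20cbda8b081d9bf36c25a2b60"

# path|size|sha256 for each file in the report's Downloads list (memory dumps omitted).
REPORT_DROPS = r"""
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe|512KB|9fa9178a8f48a944bd9368e9790ce096736d091d50b9153458a57a7d2d2daba0
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe|512KB|f2ff4308823c151d55118894a3feff98ef532b8a7ae56f4d2adfdd23e6282ab8
C:\Users\Admin\AppData\Local\Temp\TCD8BCE.tmp\gb.xsl|262KB|6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat|239B|7d77c3cb9ccdfc50f76e0ed2438a65241b69aed65a2e4c05a5398e9512bb06fa
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms|3KB|b603fd0d878c4b00318b20d825715a953aa8c953b0663c34d57bd80107265409
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms|3KB|9da27a6987f2d3be7b7323d5a98ce9769d7f1ec614bb988d166236ea95d6c9f1
C:\Users\Admin\Downloads\ProtectAdd.doc.exe|512KB|6db6b9aebe7ea71e72ccebf2e648cb2cfa675caf92300ff99b3292db432edac6
C:\Windows\SysWOW64\bsasbbinzb.exe|512KB|6315d4313dec30894441f3ea1df5e8eaa8bd49919ff2d5e4a9a3d768ef292913
C:\Windows\SysWOW64\djiezbpf.exe|512KB|b200941375039741486d1b8618043a17b09de7d27965744e396509a69ea4a59f
C:\Windows\SysWOW64\fggimspiafatk.exe|512KB|c8c6938058a09078a5d5e5fd77d38556108ee44536870f5ce7fcb9decda8cde5
C:\Windows\SysWOW64\hqeztvcrvvpqmom.exe|512KB|c7a9314959485e09ea9fb2258ab76fc8a3ca17bab105e88cda8861809db20a1e
C:\Windows\mydoc.rtf|223B|85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe|512KB|106245a45614809d531402ca03c0b123f64ccce2b3f52ac6f982e3269c72e60a
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe|512KB|6e336a29add21baaa0b9445dfaa0278f1d05041062d3e519e3c27887ebd1d694
"""

SIZE_UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2}
DOC_LURE = re.compile(r"\.(docx?|rtf|xlsx?|pdf)\.exe$", re.I)   # document name with .exe appended
SYSTEM_DIR = re.compile(r"\\windows\\(syswow64|system32)\\", re.I)
NT_PREFIX = re.compile(r"^\\\?\?\\")                            # \??\C:\... -> C:\...


def parse_size(text):
    """'512KB' -> 524288, '239B' -> 239 (the units the report uses)."""
    m = re.fullmatch(r"(\d+)(B|KB|MB)", text.strip())
    if not m:
        raise ValueError(f"unrecognised size {text!r}")
    return int(m.group(1)) * SIZE_UNITS[m.group(2)]


def parse_drops(text):
    """Turn the path|size|sha256 table into a list of dicts."""
    entries = []
    for line in text.strip().splitlines():
        path, size, sha256 = line.split("|")
        path = NT_PREFIX.sub("", path)
        entries.append({"path": path, "name": path.rsplit("\\", 1)[-1],
                        "size": parse_size(size), "sha256": sha256.lower()})
    return entries


def names(seq):
    return sorted({e["name"] for e in seq})


def triage(entries):
    """Derive sweep criteria that do not depend on any single dropped hash."""
    by_path = defaultdict(set)
    for e in entries:
        by_path[e["path"].lower()].add(e["sha256"])
    exes = [e for e in entries if e["name"].lower().endswith(".exe")]
    return {
        "parent_sized_exes": names(e for e in exes if e["size"] == PARENT_SIZE),
        "double_extension_lures": names(e for e in exes if DOC_LURE.search(e["name"])),
        "system_dir_drops": names(e for e in exes if SYSTEM_DIR.search(e["path"])),
        "identical_to_sample": names(e for e in entries if e["sha256"] == SAMPLE_SHA256),
        "rewritten_paths": sorted(p for p, hashes in by_path.items() if len(hashes) > 1),
        "unique_sha256": len({e["sha256"] for e in entries}),
    }


if __name__ == "__main__":
    for key, value in triage(parse_drops(REPORT_DROPS)).items():
        print(f"{key}: {value}")
```

For an endpoint sweep, use the name and path lists the script prints rather than the hash list: the double-extension names under the Office template and MSDRM directories and the copies in SysWOW64 named in the process tree are the indicators that stay constant across the copies this run produced, while each copy carries a different SHA-256.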