Analysis

  • max time kernel
    151s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01/06/2024, 18:26

General

  • Target

    8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    8b5b4431f6219c2c8bd2d0ab07df3386

  • SHA1

    43184e2114ef4256a133123938ba845ace9b63d9

  • SHA256

    8062a435db4a4bb89a349bcdbf48ac2c6f6c8c45874105fa8f568f1e1a21137b

  • SHA512

    4196e6661396e5eeaf57451521042661e0a51e55565578988de7d34b0669e55dfacff27109065bda2388e707ad34413eac83877d9c5c16cee6b0282d4cefb689

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj65:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm50

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 11 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3640
    • C:\Windows\SysWOW64\ievqqtaext.exe
      ievqqtaext.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1432
      • C:\Windows\SysWOW64\rmkrjscs.exe
        C:\Windows\system32\rmkrjscs.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2140
    • C:\Windows\SysWOW64\tsvaavdjqrwcosc.exe
      tsvaavdjqrwcosc.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2604
    • C:\Windows\SysWOW64\rmkrjscs.exe
      rmkrjscs.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:572
    • C:\Windows\SysWOW64\sjwfuvzfpdvsc.exe
      sjwfuvzfpdvsc.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2268
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:216
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4756 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:2288

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

      Filesize

      512KB

      MD5

      2b1d7d265e8563ce7704d0a3594c10e8

      SHA1

      db2d6547ac66fccc991e255e459a2ed3601b7626

      SHA256

      4fdb9d87f28a2e6b11dee7ef029f4c69104940c82934a614bd47838dc905d7a5

      SHA512

      8048aee8d486c8d8b1ec7d6f0205d83b8851c2c5e530f42d786d82b1335a098db2089fdd384a11804a597f96ae3ec17d58d2d0506e7c10e046512c3e66b76aaf

    • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

      Filesize

      512KB

      MD5

      24675de10e75a97ad49af794c99dddb7

      SHA1

      958325e02e4343178d1ff745ff3dea6a18ad0da0

      SHA256

      8e40ebca5d3f15f5ce40d986149f66597a701e3ff9ecfada7cca4565d0b5a786

      SHA512

      c090bd979e0935323dd01ac6c566e3308da4f9183b3e3ed579a74c496e41e9e6e224a4dd6f0a0c78e91cdff5f530b7c6aabdf12a666246770788425cb474510d

    • C:\Users\Admin\AppData\Roaming\HideStart.doc.exe

      Filesize

      512KB

      MD5

      9e715088d1697f1bca03a700dd659e63

      SHA1

      eaf97a07c0753e69b80031cedbe1ffadec3c30d6

      SHA256

      f98b9a97937ed570ce48ca1c6e466daa23351cf00e6d25f531ce5c8f42ee5f37

      SHA512

      f29a841d7946c205cdb4e4863bc5d023f87407e33e2072d733768e99e9cc7b44b4d34dbcf2a228ba49028c031c1238d8e7db433ae8979fbcd455b1a7cf84205e

    • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

      Filesize

      239B

      MD5

      12b138a5a40ffb88d1850866bf2959cd

      SHA1

      57001ba2de61329118440de3e9f8a81074cb28a2

      SHA256

      9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf

      SHA512

      9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

      Filesize

      3KB

      MD5

      a8fc029397eea94631ad75a604df5fc3

      SHA1

      3721f8c8930368f66e3f185f0d9f47836f0bd13d

      SHA256

      86deeb8adc5320cf69a9abb1ae9963fb363beb36cec56a81f565bd253ae74cc9

      SHA512

      5ed4c5b7e507dc6056f03965e96fa613164c7abb8b2c71a1fd7c48699e2110b34756027011c13d4a5f1f92410c4ed98acd66759c29293e0ce882ae690ee3e246

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

      Filesize

      3KB

      MD5

      2d37dd58ea16348b4631aef1940c12b0

      SHA1

      f7b7c7c0dd79fa193e312fde4a9e86e94829636a

      SHA256

      c4b143e4b2dad9958c2a8267a90af690b99e988a567e628659e7ccb8ba0858fd

      SHA512

      57cdac35c0bdd5f50be03f2a691d8cd628d2fe49982c5abec8373cb79388b5eac55c77ae9caf26796c4a9bf387cc79c9ec9bca671af666834fe4a4d0762ef739

    • C:\Users\Admin\Documents\DismountUndo.doc.exe

      Filesize

      512KB

      MD5

      f7e1dbb77943e0412c65a771f54b5f9a

      SHA1

      24f66926080efe3251d4c01853572ec48738b6ed

      SHA256

      030884636b70923a39c1ee2fdf79108e55fb0bc069aa0171c7360bbc5e634968

      SHA512

      be5eb9ab31a8bd50efbd6a4bf098f507494484f86d9f0ba1396e02d21c8c763edc6dd7a5487c355e8a8be31576b8b30cf7234b22b082dfad514230854890ba17

    • C:\Windows\SysWOW64\ievqqtaext.exe

      Filesize

      512KB

      MD5

      2f388e4afbaf7d2a8e2bbc6f3fd74337

      SHA1

      5a8425df0f11674d7407b825f461c47b5bfaaf57

      SHA256

      caee0c63e3ef9d621b76a343ba223dc0a0cdea51f9c37509020a9f58156f551e

      SHA512

      4870bfd0f3dd21014ccd4d4718b0d0d188e5d1859a53cfd1c3699b8b2458ccccd2195563abce38f3466062406fc198e96cccdd32534e15721d3152dd38f21919

    • C:\Windows\SysWOW64\rmkrjscs.exe

      Filesize

      512KB

      MD5

      12ae4a3eea0f77aab0c9de36ff3adbb0

      SHA1

      372eddb719b9e9082daf7b03f5b222189eb2edc3

      SHA256

      edc67754cd3f98ea7be3c932d2a4a00146a447c1e571f96e4a94fbe1a806c184

      SHA512

      2033f70e106890109bfb5bda95f74ab820569fd480264ae2196fb00547543a68df81dd7442c78167d8892813045c133b50bc7630cb04d2441d30f717a0a9475c

    • C:\Windows\SysWOW64\sjwfuvzfpdvsc.exe

      Filesize

      512KB

      MD5

      7496a4d6ca80098c1bd1bae5414e1454

      SHA1

      4b85b05dbb392db2b40628920257e270b0db0c42

      SHA256

      dc0a3a6dccb018eab430a1d06ffb8c1242beef15aae52263d8104e917b3cee25

      SHA512

      369296d0e9a6e92c962102641d83b25b54bff04d22ed8190ea0712b465a9c81c543cbaaad063c4a95b4736639ba28e89be8f19a245bbf1b897784be340db2eab

    • C:\Windows\SysWOW64\tsvaavdjqrwcosc.exe

      Filesize

      512KB

      MD5

      c025ee65631ac6b11d15735904c4cad9

      SHA1

      a989b9372927ae8428406adc13fa284d76cde534

      SHA256

      fdbe0dfb3d182683d1b558f3a9ddb97d5ff673511cacb4ad4c7c5d9c986f2068

      SHA512

      0390a11bc6b7b611d6d8a39456997805a0112d07d67c40e64d721b5693943690e817595b42f40d717c12f51d3e994ed9f51c1ba427924746105779979c4a7efc

    • C:\Windows\mydoc.rtf

      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

      Filesize

      512KB

      MD5

      13b8b5c75e6e542e1962989a83e56042

      SHA1

      b033721b7da5cdc6ba0a24f96f7bafcb14004492

      SHA256

      76018c87a8f5dad5d4dc81ba171baf542f38597b240a5cd34391f540b2b9c1e9

      SHA512

      bbc11db570ff247ad9ebe5e3db168af415e636fe9e82fd7d8aac70ba5fb914e2546871ebcbcbe21fb7052173acccc3940200551cef64c89f450bafec5dfc2e79

    • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

      Filesize

      512KB

      MD5

      6e85f786c2fde4d057f4e32f5f88634c

      SHA1

      1fe254a018ce0d4e0b723f6b0ade8793777bed21

      SHA256

      1fd02d315d1e1278657702b203c479bf9d656a193dc3330062714e44fb429fe3

      SHA512

      398130f396b712588e8a88bade1d4346f1f834838aa17b7aa2530afa3a70f8b99260b10f5eb371254112807be990134f86414252ef9f5e20f6fc737af80e5100

    • memory/216-38-0x00007FFD57310000-0x00007FFD57320000-memory.dmp

      Filesize

      64KB

    • memory/216-42-0x00007FFD54A60000-0x00007FFD54A70000-memory.dmp

      Filesize

      64KB

    • memory/216-41-0x00007FFD57310000-0x00007FFD57320000-memory.dmp

      Filesize

      64KB

    • memory/216-37-0x00007FFD57310000-0x00007FFD57320000-memory.dmp

      Filesize

      64KB

    • memory/216-43-0x00007FFD54A60000-0x00007FFD54A70000-memory.dmp

      Filesize

      64KB

    • memory/216-39-0x00007FFD57310000-0x00007FFD57320000-memory.dmp

      Filesize

      64KB

    • memory/216-125-0x00007FFD57310000-0x00007FFD57320000-memory.dmp

      Filesize

      64KB

    • memory/216-124-0x00007FFD57310000-0x00007FFD57320000-memory.dmp

      Filesize

      64KB

    • memory/216-123-0x00007FFD57310000-0x00007FFD57320000-memory.dmp

      Filesize

      64KB

    • memory/216-122-0x00007FFD57310000-0x00007FFD57320000-memory.dmp

      Filesize

      64KB

    • memory/216-40-0x00007FFD57310000-0x00007FFD57320000-memory.dmp

      Filesize

      64KB

    • memory/3640-0-0x0000000000400000-0x0000000000496000-memory.dmp

      Filesize

      600KB