Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03-06-2024 23:57

General

  • Target

    930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    930c33ff94fabe0b19a313d5c36b1243

  • SHA1

    bd5bcc8905ad2c876853bf434a90a860a69e0b8e

  • SHA256

    f4725b05284b9ad3b6e6be5007795dce59b504d4c6c962cfef2955fac97f952b

  • SHA512

    1aaf565607effb18fdf6bdd5f1548c81dda9f0e6d29a0499d466bba55cc6c4f2a86b24a63250bbf769144071397e3a2b169ce68c65252f8545ed00218b84ef72

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6c:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5b

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely as a geofence check.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials. This signature carries no IoCs and is not attributed to any process in the tree below.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 10 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandbox environments. In this run the signature is attributed to WINWORD.EXE (PID 5088), not to the sample or its dropped binaries, so weigh it accordingly.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
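The Explorer-visibility, RegEdit, WinLogon and Run-key signatures above all correspond to well-known registry locations. The following is an added example, not part of the sandbox report or of any tool it names: detection logic that evaluates a list of (key, value name, data) triples, as a .reg export or a sandbox registry log would yield, against those signatures. The sample entries are constructed; the page does not show the data the malware actually wrote, so the hijacked Winlogon Shell value and the Run entry below are assumptions that reuse the dropped binary names from the process tree.

```python
from dataclasses import dataclass

# Registry locations behind the signatures listed above.
ADV = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
POL = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"
WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUN_KEYS = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run".lower(),
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run".lower(),
}

# Stock Windows defaults for the Winlogon values that malware commonly hijacks.
WINLOGON_DEFAULTS = {
    "Shell": "explorer.exe",
    "Userinit": r"C:\Windows\system32\userinit.exe,",
}


@dataclass(frozen=True)
class Finding:
    signature: str
    key: str
    name: str
    data: object


def evaluate(entries):
    """Return one Finding per registry entry that matches a signature."""
    findings = []
    for key, name, data in entries:
        k = key.lower()
        if k == ADV.lower():
            # HideFileExt=1 hides extensions; Hidden=2 and ShowSuperHidden=0 hide
            # hidden and protected-OS files, so dropped files stay out of sight.
            if name == "HideFileExt" and data == 1:
                findings.append(Finding("Modifies visibility of file extensions in Explorer", key, name, data))
            elif (name == "Hidden" and data == 2) or (name == "ShowSuperHidden" and data == 0):
                findings.append(Finding("Modifies visibility of hidden/system files in Explorer", key, name, data))
        elif k == POL.lower():
            # 1 or 2 both block regedit for the user.
            if name == "DisableRegistryTools" and data in (1, 2):
                findings.append(Finding("Disables RegEdit via registry modification", key, name, data))
        elif k == WINLOGON.lower():
            default = WINLOGON_DEFAULTS.get(name)
            if default is not None and str(data).strip().lower() != default.lower():
                findings.append(Finding("Modifies WinLogon", key, name, data))
        elif k in RUN_KEYS:
            # Any Run value is reported; compare against a host baseline to cut noise.
            findings.append(Finding("Adds Run key to start application", key, name, data))
    return findings


# Constructed sample (assumed values, not taken from the report).
SAMPLE = [
    (ADV, "HideFileExt", 1),
    (ADV, "Hidden", 2),
    (ADV, "ShowSuperHidden", 0),
    (POL, "DisableRegistryTools", 1),
    (WINLOGON, "Shell", r"explorer.exe C:\Windows\SysWOW64\wqimvavhcg.exe"),
    (WINLOGON, "Userinit", r"C:\Windows\system32\userinit.exe,"),  # still default
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "bihncvjnahjzbnv",
     r"C:\Windows\SysWOW64\bihncvjnahjzbnv.exe"),
    (ADV, "ShowCompColor", 1),  # benign value, must not fire
]


def triage(entries=SAMPLE):
    """Distinct signature names that fired, sorted, for a one-line verdict."""
    return sorted({f.signature for f in evaluate(entries)})


if __name__ == "__main__":
    for f in evaluate(SAMPLE):
        print(f"{f.signature}: {f.key}\\{f.name} = {f.data!r}")
```

Feed it the output of `reg export` parsed into triples, or the registry-write log of a sandbox run, and the Winlogon comparison is the one to watch: a Shell value that is anything other than `explorer.exe` is persistence that survives a Run-key cleanup.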

Processes

  • C:\Users\Admin\AppData\Local\Temp\930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:536
    • C:\Windows\SysWOW64\wqimvavhcg.exe
      wqimvavhcg.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:4544
      • C:\Windows\SysWOW64\ahfklvua.exe
        C:\Windows\system32\ahfklvua.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2732
    • C:\Windows\SysWOW64\bihncvjnahjzbnv.exe
      bihncvjnahjzbnv.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3972
    • C:\Windows\SysWOW64\ahfklvua.exe
      ahfklvua.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4616
    • C:\Windows\SysWOW64\erffyikmsdtfb.exe
      erffyikmsdtfb.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1824
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:5088
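The tree above shows the sample spawning random-named copies from SysWOW64 and launching WINWORD.EXE on a 223-byte RTF in C:\Windows, which is the shape of a decoy-document launch. As an added example (not from the report or any sandbox vendor), here is process-creation detection logic in the spirit of Sysmon Event ID 1 matching, run over events reconstructed from that tree. PIDs and command lines are the report's; the parent links follow the tree's indentation, the root's parent PID 0 and the allowlist of expected Office parents are assumptions.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Reduced process-creation record (Sysmon Event ID 1 fields we need)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Assumed allowlist: parents from which an interactive Office start is expected.
EXPECTED_OFFICE_PARENTS = {"explorer.exe", "svchost.exe", "outlook.exe"} | OFFICE
# Quoted document argument on an Office command line.
DOC_ARG = re.compile(r'"([^"]+\.(?:rtf|docx?|docm|dotx?|dotm))"', re.I)
# 8-16 lowercase letters, no digits, living in SysWOW64.
RANDOM_SYSWOW = re.compile(r"^c:\\windows\\syswow64\\[a-z]{8,16}\.exe$")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, pid) pairs for every event that trips a rule."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        parent_name = basename(parent.image) if parent else ""
        img = basename(e.image)
        if img in OFFICE:
            if parent_name not in EXPECTED_OFFICE_PARENTS:
                findings.append(("office-spawned-by-unexpected-parent", e.pid))
            for doc in DOC_ARG.findall(e.cmdline):
                # Legitimate documents do not live under the Windows directory.
                if doc.lower().startswith("c:\\windows\\"):
                    findings.append(("decoy-document-under-windows-dir", e.pid))
        if RANDOM_SYSWOW.match(e.image.lower()):
            findings.append(("random-named-exe-in-syswow64", e.pid))
    return findings


# Reconstructed from the process tree above; ppid=0 for the root is assumed.
SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe"
WINWORD = r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"
EVENTS = [
    ProcEvent(536, 0, SAMPLE_EXE, f'"{SAMPLE_EXE}"'),
    ProcEvent(4544, 536, r"C:\Windows\SysWOW64\wqimvavhcg.exe", "wqimvavhcg.exe"),
    ProcEvent(2732, 4544, r"C:\Windows\SysWOW64\ahfklvua.exe", r"C:\Windows\system32\ahfklvua.exe"),
    ProcEvent(3972, 536, r"C:\Windows\SysWOW64\bihncvjnahjzbnv.exe", "bihncvjnahjzbnv.exe"),
    ProcEvent(4616, 536, r"C:\Windows\SysWOW64\ahfklvua.exe", "ahfklvua.exe"),
    ProcEvent(1824, 536, r"C:\Windows\SysWOW64\erffyikmsdtfb.exe", "erffyikmsdtfb.exe"),
    ProcEvent(5088, 536, WINWORD, f'"{WINWORD}" /n "C:\\Windows\\mydoc.rtf" /o ""'),
]

if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule}\tPID {pid}")
```

The decoy rule is the robust one: an Office binary opening a document from C:\Windows is rare on a real endpoint, whereas the random-name regex needs tuning per environment and the parent allowlist will need entries for protocol-handler and click-to-run launches.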

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

    Filesize

    512KB

    MD5

    b34f59b18b5afb684b5c06e605dee700

    SHA1

    e3ed31d11ed85e07edfd5908b0df5f318a3bdd22

    SHA256

    dbb04c5e69792322c08dce865fb851153e249bdf4ad2e2b2f771ad469eca5860

    SHA512

    c150b7334453532273fbb21f128c7afc49f41e6166910326fae56ac72c0d8502d1f1895ad855fa66a7650b8bf83540a03a8696d0f976c5e6ea39bb401eb0b0d5

  • C:\Users\Admin\AppData\Local\Temp\TCD7C70.tmp\sist02.xsl

    Filesize

    245KB

    MD5

    f883b260a8d67082ea895c14bf56dd56

    SHA1

    7954565c1f243d46ad3b1e2f1baf3281451fc14b

    SHA256

    ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

    SHA512

    d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

    Filesize

    239B

    MD5

    361ba5cdfe246f4303b0a1638e0daf43

    SHA1

    eced7199b1af3c8e92209a68cb9a925ff3f369a3

    SHA256

    507143acb38e64408d03a0dd98e16bd34ca557294c466ae8ec9c7c763eb3a2a5

    SHA512

    81b9d124396d138717aea4dc71cec59426a3b65b47eaa0d13523adf030c5e3df9fa670ed48f7634d0301812d4b546dd43bc5bf863b58112570a2ab049bc7ab54

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

    Filesize

    3KB

    MD5

    7e1d9ecea49df89930f47693484d3db6

    SHA1

    f91de86d39e949a5a4ce13a33571a5773dd44e1e

    SHA256

    13fa82fb2f37961421c59b8f810d40949cb0b4384ad049a8d47c7d4d05ae7b6b

    SHA512

    bc5b321d5783a5ae632f08de853ce8e177cfa6c2eee48053b7eed7060fd73966b5111eab71356c9ed2cd19ae4cf3081ef44b431ae73a8c965b1224f60d909b0b

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

    Filesize

    3KB

    MD5

    00d8b3cd5fce651eb3126ddf38bfc927

    SHA1

    0ae4eba1180c06d439e4614c57126a77b98a096c

    SHA256

    dd6a12371c623dfa374a0373eb72512d52d828021be53e13f735d4c8c6c2bc42

    SHA512

    5379dbcf105aead9b780b84d76fd154f06d864bcd830ef50f267173814eef7e429a0d6383e49af21aa70a46aee61d9bcb28ea94cc93279a2b86b8ad6d3d4c260

  • C:\Users\Admin\Documents\JoinMerge.doc.exe

    Filesize

    512KB

    MD5

    c6d5169d73678b0c1b047bd149202154

    SHA1

    7ecf8922a634005dd6142e18c1748790bf35e8ca

    SHA256

    885bbb7d337db632e2360043f29def73a4d48be3f6f5e55f2a5cc21196ec325d

    SHA512

    1eac0dfb534622ba3a8ffb7ef1976a2a9481ef591fd913a838d49db6ecb2c3205839742610a6915438c170a34576b4fa0e9d482460c3efb3dc3fcd81ca4a3d82

  • C:\Users\Admin\Documents\RequestConfirm.doc.exe

    Filesize

    512KB

    MD5

    10a27820e2d4f3e056b474100d0c7c52

    SHA1

    4b01991780d4282ad40ee3241c30c115b7589cfc

    SHA256

    a936f68534ff021dd3edec275e1e0b6075d5d91a36fa94ab753416d520d3aa1d

    SHA512

    97fdd0c3dd20feb59ce1514bfa209de192b17bf2883996e0cbcbda9437b5dcac3c09333cac14e9e65c80dfa388555524a5abdd70c56b3081303562e463f3a9d0

  • C:\Windows\SysWOW64\ahfklvua.exe

    Filesize

    512KB

    MD5

    be02c5accc70e153cd596ca144bceed0

    SHA1

    e39335736b28312e5631afb04a21d3059348f674

    SHA256

    7552b428f53095ca87ffa569602e706798ebe8c921d2287f7d43bf86d20d7ce9

    SHA512

    e6816b59daed1af0e7a769873b787e251c0b1d5b01f6e72f838c8eae2527e2688c5a241048ffe6f94e1e8364c20029dfc7ca1faf93ba8581c12ed24c5dcb9205

  • C:\Windows\SysWOW64\bihncvjnahjzbnv.exe

    Filesize

    512KB

    MD5

    1e3ae845563779a9f92adf2259f3175b

    SHA1

    c13928d7a3a6ff1d136084b5d4d4df81cf9ce83b

    SHA256

    c434f757c6abf53b1b751b80082d58a8a19841c9c76170a25ee8b070636cc8b5

    SHA512

    f33a0b90b31697cb9b84e19fd2af6718feba0a391a4a9c6bc70610c78787db480e80a6181dfd4db015bec9d8d1be44ffd90f2d1effd76ca64a92c52df3a65e9f

  • C:\Windows\SysWOW64\erffyikmsdtfb.exe

    Filesize

    512KB

    MD5

    54be701f5de97508d8e5a68a296f5ad1

    SHA1

    22b3eae4e9260a4ebe4e611a595c9097c873491f

    SHA256

    fc9186f2da2b447afe40360c01baf5981a409794269355113266cbd6b1d4fba0

    SHA512

    fc83c11dcebf4d6afb6a22a3f80b418d5f448f81562ef93872214b16b59da7b77df340b225bcff6ab5b0290a2e7c336c528c15b991c284eee5ba7db1571d915f

  • C:\Windows\SysWOW64\wqimvavhcg.exe

    Filesize

    512KB

    MD5

    1e7054d898f195cc849573a3a301e0d3

    SHA1

    9a34d07f7743a2162c947da631bc6a94553c689e

    SHA256

    a46f76a5e12457e17c1bf1bbfaa35e166c672b8efccc51ba0a5062c4c2bdc337

    SHA512

    8588f7b4d81103307d5080528ebe8c414e3d556c18f902ec6c417b8c86adcd40e653cd5fd1f282c1c220de68b212e52d39f0f5597afdb9cb36a0a80a1a3a9d49

  • C:\Windows\mydoc.rtf

    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

    Filesize

    512KB

    MD5

    20ec81b3b35cc983a61148dac19b3b24

    SHA1

    1c94bd0708553e0bf81aee8327b5ef71cc8ad19e

    SHA256

    6a7f2f82e438391af54e14336ca3622b79f0442655948e3fd80a4968b94f5c60

    SHA512

    70e1b419f98eccb9b0278f31797208380ffeca00ff92a1ff243bde9d59d4c630776d1ac659e84053ae833ed50127c94cbabae2d0cc9bdb9f9ae2dfa9f47d15bc

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

    Filesize

    512KB

    MD5

    e325ff41d7b676a975f65f5db492271d

    SHA1

    c39b13f4db08fd08c93ef19ecd29258e9a77b81b

    SHA256

    874c72474e30727d513829b8f53754a06f82ba310b0015ca25afeec2f3e89956

    SHA512

    bbb4674e37539e8a8cf5fe5ee5db446658f12e3f4a19b88a95a8deea5c3bdd66c74f328f85ff03f10e42caf24cecdf76780456b21262f750dec66888db68dff9

  • memory/536-0-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB

  • memory/5088-38-0x00007FFD0E950000-0x00007FFD0E960000-memory.dmp

    Filesize

    64KB

  • memory/5088-42-0x00007FFD0C810000-0x00007FFD0C820000-memory.dmp

    Filesize

    64KB

  • memory/5088-39-0x00007FFD0E950000-0x00007FFD0E960000-memory.dmp

    Filesize

    64KB

  • memory/5088-40-0x00007FFD0E950000-0x00007FFD0E960000-memory.dmp

    Filesize

    64KB

  • memory/5088-37-0x00007FFD0E950000-0x00007FFD0E960000-memory.dmp

    Filesize

    64KB

  • memory/5088-41-0x00007FFD0E950000-0x00007FFD0E960000-memory.dmp

    Filesize

    64KB

  • memory/5088-43-0x00007FFD0C810000-0x00007FFD0C820000-memory.dmp

    Filesize

    64KB

  • memory/5088-603-0x00007FFD0E950000-0x00007FFD0E960000-memory.dmp

    Filesize

    64KB

  • memory/5088-604-0x00007FFD0E950000-0x00007FFD0E960000-memory.dmp

    Filesize

    64KB

  • memory/5088-605-0x00007FFD0E950000-0x00007FFD0E960000-memory.dmp

    Filesize

    64KB

  • memory/5088-602-0x00007FFD0E950000-0x00007FFD0E960000-memory.dmp

    Filesize

    64KB
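Every dropped PE above is exactly 512KB, several carry a document double extension (`.doc.exe`) and the rest have random lowercase names in SysWOW64. The following is an added example, not part of the report: a parser for the "Downloads" format above that turns it into records, tags each by those traits, and emits a SHA256 blocklist. The embedded text is four of the entries above, abridged (blank lines and some hashes dropped; the parser skips blank lines, so the page text pastes in unchanged); the 512KB reference size and the tag names are this example's choices.

```python
import re
from dataclasses import dataclass, field

FIELD_NAMES = {"Filesize", "MD5", "SHA1", "SHA256", "SHA512"}
# Document-looking name with a trailing .exe, e.g. JoinMerge.doc.exe
DOUBLE_EXT = re.compile(r"\.(?:doc|docx|rtf|pdf|xls|xlsx|ppt|txt)\.exe$", re.I)
# 8-16 lowercase letters and nothing else, e.g. ahfklvua.exe
RANDOM_NAME = re.compile(r"^[a-z]{8,16}\.exe$")


@dataclass
class Dropped:
    path: str
    size: str = ""
    md5: str = ""
    sha1: str = ""
    sha256: str = ""
    sha512: str = ""
    tags: list = field(default_factory=list)


def parse_downloads(text):
    """Bullet line starts a record; a field-name line is followed by its value."""
    records, current, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            current = Dropped(path=line[1:].strip())
            records.append(current)
            pending = None
        elif line in FIELD_NAMES:
            pending = line
        elif current is not None and pending is not None:
            setattr(current, "size" if pending == "Filesize" else pending.lower(), line)
            pending = None
    return records


def tag(records, sample_size="512KB"):
    """Label each record; memory dumps and non-PE files end up with no tags."""
    for r in records:
        name = r.path.rsplit("\\", 1)[-1]
        tags = []
        if DOUBLE_EXT.search(name):
            tags.append("double-extension")
        if RANDOM_NAME.match(name) and "\\syswow64\\" in r.path.lower():
            tags.append("random-name-in-syswow64")
        if r.size == sample_size and name.lower().endswith(".exe"):
            tags.append("same-size-as-sample")
        r.tags = tags
    return records


def blocklist(records):
    """Sorted SHA256 set for every tagged record that has a hash."""
    return sorted({r.sha256 for r in records if r.tags and r.sha256})


# Abridged copy of four entries from the report's Downloads section.
REPORT = r"""
  • C:\Users\Admin\Documents\JoinMerge.doc.exe
    Filesize
    512KB
    MD5
    c6d5169d73678b0c1b047bd149202154
    SHA256
    885bbb7d337db632e2360043f29def73a4d48be3f6f5e55f2a5cc21196ec325d
  • C:\Windows\SysWOW64\ahfklvua.exe
    Filesize
    512KB
    SHA1
    e39335736b28312e5631afb04a21d3059348f674
    SHA256
    7552b428f53095ca87ffa569602e706798ebe8c921d2287f7d43bf86d20d7ce9
  • C:\Windows\mydoc.rtf
    Filesize
    223B
    SHA256
    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
  • memory/536-0-0x0000000000400000-0x0000000000496000-memory.dmp
    Filesize
    600KB
"""

if __name__ == "__main__":
    recs = tag(parse_downloads(REPORT))
    for r in recs:
        print(f"{r.path}\t{r.size}\t{','.join(r.tags) or '-'}")
    print("block:", *blocklist(recs), sep="\n  ")
```

Keep the untagged hashes too: `index.dat` and the `customDestinations-ms` jump-list entries are Office and shell housekeeping that changes on every run, and blocking them would only generate noise.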