Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    03-06-2024 03:43

General

  • Target

    906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    906ea6d73fd1bac2633dee29220394da

  • SHA1

    a2865d9b082ba59cf89b421f48f6648395f53de1

  • SHA256

    bf932df57b55140592c613e69e27217a80c604100a28f01cf088d43d02339930

  • SHA512

    2f24dd78066cff91a9442e4ecfb05a5a4dadd522a9b956400ae10838e3e81633ecb537a1e95bce7df70da3a2c428a0ce98c3c0b0bb85db3ffc9d1a55dbe3a6cf

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj67:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5Q

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 6 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1196
    • C:\Windows\SysWOW64\frrvuxityv.exe
      frrvuxityv.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2944
      • C:\Windows\SysWOW64\rvlgtrxk.exe
        C:\Windows\system32\rvlgtrxk.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2752
    • C:\Windows\SysWOW64\ecoovxkfjfplopc.exe
      ecoovxkfjfplopc.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3060
    • C:\Windows\SysWOW64\rvlgtrxk.exe
      rvlgtrxk.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2628
    • C:\Windows\SysWOW64\tiydjfqfesvwu.exe
      tiydjfqfesvwu.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2624
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2472
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
        PID:1940

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

      Filesize

      512KB

      MD5

      9f8587c7ef089dce7c84018c0dab69d5

      SHA1

      41c92e112df09059266dc7d42e1018cef3d95471

      SHA256

      3f7b790ac12614d867bc912075120ac0daf3efb3deb863078cded60cc30d9d0e

      SHA512

      fd4efe75b5e4d0d69c7fcb4c4c9989eb4f50209d9670ee332f8e874988b5f0f31081ecef24f31907745c0777d3982e6dbb75e57fe009b62b615e9e30400bf4b6

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      20KB

      MD5

      ede6dba31e0f6a505702d93da316b232

      SHA1

      ecd071a2179894a8e05e915fb941b5aeb9215f9b

      SHA256

      38d04532db95e5eb44dcc97d200249df4f2a100a5f4f1fc409a6d3a762d3fa36

      SHA512

      fbe66d95c4ae45f6268feb6a50fb2d486906a094c9d93eed0f1688805b3521ebc3e9285f25bc530973db13037991e4ce162ed699ad692a4ab0d381a7d2c7ba64

    • C:\Windows\SysWOW64\ecoovxkfjfplopc.exe

      Filesize

      512KB

      MD5

      d0d501c43973eb4384ba48c20994d12e

      SHA1

      715d54d56e0b42527e01e57f6a6155af198d62b5

      SHA256

      538fb500940f2493217afe55786c320e9c24150c378da24b69599abb46f4757c

      SHA512

      d24217f2115cdf867160e5a3fd102a082073b493e4132108c14f6f3c0575e014084ea76bad7976a706aa6444bac964dc76a62e89bd3222b5d95464d817b4d121

    • C:\Windows\mydoc.rtf

      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    • \Windows\SysWOW64\frrvuxityv.exe

      Filesize

      512KB

      MD5

      27fc4abc1d836699d2ae648265eee3f9

      SHA1

      231ad86b06b8819f7f06f099e8a6f10bb97276fb

      SHA256

      6d4bb441d0bcfdfb9177cc47462e77ef01e94cbbda2923e30bb284062af11b02

      SHA512

      538fee9e1abbd7921ee5741cfe4aa9a3e86074e549e80340915b7b09bc4181a3a7295f850d2f1e8e948aad9c87610cdec85af12b26025d3041e7c984414bafa1

    • \Windows\SysWOW64\rvlgtrxk.exe

      Filesize

      512KB

      MD5

      32c46c3fb393940e62ded8e72193417d

      SHA1

      1edf467747e106adeb8e09727550dd163f18fb69

      SHA256

      39779b228c3b84cde1ce83fab4da5b5b4706739da7f89adb22c33d2bf03b7d94

      SHA512

      0b921c431b1391a78f0390eb970b3bf4b4188489aac2f8f34122a9e641225a9ab03c141847a461cc576a76491654637f76afe105eac1da0ce472c354ba3d49a5

    • \Windows\SysWOW64\tiydjfqfesvwu.exe

      Filesize

      512KB

      MD5

      21126303e237846a5855ae2765cb31b0

      SHA1

      ee02e9ac935ab7ee315792ba4467fc45c486bf85

      SHA256

      e3d7b399d89add7da1980a0205b7b9cef5eb9e55966548f2ee5055966b17121d

      SHA512

      206ff8ca3de26dddabf395defeeda653352c9a4ac6a673dd4afc260410c4c477e3ce4a7e66577c6fae200c13b3ea9bbe3793234ea3087bd6bd09f63bec59f972

    • memory/1196-0-0x0000000000400000-0x0000000000496000-memory.dmp

      Filesize

      600KB

    • memory/2472-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2472-99-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB