Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03-06-2024 04:04

General

  • Target

    907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    907abca4a46cd96738dd4cacd43e276e

  • SHA1

    a6261c56d6dcffc147cb8d2883834c2d12e7429d

  • SHA256

    d7d117e4bbcd6880006f68a014c68d43601d4df9bd64a61bd315a7981bef4e7e

  • SHA512

    ebfeeb895bde071c23a9bb40bb36ec192156d80f7f70e229cfaa155330c99e6e41a9294a3ef9c8b1e53b9ae2a161ccdafe8c1a46be93a4a152f693d169088dd9

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6j:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5u

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 12 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
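The Explorer, RegEdit, Winlogon, Run-key and Defender signatures above are all registry-backed, and a sandbox raises them by diffing the registry before and after the run rather than by looking at absolute values (a stock Windows host already has HideFileExt set, so an absolute check would fire on every machine). The following script is an added example, not part of the sandbox report or of the sample: it takes two registry snapshots as plain dictionaries and maps only the values that changed to the report's signature names. Both snapshots are constructed for the demonstration; the report does not list the values this sample actually wrote, and the dropped.exe path and the "dropped" Run value are hypothetical.

```python
"""Registry-diff triage for the Explorer, RegEdit, Winlogon, Run-key and
Defender signatures in the report above. Added example, not the report's or
the sample's own code. Snapshots are dicts of key -> {value name: data};
REG_DWORD data is modelled as int, REG_SZ as str. Fill them from `reg query`
or winreg on a live host; the BEFORE/AFTER dicts below are constructed."""
from dataclasses import dataclass

ADVANCED = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
POLICIES = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"
WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUN_KEYS = (
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)
DEFENDER_POLICY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"
DEFENDER_RTP = r"HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection"


def _not_default_shell(d):
    return isinstance(d, str) and d.strip().lower() != "explorer.exe"


def _not_default_userinit(d):
    return isinstance(d, str) and d.strip().lower().rstrip(",") != r"c:\windows\system32\userinit.exe"


# (key, value name, predicate on the new data, signature name).
# A rule only fires for a value that differs between the two snapshots.
RULES = [
    (ADVANCED, "HideFileExt", lambda d: d == 1, "Modifies visibility of file extensions in Explorer"),
    (ADVANCED, "Hidden", lambda d: d == 2, "Modifies visibility of hidden/system files in Explorer"),
    (ADVANCED, "ShowSuperHidden", lambda d: d == 0, "Modifies visibility of hidden/system files in Explorer"),
    (POLICIES, "DisableRegistryTools", lambda d: d in (1, 2), "Disables RegEdit via registry modification"),
    (WINLOGON, "Shell", _not_default_shell, "Modifies WinLogon"),
    (WINLOGON, "Userinit", _not_default_userinit, "Modifies WinLogon"),
    (DEFENDER_POLICY, "DisableAntiSpyware", lambda d: d == 1, "Windows security modification"),
    (DEFENDER_RTP, "DisableRealtimeMonitoring", lambda d: d == 1, "Windows security modification"),
]


@dataclass(frozen=True)
class Finding:
    signature: str
    key: str
    value: str
    data: object


def changed_values(before, after):
    """Yield (key, value name, new data) for every value added or changed."""
    for key, values in after.items():
        old = before.get(key, {})
        for name, data in values.items():
            if name not in old or old[name] != data:
                yield key, name, data


def triage(before, after):
    """Map changed registry values to the sandbox signature names."""
    findings = []
    for key, name, data in changed_values(before, after):
        if key in RUN_KEYS:  # any new Run value is persistence, whatever it points at
            findings.append(Finding("Adds Run key to start application", key, name, data))
            continue
        for rule_key, rule_name, matches, signature in RULES:
            if key == rule_key and name == rule_name and matches(data):
                findings.append(Finding(signature, key, name, data))
    return findings


# Constructed snapshots (hypothetical values, not this sample's): an analyst
# image that shows hidden and system files before the run, and the same keys
# after a run that hid them, disabled regedit, hooked Winlogon and added a Run value.
BEFORE = {
    ADVANCED: {"HideFileExt": 1, "Hidden": 1, "ShowSuperHidden": 1},
    WINLOGON: {"Shell": "explorer.exe", "Userinit": r"C:\Windows\system32\userinit.exe,"},
}
AFTER = {
    ADVANCED: {"HideFileExt": 1, "Hidden": 2, "ShowSuperHidden": 0},
    POLICIES: {"DisableRegistryTools": 1},
    WINLOGON: {"Shell": r"explorer.exe,C:\Windows\SysWOW64\dropped.exe",
               "Userinit": r"C:\Windows\system32\userinit.exe,"},
    RUN_KEYS[0]: {"dropped": r"C:\Windows\SysWOW64\dropped.exe"},
    DEFENDER_POLICY: {"DisableAntiSpyware": 1},
}

if __name__ == "__main__":
    for f in triage(BEFORE, AFTER):
        print(f"{f.signature}: {f.key}\\{f.value} = {f.data!r}")
```

HideFileExt is unchanged between the two constructed snapshots, so the "file extensions" signature is deliberately not raised even though the value is 1 afterwards; that is the difference between a diff-based sandbox signature and a host-wide audit, and it is why a pre-execution snapshot is worth taking before detonating a sample.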

Processes

  • C:\Users\Admin\AppData\Local\Temp\907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:748
    • C:\Windows\SysWOW64\azsgnoggem.exe
      azsgnoggem.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2664
      • C:\Windows\SysWOW64\fnfqwypr.exe
        C:\Windows\system32\fnfqwypr.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4516
    • C:\Windows\SysWOW64\gmxcpjqpjmvnfwm.exe
      gmxcpjqpjmvnfwm.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1944
    • C:\Windows\SysWOW64\fnfqwypr.exe
      fnfqwypr.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4148
    • C:\Windows\SysWOW64\zyqixfxdndokn.exe
      zyqixfxdndokn.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:5000
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:2280

Network

Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

    Filesize

    512KB

    MD5

    e92ca4fef967247c7a9df86b13d43eb7

    SHA1

    2114dc9eaa2f094a17a250c16f995f059264803b

    SHA256

    96c996384abe7a9fda3b55a1dbf40ee23ef36e10fa4faab6f8589eb555da6eef

    SHA512

    bbaf2bc785939b8987299617c35c3eba6b02d8e2dd397f3b590f12faf1033741d95e4da6d101987b477d59aaaf127a0959459d908079636766114705ef669b1e

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

    Filesize

    512KB

    MD5

    10767850e1a1ab15346744be26f6109a

    SHA1

    8aa8ca656edfb61645cd8c9f0d91eba4a33d6ddc

    SHA256

    1c462407d4f4718299144cdcac4e0b6ac1c2fbd3bdf0848e7d964ba769743538

    SHA512

    ba93d2d6af1f126d35a6d72dde5cfe4e3ea8c89b432add0d52042456b3d5096fa6bc271912b4ebcc014a232c9c6585889a2599a1987bca698ac20b477724b662

  • C:\Users\Admin\AppData\Local\Temp\TCD9BF6.tmp\gb.xsl

    Filesize

    262KB

    MD5

    51d32ee5bc7ab811041f799652d26e04

    SHA1

    412193006aa3ef19e0a57e16acf86b830993024a

    SHA256

    6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

    SHA512

    5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

    Filesize

    239B

    MD5

    12b138a5a40ffb88d1850866bf2959cd

    SHA1

    57001ba2de61329118440de3e9f8a81074cb28a2

    SHA256

    9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf

    SHA512

    9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

    Filesize

    3KB

    MD5

    78bbb275ee7c4f95ae9bcdf53ec6d8e9

    SHA1

    e2dcd3fec20003abd0dec81e1edd98cc1731302c

    SHA256

    bb8860b517b293a5e593d56b5b3adfbe5e95e17c41572ba886283581f752d992

    SHA512

    cd859582795677146d92f9b131a53d7c537037c5ac5ae8331a6ae9be7b3c01adef3bb6edc7fa7d8108848cc49746eeeaba1153f2eaf3e9d44375c1b975ed9284

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

    Filesize

    3KB

    MD5

    8541b8f68b1ebb191eecd33a66f932a6

    SHA1

    0b07a81a137e1574ce0ecdf70aeb838176b8057b

    SHA256

    2fb2d882a98fbf1fd95479ce89847164d8dfd8365bda0aba0502e36a2bb401ba

    SHA512

    d0cfb3d3d90a7357ce74f4c03ad0762b2649c050942973ac0ded3651a4f79cee5af43c617ae335abe9499549b0c43509b85d54f223821e07bca9b9100e1d0648

  • C:\Users\Admin\Documents\DisableResume.doc.exe

    Filesize

    512KB

    MD5

    e7e8ac49c17476f7b6cd39082d490e7f

    SHA1

    7da9d4ed3502b5be31f8958bac65c7693fea795f

    SHA256

    522a526256b4d55d4a2e2dee1f36d3a1b0d5e544105247bec202ada4c1b8ff2c

    SHA512

    1a0d310fe8bc9bbe3761d332859beecfabe36f94e4ad451f12f04f2e6fbc86f0d35b688433780aca53e66e91a489b069f31fefba708704e200cbd70829814fe1

  • C:\Users\Admin\Documents\RegisterRemove.doc.exe

    Filesize

    512KB

    MD5

    79143e693f765631f5fa8c56478f283d

    SHA1

    b7fccf87d1caaaed2685a523e10a40c52f336b30

    SHA256

    d5ce3d0d73ae831a7fa45edffc6411301acabd7966f7807b000effb25bdf023f

    SHA512

    0def78070ed9e96f80e28c5894d02c38d76df3424573a9a38a981f60760ef0b72d6dee3aaf30df31d976480ff24c6992ba23c0b8c1fbedb8181696abedca286a

  • C:\Windows\SysWOW64\azsgnoggem.exe

    Filesize

    512KB

    MD5

    f0bf4b580e4810fe438be89a58153330

    SHA1

    c00bf8622f560f660292d5e26138f5ba7ebcc1cf

    SHA256

    9ff21abaefcd933067a2e18a14f052479823fd6813eaf887a6993c81b68bfe23

    SHA512

    b88aff1c8ca9edd889ddee9981453cf8f128e1c9166ccf3935fe0acd371d9fe075e1d06dd6eb4ad045bd798361e0ffc39e5bad361977af91e50d1653b83e4ee4

  • C:\Windows\SysWOW64\fnfqwypr.exe

    Filesize

    512KB

    MD5

    8afa6046a96e9ca345ee21d3519c9446

    SHA1

    eaab374932201e68bccf9c7b2eb4536fa00ebb06

    SHA256

    d673fcd4c87093009ab071f1764815eac5b7a8ef8a524707bf39b1043a121091

    SHA512

    9aedcf41a4c9b237157f8c5eb407207061f5db33547392d27a21b36ab742bfcd1febc3b46eecdb14d97a8ffbd1ffdc23007accd9688d22d6c5e8efae031112e7

  • C:\Windows\SysWOW64\gmxcpjqpjmvnfwm.exe

    Filesize

    512KB

    MD5

    5ebe0857dfc84aae8a9853371b6e56ec

    SHA1

    8fe129e1879f327347a788ee848379298ca2754a

    SHA256

    f1afc7e8ac2fe8a4e1844a81d0e0eaac18861b92f9b49afe457c713fc3f83057

    SHA512

    750db96626becafdd7af6333ee092cfcc62de042ba29704022eaa135ed3d670b33084a481a643ae4c005aec7c067b73a839d83ca70910942e4ee69024787c588

  • C:\Windows\SysWOW64\zyqixfxdndokn.exe

    Filesize

    512KB

    MD5

    793376f775364d7a73caaa78244b2b9e

    SHA1

    aeed29a74a885b3cbd0431acec3c07a510464409

    SHA256

    6fe0c119123a5a52a4a0d772ac6398905513cdc22edb58dd8ce4b4fa946465f1

    SHA512

    35be72ee6c5c57cb82804014459bbbeb0e77c6e08a4813a70fe26411828c50bf280c9e57128c0e890e03782667a7b39428e7e14e64e9b1699342daf3154faafc

  • C:\Windows\mydoc.rtf

    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

  • \??\c:\Users\Admin\Documents\RegisterRemove.doc.exe

    Filesize

    512KB

    MD5

    530290362f283464a6d1e3aaa9aa4ecd

    SHA1

    cae6b21079d3c2483712301a80872ded55df8fca

    SHA256

    5494061f6a89ae045b27da43ec16ea64d4131027e690f297e5089691128decc5

    SHA512

    3940cae74024ad126bf2a42bb6365434c7a5e189389dcf2d08c941420995c1ea0cffa954106b9b13bde91e9edffa56b04eb82968bcf09a7bdf5a3712f67ecbd2

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

    Filesize

    512KB

    MD5

    63bef064744e4cc9c958502cf118b639

    SHA1

    f26875aedebb6871af7101d82077a7f40324c615

    SHA256

    79c46c0525fb2c480e108a134c91b281db11988eec4c7a22a6cb01bbf758bcfe

    SHA512

    2ffac0497276183cbf4d9067b99364d5c64aa9c273c8068528a7e706d7e617138da7ede08af8e4f9708cce9a36fa8bf7537e2d1c50763fa98785f084e9ade06c

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

    Filesize

    512KB

    MD5

    4d6295a99246db92bcb83836cdb37925

    SHA1

    67485c14125d0fbcb9e56b40b4f789b859a635f8

    SHA256

    9961bf6c5729d12219620ff68079fe45320c547f5e622f09c82394b33f926d5c

    SHA512

    ff98ef80cf8e329b5d6167c736ffab90ad057529a1fb1af7fb1fef2ca186d00a0af2752153256b2832f4cffe25b25e54a6f38d0af769fc70fe1fbfd2818fc74a

  • memory/748-0-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB

  • memory/2280-35-0x00007FF9C9B30000-0x00007FF9C9B40000-memory.dmp

    Filesize

    64KB

  • memory/2280-607-0x00007FF9C9B30000-0x00007FF9C9B40000-memory.dmp

    Filesize

    64KB

  • memory/2280-43-0x00007FF9C72D0000-0x00007FF9C72E0000-memory.dmp

    Filesize

    64KB

  • memory/2280-40-0x00007FF9C72D0000-0x00007FF9C72E0000-memory.dmp

    Filesize

    64KB

  • memory/2280-39-0x00007FF9C9B30000-0x00007FF9C9B40000-memory.dmp

    Filesize

    64KB

  • memory/2280-38-0x00007FF9C9B30000-0x00007FF9C9B40000-memory.dmp

    Filesize

    64KB

  • memory/2280-36-0x00007FF9C9B30000-0x00007FF9C9B40000-memory.dmp

    Filesize

    64KB

  • memory/2280-608-0x00007FF9C9B30000-0x00007FF9C9B40000-memory.dmp

    Filesize

    64KB

  • memory/2280-609-0x00007FF9C9B30000-0x00007FF9C9B40000-memory.dmp

    Filesize

    64KB

  • memory/2280-610-0x00007FF9C9B30000-0x00007FF9C9B40000-memory.dmp

    Filesize

    64KB

  • memory/2280-37-0x00007FF9C9B30000-0x00007FF9C9B40000-memory.dmp

    Filesize

    64KB
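The Downloads list shows the sample's dropped-file pattern: 512KB executables written into Documents and Program Files under document-style double extensions (DisableResume.doc.exe, RegisterRemove.doc.exe, PROTTPLN.DOC.exe, MsoIrmProtector.doc.exe), every copy the same size as the original but with a different hash. The following script is an added example, not part of the sandbox report: it hunts for that pattern on a file tree by combining the name check with an MZ header check, so a genuinely renamed document is not reported, and groups equal-size hits so per-copy mutation stands out. The directory tree it scans is constructed in a temporary folder with placeholder contents; the file names and bytes are invented, not the sample's, and the document-extension list is an assumption.

```python
"""Hunt for PE executables masquerading as documents (<name>.<doc ext>.exe),
the dropped-file pattern in the report above. Added example, not the report's
or the sample's own code; it builds and scans a constructed tree."""
import hashlib
import tempfile
from collections import defaultdict
from pathlib import Path

# Assumed set of document extensions worth checking; extend for your estate.
DOC_EXTS = {".doc", ".docx", ".rtf", ".xls", ".xlsx", ".pdf", ".txt"}


def is_pe(path):
    """True if the file starts with the MZ DOS header; a renamed real document does not."""
    with open(path, "rb") as fh:
        return fh.read(2) == b"MZ"


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_masquerading_executables(root):
    """Return one record per file named <name>.<document ext>.exe that is a PE image."""
    root = Path(root)
    hits = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        suffixes = [s.lower() for s in p.suffixes]
        if len(suffixes) >= 2 and suffixes[-1] == ".exe" and suffixes[-2] in DOC_EXTS and is_pe(p):
            hits.append({
                "path": p.relative_to(root).as_posix(),
                "size": p.stat().st_size,
                "sha256": sha256_of(p),
            })
    return hits


def equal_size_groups(hits):
    """Group hits by size; several equal-size files with distinct hashes suggest
    one dropper mutated per copy, as with the report's 512KB files."""
    groups = defaultdict(list)
    for h in hits:
        groups[h["size"]].append(h)
    return {size: hs for size, hs in groups.items() if len(hs) > 1}


def build_sample_tree(root):
    """Constructed layout (placeholder bytes, not the sample's): two fake PE
    'documents', one real RTF and one non-PE file with a double extension."""
    root = Path(root)
    files = {
        "Documents/Report.doc.exe": b"MZ" + b"\x90" * 100 + b"copy-A",
        "Documents/Report.doc": b"{\\rtf1\\ansi Quarterly report}",
        "Documents/notes.txt.exe": b"not a PE image",
        "Program Files/Office16/1033/TEMPLATE.DOC.exe": b"MZ" + b"\x90" * 100 + b"copy-B",
    }
    for rel, data in files.items():
        dst = root / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        dst.write_bytes(data)


def demo():
    """Build the constructed tree in a temp dir, scan it and return the hits."""
    tmp = tempfile.mkdtemp()
    build_sample_tree(tmp)
    return find_masquerading_executables(tmp)


if __name__ == "__main__":
    hits = demo()
    for h in hits:
        print(f"{h['path']}  {h['size']}B  {h['sha256'][:16]}...")
    for size, group in equal_size_groups(hits).items():
        distinct = len({g['sha256'] for g in group})
        print(f"{len(group)} files of {size}B with {distinct} distinct hashes")
```

Point it at a user profile or Program Files root on a suspect host instead of the temp tree; notes.txt.exe in the constructed layout is skipped because it has no MZ header, and Report.doc is skipped because its last suffix is not .exe.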