Analysis

  • max time kernel
    150s
  • max time network
    131s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03-06-2024 07:22

General

  • Target

    90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    90f0c70e05a03f187734ef651882f6a0

  • SHA1

    84bb8f123173c489f3acbbf895bcf92915a6b0ae

  • SHA256

    f6b159c8e4bb247707be0d044837853e913065bc2c0c0e0d4d23dd3148afaaad

  • SHA512

    df00064bf0b72ea6706b4a13fed12859a7dff93760657ead9da4a983bdbca50ca7d6461b5e11370328d15b5ee9dec118d33a904219b0c3d1602f531cd0d8681d

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6D:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm52

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely as a geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 11 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 13 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
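
The Signatures list gives only hit counts; the registry paths and data the sample wrote are not on this page. The following Python script is an added example, not part of the sandbox report and not the sample's own code. It maps the persistence and defence-evasion signature names above to the registry values they conventionally refer to (Explorer's HideFileExt, Hidden and ShowSuperHidden, the DisableRegistryTools policy, the Winlogon Shell and Userinit values, and the Run keys) and runs those rules over registry SetValue events laid out like Sysmon Event ID 13 records. That mapping is an assumption, and the events in SAMPLE_EVENTS are constructed to mirror the process tree below; they are not telemetry from this run. Because hiding extensions and hidden files is the Windows default state, the check is written over write events rather than over a static registry snapshot, which would flag every default host.

```python
import re
from typing import Callable, Iterable, List, Tuple


def _default_userinit(data) -> bool:
    """True when Userinit still holds only the stock userinit.exe entry."""
    parts = [p.strip().lower() for p in str(data).split(",") if p.strip()]
    return parts == [r"c:\windows\system32\userinit.exe"]


def _run_target_in_dropper_dir(data) -> bool:
    """Heuristic: Run entries pointing under SysWOW64, Temp or AppData, where this
    sample drops its copies; entries under Program Files are left alone."""
    d = str(data).lower()
    return any(marker in d for marker in ("\\syswow64\\", "\\temp\\", "\\appdata\\"))


# (regex on TargetObject, predicate on the parsed Details, signature name from the report)
RULES: List[Tuple[str, Callable[[object], bool], str]] = [
    (r"\\Explorer\\Advanced\\HideFileExt$", lambda v: v == 1, "Modifies visibility of file extensions in Explorer"),
    (r"\\Explorer\\Advanced\\Hidden$", lambda v: v == 2, "Modifies visibility of hidden/system files in Explorer"),
    (r"\\Explorer\\Advanced\\ShowSuperHidden$", lambda v: v == 0, "Modifies visibility of hidden/system files in Explorer"),
    (r"\\Policies\\System\\DisableRegistryTools$", lambda v: v != 0, "Disables RegEdit via registry modification"),
    (r"\\Windows NT\\CurrentVersion\\Winlogon\\Shell$", lambda v: str(v).strip().lower() != "explorer.exe", "Modifies WinLogon"),
    (r"\\Windows NT\\CurrentVersion\\Winlogon\\Userinit$", lambda v: not _default_userinit(v), "Modifies WinLogon"),
    (r"\\Windows\\CurrentVersion\\Run\\[^\\]+$", _run_target_in_dropper_dir, "Adds Run key to start application"),
]

_NUMERIC = re.compile(r"^(?:DWORD|QWORD) \(0x([0-9A-Fa-f]+)\)$")


def parse_details(details: str):
    """Sysmon renders numeric data as 'DWORD (0x00000001)'; string data is passed through."""
    m = _NUMERIC.match(details.strip())
    return int(m.group(1), 16) if m else details


def detect(events: Iterable[dict]) -> List[dict]:
    """Return one finding per SetValue event that matches a rule's path and predicate."""
    findings = []
    for ev in events:
        if ev.get("EventType") != "SetValue":
            continue
        target = ev.get("TargetObject", "")
        value = parse_details(ev.get("Details", ""))
        for pattern, suspicious, signature in RULES:
            if re.search(pattern, target, re.IGNORECASE) and suspicious(value):
                findings.append({"signature": signature, "image": ev.get("Image"),
                                 "target": target, "value": value})
    return findings


# Constructed events shaped like Sysmon ID 13; images are the dropped files from the
# process tree, the SID and the data written are fabricated for the example.
SID = r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
DROPPER = r"C:\Windows\SysWOW64\vjlwacwfji.exe"
SAMPLE_EVENTS = [
    {"EventType": "SetValue", "Image": DROPPER, "Details": "DWORD (0x00000001)",
     "TargetObject": SID + r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt"},
    {"EventType": "SetValue", "Image": DROPPER, "Details": "DWORD (0x00000000)",
     "TargetObject": SID + r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden"},
    {"EventType": "SetValue", "Image": DROPPER, "Details": "DWORD (0x00000001)",
     "TargetObject": SID + r"\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools"},
    {"EventType": "SetValue", "Image": DROPPER, "Details": r"explorer.exe C:\Windows\SysWOW64\audrlbrc.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell"},
    {"EventType": "SetValue", "Image": r"C:\Windows\SysWOW64\yerkmrlagdeoiok.exe",
     "Details": r"C:\Windows\SysWOW64\lrbnmpgmgfjbk.exe",
     "TargetObject": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\lrbnmpgmgfjbk"},
    # Benign noise that must not fire: a user turning extensions on, an installer's Run entry.
    {"EventType": "SetValue", "Image": r"C:\Windows\explorer.exe", "Details": "DWORD (0x00000000)",
     "TargetObject": SID + r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt"},
    {"EventType": "SetValue", "Image": r"C:\Program Files\ExampleApp\setup.exe",
     "Details": r"C:\Program Files\ExampleApp\app.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExampleApp"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['signature']:<55} {f['image']}")
```

Real Sysmon ID 13 records exported to dicts with the same field names can be passed straight to detect(); the image field ties each hit back to a specific dropped binary under SysWOW64, which is what distinguishes the sample's writes from a user toggling the same Explorer settings.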

Processes

  • C:\Users\Admin\AppData\Local\Temp\90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3856
    • C:\Windows\SysWOW64\vjlwacwfji.exe
      vjlwacwfji.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:3224
      • C:\Windows\SysWOW64\audrlbrc.exe
        C:\Windows\system32\audrlbrc.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1464
    • C:\Windows\SysWOW64\yerkmrlagdeoiok.exe
      yerkmrlagdeoiok.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4008
    • C:\Windows\SysWOW64\audrlbrc.exe
      audrlbrc.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2556
    • C:\Windows\SysWOW64\lrbnmpgmgfjbk.exe
      lrbnmpgmgfjbk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4264
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:860

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

    Filesize

    512KB

    MD5

    fd9e27b035934bcd37ea7cde375f21b6

    SHA1

    a8a214548c09a68781d546efe04fbab273fbf54d

    SHA256

    82f283fb98184d4a4f73e011b4da4b1b20d8c15d8d4490855c1555b722a190b0

    SHA512

    9d7fc059bcd0769db0b07f8416943039531b8a92b7d410ffc6a45678008fa07ac0643a0cd14ddb92c0abae108a75b67ff8d767bf33aeea4048b0a5a33822a971

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

    Filesize

    512KB

    MD5

    b73b80f1aa18b3895ac86ed299f77023

    SHA1

    d0fd5e0f2160455a49ed19ea12efe612b05a31fc

    SHA256

    f14ed51dc9c25903daec9d484546d08670dd672b4869b425503aef97397c6204

    SHA512

    1a94ec9e5b2df1a818f9879abb9051b14651a8ce7d50d2265d0ca6ee879191fca6d53793c8cae7b485c710d73f3030524d4b09f8bd935df9d862f7af7ee1490b

  • C:\Users\Admin\AppData\Local\Temp\TCD9D5A.tmp\iso690.xsl

    Filesize

    263KB

    MD5

    ff0e07eff1333cdf9fc2523d323dd654

    SHA1

    77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

    SHA256

    3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

    SHA512

    b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

    Filesize

    239B

    MD5

    12b138a5a40ffb88d1850866bf2959cd

    SHA1

    57001ba2de61329118440de3e9f8a81074cb28a2

    SHA256

    9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf

    SHA512

    9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

    Filesize

    3KB

    MD5

    17de95cc44b08f15cec3d71281c1645a

    SHA1

    95b8826825270b531374eedb963a141037228d18

    SHA256

    cfd697c2b24801e80742c876eb2f0b014a8a16b0ceaa04af229cf1956b88e5bb

    SHA512

    989b11fedc38dee4fcdbb48cc1129b18d3fa0cdd6303595582592bf7e16b662b5c52159e1d9b83f7482b4bddd09ddc189846a88941822de10f1fdaf8b80307f7

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

    Filesize

    3KB

    MD5

    81ad03755aba9cc27bfb3d7a5f23b132

    SHA1

    fd4016a4d7b653afea2538149c69bf700a8d6134

    SHA256

    23177166987993aa5cac3430ce616e3ee308a2ce904bc156905f19e22017e32d

    SHA512

    f957cb9ab6cb3406a100af509459ae77411fd379c8323ff6a31158829ac7df68d0be6180a6ba85975e177cb8d36eb3e36a845380a6e788dbea42d25c109a1459

  • C:\Users\Admin\Documents\SkipResume.doc.exe

    Filesize

    512KB

    MD5

    1fced686974406c6d296288744da77b7

    SHA1

    230e378fc23f64f56655269a90631e6086416e92

    SHA256

    7bf4ecc2c599254d438765794d2d872d54d0702509349111a5e3d96440c87c74

    SHA512

    0d4a2de5f7dee48fe97e03dad54229113b819f5763f7681425ece5d7ce04c967439074c9f0e5e7de8f020f36ee05d6c69e328a0bedfeb1151047c68b3af0106f

  • C:\Windows\SysWOW64\audrlbrc.exe

    Filesize

    512KB

    MD5

    e2de2691dd01a0739035c9074692632c

    SHA1

    bc26520499b150522ee31a79a10004a1513fd7b0

    SHA256

    a376d72df0a047def446c2a80fa832fc5699efbc7ca885a55b443f9b173373a0

    SHA512

    aca9de607dc5e2c8f33a01f9fe91a877622405bd18c34d9fa5bdf3969f529e8ac2b76fe2f42b96a487e6f2b0f830ba6b87f2f171bff844172f61041ccca138e6

  • C:\Windows\SysWOW64\lrbnmpgmgfjbk.exe

    Filesize

    512KB

    MD5

    b3323ae127001bef0d669ed93ab69f4e

    SHA1

    5c163573cc64918384ce906f9c797fa91e5dd19e

    SHA256

    fb91b7f06b69fe3a9fa034e02985e59b8020d1bc5a88a1e22b1f0ebb0a613e0a

    SHA512

    6f777fcda49bd12e8c873e2287f4f13e176380ce02b38222b9307584854cca7fc06dc8401f4e536d5bc2b5bce9c0b95b48137faec132a6b9dcdeec6d5b82d4ea

  • C:\Windows\SysWOW64\vjlwacwfji.exe

    Filesize

    512KB

    MD5

    ce4c3af584ffdfcca42dc527aa43f425

    SHA1

    fc6bc811ce104bcbed8554726fb7addef7218c0d

    SHA256

    3df2e162bbd93fe367b86558c09cad17b80126edc50a26143914f18343fea59b

    SHA512

    298c5a5e8a0ba350d31af3e9c7332cbcc0d9053410b28afaca8ff5fdfaee1f95868ea0249a8e3096354b89754edbb16f5590bdfefd0c62e24dcd5f676b86fd1c

  • C:\Windows\SysWOW64\yerkmrlagdeoiok.exe

    Filesize

    512KB

    MD5

    4b839785987e710d519db9ed9867037e

    SHA1

    d77f42dcfb08a208ac6fdae5f0f60515bd50b6b7

    SHA256

    657141110bdfc16ce590cf3d9a02613b1cfd6be995e81bec4e30e6ece21ca634

    SHA512

    1fed774a9c8d46a4f9353a8a5e85e1bf49c91f10ca77ea66459ce98932cbad8d7a905fe72bca34ca33401a918b3a0f20af6954c5efc8aee3a17c88a6cc177102

  • C:\Windows\mydoc.rtf

    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

    Filesize

    512KB

    MD5

    e99433f3971a8270116923f0f531dbd4

    SHA1

    66297325908b264d625cd985dbf2dbb306923d1a

    SHA256

    2d9c1d19a4f9a108d696083f21023ad4b0c076801494376f47f7052ab06f8194

    SHA512

    51ca2e86078bb011a5d1f605d2205fb9baae8fd4265700211168f2bb9b2ef67c29cb4e938a2031fe09763ea4b9ce38500c7628f015421f44e0ae22f72ee36089

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

    Filesize

    512KB

    MD5

    61b98f859c300fe1ae5d6ddce04f020b

    SHA1

    09a22d8e8b2b0d04e09063268dd0b579e695497a

    SHA256

    9131b72b49b1cc97f8bc7d3096c91008b02c1db9f737313139c651b9ee0b4169

    SHA512

    d81f943d46f0355e959bd2ec296c902ad2ef9f276fa612d78517beaa35d05217cbe69a1d15796e5c533a26d5d2b44b4bc16a3cfd9b4df1c67d6225e2bc0e4379

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

    Filesize

    512KB

    MD5

    c73bd2c78c10ffce4664b960eb788948

    SHA1

    bda8ceaf37d5e647c5f3b7d1862204724fed572b

    SHA256

    e3a88821422b8c81e6bf658e5066c99af0dfe008f3048d9ae39bf2f2c839917e

    SHA512

    06f3aad8ae1e5b3630cde16392a8ed88d4e4ce52b1483b4d7b42420bcb78db77407d769c287353ab96d4b0213e10ec2daff0f79464aa12e156bce72f3be7a4eb

  • memory/860-39-0x00007FFBCEE10000-0x00007FFBCEE20000-memory.dmp

    Filesize

    64KB

  • memory/860-38-0x00007FFBCEE10000-0x00007FFBCEE20000-memory.dmp

    Filesize

    64KB

  • memory/860-35-0x00007FFBCEE10000-0x00007FFBCEE20000-memory.dmp

    Filesize

    64KB

  • memory/860-36-0x00007FFBCEE10000-0x00007FFBCEE20000-memory.dmp

    Filesize

    64KB

  • memory/860-37-0x00007FFBCEE10000-0x00007FFBCEE20000-memory.dmp

    Filesize

    64KB

  • memory/860-40-0x00007FFBCC510000-0x00007FFBCC520000-memory.dmp

    Filesize

    64KB

  • memory/860-41-0x00007FFBCC510000-0x00007FFBCC520000-memory.dmp

    Filesize

    64KB

  • memory/860-608-0x00007FFBCEE10000-0x00007FFBCEE20000-memory.dmp

    Filesize

    64KB

  • memory/860-609-0x00007FFBCEE10000-0x00007FFBCEE20000-memory.dmp

    Filesize

    64KB

  • memory/860-607-0x00007FFBCEE10000-0x00007FFBCEE20000-memory.dmp

    Filesize

    64KB

  • memory/860-610-0x00007FFBCEE10000-0x00007FFBCEE20000-memory.dmp

    Filesize

    64KB

  • memory/3856-0-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB
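
Every executable listed under Downloads is exactly 512KB, yet no two share a hash, and the copies written next to Office templates and user documents carry a document name with .exe appended (PROTTPLN.DOC.exe, SkipResume.doc.exe, MsoIrmProtector.doc.exe). The script below is an added triage example, not part of the report and not the sample's code: it walks a directory tree, matches SHA256 values against the artefacts listed above, and independently flags any PE image whose name has a document extension immediately before .exe, which is the more durable indicator given the per-copy hash variation. The CONSTRUCTED dict and write_constructed() exist only so the example runs offline on fabricated files; they are not bytes from this run.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List

# SHA256 values of the executables listed under Downloads above, plus the submitted sample.
REPORT_SHA256: Dict[str, str] = {
    "82f283fb98184d4a4f73e011b4da4b1b20d8c15d8d4490855c1555b722a190b0": "PROTTPLN.DOC.exe",
    "f14ed51dc9c25903daec9d484546d08670dd672b4869b425503aef97397c6204": "PROTTPLV.DOC.exe",
    "7bf4ecc2c599254d438765794d2d872d54d0702509349111a5e3d96440c87c74": "SkipResume.doc.exe",
    "a376d72df0a047def446c2a80fa832fc5699efbc7ca885a55b443f9b173373a0": "audrlbrc.exe",
    "fb91b7f06b69fe3a9fa034e02985e59b8020d1bc5a88a1e22b1f0ebb0a613e0a": "lrbnmpgmgfjbk.exe",
    "3df2e162bbd93fe367b86558c09cad17b80126edc50a26143914f18343fea59b": "vjlwacwfji.exe",
    "657141110bdfc16ce590cf3d9a02613b1cfd6be995e81bec4e30e6ece21ca634": "yerkmrlagdeoiok.exe",
    "2d9c1d19a4f9a108d696083f21023ad4b0c076801494376f47f7052ab06f8194": "MsoIrmProtector.doc.exe",
    "9131b72b49b1cc97f8bc7d3096c91008b02c1db9f737313139c651b9ee0b4169": "MsoIrmProtector.doc.exe",
    "e3a88821422b8c81e6bf658e5066c99af0dfe008f3048d9ae39bf2f2c839917e": "MsoIrmProtector.doc.exe",
    "f6b159c8e4bb247707be0d044837853e913065bc2c0c0e0d4d23dd3148afaaad": "90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe",
}

# Extensions that, when followed directly by .exe, make a document-lookalike executable.
DOC_EXTS = {".doc", ".docx", ".rtf", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt"}


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def is_pe(path: Path) -> bool:
    """Cheap PE pre-check: the file starts with the MZ DOS header."""
    try:
        with path.open("rb") as f:
            return f.read(2) == b"MZ"
    except OSError:
        return False


def has_document_double_extension(name: str) -> bool:
    """SkipResume.doc.exe -> True; notes.doc -> False; tool.exe -> False."""
    suffixes = Path(name.lower()).suffixes
    return len(suffixes) >= 2 and suffixes[-1] == ".exe" and suffixes[-2] in DOC_EXTS


def scan(root: Path, known: Dict[str, str] = REPORT_SHA256) -> List[dict]:
    """One finding per file that matches a listed hash or the double-extension pattern."""
    findings: List[dict] = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        reasons = []
        digest = sha256_file(path)
        if digest in known:
            reasons.append(f"sha256 matches report artefact {known[digest]}")
        if has_document_double_extension(path.name) and is_pe(path):
            reasons.append("PE image with document-style double extension")
        if reasons:
            findings.append({"path": str(path), "size": path.stat().st_size,
                             "sha256": digest, "reasons": reasons})
    return findings


# Constructed files for an offline run; the contents are fabricated, not the sample's bytes.
CONSTRUCTED: Dict[str, bytes] = {
    "SkipResume.doc.exe": b"MZ" + b"\x90" * 62,  # PE-looking file with a document double extension
    "notes.doc": b"{\\rtf1 harmless}",            # ordinary document, must not be flagged
    "tool.exe": b"MZ" + b"\x00" * 30,             # single extension; flagged only if its hash is listed
}


def write_constructed() -> Path:
    """Write the constructed files into a fresh temp directory and return its path."""
    root = Path(tempfile.mkdtemp(prefix="triage_"))
    for name, data in CONSTRUCTED.items():
        (root / name).write_bytes(data)
    return root


if __name__ == "__main__":
    import json
    import sys
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else write_constructed()
    for finding in scan(target):
        print(json.dumps(finding))
```

Run it against a mounted image or a user profile to find the document-named copies the sample writes into Office and Documents folders; the hash table catches only these exact copies, so on another host expect the double-extension rule to do the work.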