Analysis

  • max time kernel
    150s
  • max time network
    133s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    05/06/2024, 08:37

General

  • Target

    97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    97a50fa5b38ce05acef9a1c9b76d192c

  • SHA1

    fe842e3591b412cf4bc21feb180ec507eb9f9c74

  • SHA256

    ef59ce22252d36c9da7b529a93a33edd78dab24a75c2cfc56b62d5b4e8b96bc3

  • SHA512

    ed13d86573b9649c37ed798f5c6793d0d9bcde5e4f739e15d58d4917a840aed61fde8c961ae92522fd4130bdb1779722c5c08c7ea5e9e1ccd4ea53c81172e908

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6P:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm50

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 8 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2232
    • C:\Windows\SysWOW64\cmwtettrsi.exe
      cmwtettrsi.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1908
      • C:\Windows\SysWOW64\sesbsbus.exe
        C:\Windows\system32\sesbsbus.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2592
    • C:\Windows\SysWOW64\pomqrpdkujqpkht.exe
      pomqrpdkujqpkht.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1608
    • C:\Windows\SysWOW64\sesbsbus.exe
      sesbsbus.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2660
    • C:\Windows\SysWOW64\arimlpatwetzi.exe
      arimlpatwetzi.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3032
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2664
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:2136

    Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

            Filesize

            512KB

            MD5

            5e38e1eb7010355c6fefab56dc376d70

            SHA1

            d7a6c292c6027a041edd55de94a73e9ae3da8c1d

            SHA256

            1b4ab45fc3bbe59cf0a84fed5b2dd2e6a5b248da6cc0f4d4777ab5806b4c7eca

            SHA512

            2b5590020a00a85fba80ac77d9f8e182f0d1d67cebd883f3683ff3c360772b74e422bec2656f2bbe247d9e84c379b29509d398860a389134b5edbe4aa9521b08

          • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

            Filesize

            512KB

            MD5

            ddb117511e838170a97c23a72cfb516c

            SHA1

            299f44038c63e9a2593f12821ddff1b84dd0a1aa

            SHA256

            1952527db987541d14dc78212b1510d55f9b49dbee54b069fd539d1a28dcec43

            SHA512

            302a7a4373f8af97252068e7c7c0301a3aff06fadf5135ee9a05b2d3391a0b9378714578b5ab1634dce8be573a64b8a9bcdb917ae9351b5418071250a1d2c6f4

          • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

            Filesize

            68B

            MD5

            a3fa98311080ffa8d78c5a668e551601

            SHA1

            c1072893f7c07f29a471d50f19a5d4cba958d294

            SHA256

            b68d8fc61e259e5beeee5b4b53930c9fd3245b6fdd8cd36cd1a7483925f4083f

            SHA512

            65ed8c7c8a8a3d300c634bb6d37cdbe001d2b029086461473d6d28672b0769112b887b0bf0889b1773f20c85d87873b181470f5be900392c574d9443460cd114

          • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

            Filesize

            20KB

            MD5

            9cf503a7e4075074d96473a63160c8e8

            SHA1

            f550dedca8191ccf03abb04ebedeb42e0dbfbfa4

            SHA256

            2b86a7bf9a9fb18293876f1215c84d37abadaead6412a8538689e924d140b8c1

            SHA512

            c49ad0275d2be86d4847ec3876225cf2dbe231cfb03dc942b53f5837bcf95cd21442b511ee750d7587d616524c0acb22f9ae91951ccfe87b681bcbbb33efb011

          • C:\Users\Admin\Documents\SwitchUndo.doc.exe

            Filesize

            512KB

            MD5

            56e1df669f4f3541839e07f95cdac8de

            SHA1

            f2b32f0913c8212d78bda3d2fdd422a61cc66f67

            SHA256

            a7580ad494b3a1bfdfd0164e7bf05a2d53cb65000ce9411c5596d59d344becd4

            SHA512

            34f11dcde00c62a65fa647dc6e54bffde43ef2e56598a815c56637d7d56d9ab6bad862cb6f907a28873cd8548e0d2f7eb8021045bbe81fba1a1a68081fa3804b

          • C:\Windows\SysWOW64\pomqrpdkujqpkht.exe

            Filesize

            512KB

            MD5

            0c9d93ad17306f464e80847bf838e67e

            SHA1

            bca14057dda91af53b9a96bb54949bcf3f647385

            SHA256

            ebb73eeeaf54a551760e340563ed2bd54a2c724b6630edba659a394999561716

            SHA512

            67be726557772c6cbbc54e276ec63a218dbc0273d5da3a1197001f28240be2402cab349e11196bc195858b6b29dc9c68147e1f22af414aa39b0447bec4fb8bb0

          • C:\Windows\mydoc.rtf

            Filesize

            223B

            MD5

            06604e5941c126e2e7be02c5cd9f62ec

            SHA1

            4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

            SHA256

            85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

            SHA512

            803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

          • \Windows\SysWOW64\arimlpatwetzi.exe

            Filesize

            512KB

            MD5

            a497d8eda042c0d685c2d3d4025ee3b0

            SHA1

            f3fa333acbca8c5fa0d9ea9ef0c9bd01ac7b999a

            SHA256

            13b47913160217ca65674bd89b128666dd58449661f6f4f0144259f95bf65602

            SHA512

            e12f171d8f6a25af02027d7a13111690647ef5192abe2000a32ea549c193c14f9bd66c1113e3f75940d3b63ae8fd3986860d31e060e351d0120ec8a01d9f27e9

          • \Windows\SysWOW64\cmwtettrsi.exe

            Filesize

            512KB

            MD5

            f524f81b68d7d0551be46dd9be19b467

            SHA1

            feea52047070cfa5cceb4149634055e8e474ebc5

            SHA256

            a6404528c4398000a1321778d07a9365280354b89f4faa2d764b935dcb80949e

            SHA512

            c8a97633e25adfc4e4b6857e690cf5b89474ef1469cefa6a43d32be034c3d06a64320c7ec3fc329b455d8a5a3d5d13a3d834f999cf28345b88a26537ce1201f7

          • \Windows\SysWOW64\sesbsbus.exe

            Filesize

            512KB

            MD5

            e5b8281c3f131b25854dd21a80144482

            SHA1

            adbd3ac43c41225550fea1861230c3ad08965722

            SHA256

            a474e5e60a2a1d5df3f278b44e1cb305f244b4624ebf619beaaaa5f1cd1b1749

            SHA512

            799ef830dbb3d215e7d6c655fa19f5ff54a9393fe9339703e9a6b3d80adf85c84bae333794cfe49eb802460849343b11041e7206f57b81400e7883e8b0a56c78

          • memory/2232-0-0x0000000000400000-0x0000000000496000-memory.dmp

            Filesize

            600KB

          • memory/2664-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

            Filesize

            64KB

          • memory/2664-95-0x000000005FFF0000-0x0000000060000000-memory.dmp

            Filesize

            64KB