Analysis

  • max time kernel
    150s
  • max time network
    161s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05/06/2024, 08:37

General

  • Target

    97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    97a50fa5b38ce05acef9a1c9b76d192c

  • SHA1

    fe842e3591b412cf4bc21feb180ec507eb9f9c74

  • SHA256

    ef59ce22252d36c9da7b529a93a33edd78dab24a75c2cfc56b62d5b4e8b96bc3

  • SHA512

    ed13d86573b9649c37ed798f5c6793d0d9bcde5e4f739e15d58d4917a840aed61fde8c961ae92522fd4130bdb1779722c5c08c7ea5e9e1ccd4ea53c81172e908

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6P:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm50

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 9 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 13 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3336
    • C:\Windows\SysWOW64\dwrngpjxkq.exe
      dwrngpjxkq.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:3020
      • C:\Windows\SysWOW64\stovwebt.exe
        C:\Windows\system32\stovwebt.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2096
    • C:\Windows\SysWOW64\sktjpsiuyglpmys.exe
      sktjpsiuyglpmys.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2064
    • C:\Windows\SysWOW64\stovwebt.exe
      stovwebt.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4264
    • C:\Windows\SysWOW64\efjjfwikvrqed.exe
      efjjfwikvrqed.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4548
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:4180

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

          Filesize

          512KB

          MD5

          6884f1d57fd9eafc66efcf366d57f33a

          SHA1

          70ee0639e949cd40a87068a3534666349fcd0261

          SHA256

          4d6339085fd28bc876726935548007d934ceee6a5e5c6ec9dea19fa69bef629c

          SHA512

          2209164be30ad14f2fb26acf25f67fc9c43059fcd78b2354bda9840ebf9ab5539a28617c06ee0868407e631926de8d308eced815a55169ae1194a24228d364cc

        • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

          Filesize

          512KB

          MD5

          61f640a47e9495bebf50d3a23c3bf66e

          SHA1

          9a3d05e209fea2912ce4284d2ee03f9abdad2af2

          SHA256

          81cccf7f8d33090e3754abc4d506fae994df5a6ca99f6468e3aa6bec5a44df58

          SHA512

          0728b027f3c25fba084d0438803b978cbaf318ae4c74778a6cabacd7c86a3902ac5aa47b8176b056aa428922ccecbc8fecf3612264bbcba4c75531d8731fa7a9

        • C:\Users\Admin\AppData\Local\Temp\TCD9870.tmp\sist02.xsl

          Filesize

          245KB

          MD5

          f883b260a8d67082ea895c14bf56dd56

          SHA1

          7954565c1f243d46ad3b1e2f1baf3281451fc14b

          SHA256

          ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

          SHA512

          d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

        • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

          Filesize

          239B

          MD5

          a2f476fb970ff4f078a53f0164f2b959

          SHA1

          531f3f100f11ff07c32df8d88038f4d5da7a58c3

          SHA256

          f35b49bd36bf81dbce2df6540b03155ca43ef30609b3ae1d947a62eaf289d2c9

          SHA512

          f3187e9e0465b004e3eb6320dfd1b75b37b79ff0240d989bd15cacc547a97d0a38a3b73deba81a824e71a2ae3306aab32cb692bde594dca3c2328eda16defe79

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

          Filesize

          3KB

          MD5

          940ec4d209695f66fc258b7599860f4f

          SHA1

          b17a38821baae679d741ce8f5fec6f8b7baf2593

          SHA256

          705afb63f16757afc64e08b2b46d179346af146c3228b5a77a0ba0ff44abdee9

          SHA512

          c0b92d78e0b7709777b35d6978ee5f0e1cf34a12092230d8f8acc440bf380cf10cfad6b1512997f552afd5dc7c2cc3fe7a28bd2f71d3c8f4ed10f60e7602b845

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

          Filesize

          3KB

          MD5

          8a91a0a8f27381b81a25ede12e8498cb

          SHA1

          a83c3761c1730a8eeb0e13db20b5175cd3b2463a

          SHA256

          792434584a8a97242982be254860b40cc30c46a5e7ecd221e866074c7b2c19e1

          SHA512

          52726a362a8b5daa530f042e86ac39991057c625325c22650be10bc98ca59eb55f056d6f638da1d03ab8b8ae5be711ace7b04d1f1a6abb0147a045fc600780fb

        • C:\Windows\SysWOW64\dwrngpjxkq.exe

          Filesize

          512KB

          MD5

          8b5cf7e730a18271c9fa2e51b78e69e5

          SHA1

          0feb05b27bb2d9307486ac7ef1b51c4f7ad83790

          SHA256

          2fc29bf4ce337ace23165dc2037614f1275babbbd3019bf264b678373395cb9c

          SHA512

          a78c8b3e0655ec9219bcb94c170f633d6b82cec50cd3bdcf5ec5817844b8cfe9c2888345130e78edfd78145040b49b7b4727f197069ab5d0c7052d1c1bde1d20

        • C:\Windows\SysWOW64\efjjfwikvrqed.exe

          Filesize

          512KB

          MD5

          205541b8f99239212ea27f7bc59f0375

          SHA1

          a3a93f48169e3d9a877ecf59e7ab3d011aef0342

          SHA256

          8412be904d746807ecb0ab89212cbac52d802694d75ee5c69542ca04a2d6292e

          SHA512

          8df1299c0896688bd35417d8981fb0bc6bca9b682ba21c87420525bee9a08dae09b433b16efaeb6fe9c196a24b2307eb8a62c862de6e3ea2f0e14de9320dd400

        • C:\Windows\SysWOW64\sktjpsiuyglpmys.exe

          Filesize

          512KB

          MD5

          d2dc625c98fab67179c2d3da405ac7c1

          SHA1

          328ba204d5455f9efc1e59f2c6988d1214a51ac2

          SHA256

          14108fb8a466bf8752e52a74867a096233da384608d0cb4a83a7d308297f8dbf

          SHA512

          d5d80753cb0a1c1e1f9bfddaa818fddccb579b593a1165c497f1923685878711e62fd3533695c3e7a73c084745b6c409c1f07f2e061df6009458d0a9131fb046

        • C:\Windows\SysWOW64\stovwebt.exe

          Filesize

          512KB

          MD5

          f9765c0a0a1041f986f1afd10ec199d3

          SHA1

          a31482553f598720c7c310669b305e74c17a4106

          SHA256

          9e398e74af28a1030884329fdd699aff018978a76fdf277cb19b8e4bda35f766

          SHA512

          fdefe95332710e355d61946f7d7a3e459f1287c30191b7b2d4cbb97b2b6603bf9d31a6b8382b9acf806eb362c19408ea293cb4bce479d8289cedc117ecb51e4c

        • C:\Windows\mydoc.rtf

          Filesize

          223B

          MD5

          06604e5941c126e2e7be02c5cd9f62ec

          SHA1

          4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

          SHA256

          85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

          SHA512

          803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

        • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

          Filesize

          512KB

          MD5

          877662c896d348dbc5844aef2d06af07

          SHA1

          b862a3c5edf6569e8abb6e67542dfd11d138fa90

          SHA256

          e316a98edfec8a8ce15ef7e9aca1163edfe8f4a15a9bde0798c7e52cace5f39a

          SHA512

          d3512a9ded4bde14c47d8b60e5a6ea30c32e31d39e3fbd32622d448fe3666b93d616f7863504db2c162cde428f4cfb69224ce30a0a7f29de032dca80c16ec367

        • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

          Filesize

          512KB

          MD5

          1676917d6e3be65d16bbd18176aa5e8e

          SHA1

          0615cca028bbdb34120918229e69fe154fd8ee7c

          SHA256

          28fe4890fe0634d230dc06920ef2bc672dbee57c8d1cf897ef4b7701d3510911

          SHA512

          9b65d3ddc170f4cf556d89ab122a5f51079baaa455b4591f38342097227527c45b4e330d5d7098720842f54f8933e14b38a2fbac5fbe922031fb9699b71bff18

        • memory/3336-0-0x0000000000400000-0x0000000000496000-memory.dmp

          Filesize

          600KB

        • memory/4180-39-0x00007FFE0E5B0000-0x00007FFE0E5C0000-memory.dmp

          Filesize

          64KB

        • memory/4180-38-0x00007FFE0E5B0000-0x00007FFE0E5C0000-memory.dmp

          Filesize

          64KB

        • memory/4180-35-0x00007FFE0E5B0000-0x00007FFE0E5C0000-memory.dmp

          Filesize

          64KB

        • memory/4180-36-0x00007FFE0E5B0000-0x00007FFE0E5C0000-memory.dmp

          Filesize

          64KB

        • memory/4180-37-0x00007FFE0E5B0000-0x00007FFE0E5C0000-memory.dmp

          Filesize

          64KB

        • memory/4180-43-0x00007FFE0C1B0000-0x00007FFE0C1C0000-memory.dmp

          Filesize

          64KB

        • memory/4180-40-0x00007FFE0C1B0000-0x00007FFE0C1C0000-memory.dmp

          Filesize

          64KB

        • memory/4180-604-0x00007FFE0E5B0000-0x00007FFE0E5C0000-memory.dmp

          Filesize

          64KB

        • memory/4180-603-0x00007FFE0E5B0000-0x00007FFE0E5C0000-memory.dmp

          Filesize

          64KB

        • memory/4180-602-0x00007FFE0E5B0000-0x00007FFE0E5C0000-memory.dmp

          Filesize

          64KB

        • memory/4180-601-0x00007FFE0E5B0000-0x00007FFE0E5C0000-memory.dmp

          Filesize

          64KB