Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  • submitted
    12-06-2024 23:51

General

  • Target

    a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    a30314302457d8c62b1a1e3bb102d350

  • SHA1

    9237d76816287c419dfcfa5729a38358792d9ef7

  • SHA256

    6a3b945c8915c0db9b3aaefab1e5315c3541fa14f14c9f8efcb357bcd656265b

  • SHA512

    8fc3f472db321ab85494f9e5da4982202ee878f0c63ae9fda49958c49bcc2b9560afc39b4bd6b8b0bad19665b4f249aebce66caa44203fe35376bb1ee6025454

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj64:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm55

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 8 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2016
    • C:\Windows\SysWOW64\egbunkzryg.exe
      egbunkzryg.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2092
      • C:\Windows\SysWOW64\tmscbkzm.exe
        C:\Windows\system32\tmscbkzm.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2880
    • C:\Windows\SysWOW64\owwmpzlcqodzdgw.exe
      owwmpzlcqodzdgw.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2320
    • C:\Windows\SysWOW64\tmscbkzm.exe
      tmscbkzm.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3040
    • C:\Windows\SysWOW64\vsuvetzczfeie.exe
      vsuvetzczfeie.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2728
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2616
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:2156

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

      Filesize

      512KB

      MD5

      45e80dbd6bab1596bd0ff3730b929871

      SHA1

      c60567f8dacb04bd188ae18b2fecaa67dee86df2

      SHA256

      26cc4510600e67da37427dfda2196f3a4a54cb6d578d25fdb0de9bf450a014b1

      SHA512

      bb61f656d0b3643241bcbd4f9a036a03eec99722781074d17cbaed409361062e57512c6021049391406eb9479f1ba755f063c2798dcc7b06ff8e7e0d43a2cc00

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

      Filesize

      512KB

      MD5

      471bbedfc346f3dae42c4abb4bb2861b

      SHA1

      b2203bbb9fe7b4b8894b26fb7aa340073ee76b33

      SHA256

      79172e846d6ef958aa0af9d5f32ebf46bf35b089e63eedb9ae809ca743239518

      SHA512

      02bac8b1353233749fd94b9bdbc070a64ce24b2ed13a7588c6945c35b578e297ea5f4f8eb58925c28b054f98450e39c492c765ddc7a3f9b203e83f9076a94009

    • C:\Users\Admin\AppData\Roaming\EnterWatch.doc.exe

      Filesize

      512KB

      MD5

      dc86af49c0d20a47031260fa49bd163a

      SHA1

      07b9e3d2e92c33c3a92145d679f45da41cf077de

      SHA256

      ae86f68adb4bf7c4237934a4cb3ca10104302a71a5762d64a2b2c3f70d1092c2

      SHA512

      aac3a32e6e16d21dc4336d667749b797f57fe3601dc9eaa26dab9d2f50a40f2a1db66ea153ad77b063d3136d6c817cce9eef4da7647661a38c02e70da348cbf3

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      20KB

      MD5

      0a9249f9f51b68c3f327793ab1f292dd

      SHA1

      ceef2fa0f632556db3b73f4dd626f3314e4eb7f0

      SHA256

      8b9eeeec37c7cc7dcad935873b7d3b78523007a4e98ee75ab095eaf2ed447db1

      SHA512

      d35645eb0dbfc73b972a78c263654840424e27850cdd205384da42dd06213b88e14ab06c0f27f4570a1f31e8a4c05db24e0a8716ab51eed53991f13c3ce07560

    • C:\Windows\SysWOW64\owwmpzlcqodzdgw.exe

      Filesize

      512KB

      MD5

      2be9dee5bcc3d5fc31657edfd1ac470f

      SHA1

      f79a34a1595e3ef9df4d8f2bcf3d2295d15e24b5

      SHA256

      888341fc8a0ad5b1c38be7ddf57e99adc1a0d0f647bd15fef121facca6ca8e30

      SHA512

      e4d1a472f5522f0cd62c4817833640a3723c531f040184f9b9835763f8710831d5a6ce39b167c90b45fbaeda399aaeafb2a8a27b0827d8f2d48d0790f229d0c3

    • C:\Windows\mydoc.rtf

      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    • \Windows\SysWOW64\egbunkzryg.exe

      Filesize

      512KB

      MD5

      323c39b80a991c62bd03e2f0a82b1f0e

      SHA1

      128ff89bce1c27636c79ddb2239798713c5954b7

      SHA256

      adb7586678ef5e60aa2b2a34158fd4338670cea144c62b175dabf6b997ebb46c

      SHA512

      f572ce2629689e1b87dd129457390373b1c4a96046d5a286f3fbefcefb6ed9b3b56437a195cf8b2eb9b7f2441b1adc031d63772dd9a2623872ca0d0e7008a748

    • \Windows\SysWOW64\tmscbkzm.exe

      Filesize

      512KB

      MD5

      5c7edf84416946ac3f93f34ecd0bbb5c

      SHA1

      cf3d7093ad829cfe48999a22e27a8dc0d31a5557

      SHA256

      3937e58106f3920c503274c108d60f4c9ea4e24b3c3ce10e68aff67cfbdd71df

      SHA512

      1af1f9c6065b5095c80bdd6dbd9ba483779733d21615309c825c8561f9d6ced110a0d6e5fea063765dd72997733662ec715adcf166b8f77b32594d8ee148207a

    • \Windows\SysWOW64\vsuvetzczfeie.exe

      Filesize

      512KB

      MD5

      a1c5876088ff7961b4f706e61074f8df

      SHA1

      948cec4dda7ad1d4a00ed02d5061e2c11a8e5792

      SHA256

      055a573f54094a5f6ffb310d99769db7d2f247d3ecd913a93e13b7fe638a642c

      SHA512

      c41b487d5f5c6d1fb0bbee2ba1e0cf637f2ad8570e0b850b8921149f78eb938014589f285591fed6b492dbe8440a2adfbe1422a9ca93bb3bdd7702a47aa189bd

    • memory/2016-0-0x0000000000400000-0x0000000000496000-memory.dmp

      Filesize

      600KB

    • memory/2616-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2616-100-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB