Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    12-06-2024 23:55

General

  • Target

    a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    a306ebcea41dcb77700c72aafdb992c4

  • SHA1

    e41b256f2a196aa6ce43309b07925eb6072d993a

  • SHA256

    3b6df89f59c1adcef354652073d26161b41c47df8af04d3e71a82e7c2dd35253

  • SHA512

    aa380355b6598831253a3634b3fdaeb47b0be05621e488d715f60cf754c3c411ba5964f9b0ef5b47b5ee41a97b4de318731e5b0e2fd8b6766c364c4f8a8a630c

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6g:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5d

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 7 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 47 IoCs
  • Suspicious use of SendNotifyMessage 34 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1740
    • C:\Windows\SysWOW64\qliwrpoecp.exe
      qliwrpoecp.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2792
      • C:\Windows\SysWOW64\gjilibco.exe
        C:\Windows\system32\gjilibco.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        PID:2308
    • C:\Windows\SysWOW64\orbcxhpbyouhoad.exe
      orbcxhpbyouhoad.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3068
    • C:\Windows\SysWOW64\gjilibco.exe
      gjilibco.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2240
    • C:\Windows\SysWOW64\vxphzpqdinbuw.exe
      vxphzpqdinbuw.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2684
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:2204
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:684

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

    Filesize

    512KB

    MD5

    0ebb74bd4ebf733b73cff874902178dd

    SHA1

    dc68ea16178edf26c5854099b6372747cabb866b

    SHA256

    8300da4bedd3e013eec89468c1dc638c8e4a91d05341aa235b33a21140216287

    SHA512

    cac4381686c0d55a2d1e4d20375199b2e0e95da4b2142764f88defe119721887fd3a052bf118305bb592e2d1b93ff2b166bd528546d026bc7272b462dcf5dcbf

  • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

    Filesize

    512KB

    MD5

    7e7f1ab14cb4005e843b9b4c3afad805

    SHA1

    1c555b7b82fa08b66ec1f1772041a531850274ee

    SHA256

    c114ab80e738c6b96e390834986389dc86a6eea567c35899434fef8c21b51e6c

    SHA512

    0c38ee473c64201dbf749082040961d776349ae502604ffc857a964e7b78789f025082a0e8c2646d1f9ee02d21f0a4688ebaec124c84b928d10ca1b0f47eba50

  • C:\Windows\SysWOW64\gjilibco.exe

    Filesize

    512KB

    MD5

    8cab2f1ac60751326e12eb889129314d

    SHA1

    991e101af8631877bbda436fa3d2be8de387ecc3

    SHA256

    4af63f61f5a266f01345af3dc3c2775f42520777b6f5fdd1fa64094a5e7567cb

    SHA512

    329c973e42eb0a466d70a5acd361db3b33b0d7612aad9f9a82d99d0e7947cea6f4bba4a7386dd72d5386d43903b82a2b1a9746e23679f239a582985d8770ea8d

  • C:\Windows\SysWOW64\vxphzpqdinbuw.exe

    Filesize

    512KB

    MD5

    69c6df8eba2332d4456d1d8419f1462c

    SHA1

    ef85bbe572f3c514700b038e00bb2d15a2f4f91a

    SHA256

    adb2e45e5a7680bf364bb2531b2b21b1273ae5e243bc2047f3ad6637eb90325b

    SHA512

    3c87493f10d090dadc614ee76e9448434cc8d93e9c3d7b95f37e5d449f1bcb135637b9481692602d7e668c5f9de5b71f82141e0be8bc77c10cdf4f544d5bce57

  • C:\Windows\mydoc.rtf

    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

  • \Windows\SysWOW64\orbcxhpbyouhoad.exe

    Filesize

    512KB

    MD5

    a618aaf807e0f7c1982cfbd155569364

    SHA1

    a9ac50082b317f6235b9970c961a00abaca1bf2a

    SHA256

    d50ee648deb948d2c97a3c99015360e26e6346ba7ae6c3e1cb8202b3265ac9b3

    SHA512

    71e8d09ae3f8f1e9a958a6ee48f614461d1e2dc00f43693fcc53557760e0d37d7a97773b6e14765ec1b8384330ba0f2af4ef92b5a92fcb16bda6cb0a0a0473f2

  • \Windows\SysWOW64\qliwrpoecp.exe

    Filesize

    512KB

    MD5

    c6ae9bc26df7be6677a2487f05ac82da

    SHA1

    1efb84ec9f5f2f21719dedf2fe34f1f409f47f81

    SHA256

    a26dda0aa5b89c284cb3a77c13dbeabc575cf3cb757ac4cdc19abca68284f663

    SHA512

    1fe88d838a6c20369fdc7edf03833ab19ee00a2974368ddd54085d579cea236a57dac687839665cb84dff4ea84c60e47111cb1fd1d07a3965726766f8574a975

  • memory/684-81-0x0000000002A40000-0x0000000002A50000-memory.dmp

    Filesize

    64KB

  • memory/1740-0-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB

  • memory/2204-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB