Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12-06-2024 13:33

General

  • Target

    a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    a0d70dafbf56fbf8248a1a5f8a9b81cd

  • SHA1

    232e4d759c7a4959d1ef54f50b9a3462286f8ab9

  • SHA256

    2d3d7773775404e6b644e50be9dbc8fd33f373a6f1430f0fd8956f4c32548ed6

  • SHA512

    3051a78bfd170f5d8be770ae8ca648d59a59c1e77eac824ec2382a98df5d4f088cef26f931cde0ef12df08b257fabe930070d6c4c841e1fc3e63f117d0bb903f

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6D:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5Y

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 11 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 28 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
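The Explorer, RegEdit, WinLogon and Run-key signatures above describe registry changes, but the report does not list the values that triggered them. The following added example (not part of the report or of the sandbox's tooling) audits the well-known values those signature titles conventionally refer to on a host suspected of running this sample. The key and value names, the expected WinLogon defaults and the SysWOW64 heuristic are assumptions; the dropped-file basenames come from the Processes section of this report.

```python
"""Audit the registry values behind the Explorer / RegEdit / WinLogon / Run signatures.

Added example for triage of a host suspected of running this sample.  The report
names the behaviours but not the keys, so the paths below are the conventional
values those signature titles refer to and are an assumption, not report data.
"""
import os
import sys
from typing import Dict, List, Optional, Tuple

Key = Tuple[str, str, str]                # (hive, subkey, value name)
Snapshot = Dict[Key, Optional[object]]    # None means the value is absent

ADVANCED = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
POLICIES = r"Software\Microsoft\Windows\CurrentVersion\Policies\System"
WINLOGON = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUN_KEYS = [("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
            ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run")]

WATCHED: List[Key] = [
    ("HKCU", ADVANCED, "HideFileExt"),        # 1 = hide extensions
    ("HKCU", ADVANCED, "Hidden"),             # 2 = hide hidden files
    ("HKCU", ADVANCED, "ShowSuperHidden"),    # 0 = hide protected OS files
    ("HKCU", POLICIES, "DisableRegistryTools"),
    ("HKLM", WINLOGON, "Shell"),
    ("HKLM", WINLOGON, "Userinit"),
]

# Basenames of the copies this sample drops into SysWOW64 (from the Processes section).
DROPPED_NAMES = {"antmaonoyqbmjzx.exe", "hvurrujxvg.exe", "zezlshojmodsa.exe", "zwakkcns.exe"}


def _exe_basename(command: str) -> str:
    """Return the lower-cased file name of the executable in a Run command line."""
    command = command.strip()
    path = command[1:].split('"', 1)[0] if command.startswith('"') else command.split(" ", 1)[0]
    return os.path.basename(path.replace("\\", "/")).lower()


def audit(snap: Snapshot, run_entries: Dict[str, str]) -> List[str]:
    """Return human-readable findings for a registry snapshot plus Run-key contents."""
    findings: List[str] = []

    def get(hive: str, key: str, name: str) -> Optional[object]:
        return snap.get((hive, key, name))

    if get("HKCU", POLICIES, "DisableRegistryTools") not in (None, 0):
        findings.append("RegEdit disabled via Policies\\System\\DisableRegistryTools")

    shell = get("HKLM", WINLOGON, "Shell")
    if shell is not None and str(shell).strip().lower() != "explorer.exe":
        findings.append(f"Winlogon Shell is not explorer.exe: {shell!r}")
    userinit = get("HKLM", WINLOGON, "Userinit")
    if userinit is not None and str(userinit).strip().lower() != r"c:\windows\system32\userinit.exe,":
        findings.append(f"Winlogon Userinit altered: {userinit!r}")

    # The Explorer view values are also the Windows defaults, so they are reported
    # as context rather than as proof of infection.  With extensions hidden, the
    # dropped 'name.doc.exe' files display as 'name.doc'.
    if get("HKCU", ADVANCED, "HideFileExt") == 1:
        findings.append("Explorer hides file extensions (double-extension droppers look like documents)")
    if get("HKCU", ADVANCED, "ShowSuperHidden") == 0 or get("HKCU", ADVANCED, "Hidden") == 2:
        findings.append("Explorer hides hidden/protected system files")

    for name, command in run_entries.items():
        base = _exe_basename(command)
        if base in DROPPED_NAMES:
            findings.append(f"Run entry {name!r} launches a known dropped copy: {command}")
        elif "\\syswow64\\" in command.lower():
            # Heuristic (assumption): autoruns pointing straight into SysWOW64 deserve a manual look.
            findings.append(f"Run entry {name!r} points into SysWOW64: {command}")
    return findings


def snapshot_live() -> Tuple[Snapshot, Dict[str, str]]:
    """Read the watched values and both Run keys from the local machine (Windows only)."""
    import winreg  # available only on Windows
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    snap: Snapshot = {}
    for hive, subkey, name in WATCHED:
        try:
            with winreg.OpenKey(hives[hive], subkey) as k:
                snap[(hive, subkey, name)] = winreg.QueryValueEx(k, name)[0]
        except OSError:
            snap[(hive, subkey, name)] = None
    runs: Dict[str, str] = {}
    for hive, subkey in RUN_KEYS:
        try:
            with winreg.OpenKey(hives[hive], subkey) as k:
                index = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(k, index)  # raises OSError past the last value
                    except OSError:
                        break
                    runs[f"{hive}\\{name}"] = str(data)
                    index += 1
        except OSError:
            pass
    return snap, runs


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("run this on the Windows host under investigation")
    for line in audit(*snapshot_live()):
        print(line)
```

Run it as the logged-on user on the suspect host; HKLM values are readable without elevation. A clean machine produces only the two Explorer context lines (or nothing if the user had extensions and hidden files shown), so anything about DisableRegistryTools, Winlogon or a Run entry is the actionable part.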

Processes

  • C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3040
    • C:\Windows\SysWOW64\hvurrujxvg.exe
      hvurrujxvg.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:3760
      • C:\Windows\SysWOW64\zwakkcns.exe
        C:\Windows\system32\zwakkcns.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:3432
    • C:\Windows\SysWOW64\antmaonoyqbmjzx.exe
      antmaonoyqbmjzx.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4164
    • C:\Windows\SysWOW64\zwakkcns.exe
      zwakkcns.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4616
    • C:\Windows\SysWOW64\zezlshojmodsa.exe
      zezlshojmodsa.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3704
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:3920

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

    Filesize

    512KB

    MD5

    ed98ee1fab61a68d4385068c94748d5c

    SHA1

    c02d0f25e493df1b2627c65c8e41a7f0c1f34f2f

    SHA256

    0559589e01a7afeade6678adcfbd77bf62ce32af62f6ca7f9f009b6a1987a300

    SHA512

    402f229a914fa6f330d3faf6a0f9bcacd86f74047c2967c89bd7bb4b73b46514407ee5ae3eb2ba7020439f51217d8c72e889d996b19a17592d659fc58dcc456d

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

    Filesize

    512KB

    MD5

    279e0ef3b94c8f9ae239082a68b2acf1

    SHA1

    70d62b5bb14094b96575866fec8f5b0868505fdb

    SHA256

    6a6193861a5dd370c7e20f099a899d114474992dfaa11ed1572fa1f97371cbd6

    SHA512

    f6d0dcf736f2ec2b121b17c688c79c4d93467a70c64350e451cd67ff9d38adc300a07dca72bea2645d918507faca6c078f18d93017a6a1779aeca470aa575999

  • C:\Program Files\MountUnpublish.doc.exe

    Filesize

    512KB

    MD5

    4a582e2d2da15e1dd7e7993b189acf04

    SHA1

    894f70d53c8cdd0aca64fbedd4dda06a8a348f98

    SHA256

    25bb775974d6f316880242d5ac48384c92733fd4aa216ca10d28766b56cba29f

    SHA512

    c536ebf51cccc916c716ec96c68eb9436030e7974a267f6d4cd0922e55aab036518e5c2c2ffef050ebbd31caf2df7aaf7933fd37db10709cfb52a9a7d3fee6a2

  • C:\Program Files\TestDebug.doc.exe

    Filesize

    512KB

    MD5

    c37728c3fd74937eb62a00ffc8749789

    SHA1

    bf959f43c766adcaa6a150e2860c2810a27bf2bf

    SHA256

    6d151a2039de96ee7b1309807fd2d4576d31a7e4066bb845ee00a36527288058

    SHA512

    d0277eba5b7d83f1f24cfdbae785ccdf8f7b49b2016649e88142ed406035b4f7be48cea926f2e57fe81fb48c89e17e218a2186708f97fa34ca18c31f414a4a09

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

    Filesize

    239B

    MD5

    12b138a5a40ffb88d1850866bf2959cd

    SHA1

    57001ba2de61329118440de3e9f8a81074cb28a2

    SHA256

    9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf

    SHA512

    9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

    Filesize

    3KB

    MD5

    6c472de24a316fb7331f7c0fa09d4dff

    SHA1

    0abcd6907a3c4f8639ecd9b96c96d7e3de5957e8

    SHA256

    de1d69c93e5d93b9912f24e87897a38d0f4ccb72f5318d154489620777689598

    SHA512

    24df39a06e6ce0ddd4aa9964c0fdc6920690d48cdc9628af90407ebda9cab4e7d4b285d0633c95202881916587fc3dfefb3dad7cf6bf6fc2cbefe39822c74a26

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

    Filesize

    3KB

    MD5

    88b3f7686c8a659e26ae84ffc66130e5

    SHA1

    014314e28b29ce61899d5e8e811637d48a9d2709

    SHA256

    0715a0be7696dd394eb7525e3cbb8ae272e0287a3e7470b68830a99c3953550b

    SHA512

    286e312e0e62b7c5379cdaef0dfe4b2c3a82692f7afca54d3d707796e5b1a99f0ec3b683ad621e04aa8eddaa10028feed81233042691b27fb54769968c7a6296

  • C:\Windows\SysWOW64\antmaonoyqbmjzx.exe

    Filesize

    512KB

    MD5

    ec37a39e502529074b9c69753da53ef6

    SHA1

    2977264dc29ea91ecbd1baa1879eae8ff2f25d39

    SHA256

    8a3dd868d1a25303ecddea09822a40a9509776c56ea8d8e1b559d553741bd56c

    SHA512

    d21ce43939786a9970c4d8bb94dc62bdfa4d2cb402d8c57b2acf79b3a51f99dd6a29f72992ed066cd13a7697a9b522a534f29ffaf954f38a60e8489faeaaa7a8

  • C:\Windows\SysWOW64\hvurrujxvg.exe

    Filesize

    512KB

    MD5

    4b90858b5bcbcfb87ad05873cae063d7

    SHA1

    09d35bec066f34be14704e8e2168db8e8ec285d6

    SHA256

    fb5f49c3aa173bca89e2e68dce5c0d223bd7fdee92e18f67d79f0c95fa16d4ed

    SHA512

    e48ffe989dfcd7ec34275f64b745d98a7e2306814ad9300e19a7ecc95d5e555c6b58c2f558a806e91cf3e366831238191530a20e5956c6c229ea1a95c630be2c

  • C:\Windows\SysWOW64\zezlshojmodsa.exe

    Filesize

    512KB

    MD5

    f1c5a24077932fea415489f7cf267765

    SHA1

    2da06da8372786d803b51a645126a9aed451263e

    SHA256

    5a89c0bc96a273c9b095bf823132376b42e1768d98037c7dd17b9dbca89c237c

    SHA512

    88cbe97835ccacc553cbbebab76dc3343290c8e8dee2bc122d77e732be89ee65b3e6d571c6413e4b932716367f0718852e7591143e539036b88b4b85f7eb2806

  • C:\Windows\SysWOW64\zwakkcns.exe

    Filesize

    512KB

    MD5

    cb9d49a312f051f81a8a546989beaadf

    SHA1

    1f60413e3220439e78071fe5699aa61c4a1e8e12

    SHA256

    28884f9944d13e08e0259563a175a937d7986509acc1dcf7b00a75b24c898490

    SHA512

    760d19d11fc1c6590bc4d07b2199f1492aa77f6f33e934ce60d52a6f7dc9d1e3392bac74c6d4badf08878a258a6787f0b955bbdb2f5e5a48a31f6d74735bce2e

  • C:\Windows\mydoc.rtf

    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

    Filesize

    512KB

    MD5

    07d1ec0994b651227df3c57ba1263fa7

    SHA1

    d1714d74985a68e9d8cb7f04a4da63aff5586aa6

    SHA256

    d6bf959615404ed53e8f92989b96d3f3995bc4dc75feb539324078d18081cd4f

    SHA512

    443a43730fa8a6df7eb6fd03565d02b2e456c4682dd63d81836499aac19bf11d3e4ca442e950d6e13e906100c5b1bcc76577010dd061a4da37cdbdaf382b0c16

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

    Filesize

    512KB

    MD5

    d4d04f92a0a7f6bca3de655e3e903546

    SHA1

    f56b631b446d290e1db01ad6a42443a5ba44597d

    SHA256

    609f191923f3fea9b91131b641571bdb7bd4d79566364b90d545a56eba348820

    SHA512

    d0e6d9af73e77bef721c4f142d1473bccc96f0401373d412659537c328e493ff98808e38bbe4a5f382b8fd93981397f1db4627001f95489b5e42724b423792e1

  • memory/3040-0-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB

  • memory/3920-39-0x00007FF95EF90000-0x00007FF95EFA0000-memory.dmp

    Filesize

    64KB

  • memory/3920-38-0x00007FF95EF90000-0x00007FF95EFA0000-memory.dmp

    Filesize

    64KB

  • memory/3920-37-0x00007FF95EF90000-0x00007FF95EFA0000-memory.dmp

    Filesize

    64KB

  • memory/3920-36-0x00007FF95EF90000-0x00007FF95EFA0000-memory.dmp

    Filesize

    64KB

  • memory/3920-35-0x00007FF95EF90000-0x00007FF95EFA0000-memory.dmp

    Filesize

    64KB

  • memory/3920-40-0x00007FF95C9A0000-0x00007FF95C9B0000-memory.dmp

    Filesize

    64KB

  • memory/3920-43-0x00007FF95C9A0000-0x00007FF95C9B0000-memory.dmp

    Filesize

    64KB

  • memory/3920-119-0x00007FF95EF90000-0x00007FF95EFA0000-memory.dmp

    Filesize

    64KB

  • memory/3920-120-0x00007FF95EF90000-0x00007FF95EFA0000-memory.dmp

    Filesize

    64KB

  • memory/3920-122-0x00007FF95EF90000-0x00007FF95EFA0000-memory.dmp

    Filesize

    64KB

  • memory/3920-121-0x00007FF95EF90000-0x00007FF95EFA0000-memory.dmp

    Filesize

    64KB
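Every 512KB copy listed above carries a different hash, so the SHA-256 values from this run identify only these exact files; what generalises is the naming pattern (a document name with .exe appended, dropped under Program Files and SysWOW64 while Explorer is set to hide extensions). The following added example (not part of the report) hunts a directory tree both ways: it flags any `name.doc.exe`-style file whose content is a PE, and separately matches file hashes against the list from the Downloads section. The document extensions, the size cap and the two-byte MZ check are assumptions chosen for the example.

```python
"""Hunt for this sample's dropped files by hash and by the 'name.doc.exe' naming pattern.

Added example, not report tooling.  KNOWN_SHA256 is copied from the Downloads
section above; the extension list, size cap and MZ check are assumptions.
"""
import hashlib
import os
from pathlib import Path
from typing import Iterable, List, Set, Tuple

KNOWN_SHA256: Set[str] = {
    "2d3d7773775404e6b644e50be9dbc8fd33f373a6f1430f0fd8956f4c32548ed6",  # submitted sample
    "0559589e01a7afeade6678adcfbd77bf62ce32af62f6ca7f9f009b6a1987a300",  # PROTTPLN.DOC.exe
    "6a6193861a5dd370c7e20f099a899d114474992dfaa11ed1572fa1f97371cbd6",  # PROTTPLV.DOC.exe
    "25bb775974d6f316880242d5ac48384c92733fd4aa216ca10d28766b56cba29f",  # MountUnpublish.doc.exe
    "6d151a2039de96ee7b1309807fd2d4576d31a7e4066bb845ee00a36527288058",  # TestDebug.doc.exe
    "8a3dd868d1a25303ecddea09822a40a9509776c56ea8d8e1b559d553741bd56c",  # antmaonoyqbmjzx.exe
    "fb5f49c3aa173bca89e2e68dce5c0d223bd7fdee92e18f67d79f0c95fa16d4ed",  # hvurrujxvg.exe
    "5a89c0bc96a273c9b095bf823132376b42e1768d98037c7dd17b9dbca89c237c",  # zezlshojmodsa.exe
    "28884f9944d13e08e0259563a175a937d7986509acc1dcf7b00a75b24c898490",  # zwakkcns.exe
    "d6bf959615404ed53e8f92989b96d3f3995bc4dc75feb539324078d18081cd4f",  # MsoIrmProtector.doc.exe (1)
    "609f191923f3fea9b91131b641571bdb7bd4d79566364b90d545a56eba348820",  # MsoIrmProtector.doc.exe (2)
}

# Document extensions that, followed by .exe, mark a disguised dropper (assumption).
DOC_EXTS = {".doc", ".docx", ".rtf", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt"}

Finding = Tuple[str, str]  # (path, reason)


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not have to be read at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def looks_like_disguised_doc(path: Path) -> bool:
    """True for 'name.doc.exe'-style names whose content starts with the PE 'MZ' magic."""
    suffixes = [s.lower() for s in path.suffixes[-2:]]
    if len(suffixes) != 2 or suffixes[1] != ".exe" or suffixes[0] not in DOC_EXTS:
        return False
    try:
        with path.open("rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False


def scan(root: os.PathLike, known: Iterable[str] = KNOWN_SHA256,
         max_size: int = 2 * 1024 * 1024) -> List[Finding]:
    """Walk `root` and return findings for disguised documents and known hashes.

    Only .exe files up to `max_size` are hashed, which keeps the walk cheap and
    still covers the 512KB copies in this report.
    """
    known_set = set(known)
    findings: List[Finding] = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            try:
                size = path.stat().st_size
            except OSError:
                continue
            if looks_like_disguised_doc(path):
                findings.append((str(path), "document name with .exe appended, PE content"))
            if size <= max_size and path.suffix.lower() == ".exe" and sha256_of(path) in known_set:
                findings.append((str(path), "SHA-256 matches a file from this report"))
    return findings


if __name__ == "__main__":
    import sys
    for root in sys.argv[1:] or [r"C:\Program Files", r"C:\Windows\SysWOW64"]:
        for found_path, reason in scan(root):
            print(f"{reason}: {found_path}")
```

The pattern check is the one worth keeping in a hunt: the sample's copies differ per run, but a PE named after a document and dropped next to real Office files is the observable that survives re-infection, and with `HideFileExt` set the user never sees the trailing `.exe`.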