Analysis

  • max time kernel
    151s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-06-2024 00:06

General

  • Target

    a31224d26b26443ef664482c59a05399_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    a31224d26b26443ef664482c59a05399

  • SHA1

    eb1d2af0c1ddaca31f291a742ed4e13b46a62dc9

  • SHA256

    96d822e1de3f50016ea9cd158071698714cb0aa5dd2da3d86d82c987604196c8

  • SHA512

    5ea5307184aedb90d0f89434cb9378a0e7f8eb7bb354f5a8d674314981f6db40403a863c6b6f2ce878b221d726a2e4e527b02335dc12aa08ceab3adfd1fbc47b

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6o:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5N

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 9 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 13 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 11 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4784
    • C:\Windows\SysWOW64\khfjvspmqr.exe
      khfjvspmqr.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1592
      • C:\Windows\SysWOW64\bxzdtjoj.exe
        C:\Windows\system32\bxzdtjoj.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4088
    • C:\Windows\SysWOW64\mkvnsxlhfzfsvde.exe
      mkvnsxlhfzfsvde.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3256
    • C:\Windows\SysWOW64\bxzdtjoj.exe
      bxzdtjoj.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:928
    • C:\Windows\SysWOW64\viadpnxblugim.exe
      viadpnxblugim.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:908
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:2440
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3856 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:1860

Network

MITRE ATT&CK Enterprise v15


Downloads

    • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

      Filesize

      512KB

      MD5

      d0e5684864f804a4f95d9a06ab6bfcdd

      SHA1

      2009f0938b656b74fa5ad6ed3a7257eda133cd3d

      SHA256

      242047e03c58dc864a7f4de842bcc5bdfacc5caf00ae0a28b4e5bb36e226bba3

      SHA512

      df4130851bd6dcc79dcefa5a19bd2cc0d037acd30e5cceb68990614c3e04945b38ff71cef0b35cade8b3198335ac62dde8cc57d041feba49e446c6dcd7409eb2

    • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

      Filesize

      239B

      MD5

      602dad6ee0e60cde6698692534ef100b

      SHA1

      c3e20be4cf62746964ff865964f4f354d412bfac

      SHA256

      596069f7c5d4c9cea8266af60fcc730fbaec42eb5dd0c6f4203e463b742fb598

      SHA512

      bc1fdcc479d9d46977847557985ca1744f1d4f135da27d82dd2f131419c16fbc70968eb27458a1769e59a9a166847be39aa81b82936e39e753d578ee13df8669

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

      Filesize

      3KB

      MD5

      55c27537c347caba196e23fedf90d237

      SHA1

      776731812ca395ccf78b05b516a9e0908d0221d4

      SHA256

      47f7ddc977ca297d926c1d4f77dd43eed357ce9e13510a3cc0d8e47d248e1339

      SHA512

      fe7cb75fd04f2bf2676778691f417a9dd9e9418a9012770a2bef10041d27b36c820a8a87a4204c32ff15e72188bfbec35839ec4c86c1cd9699645582636ac914

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

      Filesize

      3KB

      MD5

      e261ebdae6427430eafea91bc845b4ce

      SHA1

      8f439096f4304e466bc8b7063ba85848163ead97

      SHA256

      9f1e612bf961065fd846d8aa7ef04c120e7da6c8c081dcca7a17f5d4de4a51ac

      SHA512

      99fc8f8a409a990746668304c7658194a40879802cb4df2d87527ba1dd06d64106901a23e3b943f41fd0ad2fed9a126ce12281dead6d2d7fe9c15f424689bbde

    • C:\Users\Admin\Documents\ShowProtect.doc.exe

      Filesize

      512KB

      MD5

      68acc8f3ce4c13bdd3ec5773a093303a

      SHA1

      41f02e3d517f2b1bad9377e1fd382f41396d6975

      SHA256

      3397ce39b9ed1d8f1eed74e5a3db270c957e2acf41ed04b4353218163157f83d

      SHA512

      b03de2ba2919b37a9ba469d18160fd3cbde60b34bf8279dff4241317b12529bf1eb5fe501cdafeadae9caf7dd6d4b19a9e460daf856878ff98e05655200a4aaf

    • C:\Windows\SysWOW64\bxzdtjoj.exe

      Filesize

      512KB

      MD5

      73ee09f7103bac531804f85d0a6bc9e2

      SHA1

      f1e87adb44e6f63b3afef6a6ec0153b18840ba4a

      SHA256

      d930c61f1e763f62a2d0009ae92775914679a25c8f1bb0daf68e6ba6ac555449

      SHA512

      d91f36a219a86876973713c2a8e90b16001d320ce0532bac57001fe827c121ff5137ef92969a05c702de5d8639bfd563ab61589bb4477dc646f43ec4fcdd1308

    • C:\Windows\SysWOW64\khfjvspmqr.exe

      Filesize

      512KB

      MD5

      4562b7d80bbcf6fd5f68b7aa61c709cc

      SHA1

      745a0b9136ba4877d3702c1c5a49d074aea242e6

      SHA256

      93110ecfe7468f9f7b873ea6c15f380f79c7df16f4685d1198df07ee5bd3e085

      SHA512

      38dc64dacdbdc7f0a31d4dbae409d1ebe308f7ce2febafa6b3b2d4a5cc48b90178ed26efd0a991b79c33a4b5ebda6e442ea948882dbb83e05c8aa2956c7c3342

    • C:\Windows\SysWOW64\mkvnsxlhfzfsvde.exe

      Filesize

      512KB

      MD5

      0e87d44ab0a1013a6be5e2d86442cfe8

      SHA1

      b8bf113444abf556b2186cee80f087e8b02e98d8

      SHA256

      e09594bab95b1f2dd1b7c1c5c5648eddc16c44396de07d121eb248bf0d7b0005

      SHA512

      8ca9ba8661e4ec1050c7cbb3974323982a66691cf8d06f968159f1c995d12ce5a7be3e849e75f002c936b3e16c6cf221283c1dc99bc8e4988f9dcf540b877c04

    • C:\Windows\SysWOW64\viadpnxblugim.exe

      Filesize

      512KB

      MD5

      ef6c9fcc248f967d371993a0ca402ded

      SHA1

      52e8924d8e08faa2fa49cf11dbb9b024a8f26d37

      SHA256

      b58f83d694a5edffbb75c2d551e8187b0bf27588874d33b335703e2092f5f417

      SHA512

      be2101c4e52a8b8b7f7e1ddcc4a0fe736154cdc1bb57eebad43b35e945cd531479b3b39a46fcc6bafbff818f75d7a5244cf8ca6f85ef0f6f6add5cc624322773

    • C:\Windows\mydoc.rtf

      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

      Filesize

      512KB

      MD5

      4d084adb041ef0e20fdb5e13c024e4ca

      SHA1

      9eb721b46e7ed524630f693e810fbd0dbd68624c

      SHA256

      02295b36eab9b17503d71ee85e1b0a1e4e095c365bfbb1de99329715f54d303e

      SHA512

      c0b277de5c22e5395123c0ef220bce924428dfcbb00b5e36a8bf5cba85ac39cbe4514f9c3b45ecbba3eda041850e8b0e7ab0c5969a696e4a4c74e302e13e56f2

    • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

      Filesize

      512KB

      MD5

      4e1882104e7967744af0c335c5568096

      SHA1

      dbf95c1a383cfaa02f2796f003647ae0aa5987b2

      SHA256

      425430c2a55dfa7b4983571f36eba787fa68d1e4136c4869fc56d52ad1792b79

      SHA512

      44c41ef11ce169c9be9761191c14c29655d3003c5c50611c056c59f93d7fba607c5d365ab793a9f36e2ae436f904a789561a614b587ede8bd259ca7aecc3af26

    • memory/2440-43-0x00007FF87F9A0000-0x00007FF87F9B0000-memory.dmp

      Filesize

      64KB

    • memory/2440-42-0x00007FF87F9A0000-0x00007FF87F9B0000-memory.dmp

      Filesize

      64KB

    • memory/2440-41-0x00007FF881A90000-0x00007FF881AA0000-memory.dmp

      Filesize

      64KB

    • memory/2440-40-0x00007FF881A90000-0x00007FF881AA0000-memory.dmp

      Filesize

      64KB

    • memory/2440-38-0x00007FF881A90000-0x00007FF881AA0000-memory.dmp

      Filesize

      64KB

    • memory/2440-39-0x00007FF881A90000-0x00007FF881AA0000-memory.dmp

      Filesize

      64KB

    • memory/2440-37-0x00007FF881A90000-0x00007FF881AA0000-memory.dmp

      Filesize

      64KB

    • memory/2440-119-0x00007FF881A90000-0x00007FF881AA0000-memory.dmp

      Filesize

      64KB

    • memory/2440-122-0x00007FF881A90000-0x00007FF881AA0000-memory.dmp

      Filesize

      64KB

    • memory/2440-121-0x00007FF881A90000-0x00007FF881AA0000-memory.dmp

      Filesize

      64KB

    • memory/2440-120-0x00007FF881A90000-0x00007FF881AA0000-memory.dmp

      Filesize

      64KB

    • memory/4784-0-0x0000000000400000-0x0000000000496000-memory.dmp

      Filesize

      600KB