Analysis

  • max time kernel
    150s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
  • submitted
    13-06-2024 00:13

General

  • Target

    a316ee6c5b7ee445db9eebf286dcce12_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    a316ee6c5b7ee445db9eebf286dcce12

  • SHA1

    943296eacac5edab76e4cc05174d5c6a07356d5f

  • SHA256

    b07a2af3717c3e3f1b48ccd756fb359f0be8d87b442fe8fb959fb3a7c8b0eafb

  • SHA512

    8a23918d615f25c504bbeca5d0697a1bb440f8dec1aac8f9f99351ad691c497f200130833953e68afad21ab802c8ee4ace25061b4f13d76c8cb5d47b3c3468a7

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj66:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5N

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 7 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 47 IoCs
  • Suspicious use of SendNotifyMessage 36 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
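
The signatures above describe registry tampering that a responder can verify on a suspect host: Explorer visibility values, the RegEdit policy, Winlogon entries and Run keys. The following audit is an added example, not code from the sandbox or from the sample. The report does not state the exact values written, so the check covers the standard Windows locations for each listed behaviour; the expected defaults, the severity labels, the random-name heuristic and the sample snapshot are all assumptions made here.

```python
"""Audit a registry snapshot for the behaviours the sandbox signatures list.
Added example; key paths are the documented Windows locations, the rest is assumed."""
import re
import sys

EXPLORER_ADV = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
POLICIES_SYS = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"
WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUN_KEYS = (
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)

# State matching "modifies visibility of file extensions / hidden files".
# HideFileExt=1, Hidden=2, ShowSuperHidden=0 are also the Windows defaults, so on
# their own they are consistent with tampering, not proof of it (hence "info").
HIDE_STATE = {"HideFileExt": 1, "Hidden": 2, "ShowSuperHidden": 0}
# Assumed clean baseline for the Winlogon values malware commonly rewrites.
WINLOGON_DEFAULTS = {"Shell": "explorer.exe", "Userinit": r"C:\Windows\system32\userinit.exe,"}
# Heuristic (assumption): a bare lowercase-letter name under System32/SysWOW64, like
# the dropped binaries in this report, is not something a legitimate installer writes.
RANDOM_NAME_RE = re.compile(r"\\(system32|syswow64)\\[a-z]{6,20}\.exe\b", re.IGNORECASE)


def audit_registry_snapshot(snapshot):
    """snapshot: {key_path: {value_name: data}}. Returns (severity, key, message) tuples."""
    findings = []
    adv = snapshot.get(EXPLORER_ADV, {})
    for name, bad in HIDE_STATE.items():
        if adv.get(name) == bad:
            findings.append(("info", EXPLORER_ADV, f"{name}={bad}: Explorer hides extensions/hidden files"))
    pol = snapshot.get(POLICIES_SYS, {})
    if pol.get("DisableRegistryTools", 0) != 0:
        findings.append(("high", POLICIES_SYS, f"DisableRegistryTools={pol['DisableRegistryTools']}: regedit blocked"))
    wl = snapshot.get(WINLOGON, {})
    for name, default in WINLOGON_DEFAULTS.items():
        actual = wl.get(name)
        if actual is not None and actual.strip().lower() != default.lower():
            findings.append(("high", WINLOGON, f"{name}={actual!r} (expected {default!r})"))
    for key in RUN_KEYS:
        for name, cmd in snapshot.get(key, {}).items():
            if RANDOM_NAME_RE.search(cmd):
                findings.append(("high", key, f"Run value {name!r} -> {cmd}: random-looking binary in system dir"))
    return findings


def collect_live_snapshot():
    """Read the same keys from the running host (Windows only; 32-bit Python sees the WOW64 view)."""
    import winreg
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    snapshot = {}
    for path in (EXPLORER_ADV, POLICIES_SYS, WINLOGON, *RUN_KEYS):
        hive, _, sub = path.partition("\\")
        try:
            with winreg.OpenKey(hives[hive], sub) as k:
                values, i = {}, 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(k, i)
                    except OSError:
                        break
                    values[name] = data
                    i += 1
                snapshot[path] = values
        except OSError:
            pass
    return snapshot


# Constructed snapshot mirroring the listed signatures; these are not values observed by the sandbox.
SAMPLE_SNAPSHOT = {
    EXPLORER_ADV: {"HideFileExt": 1, "Hidden": 2, "ShowSuperHidden": 0},
    POLICIES_SYS: {"DisableRegistryTools": 1},
    WINLOGON: {"Shell": "explorer.exe",
               "Userinit": r"C:\Windows\system32\userinit.exe,C:\Windows\SysWOW64\ydqxklwjwy.exe"},
    RUN_KEYS[0]: {"pdregeegfpikagv": r"C:\Windows\SysWOW64\pdregeegfpikagv.exe"},
}

if __name__ == "__main__":
    snap = collect_live_snapshot() if sys.platform == "win32" else SAMPLE_SNAPSHOT
    for sev, key, msg in audit_registry_snapshot(snap):
        print(f"[{sev}] {key}: {msg}")
```

Run on a Windows host it reads the live keys; anywhere else it audits the constructed snapshot. Because the Explorer values coincide with Windows defaults, treat those hits as corroboration of the other findings rather than as indicators on their own.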

Processes

  • C:\Users\Admin\AppData\Local\Temp\a316ee6c5b7ee445db9eebf286dcce12_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a316ee6c5b7ee445db9eebf286dcce12_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2320
    • C:\Windows\SysWOW64\ydqxklwjwy.exe
      ydqxklwjwy.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:3064
      • C:\Windows\SysWOW64\idnbcmuh.exe
        C:\Windows\system32\idnbcmuh.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:3036
    • C:\Windows\SysWOW64\pdregeegfpikagv.exe
      pdregeegfpikagv.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2640
    • C:\Windows\SysWOW64\idnbcmuh.exe
      idnbcmuh.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2908
    • C:\Windows\SysWOW64\plkjqltnwzece.exe
      plkjqltnwzece.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2900
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:2464
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2000

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

    Filesize

    512KB

    MD5

    c714fc43ddfe6d2ce84573ae16807683

    SHA1

    2f8ab8fbe128e4bb128967a37256b50e04552abd

    SHA256

    e4cf1000fac249d6f94542dc7313db50a13891056f96dc6b79c71d181d561889

    SHA512

    f64ca5b8f77eb7be1f260bf9b16d17235d3d72924dbaa38f33494bc06c74496c593c8576f8dce4f5e65a1913a559ccb2e709d6dae7c52080af5fdabaa93133f0

  • C:\Users\Admin\Desktop\CompressConvertFrom.doc.exe

    Filesize

    512KB

    MD5

    edf989594ba221d05eb401b7c21087e4

    SHA1

    b3bf47f4b5df5526313be4a9cd3a9da142eb4a5f

    SHA256

    ef5ab621e3637f8e9bc890335aec5175950f9b7b3d430e2abf0431659da1dcfb

    SHA512

    6509bdab52f156a19c2b98e83b1c0dd4ad7d6e555afeff338a9a94c5322b650ad23dad3a72ffe02f628b078604056a5021c667c873729efba7971b355c1ba942

  • C:\Windows\SysWOW64\pdregeegfpikagv.exe

    Filesize

    512KB

    MD5

    abcc5b3e655491975a6de9cbd1a57e01

    SHA1

    2e6c50d6e1e6263eb8fee31acfc98bf6ff769115

    SHA256

    7387851f1a29e5cd62b9cd14c6d1483a7cd869f5a26fc1f46c1897249c90f550

    SHA512

    2d14f7f60026a58b33000dd678511dc203847a9e44715b5fc7f64a3e138b474db6a48fb0d91945d635328ba08e601523ebda97e9ce51bf3c0916a31c63caba31

  • C:\Windows\mydoc.rtf

    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

  • \Windows\SysWOW64\idnbcmuh.exe

    Filesize

    512KB

    MD5

    6e77dfe81bc39f39cc604d1802658a1a

    SHA1

    3f9d942cbd277b2052cdb6e3ec023796796a12d6

    SHA256

    40582a98fbcb286fffbf96af4b6b1b3f3de74fa8d46a1cad23ed6b6730790b6d

    SHA512

    ba7b6ded4ea055ca08faf7a3058c1d0d125191b3988a9014eba98e02f060d9c61467f0842f52a56a355c8fc7f34393ae475f32448c0634228760746b1da2ba14

  • \Windows\SysWOW64\plkjqltnwzece.exe

    Filesize

    512KB

    MD5

    cc7ea3316c1e0e76d82a3c1606ff4dba

    SHA1

    ccee5cd01535ad5a57f14fdb2869905a012ee523

    SHA256

    72a7b422ca5b635d81eb1011b74a3f338725d4fc7656c1027626c6fa025e95c2

    SHA512

    9d7e3a3f14566a60dd918d27131c0eee34fda4a3e132dccdbccbc86dbb80180613a8c99066d037f5fd5ce18ac4cd4206f756ed555ac267564d930ba7f1edd84b

  • \Windows\SysWOW64\ydqxklwjwy.exe

    Filesize

    512KB

    MD5

    cb229e0231fbb9cdda8986095dd148bb

    SHA1

    8020d47861f7ed3534ca236c043b26ba4a07ef24

    SHA256

    2b361acfdf320f9a36b2aa3eb7a1477373f884459db8211a7c8989cf0504f560

    SHA512

    749ab1ddce4e46dc1c6c63fe9e50bf39512a1212596edff41122022d48648601fd599a0ce438bad2fc6e50aa4eddd7865ebbf4d7f99301ca8fc4845413a685ef

  • memory/2000-81-0x0000000003CF0000-0x0000000003D00000-memory.dmp

    Filesize

    64KB

  • memory/2320-0-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB

  • memory/2464-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB
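
The dropped-file list above gives exact hashes for the copies written to SysWOW64, Program Files and the Desktop, and two of them carry a document name with a trailing .exe (PROTTPLV.DOC.exe, CompressConvertFrom.doc.exe), which pairs with the hide-file-extensions behaviour in the signatures. The sweep below is an added example, not sandbox code: it hashes every file under a root, matches against the SHA-256 values copied from this report, and separately flags the double-extension pattern as a heuristic. The demo tree and its contents are constructed; the extension list in the regex is an assumption.

```python
"""Sweep a directory tree for the dropped files listed in this report. Added example."""
import hashlib
import os
import re
import tempfile

# SHA-256 values copied from the Downloads section (dropped copies) and the original target.
DROPPED_SHA256 = {
    "e4cf1000fac249d6f94542dc7313db50a13891056f96dc6b79c71d181d561889": "PROTTPLV.DOC.exe",
    "ef5ab621e3637f8e9bc890335aec5175950f9b7b3d430e2abf0431659da1dcfb": "CompressConvertFrom.doc.exe",
    "7387851f1a29e5cd62b9cd14c6d1483a7cd869f5a26fc1f46c1897249c90f550": "pdregeegfpikagv.exe",
    "40582a98fbcb286fffbf96af4b6b1b3f3de74fa8d46a1cad23ed6b6730790b6d": "idnbcmuh.exe",
    "72a7b422ca5b635d81eb1011b74a3f338725d4fc7656c1027626c6fa025e95c2": "plkjqltnwzece.exe",
    "2b361acfdf320f9a36b2aa3eb7a1477373f884459db8211a7c8989cf0504f560": "ydqxklwjwy.exe",
    "b07a2af3717c3e3f1b48ccd756fb359f0be8d87b442fe8fb959fb3a7c8b0eafb": "a316ee6c5b7ee445db9eebf286dcce12_JaffaCakes118.exe",
}
# Heuristic (assumption): a document extension immediately followed by .exe.
DOUBLE_EXT_RE = re.compile(r"\.(doc|docx|rtf|xls|xlsx|pdf|txt)\.exe$", re.IGNORECASE)


def sha256_of(path, chunk=1 << 20):
    """Stream the file so large volumes do not get loaded into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, iocs=DROPPED_SHA256):
    """Walk root and return (path, reason) hits. Hash matches are exact; double-extension
    hits are heuristic and need manual review. Unreadable files are skipped, not failed."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_of(path)
            except OSError:
                continue
            if digest in iocs:
                hits.append((path, f"sha256 match: {iocs[digest]}"))
            elif DOUBLE_EXT_RE.search(name):
                hits.append((path, "double extension (document name, .exe payload)"))
    return hits


def build_demo_tree():
    """Constructed sample tree: one decoy-named executable, one clean file, and one file
    whose hash is added to a copy of the IOC set so an exact match can be exercised."""
    root = tempfile.mkdtemp(prefix="sweep_demo_")
    os.makedirs(os.path.join(root, "Desktop"))
    with open(os.path.join(root, "Desktop", "CompressConvertFrom.doc.exe"), "wb") as f:
        f.write(b"MZ placeholder, constructed content")
    with open(os.path.join(root, "notes.txt"), "wb") as f:
        f.write(b"benign text")
    payload = b"constructed sample bytes, not the real dropped file"
    with open(os.path.join(root, "abcdefghij.exe"), "wb") as f:
        f.write(payload)
    iocs = dict(DROPPED_SHA256)
    iocs[hashlib.sha256(payload).hexdigest()] = "constructed-sample"
    return root, iocs


if __name__ == "__main__":
    demo_root, demo_iocs = build_demo_tree()
    for path, reason in sweep(demo_root, demo_iocs):
        print(f"{reason}: {path}")
```

Against a real host, point sweep() at the user profile, C:\Windows\SysWOW64 and Program Files with the default IOC set; the hash matches are the authoritative result, the double-extension hits are leads.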