Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    13-06-2024 00:12

General

  • Target

    a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    a316428effee4f96edee4b7601cfc78c

  • SHA1

    62c62a83b191db7672a7aa45235c8446335b6e30

  • SHA256

    3c6d66ea64e12029bda1fa7c1f9432980342dff406af07f91c12156c4e27220b

  • SHA512

    601302185a305d95dddb19aba0dc7f3b34b6028db5d8c0ee32efcad8c1962942f6a49a8587557eb8b20e54279670f8b0f7118411ff38b99ecd5a2443953db831

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6I:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5d

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 7 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2548
    • C:\Windows\SysWOW64\nzsdxjqkoy.exe
      nzsdxjqkoy.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2036
      • C:\Windows\SysWOW64\ifisuamf.exe
        C:\Windows\system32\ifisuamf.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2868
    • C:\Windows\SysWOW64\ovmytroaudrcrgd.exe
      ovmytroaudrcrgd.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2572
    • C:\Windows\SysWOW64\ifisuamf.exe
      ifisuamf.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2672
    • C:\Windows\SysWOW64\yzvzjvkwflgwr.exe
      yzvzjvkwflgwr.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2664
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1940
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:3048

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

      Filesize

      68B

      MD5

      4aa671ad497fc5111055a5cd73ed00f7

      SHA1

      cb07b411329fc10b812a00e529780b6423499e28

      SHA256

      b5c2d14c06ec67d8aef21a76a152d01ca4f01ce3f84c4842030dcbd00c5f10ef

      SHA512

      eea59c86be5eb784263378651bff550fb1cd158f48b121e4438826bfbf2129bf13cb61914fe3e60a953922164d7314e2b582f08fb7e9664482f37ee056b9ccd8

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      20KB

      MD5

      90bbcf3df1b84d185f084893abcb4f92

      SHA1

      c0aa89e283b0979626fb9d0cf5591156f2e1156e

      SHA256

      231a48e7cca45f48501239d02aa14bf62f8b0e214233b6dfb4d0ca3950318ee6

      SHA512

      af60930ded213aa422f819992c7699febf0835e866e99b2c517ea94c64992a2dae4251af8c1086f3884b4d7a2b9234e2ed8fb4b603e478b3fa27e1e4605688b6

    • C:\Users\Admin\Downloads\UnblockMeasure.doc.exe

      Filesize

      512KB

      MD5

      8cb6be392ad66e135dccb3a2128456e4

      SHA1

      7bd0dd7eb4a3c6284c68336e39f8725b999973a9

      SHA256

      7d8987f350302ae626d5cf394d441fdf576db6595b3b9f8e14a75c42a88728e2

      SHA512

      12481962cd77a5ab7e20e84965a94009e109fb5194a555902e734eb2a74f96a0ca0170e58c4b51a33038e16e4520c7be92dc8625206ec6bb3b653f607b400354

    • C:\Windows\SysWOW64\ovmytroaudrcrgd.exe

      Filesize

      512KB

      MD5

      fbef3dc31de85d893ca08cb3bb00d8aa

      SHA1

      5cda2ac5040261fa5d66171a33733abad4ffd06a

      SHA256

      e436cc9545b805ae104651b8370460bc9573fd2f2fb04ef99383c5b14b3c8703

      SHA512

      e3e28eefcb4527d465bd520265bffff1414ebdad917402f80c662a2d85cca72784db500c70a4f83ba35575085752186c4bee5bfdbdce78f51a4690e09ad753de

    • C:\Windows\mydoc.rtf

      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    • \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

      Filesize

      512KB

      MD5

      b911d8ab8be19d5fac9850dfd0233707

      SHA1

      dcf1e9ce89d782914bef56f0b88b67b2c53d0969

      SHA256

      d155dbbadf581210af551ed55277b67d57930e5f6cdb48a2938df0a62898d241

      SHA512

      3725312fc8a744d7d0d36fabb479135aabb5ca83351c1222c8e386ef45bcf76cd3ec484925fab99ade07adf6bafd39408b588ca34f3f60002a62d2199cc3456d

    • \Windows\SysWOW64\ifisuamf.exe

      Filesize

      512KB

      MD5

      7999e71fac19f5d5ebb894724e963f23

      SHA1

      839d8c01d036c90ceef99debffbcad590a35b184

      SHA256

      59c49a0f571fe3528fbd5f2b712ec759b4883c16034aec9ca5629e712f27af42

      SHA512

      2a068943e9ef87101e6b00c3514972cba5c7f5b5c0019d93c5547d09bbb387c66db480446e29815e7c07e29b706861ae83b12c1a45a1125b4dafe6ff2c28d441

    • \Windows\SysWOW64\nzsdxjqkoy.exe

      Filesize

      512KB

      MD5

      9c2174fdf2ceb236b002416f793b2195

      SHA1

      241c0fe9c947d4a2499dc7a034ef199f1082f8ff

      SHA256

      b6cf2b7bf06b9c5413f56b1a7989134d49e0c3f4ec7c7f9bd02c8e2a7cb2bb12

      SHA512

      900c5ad5cdd26e5d7d910335656282b3d50a3c78610ac4805c209d7fe84fc70a0481cd698c384f93083c15f39b9ea5570ffd1182d6e83c070a713efd29597f57

    • \Windows\SysWOW64\yzvzjvkwflgwr.exe

      Filesize

      512KB

      MD5

      0a6fa2a135a9a4aba4e3e824ff06b092

      SHA1

      90e2e2ef79f534278f2512f539cf4bc6b3ca904d

      SHA256

      08fe18d3dba4229f6b0619d8531191fa660818d66e65c44757cad920c758b08c

      SHA512

      939a69f1bbd8191fc70bfabf90d2a2709486825ce9e4b8b205301142352b682ebe1358d1197de5d7e72a25a84c2523b0803d71015aef12416b0218655325f955

    • memory/1940-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/1940-101-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2548-0-0x0000000000400000-0x0000000000496000-memory.dmp

      Filesize

      600KB