Analysis

  • max time kernel
    150s
  • max time network
    101s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-06-2024 00:12

General

  • Target

    a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    a316428effee4f96edee4b7601cfc78c

  • SHA1

    62c62a83b191db7672a7aa45235c8446335b6e30

  • SHA256

    3c6d66ea64e12029bda1fa7c1f9432980342dff406af07f91c12156c4e27220b

  • SHA512

    601302185a305d95dddb19aba0dc7f3b34b6028db5d8c0ee32efcad8c1962942f6a49a8587557eb8b20e54279670f8b0f7118411ff38b99ecd5a2443953db831

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6I:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5d

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 9 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 13 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4804
    • C:\Windows\SysWOW64\mkwiblghqr.exe
      mkwiblghqr.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:3792
      • C:\Windows\SysWOW64\ohuurgda.exe
        C:\Windows\system32\ohuurgda.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1068
    • C:\Windows\SysWOW64\cmqklxkydwvdrqh.exe
      cmqklxkydwvdrqh.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3392
    • C:\Windows\SysWOW64\ohuurgda.exe
      ohuurgda.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1756
    • C:\Windows\SysWOW64\wmuddujoyhdlo.exe
      wmuddujoyhdlo.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4240
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:3896

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

    Filesize

    512KB

    MD5

    9553ab7ea22c5f8ce78baa57436b4abc

    SHA1

    c0feef834ccbe82e0841af9ab3b77001ec8b8eff

    SHA256

    14e2c90ec5341805e96949abc3c1e83ac392f8676858a63b75f24205bdd31346

    SHA512

    c0203ec280c3c50447ba76e6f4c3d0a05acaccdfef8d3f06a914840c0c84adfb3c9fea9dcae8eb6eeb2d947084c614ec1559bd783381c4c63f8c03dd78cedc6b

  • C:\Users\Admin\AppData\Local\Temp\TCD7D39.tmp\sist02.xsl

    Filesize

    245KB

    MD5

    f883b260a8d67082ea895c14bf56dd56

    SHA1

    7954565c1f243d46ad3b1e2f1baf3281451fc14b

    SHA256

    ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

    SHA512

    d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

    Filesize

    239B

    MD5

    12b138a5a40ffb88d1850866bf2959cd

    SHA1

    57001ba2de61329118440de3e9f8a81074cb28a2

    SHA256

    9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf

    SHA512

    9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

    Filesize

    3KB

    MD5

    5fe74d5b6d51a7d59897d088a3b30e30

    SHA1

    d7ecb9f598eadde86b6aca2912196888cc858573

    SHA256

    6c6991f1bdedd5a5ee1877d20722bc029173f53bda6ce8bbf698413841020b48

    SHA512

    4f96f885946ab4ac32e831fa716fe315f9fea67a27fb4b0f11e0f501dd3c34699094007281a1efb8754130eaead3a27a2b627cd03f79300c5a6b03a744ea37c2

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

    Filesize

    3KB

    MD5

    3b1b2fa9638e9544c3677add890ef1a3

    SHA1

    1cfd0636dedbaa408164a4ca18bb72394c5f06d9

    SHA256

    1f23b3baaa4c215a05d0341594cb89a410a73bbd8ca0922a6b23e7470d61363e

    SHA512

    5bdc07bbb868f4525ee5661e33c70228e97c4a911adaf20121e25efa9058eb48d8ec4d1da7cb0161be04056c92f269a478bd7e359b74694b9b92aa718d838c08

  • C:\Users\Admin\Desktop\WriteUse.doc.exe

    Filesize

    512KB

    MD5

    c12534fb5833e15169a164aefacaf827

    SHA1

    1c46bfc2929880a0f94c5970777b402599256586

    SHA256

    a231b66e1caa5b5f9fc134ae30cc24d3b3d9ee6ffd831819a6de5fbb7bb70ce3

    SHA512

    c439273065a7e3ac57a02c5598f857115daf0d4607d548c9b2e76f6e5530d1de2be9ea0c6867d98c3d36a6ffa6b76ff1c55ede7c41fec6aae0901713383058fc

  • C:\Windows\SysWOW64\cmqklxkydwvdrqh.exe

    Filesize

    512KB

    MD5

    b39b83062a0aa3103a7dd6c6abc4ed1b

    SHA1

    5533ddb7a18e171771fcde47a952fddc2f9dd80f

    SHA256

    2b36a9499febab2c444c5176bb022c57c690f379b442e5a6d64358c2904603b0

    SHA512

    c57cffb3097dfad26e0572df57b952e6a57cdce973ed4d7f8ea4b7c25cb9deb8bcec8d9e11595854dc4a42478d9d3ec89f8edba1d21438874d39dadf764eb1d6

  • C:\Windows\SysWOW64\mkwiblghqr.exe

    Filesize

    512KB

    MD5

    ce18a4d36dcd1e01885001269f6410b4

    SHA1

    265fc188db1651aa75dd508f739dce7d3fd5a6d1

    SHA256

    18b4b85656ce3b7ef114b6b0ac920e60855d82fce14ea3cdafca49436ec3b971

    SHA512

    c4bb7ec0fa234a2ade1bdc38cd3044cc04372b7b8b424688d97aeeefcebcc7ac3a0cc2cb47158cce1755f90d68e96281393014d1576ef97ce39202dbd7390f14

  • C:\Windows\SysWOW64\ohuurgda.exe

    Filesize

    512KB

    MD5

    d4a3afb70af4b3e2d144754d10d0f728

    SHA1

    5919aadbeb838b4586c2730969a69a62a5b0590b

    SHA256

    b1644fb1fe3ed73c76a54542df14ba55ab6e441e8c3f1e3740cfecff3b08e108

    SHA512

    fc698de6faf2376e1d1340aaa1bc7d4d9e074e22efb2513f1164b0447748c082a4ec43fbe2aaef6052f138d0f2fd966f434baabe17a20e180ca6d7321c7ed6e5

  • C:\Windows\SysWOW64\wmuddujoyhdlo.exe

    Filesize

    512KB

    MD5

    cbb4456a4bd50ad6d6dc5a6a1a9bea33

    SHA1

    32620b65c4da7c1fe1a450cad4409fe623d438f7

    SHA256

    26d726ce75a621d66ca127b2c525fe97743106a75254ee9d02d2cfc0965a12b4

    SHA512

    e5e7bb5d7059a1b13e07a7cfb4af570120b53ec72142310a378fd6eee048bd37ae9786444d9cbf39bfa3e548c5b733a84822195810249c7f8f099472220f6637

  • C:\Windows\mydoc.rtf

    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

    Filesize

    512KB

    MD5

    21c60b3e9e570e8d6641d75d0062d6a1

    SHA1

    953dd0523594b4537bacc17e8b885a6eb2d83fff

    SHA256

    803bfbfe5defdd769cf7023081cb49209e82b7fd53c6ce231cd12e2d8afaeaee

    SHA512

    0bbf66999074a6295588f612b46cd8c7cd2e51fd774bdd626e2a4cc826d2e523559aafd207b1f5baa79e18db795508c96fd49c6a1f38971edc5b918d7ff8fb1f

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

    Filesize

    512KB

    MD5

    9510926baf33191bde745a3fa385130d

    SHA1

    e3be3f65e95917e4b4e1eae6bbe077e5b0625504

    SHA256

    9dfa3409c7185e8494906956ba19b17c4f1f05024b033b6027ebf9e24391c2f2

    SHA512

    b827061fe0a150f4cca1d9fd6eab5c591cbfe34486263082081b7192235a99e9d6b9fbb955c8dc478fbfe3cc90e5070ed1061a69e54d5217974772469a22f9c5

  • memory/3896-594-0x00007FFDE80F0000-0x00007FFDE8100000-memory.dmp

    Filesize

    64KB

  • memory/3896-39-0x00007FFDE80F0000-0x00007FFDE8100000-memory.dmp

    Filesize

    64KB

  • memory/3896-38-0x00007FFDE80F0000-0x00007FFDE8100000-memory.dmp

    Filesize

    64KB

  • memory/3896-36-0x00007FFDE80F0000-0x00007FFDE8100000-memory.dmp

    Filesize

    64KB

  • memory/3896-37-0x00007FFDE80F0000-0x00007FFDE8100000-memory.dmp

    Filesize

    64KB

  • memory/3896-40-0x00007FFDE5CA0000-0x00007FFDE5CB0000-memory.dmp

    Filesize

    64KB

  • memory/3896-35-0x00007FFDE80F0000-0x00007FFDE8100000-memory.dmp

    Filesize

    64KB

  • memory/3896-41-0x00007FFDE5CA0000-0x00007FFDE5CB0000-memory.dmp

    Filesize

    64KB

  • memory/3896-595-0x00007FFDE80F0000-0x00007FFDE8100000-memory.dmp

    Filesize

    64KB

  • memory/3896-596-0x00007FFDE80F0000-0x00007FFDE8100000-memory.dmp

    Filesize

    64KB

  • memory/3896-593-0x00007FFDE80F0000-0x00007FFDE8100000-memory.dmp

    Filesize

    64KB

  • memory/4804-0-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB