Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-06-2024 00:20

General

  • Target

    a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    a31da94f9abda3681199df91e2cc364a

  • SHA1

    118550ed6b4e99cb117c2e1409af456499d549c3

  • SHA256

    0def2b2922ba6a3ccdc47a8b0b7c7685772f0fd3d0a4c35d90cf423e54e58041

  • SHA512

    d53c5bb3bfe3737483f17e1796cd2960147d1a7cf45882424801a912410ca624e9d94d6fce784daa8b2674827b12b47d956c87e622fc447135c92b786df8caf5

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6n:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5C

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 7 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2296
    • C:\Windows\SysWOW64\vuqdslaqgw.exe
      vuqdslaqgw.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2840
      • C:\Windows\SysWOW64\caqckuag.exe
        C:\Windows\system32\caqckuag.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2720
    • C:\Windows\SysWOW64\gceqfznzigtyffl.exe
      gceqfznzigtyffl.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1872
    • C:\Windows\SysWOW64\caqckuag.exe
      caqckuag.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2780
    • C:\Windows\SysWOW64\esrywywaywwbw.exe
      esrywywaywwbw.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2580
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2632
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
        PID:2772

    Network

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

      Filesize

      512KB

      MD5

      2fbba212cf537d0d15c5d6993135e986

      SHA1

      258ea96fa1ea5226be4aa9039a71dbf95387ec81

      SHA256

      a2dd37023c3a7fdd54ed861f54481f23de6ab4a3907ec29e52fdfb2e7c7d42e6

      SHA512

      03df45433a094fef96209028007ba646a24f2ceebc10e5f40b841aeb9760dba6ab4a4f5e6c582ccfdc8935ff2d6c0eeb8e03b10518bccf9b310ed11f46fa2ba5

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      20KB

      MD5

      90cd91da18297b441c5764a45261f3ba

      SHA1

      05f3c790259f12a28b501f064daf9bdbaa1344ae

      SHA256

      9e4cfaf35eee5598b43df6138dec7597ab9e742526e5c2fd6cc46268fd1a1147

      SHA512

      16ce33d1e28d5ac6710d69c9aa189cf5081efe65102c21c956de04e89572c51a3b030365dd733df6e44088f5099915441b82e3b1d61e80651a1df26a6ad7859b

    • C:\Users\Admin\Downloads\GetInvoke.doc.exe

      Filesize

      512KB

      MD5

      5e20ff467be6cf96ae707f9f1f34d6da

      SHA1

      0290475e69f4af7de154c7d872302dc9c9b53c0b

      SHA256

      4e44d782deceedc66a2f922be1388003d2999cf4031e03117bb913fb6a073a11

      SHA512

      ae0d2f5da974a1c2dd37e94eeec2afe55a2423758323b2a736ac194b9e98137497a67dbeb851a99bd3fb9374a45cee41d5f09e402b278fb09be969803e2d7133

    • C:\Windows\SysWOW64\caqckuag.exe

      Filesize

      512KB

      MD5

      128f8411d4ce349fa319bde7fb089726

      SHA1

      366a61781483dc7993107b0eb9f34aada440fbbd

      SHA256

      74e27cfe408dc0ead0e65b998d29d0a2c458dd1511400d8e03a6cec474778b32

      SHA512

      18c24ea21a4098792fd1b27f3e9e53524ee28996da8297d33431382ebc31d5d31347bd6e72ecc699999552877d2e93ab352c96450ab3321d3b06a9a2441318d6

    • C:\Windows\SysWOW64\gceqfznzigtyffl.exe

      Filesize

      512KB

      MD5

      c3d0d72ad2fcd40ae7e305e5509da3a1

      SHA1

      9268c792d781d1943ab767b34e02a340a691d5f8

      SHA256

      884ca0b2d044d514dc01a7a1fe9047c6fd73356196ef42155406e91382b9573a

      SHA512

      7f0e8881b849c75ee8c630b0aa978e88532276137116adfdfbcee190f5655e22e44e205216963071deb33ac6896a35c923d3ed0ffeb23040c02c6ed65d89afdf

    • C:\Windows\mydoc.rtf

      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    • \Windows\SysWOW64\esrywywaywwbw.exe

      Filesize

      512KB

      MD5

      46814d62d6a384c5de33249f6d3baec3

      SHA1

      c3362bef24a2101d141bda977f35ffa86aead697

      SHA256

      be890b3df2d3c364706b3970adeb955445cdf9540cfe63fc38e4dc850747f43d

      SHA512

      30cdc4f6c23032cad446351ae871e919ef112ee1dc758de9b1ac1d33f76555128c87d383fb78774b0bec83ce36a67fea982e3aa3f5488107600437dcc806c618

    • \Windows\SysWOW64\vuqdslaqgw.exe

      Filesize

      512KB

      MD5

      013eaa7e1c397f4c070d90a9c42782da

      SHA1

      0aba05a31e3cf3aba7dffddbabc26a103aecbefb

      SHA256

      43da9ac4ce68a2a1be694b0115e46413116856622aec3e9807c9413fcfa67dcf

      SHA512

      60526b65c6c4a1f12725df360e7dcf4a3585c44295cf2e51a998d6b1296ca8e646c513b0fbd871d51ba15454a8f750fb5ddffb5d86cce44d25bc22647342dbfb

    • memory/2296-0-0x0000000000400000-0x0000000000496000-memory.dmp

      Filesize

      600KB

    • memory/2632-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2632-97-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB