Analysis

  • max time kernel
    149s
  • max time network
    110s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-06-2024 00:20

General

  • Target

    a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    a31da94f9abda3681199df91e2cc364a

  • SHA1

    118550ed6b4e99cb117c2e1409af456499d549c3

  • SHA256

    0def2b2922ba6a3ccdc47a8b0b7c7685772f0fd3d0a4c35d90cf423e54e58041

  • SHA512

    d53c5bb3bfe3737483f17e1796cd2960147d1a7cf45882424801a912410ca624e9d94d6fce784daa8b2674827b12b47d956c87e622fc447135c92b786df8caf5

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6n:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5C

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 9 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3096
    • C:\Windows\SysWOW64\vuqdslaqgw.exe
      vuqdslaqgw.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:5076
      • C:\Windows\SysWOW64\caqckuag.exe
        C:\Windows\system32\caqckuag.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:3084
    • C:\Windows\SysWOW64\gceqfznzigtyffl.exe
      gceqfznzigtyffl.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4848
    • C:\Windows\SysWOW64\caqckuag.exe
      caqckuag.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2716
    • C:\Windows\SysWOW64\esrywywaywwbw.exe
      esrywywaywwbw.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:5016
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:3652

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

    Filesize

    512KB

    MD5

    b3e2360020de0543038cd1dd37d9c63e

    SHA1

    0c9199b2d7bb8a76b62e27b12d3ac08d758deab0

    SHA256

    a8cbb3d48f815bcd38131b03ad686aa838cc9bb4963fc85e456200a08b62e981

    SHA512

    163139b88725a2af1deb25cbe6477b8a1717fc02fbe120068d8bed078d0a6777ea2137ccae241bb7ecacfb495920c20107c2c92ee5af2fba1eeed939412ec303

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

    Filesize

    239B

    MD5

    12b138a5a40ffb88d1850866bf2959cd

    SHA1

    57001ba2de61329118440de3e9f8a81074cb28a2

    SHA256

    9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf

    SHA512

    9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

    Filesize

    3KB

    MD5

    6bdb066cb6c008a7060f69d6f0e5a68f

    SHA1

    67780197ba54a01c07f79ba285e863ef7bd1bb5c

    SHA256

    a413418215ab89663bdda44da089c9e2d8de434508cb05bee47ece09c44bc44d

    SHA512

    5df2a60e4ab349e0d2e8e3df7304cef17f274d044b8e5de3fe916a12a69333e33684c5e5e2fa17b6c789ddb8e31ddcb417392e727dd959737c8e19796b5c261f

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

    Filesize

    3KB

    MD5

    3dddb578ec9cec548169ca988348d291

    SHA1

    ce3cc250142f882bec42a8f16a203b3feef631f6

    SHA256

    ba3f20392e5e8ea594a1045e455533cf678c019cb3ba2b821deec371e3b2c916

    SHA512

    7f0dd0fc4e924bc126a1c9b282d4ca82e536ba48e82f7684d39561c0c77ff4cdd0c823cab18f26be66bbd2430cf4b0288f588b74bda799a3763a70164343b4ea

  • C:\Windows\SysWOW64\caqckuag.exe

    Filesize

    512KB

    MD5

    5e0846ddfaeb2fa39c74459a49893a70

    SHA1

    e5cdf9d0e9532820de49ec3ff0c68ded49661f7f

    SHA256

    f7fdaf457516b0b9ec8e81d607c03efd61680246f968dc01fc3dfdb9653c6b11

    SHA512

    5048c65f7f16d3dcf2d8b81da0c0a4a9d676e3ce0d020287b24cb199dda2835b078fbd9763f8a7f7f2e2ca3c5b42fe1ede16c306da8976edea2c4d98260f1339

  • C:\Windows\SysWOW64\esrywywaywwbw.exe

    Filesize

    512KB

    MD5

    2aaba6dfa9bd0fafead0c14a32bd2577

    SHA1

    a01a2a3311e7b92cd7e22951d9a2ab44bc03931a

    SHA256

    c6e99fab1f10ea94fab4a22ce9fb7457c648c33eab83ccb4488c495d6cc3d3ee

    SHA512

    3581692b9124c82c5a170c5a9890e1139d9b8f2cb11ed2c79a97224dc0ea8e51ad767b65fe7690d13212339db1ba71f961d1e8b136431b6e773db26f98340ffb

  • C:\Windows\SysWOW64\gceqfznzigtyffl.exe

    Filesize

    512KB

    MD5

    d85aa3f4674d276535648f7098570fea

    SHA1

    1be33e113391730bbc82e5380aba74f02eba5bf3

    SHA256

    283d59f7db29c7d1bd24b81b848a6e4ca557194a84ced79cd35935739fd0d620

    SHA512

    73e1afe1f9ac43981e199316f5732ab667a20ae7455eb4762e830e6f480f4033c298c28b015ce044f9665e570b61a05f016759d701cd9d186965e64512b317a9

  • C:\Windows\SysWOW64\vuqdslaqgw.exe

    Filesize

    512KB

    MD5

    bef9db029985d581cfac2b7552531918

    SHA1

    ef56d3e9f7f2600b97ec2e1c21f43e2b347dcd82

    SHA256

    a177f24f9e62bebb1db2579f5d79c9748da9996695530eddcb390c06ab656616

    SHA512

    9ddf93083cb8684bc95678483aea4acce91cb3ce3018b66aa1c7e437606b6fb252ef53516dcd90d166557687c5e84c191749da133db139e46c3a148dcc05008c

  • C:\Windows\mydoc.rtf

    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

  • \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

    Filesize

    512KB

    MD5

    24026aca0d8cdb9fb8056e791871d40b

    SHA1

    4f40f85eb8d66a637c75126768fea63b105db8fa

    SHA256

    dd7bfa56173679f4688b7c06462ad172a32e83a9086117356436c0f31f4d1df2

    SHA512

    91904595050ee48b1a8fbbfc6ed6aea1598b212074a92738066adb4bf124eb8cb51766056d9ca7d1febeed0617d542099eea29dbdae4a219ae53d9d3c51dd37d

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

    Filesize

    512KB

    MD5

    2c515395ae306a044f82caee4b3f4bd9

    SHA1

    8ea7e3ae84d8d0c393b04084cd2ba0ac9e597251

    SHA256

    77adc4b863288fb2cdf03f9e17a5b7e28da6e0937cac98e280526ffbb3c17eaf

    SHA512

    eb90d38b99c61acf9e5bf39a6b5df700958a00ab353e719815431a280380349b1b3687d22105c4f035c04b7eccf671aca5de87246beabd6c96015099e3fe7ddf

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

    Filesize

    512KB

    MD5

    a21db77de178be5d6cca3b8786122be1

    SHA1

    4c3ad726076306d8bea98ecc5197064e4b66fdee

    SHA256

    bf27594c12380d322617af359e36ba285c60a5d7e4aa5c2be2b5e95faec867cc

    SHA512

    f0349bc016014f452065d81cace1cd968c1872d36f41e38723d4f25a9608496725dd615e9325a1300bdc951793b8d551f004840e3b5dc37ecca939a1fe779c02

  • memory/3096-0-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB

  • memory/3652-40-0x00007FF9D4690000-0x00007FF9D46A0000-memory.dmp

    Filesize

    64KB

  • memory/3652-38-0x00007FF9D4690000-0x00007FF9D46A0000-memory.dmp

    Filesize

    64KB

  • memory/3652-41-0x00007FF9D4690000-0x00007FF9D46A0000-memory.dmp

    Filesize

    64KB

  • memory/3652-43-0x00007FF9D2410000-0x00007FF9D2420000-memory.dmp

    Filesize

    64KB

  • memory/3652-39-0x00007FF9D4690000-0x00007FF9D46A0000-memory.dmp

    Filesize

    64KB

  • memory/3652-37-0x00007FF9D4690000-0x00007FF9D46A0000-memory.dmp

    Filesize

    64KB

  • memory/3652-42-0x00007FF9D2410000-0x00007FF9D2420000-memory.dmp

    Filesize

    64KB

  • memory/3652-113-0x00007FF9D4690000-0x00007FF9D46A0000-memory.dmp

    Filesize

    64KB

  • memory/3652-114-0x00007FF9D4690000-0x00007FF9D46A0000-memory.dmp

    Filesize

    64KB

  • memory/3652-115-0x00007FF9D4690000-0x00007FF9D46A0000-memory.dmp

    Filesize

    64KB

  • memory/3652-112-0x00007FF9D4690000-0x00007FF9D46A0000-memory.dmp

    Filesize

    64KB