Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-06-2024 04:33

General

  • Target

    a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    a3d4cfe513c883044de3b8fd4a1ed5f0

  • SHA1

    d92972584ba16cfca2260219f792daacd100797f

  • SHA256

    7a1fef7798f1bd2b7918626286e4a77c51674e9d4fbadf35951b96da6871129e

  • SHA512

    bed8b70377c727330fcfe510a2b704738acc8ac12e9ddbf81c99c0db051302500f174815652322237f2cda0c76f7aecd37bc03a441ca05f84db6d26ae380b828

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6i:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5L

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 7 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 47 IoCs
  • Suspicious use of SendNotifyMessage 34 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
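
The Explorer, RegEdit, WinLogon and Run-key signatures above all come down to a handful of well-known registry values. The script below is an added example, not part of the sandbox report or of the sample: it parses a `reg export` text dump and flags those values. The key and value names are the standard Windows locations the signatures refer to; the .reg text in SAMPLE_REG and the `example.exe` path in it are constructed, because the report lists only IoC counts, not the values this sample actually wrote.

```python
"""Flag the registry changes behind the Explorer, RegEdit, WinLogon and Run
signatures in a `reg export` text dump.

Added example, not taken from the sandbox report. The key and value names
are the standard Windows locations those signatures refer to; SAMPLE_REG is
CONSTRUCTED for illustration (the report lists only IoC counts, not the
values this sample wrote) and example.exe is a placeholder.
"""
import sys

ADVANCED = r"HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED"
POLICIES = r"HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM"
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON"
RUN_KEYS = (
    r"HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN",
)


def dword(value):
    """Decode a `dword:xxxxxxxx` export value; None if the value is another type."""
    return int(value[6:], 16) if value.lower().startswith("dword:") else None


def unquote(value):
    """Undo .reg string quoting: strip the quotes and un-double the backslashes."""
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return value[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    return value


# (key, value name, meaning, predicate that is True when the value is in the bad state)
WATCHLIST = [
    (ADVANCED, "HIDEFILEEXT", "known extensions hidden in Explorer (masks names like X.DOC.exe)",
     lambda v: dword(v) == 1),
    (ADVANCED, "HIDDEN", "hidden files not shown in Explorer", lambda v: dword(v) == 2),
    (ADVANCED, "SHOWSUPERHIDDEN", "protected OS files not shown in Explorer", lambda v: dword(v) == 0),
    (POLICIES, "DISABLEREGISTRYTOOLS", "RegEdit disabled by policy", lambda v: (dword(v) or 0) != 0),
    (WINLOGON, "SHELL", "WinLogon Shell is not explorer.exe",
     lambda v: unquote(v).strip().lower() != "explorer.exe"),
    (WINLOGON, "USERINIT", "extra program chained onto WinLogon Userinit",
     lambda v: unquote(v).strip().lower().rstrip(",") != r"c:\windows\system32\userinit.exe"),
]


def parse_reg_export(text):
    """Return {KEY: {VALUE_NAME: raw_value}} from .reg text (keys and names upper-cased)."""
    tree, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].upper()
            tree.setdefault(key, {})
            continue
        if key is None or "=" not in line:
            continue
        # Split on the first '=': exported value names are quoted and rarely contain one.
        name, _, value = line.partition("=")
        name = "(DEFAULT)" if name == "@" else name.strip('"').upper()
        tree[key][name] = value
    return tree


def audit(tree):
    """List watchlist values in a bad state plus every autostart entry under the Run keys."""
    findings = []
    for key, name, meaning, is_bad in WATCHLIST:
        value = tree.get(key, {}).get(name)
        if value is not None and is_bad(value):
            findings.append({"key": key, "name": name, "value": unquote(value), "meaning": meaning})
    for key in RUN_KEYS:
        for name, value in tree.get(key, {}).items():
            findings.append({"key": key, "name": name, "value": unquote(value), "meaning": "autostart entry"})
    return findings


# CONSTRUCTED export in the state these signatures describe; not the sample's real IoCs.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt"=dword:00000001
"Hidden"=dword:00000002
"ShowSuperHidden"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Windows\\SysWOW64\\example.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"example"="C:\\Windows\\SysWOW64\\example.exe"
'''

if __name__ == "__main__":
    # `reg export HKCU out.reg` writes UTF-16; pass that path, or run on the constructed sample.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_REG
    for f in audit(parse_reg_export(text)):
        print(f"{f['meaning']}: {f['key']}\\{f['name']} = {f['value']}")
```

Note that `HideFileExt=1` is also the Windows default, so on a live host that finding is informational on its own; it matters here because the sample sets it alongside the other values, and because hidden extensions are what make a name like `PROTTPLN.DOC.exe` look like a document. A `Shell` value of `explorer.exe` is left unflagged, so the check only fires on actual tampering.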

Processes

  • C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2436
    • C:\Windows\SysWOW64\ppvujbrfvi.exe
      ppvujbrfvi.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2760
      • C:\Windows\SysWOW64\qzjoemzj.exe
        C:\Windows\system32\qzjoemzj.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        PID:2488
    • C:\Windows\SysWOW64\blybfzebdmfwdqi.exe
      blybfzebdmfwdqi.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2756
    • C:\Windows\SysWOW64\qzjoemzj.exe
      qzjoemzj.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2644
    • C:\Windows\SysWOW64\pzpoowuqldmrj.exe
      pzpoowuqldmrj.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2520
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2560
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:2280
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1768
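
The process tree above reduces to a few detection rules that an analyst can run over endpoint telemetry: a binary that was written earlier in the trace and then executed, an Office application started by something other than the shell on a document that lives under C:\Windows, and a file write whose name carries a document extension in front of an executable one. The script below is an added example, not part of the report; the process events carry the PIDs, images and command lines shown in the tree, while the file-write events are constructed to be consistent with the "Drops file in ..." signatures, since the report gives counts rather than which process wrote which file. The event schema (`kind`/`pid`/`ppid`/`image`/`cmdline`/`target`) is this example's own, not a Sysmon or EDR format.

```python
"""Re-derive three behaviours from the report's process tree as detection rules:
'Executes dropped EXE', Office opening a document from C:\\Windows under a
non-shell parent, and double-extension file writes such as PROTTPLN.DOC.exe.

Added example, not part of the sandbox report. Process events use the PIDs,
images and command lines from the report's tree; 'file' events are
CONSTRUCTED to match the 'Drops file in ...' signatures. The schema
(kind/pid/ppid/image/cmdline/target) is this example's own.
"""
import ntpath
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
DOC_EXTS = {".doc", ".docx", ".dot", ".rtf", ".xls", ".pdf"}
EXE_EXTS = {".exe", ".scr", ".com", ".pif"}
TEMP_EXE = r"C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe"
OFFICE14 = r"C:\Program Files (x86)\Microsoft Office\Office14"


def proc(pid, ppid, image, cmdline):
    return {"kind": "process", "pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}


def filewrite(pid, target):
    return {"kind": "file", "pid": pid, "target": target}


EVENTS = [
    # explorer.exe and the submitted sample are both roots in the report; parents unknown
    proc(1768, None, r"C:\Windows\explorer.exe", "explorer.exe"),
    proc(2436, None, TEMP_EXE, f'"{TEMP_EXE}"'),
    # CONSTRUCTED: the Temp process writes the four SysWOW64 binaries and the lure document
    filewrite(2436, r"C:\Windows\SysWOW64\ppvujbrfvi.exe"),
    filewrite(2436, r"C:\Windows\SysWOW64\blybfzebdmfwdqi.exe"),
    filewrite(2436, r"C:\Windows\SysWOW64\qzjoemzj.exe"),
    filewrite(2436, r"C:\Windows\SysWOW64\pzpoowuqldmrj.exe"),
    filewrite(2436, r"C:\Windows\mydoc.rtf"),
    proc(2760, 2436, r"C:\Windows\SysWOW64\ppvujbrfvi.exe", "ppvujbrfvi.exe"),
    proc(2488, 2760, r"C:\Windows\SysWOW64\qzjoemzj.exe", r"C:\Windows\system32\qzjoemzj.exe"),
    proc(2756, 2436, r"C:\Windows\SysWOW64\blybfzebdmfwdqi.exe", "blybfzebdmfwdqi.exe"),
    proc(2644, 2436, r"C:\Windows\SysWOW64\qzjoemzj.exe", "qzjoemzj.exe"),
    # CONSTRUCTED: an Office template is replaced by a double-extension executable
    filewrite(2644, OFFICE14 + r"\1033\PROTTPLN.DOC.exe"),
    proc(2520, 2436, r"C:\Windows\SysWOW64\pzpoowuqldmrj.exe", "pzpoowuqldmrj.exe"),
    proc(2560, 2436, OFFICE14 + r"\WINWORD.EXE", f'"{OFFICE14}\\WINWORD.EXE" /n "C:\\Windows\\mydoc.rtf"'),
    proc(2280, 2560, r"C:\Windows\splwow64.exe", r"C:\Windows\splwow64.exe 12288"),
]


def executed_dropped_files(events):
    """'Executes dropped EXE': a process whose image was written earlier in the same trace."""
    written, hits = {}, []
    for ev in events:
        if ev["kind"] == "file":
            written.setdefault(ev["target"].lower(), ev["pid"])
        elif ev["image"].lower() in written:
            hits.append({"image": ev["image"], "written_by": written[ev["image"].lower()], "pid": ev["pid"]})
    return hits


def office_opened_from_non_shell_parent(events):
    """Office launched by something other than explorer.exe on a document under C:\\Windows."""
    by_pid = {ev["pid"]: ev for ev in events if ev["kind"] == "process"}
    hits = []
    for ev in by_pid.values():
        if ntpath.basename(ev["image"]).lower() not in OFFICE_APPS:
            continue
        parent = by_pid.get(ev["ppid"])
        parent_name = ntpath.basename(parent["image"]).lower() if parent else "<unknown>"
        # first quoted or bare argument that points into C:\Windows
        doc = re.search(r'"?(c:\\windows\\[^"]+)', ev["cmdline"], re.I)
        if parent_name != "explorer.exe" and doc:
            hits.append({"pid": ev["pid"], "parent": parent_name, "document": doc.group(1)})
    return hits


def double_extension_writes(events):
    """File writes named like <name>.<docext>.<exeext>, e.g. PROTTPLN.DOC.exe."""
    hits = []
    for ev in events:
        if ev["kind"] != "file":
            continue
        stem, outer = ntpath.splitext(ev["target"])
        inner = ntpath.splitext(stem)[1]
        if outer.lower() in EXE_EXTS and inner.lower() in DOC_EXTS:
            hits.append({"pid": ev["pid"], "target": ev["target"]})
    return hits


if __name__ == "__main__":
    for h in executed_dropped_files(EVENTS):
        print(f"dropped by PID {h['written_by']}, run as PID {h['pid']}: {h['image']}")
    for h in office_opened_from_non_shell_parent(EVENTS):
        print(f"PID {h['pid']}: Office started by {h['parent']} on {h['document']}")
    for h in double_extension_writes(EVENTS):
        print(f"PID {h['pid']} wrote double-extension file {h['target']}")
```

The first rule matches on the image path only, so it also catches the second copy of `qzjoemzj.exe` (PID 2488) that `ppvujbrfvi.exe` started rather than the Temp process. The second rule deliberately ignores the `splwow64.exe` child, which is the ordinary 32-bit print spooler helper WINWORD launches and carries no document argument.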

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

      Filesize

      512KB

      MD5

      fe8f384b58d925c2f4850ead8a552e85

      SHA1

      1916a120887360bc76e370c38e82baf3c4ca16eb

      SHA256

      d2317d53ee612fcaac008e6b06c86312ccbd4aa4316cdd49c47a9dd96de91200

      SHA512

      b52ef067760efebb85f6ed56800ea0381d6ebd0ff9bea023c6c1957659eb588bd6f73be0b9eaded6c9d6f1de9c6f48b04ab00394847fb4af96dcf165b6118d85

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

      Filesize

      512KB

      MD5

      dc5ef7e60ed56daede20881d80aa3e1e

      SHA1

      23b7076713eacddc2268ae97353aedfead0a2d52

      SHA256

      46e50b8c6b014e6fa2892fc5ffeefb6d4647ee1cd299a5295b6af958fd8875d2

      SHA512

      de546965ddc1d10d7ee55d1252a0b530449c4b360a36013fc5c003ab750056ffba8282ae2a695a721b798a79b2003e890b8c224b50f9ace06a8ce5edb4a66950

    • C:\Windows\SysWOW64\blybfzebdmfwdqi.exe

      Filesize

      512KB

      MD5

      409870ab39b67b778c6b09f98a803f2d

      SHA1

      b9749be8d70c286b26c87cb249e093fdd97ba38b

      SHA256

      998b15b6b8bef6d00a368ff99228b6f9daa8b86ffc67c94eb4fb99b8573c087b

      SHA512

      97ae3b6166f7594f5d6e0381314d4e9ba9124cc040a4db0fcaa5d6b42ef3dbe835eb22cb5582bef483a80e93e4108e3702b0b146ca94f033e73d4d40970d4187

    • C:\Windows\SysWOW64\pzpoowuqldmrj.exe

      Filesize

      512KB

      MD5

      564654b69b18d76d2aab10fe67813c37

      SHA1

      b37b2721ac7bff00cd671ddfe0114822e9eb6a30

      SHA256

      d2d8da2369ee09f37a1b6d43c5dfdb2399ed118fa9ff5d984882ae898ede9972

      SHA512

      ea68259f2cac3d374f62d3765c6625590b04fb8162757a5c90e2e501533a4845be15abc07a17f8ae54fa01618ca8534725e4d8c31605c0459e440055bb7fb98c

    • C:\Windows\mydoc.rtf

      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    • \Windows\SysWOW64\ppvujbrfvi.exe

      Filesize

      512KB

      MD5

      75723c59cd00b4a389649180831afef8

      SHA1

      5d3222ddfbb5f8b724ce6f9e87af948fcaf3278b

      SHA256

      ab626f9a3458fe215f837862b5ca3b310853609a563f12c6007dbd671dbf5caa

      SHA512

      88737762d7e1b7be301d0acf407db55ea91a61b5a3cd0a1c97e49964c4889984d3c90ea3a2a34568acc4df7441dbcbc37355163c43d8fa268347872788b76beb

    • \Windows\SysWOW64\qzjoemzj.exe

      Filesize

      512KB

      MD5

      001a3f120a03c5c3a4850715abeb5541

      SHA1

      c7c124728a212efee6df3734fba2419b3298bdef

      SHA256

      d32dd78c60fc0be6915c8ef115c08510a560d3fb774aadf27d7c0386b957d3e8

      SHA512

      f7ed196fbcfa73ae5dc7b71ec91a8b5b6d9683faeb1980cfec2cbe332a22d17898bc98d06a869b38bbb145c78359c250bd0c8f52bd10d90ddfaefe64f3ed325c

    • memory/1768-85-0x0000000003930000-0x0000000003940000-memory.dmp

      Filesize

      64KB

    • memory/2436-0-0x0000000000400000-0x0000000000496000-memory.dmp

      Filesize

      600KB

    • memory/2560-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB
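
To hunt for these artefacts on a host, hash every file under the directories the sample wrote to (SysWOW64 and the Office template folder) against the SHA256 values in the Downloads list above, and check each binary for the `AU3!EA06` marker that AutoIt3 embeds in compiled scripts, which is what the "AutoIT Executable" signature earlier on the page refers to. The script below is an added example, not part of the report: the hash table is copied from the Downloads and General sections, but the directory it scans by default is built from constructed stand-in files whose hashes will not match, and the report does not say which of the dropped files carries the AutoIt marker.

```python
"""Hunt for the report's dropped files on disk: hash every file against the
SHA256 values from the Downloads list and test for the compiled-AutoIt marker.

Added example, not part of the sandbox report. REPORT_SHA256 is copied from
the report; build_constructed_tree() creates CONSTRUCTED stand-in files whose
hashes will not match. AU3!EA06 is the marker string AutoIt3 embeds in
compiled scripts; the report does not say which dropped file carries it.
"""
import hashlib
import os
import sys
import tempfile

REPORT_SHA256 = {
    "7a1fef7798f1bd2b7918626286e4a77c51674e9d4fbadf35951b96da6871129e":
        "a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe (submitted sample)",
    "ab626f9a3458fe215f837862b5ca3b310853609a563f12c6007dbd671dbf5caa": r"C:\Windows\SysWOW64\ppvujbrfvi.exe",
    "998b15b6b8bef6d00a368ff99228b6f9daa8b86ffc67c94eb4fb99b8573c087b": r"C:\Windows\SysWOW64\blybfzebdmfwdqi.exe",
    "d32dd78c60fc0be6915c8ef115c08510a560d3fb774aadf27d7c0386b957d3e8": r"C:\Windows\SysWOW64\qzjoemzj.exe",
    "d2d8da2369ee09f37a1b6d43c5dfdb2399ed118fa9ff5d984882ae898ede9972": r"C:\Windows\SysWOW64\pzpoowuqldmrj.exe",
    "d2317d53ee612fcaac008e6b06c86312ccbd4aa4316cdd49c47a9dd96de91200":
        r"C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe",
    "46e50b8c6b014e6fa2892fc5ffeefb6d4647ee1cd299a5295b6af958fd8875d2":
        r"C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe",
}
AUTOIT_MARKER = b"AU3!EA06"


def sha256_file(path, chunk=1 << 20):
    """Stream the file through SHA-256 so large files never sit in memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def has_autoit_marker(path, limit=64 << 20):
    """True if the AutoIt3 compiled-script marker appears in the first `limit` bytes."""
    with open(path, "rb") as f:
        return AUTOIT_MARKER in f.read(limit)


def triage(root):
    """Walk `root`; report files that match a report hash or carry the AutoIt marker."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            digest = sha256_file(path)
            ioc = REPORT_SHA256.get(digest)
            autoit = has_autoit_marker(path)
            if ioc or autoit:
                findings.append({"path": path, "sha256": digest, "ioc": ioc, "autoit": autoit})
    return findings


def build_constructed_tree():
    """CONSTRUCTED test data: a fake PE stub carrying the AutoIt marker, plus a harmless text file."""
    root = tempfile.mkdtemp(prefix="triage-demo-")
    with open(os.path.join(root, "compiled_script.exe"), "wb") as f:
        f.write(b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 32 + AUTOIT_MARKER + b"\x00" * 16)
    with open(os.path.join(root, "notes.txt"), "wb") as f:
        f.write(b"nothing to see here\n")
    return root


if __name__ == "__main__":
    # Pass a directory to scan (e.g. C:\Windows\SysWOW64); otherwise scan the constructed tree.
    root = sys.argv[1] if len(sys.argv) > 1 else build_constructed_tree()
    for f in triage(root):
        print(f"{f['path']}\n  sha256={f['sha256']}\n  report_match={f['ioc']}\n  autoit={f['autoit']}")
```

The marker check is a hunting heuristic, not proof of maliciousness: plenty of legitimate tooling is compiled AutoIt, so a hit should be hashed and compared against the report rather than acted on alone. The hash match, conversely, is exact but brittle, since each dropped copy on this page already has a different hash from the submitted sample.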