Analysis

  • max time kernel
    149s
  • max time network
    114s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-06-2024 04:33

General

  • Target

    a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    a3d4cfe513c883044de3b8fd4a1ed5f0

  • SHA1

    d92972584ba16cfca2260219f792daacd100797f

  • SHA256

    7a1fef7798f1bd2b7918626286e4a77c51674e9d4fbadf35951b96da6871129e

  • SHA512

    bed8b70377c727330fcfe510a2b704738acc8ac12e9ddbf81c99c0db051302500f174815652322237f2cda0c76f7aecd37bc03a441ca05f84db6d26ae380b828

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6i:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5L

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 10 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 13 IoCs
  • Drops file in Program Files directory 22 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3112
    • C:\Windows\SysWOW64\youhviwmvu.exe
      youhviwmvu.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1064
      • C:\Windows\SysWOW64\gyxqrrxh.exe
        C:\Windows\system32\gyxqrrxh.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:3000
    • C:\Windows\SysWOW64\bolcjqqdetygepm.exe
      bolcjqqdetygepm.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:412
    • C:\Windows\SysWOW64\gyxqrrxh.exe
      gyxqrrxh.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2840
    • C:\Windows\SysWOW64\awxxtfcbqaqkx.exe
      awxxtfcbqaqkx.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2480
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:4968

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\InvokeSend.doc.exe

    Filesize

    512KB

    MD5

    680cf6820b893368ddbbae6f888bb556

    SHA1

    232e864d29f5f69d1fa9eb57e5e11d80ea560cbe

    SHA256

    79b77a0419f1b5bf206184dced1f0af09473b507ef5f94dc837aa10cb4e4cd01

    SHA512

    1c84172e2e3812b4b6008f01cba6af339aaf6d456153971f1473a2c102c4ac2c7712a2f639b4e0690527bdaf5118bf85427c325668fa66ee458a4b420c6014e6

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

    Filesize

    512KB

    MD5

    8e88428409eee8b27193e509f7565fa1

    SHA1

    ee1a6145f6e1aa29270b57c3f9ba2506c05ccce6

    SHA256

    c1f53c1138238dc6999dc8990db0e4a13d079a33b4acea3b1701791e9f7c25e6

    SHA512

    1b050294d751d1bc0bd63f92d74570e68728fe55b8abc7b6c788a27c6ab8c7bec498717304ed8aadd4be8c755fd06c7003a3a2e8834ff371fca4ffacb2f315ea

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

    Filesize

    239B

    MD5

    12b138a5a40ffb88d1850866bf2959cd

    SHA1

    57001ba2de61329118440de3e9f8a81074cb28a2

    SHA256

    9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf

    SHA512

    9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

    Filesize

    3KB

    MD5

    1af8ee46bd5b3ad794faf4a88ba9215d

    SHA1

    2791143bde7d7ede72cf4fd771dccf112fd1aea0

    SHA256

    d2560b91ee6d8cd16760517bef6194794e84493d75c41984f222f266e1d13d24

    SHA512

    f61a2e3bd6d5ea148bf4b647c12c08465ca3996a3ee3d6df47d57eb145dbd68f323f05fed1b8c9a072845ee74be67a1c28766fd0a9357e5336c92abd3c702ac2

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

    Filesize

    3KB

    MD5

    ae1e9a33488b618ca6c3d26627fdba8a

    SHA1

    455e344e3f9a9d004fcbcf748ea4776dada5278a

    SHA256

    01bd815591c48ec786cadccf446df8b948e8504fdbfc477118901cc49a388cd5

    SHA512

    fecc08de32bc22bbcac10ee3089cf041b4d7cdef06617294bad485a7d10c673d40863006b2b044250056eed93d8a80d6ccd2d6c07ba62bbca96a080d6722e5ab

  • C:\Users\Admin\Desktop\DismountResolve.doc.exe

    Filesize

    512KB

    MD5

    9b93d392101a800cae76595335269823

    SHA1

    1679ee0b2e04c3e0c542fd318178ec7e0468a503

    SHA256

    57455b02ca52acb226eb68fb43e2e580dd236512c7a423c3a62c24d0c3486474

    SHA512

    537fbc414193ced82b81327379a259a1e6cbd61b209d0e523e4f38038f33825cec3bd10d988eeec25dea96f8f221ead947271617fdfb605140a570642a643e48

  • C:\Windows\SysWOW64\awxxtfcbqaqkx.exe

    Filesize

    512KB

    MD5

    2e7488902cb8b32a48753b8e2a3e7491

    SHA1

    96a5cf3ee30d97294e316d23fdb62bfc94eb39db

    SHA256

    ef59cf30fc287d2bc2cfc1b6b71396a3d0b5a025b1aefa168b998ad9a6ccbf32

    SHA512

    e59189bce0d5365651d8e82efe792cb263cc41da8e98cd13a12ae3c264aef09b7c1bd8cf2ca110ef98b85357f8459d8fb64c3b06111bd4a78d705ba5dd538f43

  • C:\Windows\SysWOW64\bolcjqqdetygepm.exe

    Filesize

    512KB

    MD5

    2aa715a33d34db9b08d3fad41b20daa6

    SHA1

    b43b4e7b78b04168bb8bdd8fec68cc9514aab9de

    SHA256

    4c643fc6106a02155c1d879c7246174038a9780371cc2076300898da07f420b3

    SHA512

    436535f31e8ea6289673146f0c32bcc148ce9d8ac02f9b69672ce7eec7d30bda90bfb541f1dd833eaf573246b47592ca475cf263056f8383eec363f1229a524c

  • C:\Windows\SysWOW64\gyxqrrxh.exe

    Filesize

    512KB

    MD5

    153bb693bb70257c1d5215b7902253f3

    SHA1

    2da9ffcd69a8bd625af996f372f93a8336bd50d8

    SHA256

    3517620eaec1639b5fdcee18e45b54dfe5750e432d0215235780f55231592bc2

    SHA512

    743aedbf0d5fdc924a7a84d3f7455cdbafc77b6b0eac85428f9c5dceab7c17dde7105381be377e8082312af4e4fc2ba9a7634514df280368aaf6ee5e46b2c79c

  • C:\Windows\SysWOW64\youhviwmvu.exe

    Filesize

    512KB

    MD5

    a397301c5a421d3110e557ee12dae517

    SHA1

    5b1b27ed0e299a395d77a2e6776ccc42b2bd160e

    SHA256

    3dad4ea15b7fffec42af0a4c06a164f02277df6dc7d0f00928f23bf7e44b47af

    SHA512

    82000f522eec7bf9d6b668fb049267920a7ac7d56f3d9de699a47e239f8b115b52be3f1fdbb39a29a8268f98810fc499853f681726c1143fc0959c849a912754

  • C:\Windows\mydoc.rtf

    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

  • \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

    Filesize

    512KB

    MD5

    142ee775e95ade3b0506ac99a344e1e6

    SHA1

    7cab6589cd4bf30943e2ae53caee3111d3dac338

    SHA256

    8339bf352e207501738dd211206f8d50fb5b4bec666c87899f1a0b8b5b3c2260

    SHA512

    af93fb8f7d0a1c8cb1833b801ee4c78b52f41930dcd8b9e6e18f21162c5dc44e79d755254145a45728abe0f5f4e8b1f4c2a2641dcce3a766aee428eccbe491e0

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

    Filesize

    512KB

    MD5

    d05f3760517def08d9f25a8b0582b414

    SHA1

    a5b546df6a0a419f160d579d0486e43d36fb2b43

    SHA256

    5fbf008a0fb695f883526e3045a0003ddba1c135a2c698a00b12585348ebe742

    SHA512

    8c1da98ef91286b939f004dfee67578183c9a88968f7c0d07e90e9961a761593fdf87a7ada9706338950df76b4a6f779fc4767f867eb0f78865ba94e58618707

  • memory/3112-0-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB

  • memory/4968-39-0x00007FFCA99F0000-0x00007FFCA9A00000-memory.dmp

    Filesize

    64KB

  • memory/4968-41-0x00007FFCA7390000-0x00007FFCA73A0000-memory.dmp

    Filesize

    64KB

  • memory/4968-38-0x00007FFCA99F0000-0x00007FFCA9A00000-memory.dmp

    Filesize

    64KB

  • memory/4968-37-0x00007FFCA99F0000-0x00007FFCA9A00000-memory.dmp

    Filesize

    64KB

  • memory/4968-36-0x00007FFCA99F0000-0x00007FFCA9A00000-memory.dmp

    Filesize

    64KB

  • memory/4968-35-0x00007FFCA99F0000-0x00007FFCA9A00000-memory.dmp

    Filesize

    64KB

  • memory/4968-40-0x00007FFCA7390000-0x00007FFCA73A0000-memory.dmp

    Filesize

    64KB

  • memory/4968-123-0x00007FFCA99F0000-0x00007FFCA9A00000-memory.dmp

    Filesize

    64KB

  • memory/4968-126-0x00007FFCA99F0000-0x00007FFCA9A00000-memory.dmp

    Filesize

    64KB

  • memory/4968-125-0x00007FFCA99F0000-0x00007FFCA9A00000-memory.dmp

    Filesize

    64KB

  • memory/4968-124-0x00007FFCA99F0000-0x00007FFCA9A00000-memory.dmp

    Filesize

    64KB