Analysis

  • max time kernel
    149s
  • max time network
    110s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-06-2024 03:56

General

  • Target

    a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    a3c059f6e292c34cdb25843d8d476568

  • SHA1

    70cdebf5cb35849003faa7b46234ac41d9729d10

  • SHA256

    17fe9527a24327cb25e9d87429e849a87e99f871d1848d71220b59f63e960847

  • SHA512

    be3d976b244aad841a887a0fb5e41737bc77ef75188272eba9c3866f1208dab0b75416e87d9441767684275b5bccfea08bb6d7d5e5cf796d3b4e5f33acefbd16

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6I:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5t

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 9 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 13 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1184
    • C:\Windows\SysWOW64\fxwyzdnyiq.exe
      fxwyzdnyiq.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:724
      • C:\Windows\SysWOW64\fhaerkjn.exe
        C:\Windows\system32\fhaerkjn.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4992
    • C:\Windows\SysWOW64\gwqcmizudworijd.exe
      gwqcmizudworijd.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2280
    • C:\Windows\SysWOW64\fhaerkjn.exe
      fhaerkjn.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2720
    • C:\Windows\SysWOW64\yruipirqpnmsh.exe
      yruipirqpnmsh.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:692
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:1940

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

    Filesize

    512KB

    MD5

    9c3f1e2ae59f97a25815a62fe9e0cb34

    SHA1

    91ef92e30c0ddc32a13cd805cbe892acb0f5c059

    SHA256

    85a5f7860089d47de05c76a95d6c5d4777c85cb80097a15b89da23ec5451090f

    SHA512

    f92181230dec3767f96c611a0e280cdf3eb271e3304117fddeab8aaafdd7a9574bd1974aa8bf889f19169b1254cc52628dc0278c9ca90cf38cfd7e78d20bac60

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

    Filesize

    512KB

    MD5

    8ae4a27d3edcd1e154e530ed0407cfe7

    SHA1

    0b8c16c7cf09f0866915b69a2408fca2c91a3899

    SHA256

    d2c566242160611a35365e354b9272195f218b61b2d3eb99976918302613bd5e

    SHA512

    16447ca0a7f5b35af676bcb9ae121edb2f181d3a26673ea43eae84bd60f1b065c25afecf0a394581821edfced3782a22f42cca6626c6b7e4bffefc3c45061424

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

    Filesize

    239B

    MD5

    12b138a5a40ffb88d1850866bf2959cd

    SHA1

    57001ba2de61329118440de3e9f8a81074cb28a2

    SHA256

    9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf

    SHA512

    9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

    Filesize

    3KB

    MD5

    8f5c44e1551e133335388ab8900e956f

    SHA1

    1c115828a253459d609ebc7beb11283e6f94d2be

    SHA256

    8e4f760f7ddc9edb116aa6dfd13e9a7171b9c088ca201ce13238c62e745bd3c4

    SHA512

    7d5c83f19c5ebb15ef54a738c8352e457328019a0e209bb754a3049c0617f20f360a1dd5863304fc3e3c2946b1f0a994b4facc20fcd16668ad1f615c4bc2461c

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

    Filesize

    3KB

    MD5

    c2d8b34f0559f63b157ae8a75090f341

    SHA1

    ae20a342ab7bc08149dce71b96bec5c94541362e

    SHA256

    1acbe893259c639ceb26cb6596dbc4fb3b3521079aba3262e45088bed9495d05

    SHA512

    a1b97dd9e7929267407b16e6cf51d4dbc6f5eb920cbfafb497b54e7e74c1ad0b6c3ff787b877f45358802d703cdde67212abc385af2b413540bf9735dc0f7f97

  • C:\Windows\SysWOW64\fhaerkjn.exe

    Filesize

    512KB

    MD5

    407df293b5887f17853bf76153584693

    SHA1

    bf1f601df9aff0e6cdb5f946968225a6482d5ba7

    SHA256

    1036fb08179cb716bef7e77d4e8ca67644d66b90e544f883a2ed52a5025d443d

    SHA512

    08b6e2712d8f9cdf7929ad46264b7b62a937213b718ab8aa7d6581604dac2014c7405cedc4ccffd37b305e365dc0d986eff72c7ce575595f7acac7c76d04bf6d

  • C:\Windows\SysWOW64\fxwyzdnyiq.exe

    Filesize

    512KB

    MD5

    74be7c489d44fb5f4bdf0a13bfbf761d

    SHA1

    e562f2dd22baa77029be723fdedadcfc267d56b3

    SHA256

    59a85f76326ea05b56c1706dcb2ffce9f07e5fa4365732cc251a116e7cc5aaa4

    SHA512

    eb0d6529638d00d6441e849b851660d982db9ae23edb413c1cf8e194731da71ead0a5076b2edf875ba828f242adcfe85d5a675b935457ca522f2073364947534

  • C:\Windows\SysWOW64\gwqcmizudworijd.exe

    Filesize

    512KB

    MD5

    da96b0b2544130ce7ff6c8756ef68319

    SHA1

    eb930787c8892f4ad7a8fa277ee33b48c7bb289a

    SHA256

    60c57cf80609f9866a3308433f967564397bba40a34c27ed8b3241fd382a41f0

    SHA512

    ae5103ddaa916f43a688d05d3818584a0d3a153ac77d18d125323367628434976b4d1419ec9b3d5326b65d642f2c19359b4a84cdc841c9c727b2f8516b9da2e4

  • C:\Windows\SysWOW64\yruipirqpnmsh.exe

    Filesize

    512KB

    MD5

    2698d60e65f55656f96b8da07b80ec8d

    SHA1

    13fec9150aba07ec26df8da497f55866bb0f2cdc

    SHA256

    8f1f5ea66610b82d42b32759bf17a9deeb4db2399371c98dcad23ea08a7853d1

    SHA512

    1a7b1c7c26be65bed93e9cde84e21416045198b7102757df5a08a53c03e475739ca93ce4dd758096d8804f420d0a8ee0c1681f06db07923a879ec003bbffbe6a

  • C:\Windows\mydoc.rtf

    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

    Filesize

    512KB

    MD5

    f4ab3aaed00ff5461e4237464f4fbb91

    SHA1

    b6ef20a2cce50efca0a67df9827d5b674343ff66

    SHA256

    9f126d99783935695b56b021efa3d5ee37f79ee8dae6561d7a17fca573f20201

    SHA512

    5e6247bb63efdc5943d9326d2f55b1f52c0ae44c30d4b565777cc27b7a36f111e333f3a2b304065213a171523867eb97084cb136c1b6a0dd79d10c093795d7b2

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

    Filesize

    512KB

    MD5

    d08872027844dc610b55026dc9f9ad46

    SHA1

    20d182a8d5f6a0c34d7bb6f89cd2a690b3bd3380

    SHA256

    ae6c0a52f6f31efc947d991c94ec76673bfa4c07dc21fe7f93b1d569aa738de0

    SHA512

    a0fed8fce3c0b9f7df6816b7be27ec7dd7d6e0fdc3c115f7c7b4d72dd0c506fed61d3766410e11e3ba738148a1367890087cbaafe6ad24957513b72169bf1391

  • memory/1184-0-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB

  • memory/1940-37-0x00007FFE4F9B0000-0x00007FFE4F9C0000-memory.dmp

    Filesize

    64KB

  • memory/1940-40-0x00007FFE4F9B0000-0x00007FFE4F9C0000-memory.dmp

    Filesize

    64KB

  • memory/1940-38-0x00007FFE4F9B0000-0x00007FFE4F9C0000-memory.dmp

    Filesize

    64KB

  • memory/1940-39-0x00007FFE4F9B0000-0x00007FFE4F9C0000-memory.dmp

    Filesize

    64KB

  • memory/1940-43-0x00007FFE4D100000-0x00007FFE4D110000-memory.dmp

    Filesize

    64KB

  • memory/1940-41-0x00007FFE4F9B0000-0x00007FFE4F9C0000-memory.dmp

    Filesize

    64KB

  • memory/1940-42-0x00007FFE4D100000-0x00007FFE4D110000-memory.dmp

    Filesize

    64KB

  • memory/1940-114-0x00007FFE4F9B0000-0x00007FFE4F9C0000-memory.dmp

    Filesize

    64KB

  • memory/1940-115-0x00007FFE4F9B0000-0x00007FFE4F9C0000-memory.dmp

    Filesize

    64KB

  • memory/1940-116-0x00007FFE4F9B0000-0x00007FFE4F9C0000-memory.dmp

    Filesize

    64KB

  • memory/1940-113-0x00007FFE4F9B0000-0x00007FFE4F9C0000-memory.dmp

    Filesize

    64KB