Analysis

  • max time kernel
    151s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-06-2024 04:15

General

  • Target

    a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    a3cba6af2053213e5c97c7e1cf3e54d6

  • SHA1

    12c3245fa21cd0a84a78f0178ba6181509c6fe4e

  • SHA256

    c2f3050f83b17739dc4ed6343275ec86e69d658e06b1230d18bf2fd1669351d6

  • SHA512

    c881faa0900d2b8be206772866519cd3acb9723b602988968fa3edcec3182af429389d11dd2d4939bf950c302fc15671db6a9ca73efb6e7082393bdac14a291c

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6j:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5M

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 9 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 20 IoCs
  • Suspicious use of SendNotifyMessage 20 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2636
    • C:\Windows\SysWOW64\wisgfwkcof.exe
      wisgfwkcof.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2964
      • C:\Windows\SysWOW64\zcucxclu.exe
        C:\Windows\system32\zcucxclu.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1344
    • C:\Windows\SysWOW64\asceuwbuvxoiwlv.exe
      asceuwbuvxoiwlv.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4688
    • C:\Windows\SysWOW64\zcucxclu.exe
      zcucxclu.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2876
    • C:\Windows\SysWOW64\zclowptyihkin.exe
      zclowptyihkin.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1804
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:4056
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4132 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
    1⤵
    PID:2352

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

      Filesize

      512KB

      MD5

      2b425ba0453d8dae977556a430ec48cb

      SHA1

      00ef4e5aa853ca2d58022b198debe52f710dcf05

      SHA256

      932161d69a7a82e68c5cac1f6d0837d9b1b538c9d0951a002fe712e0252c4103

      SHA512

      5fc73c6e2530ad67801d371dd88d70831291036b5ac4c5b98411edc5a8b7a872e4c458c755aad830b47bdb0d23965b120a0cb757d2c65586d75d6b9d3ece5a89

    • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

      Filesize

      512KB

      MD5

      1c7ad6c130469c8161786beb9f42e0f2

      SHA1

      b1f8001c814666990ee05e2342c6bff06e1288b6

      SHA256

      e8a9f0eb4019466dc43e9b9f962edf8fd4f5b5e296634547fb51e8787990097f

      SHA512

      23e66ed26112f95cd574e4833ed3fe170e455e30b1de828386a7454c75ea488d561366c79fda200db9d36c1b70ed11924e6c8c32eac27f0bd040e7db841d4f1b

    • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

      Filesize

      239B

      MD5

      12b138a5a40ffb88d1850866bf2959cd

      SHA1

      57001ba2de61329118440de3e9f8a81074cb28a2

      SHA256

      9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf

      SHA512

      9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

      Filesize

      3KB

      MD5

      ca3c4f94255e73f27ae128cb0893c796

      SHA1

      e1132c806759bba253f8239db0838e849c910534

      SHA256

      2c8e204011969f8e2cc2a8e9503d695218c3710793f9fd06b6237fdd2b4403d4

      SHA512

      2b53824460c35de5c470c09447542692003f9e418ebb0523c5ab394e97d34bef0ce5f7e8027d99887dfa3fa9db4461e97e646a88e42e7a24b3067ba3c12cd22b

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms~RFe58561a.TMP

      Filesize

      3KB

      MD5

      bbd6302e4eb6c20dc5508083fb672412

      SHA1

      4a616d0d854ead779da89b10600b722d52615a72

      SHA256

      3fee187f29bac2885388b8314a3bfd148adcdcc79cb91b13894fbbf30f8f3a8c

      SHA512

      02c9b1714170bd24c5ad7acdc18920911704578f28c6a2174b561fb8a7f66a06ae25e74775ffd762a4dd7a183d40463e0d8d542a20fbcecfb0cc7a0c654093d9

    • C:\Users\Admin\AppData\Roaming\UnlockWatch.doc.exe

      Filesize

      512KB

      MD5

      316f4c076bab357826b5dabdb7e82415

      SHA1

      4f9fe728b14c29080dffe1d0eb45c3dfa15bcb88

      SHA256

      59b9555f625a39d43d2464bab74a37dbd03e57287ec7e0c067843a3e8e20e466

      SHA512

      0c6d9780c97e905b3998bcc17eba53da70347f8418b144dca17f57d022160d6c8b6c70c44c3c9ccd04b53ae4f2d91cc4766fd8249036c7cf9354802cc3779a90

    • C:\Windows\SysWOW64\asceuwbuvxoiwlv.exe

      Filesize

      512KB

      MD5

      60f3d57abd84fe8bbf1eae4dad364d3d

      SHA1

      190691c709b42276d47c5ea97286e00553236634

      SHA256

      e8a50e1f1ac678d5c810ab0c43a00b366feb238b21eec579333bb406d35daea3

      SHA512

      b94e4f6d8800769d9d9f924dd49998dbf94f6392b655d015388de154ae8591f06529aaa0731111c9e71af322e632106504a57f4767cc20b804b2a0acc17274ee

    • C:\Windows\SysWOW64\wisgfwkcof.exe

      Filesize

      512KB

      MD5

      18fe070c2f9c8197337da47c7cba2cae

      SHA1

      0dc45ee6fa98f1b3f87cc7ba470ff008a3c3a55a

      SHA256

      d0407a319c0c7114d29d5b6190534ff489ef90629a6bcae98967c830c7a96d88

      SHA512

      f28dd120b87b78d9f0a1669c601cc7fb3d5613ca3de6f083e85395765ec0c0ec77fe324313c3916782ff53009c27ee572c02c9da682b397248bcc30e6bbd18ba

    • C:\Windows\SysWOW64\zclowptyihkin.exe

      Filesize

      512KB

      MD5

      eadb28e40caa864fa056647127250cce

      SHA1

      f8b00a0e7fd6a0475c998ee60183b168b0228f18

      SHA256

      d04fe65edd4e7e2a4a2f3a5d087b7b02b45c17186082f3c1e7be67419c295592

      SHA512

      c9153df1099ba6b995266f364aadca2a37d2f26fb8a611b2edb17498d527050dcca04cf8844885dde0c4670fead975de54e7763fd3d3b31ffb8a2adf776e8000

    • C:\Windows\SysWOW64\zcucxclu.exe

      Filesize

      512KB

      MD5

      3f367a8b10c382093f7a396dbb0329f6

      SHA1

      ed695bb07f2e9586938749b0764970484b5b81c3

      SHA256

      0e5f7fc870e1b12a744a68769ca8284154f1cdc7a97c98809dfc4fec9a134ecc

      SHA512

      ef2422bb2630cffd6081e1e12d81fdd8ed233a6165378b51aabf5beac77d3b633915d1a5301dcba4ad8332a2c56f020f2d11cca047bcfe3433e715fc06e06c64

    • C:\Windows\mydoc.rtf

      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

      Filesize

      512KB

      MD5

      16eab06899fbed02ba487d372dab640c

      SHA1

      1c2678eb5282871d9d1f49f46e853304b163e50d

      SHA256

      d15f717d31c0d95fb852beecd727c187dbe9a476996c8424d55ae1a279c87369

      SHA512

      929fc52cdafeeb66b371a112646d37d0b56132d575033326aec0116cd714228160fc2342b6d4b224fad8c785a98cf4cb8c9abacd0412c029229ed1a809ee0806

    • memory/2636-0-0x0000000000400000-0x0000000000496000-memory.dmp

      Filesize

      600KB

    • memory/4056-39-0x00007FF9C9B50000-0x00007FF9C9B60000-memory.dmp

      Filesize

      64KB

    • memory/4056-43-0x00007FF9C74B0000-0x00007FF9C74C0000-memory.dmp

      Filesize

      64KB

    • memory/4056-42-0x00007FF9C74B0000-0x00007FF9C74C0000-memory.dmp

      Filesize

      64KB

    • memory/4056-41-0x00007FF9C9B50000-0x00007FF9C9B60000-memory.dmp

      Filesize

      64KB

    • memory/4056-40-0x00007FF9C9B50000-0x00007FF9C9B60000-memory.dmp

      Filesize

      64KB

    • memory/4056-38-0x00007FF9C9B50000-0x00007FF9C9B60000-memory.dmp

      Filesize

      64KB

    • memory/4056-37-0x00007FF9C9B50000-0x00007FF9C9B60000-memory.dmp

      Filesize

      64KB

    • memory/4056-120-0x00007FF9C9B50000-0x00007FF9C9B60000-memory.dmp

      Filesize

      64KB

    • memory/4056-123-0x00007FF9C9B50000-0x00007FF9C9B60000-memory.dmp

      Filesize

      64KB

    • memory/4056-122-0x00007FF9C9B50000-0x00007FF9C9B60000-memory.dmp

      Filesize

      64KB

    • memory/4056-121-0x00007FF9C9B50000-0x00007FF9C9B60000-memory.dmp

      Filesize

      64KB