Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-06-2024 04:42

General

  • Target

    a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    a3daef70f8e18e75bc011c85e07c4105

  • SHA1

    34fdfe6ef72db4c150cae13db62084441fa313e8

  • SHA256

    96b225fb8a884b687523bc93abf93879662f3b8fba963e151fa49718fe41d03a

  • SHA512

    651e9418c91ad741ad8ec08afad25f4ed8003b10a5f3e8d820fdc93080f29fbef1796ff5723e7f73f4f1b41267b7e8bcc11c696ade0c9558ae4d8ac52e68c0e1

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6H:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5S

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 5 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 21 IoCs
  • Suspicious use of SendNotifyMessage 21 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1640
    • C:\Windows\SysWOW64\smebyecwjl.exe
      smebyecwjl.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:3052
      • C:\Windows\SysWOW64\bqbxpysf.exe
        C:\Windows\system32\bqbxpysf.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2440
    • C:\Windows\SysWOW64\iencrmpuduwuxbc.exe
      iencrmpuduwuxbc.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2224
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c bbgssnjykgbhz.exe
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2584
        • C:\Windows\SysWOW64\bbgssnjykgbhz.exe
          bbgssnjykgbhz.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:2464
    • C:\Windows\SysWOW64\bqbxpysf.exe
      bqbxpysf.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2712
    • C:\Windows\SysWOW64\bbgssnjykgbhz.exe
      bbgssnjykgbhz.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2424
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2916
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
        PID:1612

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      20KB

      MD5

      36c05e1fef9c02c78798266062e07b64

      SHA1

      6d7cb44100c0cd37280713ba5cd16f96f50e8fe3

      SHA256

      6b0dcb48b591e8b524c3d59cc7a9c0da210669b4c6074c25f30ebb48318e883c

      SHA512

      9dc6a4371e422fa31c9e8db969908d60414d39d1c77c6b41a33ef7691f62981b33342ac1d921c9bed8aa6d4ec3588e8a38d98ef250e4704d799c21eafd4824cc

    • C:\Windows\SysWOW64\iencrmpuduwuxbc.exe

      Filesize

      512KB

      MD5

      bbe89e395a9b1dffda456ba1fcc6039d

      SHA1

      abc9d34aa348f7c21e0f4613800eafc752b2b386

      SHA256

      6a5a1cf3c0e79900251f6186fcc832888cdbc3adedfcc305eb0b9c31fa810061

      SHA512

      c2fd74b52fe9272da49417604106423fe0d957c0489286f90ea7e71f5f4b2c5c88a2b72c587767858ace572bc476043a7864fb18d12b6807b4b4b9bbbaf30285

    • C:\Windows\mydoc.rtf

      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    • \Windows\SysWOW64\bbgssnjykgbhz.exe

      Filesize

      512KB

      MD5

      f6f725bde5a11596804a247197fb80db

      SHA1

      37318209575f87b7de8ea0379933d963b2848b83

      SHA256

      d31e685dba7f315a9db570175cc808c6a50195bc9fd3a3b72be87537cbb4955d

      SHA512

      cf70138de647904ef7e32d772ecf52057bac51980837301c7072ce11c42f4ee67789f1dfadb942e5e0ed63b120fb6e0c21b04765c2416ad1a066a8142770e56f

    • \Windows\SysWOW64\bqbxpysf.exe

      Filesize

      512KB

      MD5

      39c2e71505c91dfb800b06e203b96e1d

      SHA1

      f1408ba0e956eec7b2bb7f7ac7bc15fad8b2916a

      SHA256

      651a859bfed21004895f05874c7f00061ffd36ab1855f63995a76db9b92d7725

      SHA512

      a8fa82b96ba81f5990fd2a1edd9b2523d8c8a6c35044c999c07a5389bf9746ead90d7b3fb8dc2ca7560728758a6f502e29592840053b0c31ea39e9e2eeb31a86

    • \Windows\SysWOW64\smebyecwjl.exe

      Filesize

      512KB

      MD5

      dbb1cf82bf81f3ada87e24879625b3ff

      SHA1

      0d04934e1e71e574526268aae8b63c54c99c2be7

      SHA256

      d1cf672636117e67cb904e476fd72ca15733617a0a2d3899c2322f275b8f5b4c

      SHA512

      0e376ffc85f099cf46ca983c6e21b81df1ec31861e844371925deaa5d0dac371dff345cfb8cd321bd224e19264aa84b22e031e059fc3b0ea0555079337524a2b

    • memory/1640-0-0x0000000000400000-0x0000000000496000-memory.dmp

      Filesize

      600KB

    • memory/2916-48-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2916-95-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB