Analysis

  • max time kernel
    150s
  • max time network
    108s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-06-2024 04:42

General

  • Target

    a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    a3daef70f8e18e75bc011c85e07c4105

  • SHA1

    34fdfe6ef72db4c150cae13db62084441fa313e8

  • SHA256

    96b225fb8a884b687523bc93abf93879662f3b8fba963e151fa49718fe41d03a

  • SHA512

    651e9418c91ad741ad8ec08afad25f4ed8003b10a5f3e8d820fdc93080f29fbef1796ff5723e7f73f4f1b41267b7e8bcc11c696ade0c9558ae4d8ac52e68c0e1

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6H:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5S

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 9 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:5076
    • C:\Windows\SysWOW64\gkbxbblfpu.exe
      gkbxbblfpu.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1888
      • C:\Windows\SysWOW64\zetofspu.exe
        C:\Windows\system32\zetofspu.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4224
    • C:\Windows\SysWOW64\chyirpliscvridn.exe
      chyirpliscvridn.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2400
    • C:\Windows\SysWOW64\zetofspu.exe
      zetofspu.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4324
    • C:\Windows\SysWOW64\kagcvjkayfinl.exe
      kagcvjkayfinl.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:220
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:1284

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

    Filesize

    512KB

    MD5

    3590a4ffa2f0eb2d3bbe65e88b044589

    SHA1

    5325523da1847c9455c2e5160a128b8939674af4

    SHA256

    6f9b7ed96fbc50c833161b4c23a8226f9706d3772b8332073ec078badfc32fc3

    SHA512

    1b4efee9e8a3c6be7bd7fa3f4c060fc16aedd148a53521bb89c77f61cb62ed98a9931f63ea9bb2460ba3b4080926f093d431a9e49ee81dc5cc7dcabeaaab0a63

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

    Filesize

    512KB

    MD5

    8e6e5bc910b9911bd4d38b06f6ba19b6

    SHA1

    aa0d589796ac6dfa3969930f35c1aaac97ad317d

    SHA256

    989e457fd7c88c88392d5d40ff8e9c62657f2d889117a2c41fdb21c9469f5f71

    SHA512

    5b6c82fb3cff042454d4fc460b0917105735c1b2c4c02dcb4ebd889f80ffb73723a897da4f8169a8a59ed79430da7ef21311ef55c052db637a2c9c382d8aa176

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

    Filesize

    239B

    MD5

    12b138a5a40ffb88d1850866bf2959cd

    SHA1

    57001ba2de61329118440de3e9f8a81074cb28a2

    SHA256

    9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf

    SHA512

    9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

    Filesize

    3KB

    MD5

    d2aa39f3e8d9eccc12128c53e4c428a4

    SHA1

    8d6cf827cf5e62dc31a468c860eb92a5573c0294

    SHA256

    b3ba80098f3eb6b6c597e6c1c525b7eff5e0df9db5de510713786882b587c41e

    SHA512

    d28f625e9639bcb835fa2174e226a80879206a3fbf162ca775290d3b7075aa5bb2444f752c08a3528c0d5f559c6bd6ff4883e4f3b9c4cefe4421d26de3d78d50

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

    Filesize

    3KB

    MD5

    e9c4bc67e190134c3a96709ba0be93cc

    SHA1

    422ec2f478b9ec6f798d92c86bc25708976baba4

    SHA256

    3acfe6b16d12349232d290eeeb40a800015a14a27c6a431b6ff9f3c71481534f

    SHA512

    0500c74b18dc38f40fddac67aed69310d75562dc967ee22ad67f6e87b5122852c205d94df3739196d92414dc55d1cf0253f057ba87950221fb799d7c7a2b2b2c

  • C:\Windows\SysWOW64\chyirpliscvridn.exe

    Filesize

    512KB

    MD5

    00b855f298e0f772b744a81f02195776

    SHA1

    a4c7ecd3c46fb973909a13968c2502cb3bb16d7a

    SHA256

    5101bc7379bfd040d796496974cd8b7f0dc9a79428a93bd7d19114a11298efad

    SHA512

    14529f4e8d7985b962076a564d208a2912fcb184be4a4b05fb96a19526141ee0f243cd7fd6409f4b86acedd3ca621cd80daf474b9f9113a915baec71de270515

  • C:\Windows\SysWOW64\gkbxbblfpu.exe

    Filesize

    512KB

    MD5

    410fb8b91113eec7e362e71d9133b8a8

    SHA1

    4a04f040d1808118176a53ba59e1a67174e1183c

    SHA256

    572e59f5ed2991215dc5c49c2870e5d877d962a9d24d0fae9892a4402c3ddf1f

    SHA512

    80d1ec4bf3c576a2f0d2b9cc3614a5e0bfae8c88427aa869b0b5a6c30cdb7cb57ff99dcbe4ea0805879aec8500868e5c9f8a6c8266c7988802dbf49aec0c7fea

  • C:\Windows\SysWOW64\kagcvjkayfinl.exe

    Filesize

    512KB

    MD5

    d0498a7e1c5790c226b712220979dca4

    SHA1

    f9e59a88c6d582c138c908ef1810f39a8c60f9ed

    SHA256

    a29f19f5544fbb3158ba9301b7d11f8384cd85ace0bc34f3eaec5821e785b8f2

    SHA512

    5d5c1e5212250ef0cc843d74cbb764886cfc05f56ee2670777f8991a551579cd422ee1389187074d8ce13c1ad5876c2d348afe5d95c4024b5514d7312e36bd5a

  • C:\Windows\SysWOW64\zetofspu.exe

    Filesize

    512KB

    MD5

    be9298a812c66637a2139c9cf434cd55

    SHA1

    084b6dd49f37cb159482ce7794e9191385ef0bf9

    SHA256

    6574432d01c0e63dfec7f7b228576accb58d310373b8322a9db1c02d7511bec1

    SHA512

    7fdd1bc061208b9202be5d811dfc3b7ce1ed88e1a6ac92c7175cb2c9163018ebf547dc7010cf7803d22993b00777a623323f40283ca92e3b94a97662bdce7642

  • C:\Windows\mydoc.rtf

    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

    Filesize

    512KB

    MD5

    1a0bd2069e74c29c2fd9ce81736debae

    SHA1

    ae914d28c721ca21640f468cac7aab73cb3c7d60

    SHA256

    7f523d9a4c6a7d850e6c29101930208b214b43f2bdd63f3daab816b2c8b04075

    SHA512

    0def22fbad98e6aa99fdc743f5f38b49b9c1f9e2eb918ab2cfd511140ce9fe578aec4dcda2cb02d2b5978e9362d691432766aab7b749fefe85cc2062583f170a

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

    Filesize

    512KB

    MD5

    bde0b944d12eca94441e1754bee52f1d

    SHA1

    6fa50b00da72e3571b32eeb6dcdbe17e763dbf98

    SHA256

    673699d5083b76afc6dd4a609e1933941e7ed04f0ddc34b0bc403b057310a854

    SHA512

    567de4439869f4f928845f6cceb760c6e91006f1eb9daba271d05d7f8b727edb5b290b343fbbc3c07fd7d3ca14c8e36c7063864057180294e7a1031494a1c956

  • memory/1284-37-0x00007FFED6CD0000-0x00007FFED6CE0000-memory.dmp

    Filesize

    64KB

  • memory/1284-41-0x00007FFED6CD0000-0x00007FFED6CE0000-memory.dmp

    Filesize

    64KB

  • memory/1284-40-0x00007FFED6CD0000-0x00007FFED6CE0000-memory.dmp

    Filesize

    64KB

  • memory/1284-39-0x00007FFED6CD0000-0x00007FFED6CE0000-memory.dmp

    Filesize

    64KB

  • memory/1284-38-0x00007FFED6CD0000-0x00007FFED6CE0000-memory.dmp

    Filesize

    64KB

  • memory/1284-43-0x00007FFED4BE0000-0x00007FFED4BF0000-memory.dmp

    Filesize

    64KB

  • memory/1284-42-0x00007FFED4BE0000-0x00007FFED4BF0000-memory.dmp

    Filesize

    64KB

  • memory/1284-111-0x00007FFED6CD0000-0x00007FFED6CE0000-memory.dmp

    Filesize

    64KB

  • memory/1284-112-0x00007FFED6CD0000-0x00007FFED6CE0000-memory.dmp

    Filesize

    64KB

  • memory/1284-110-0x00007FFED6CD0000-0x00007FFED6CE0000-memory.dmp

    Filesize

    64KB

  • memory/1284-113-0x00007FFED6CD0000-0x00007FFED6CE0000-memory.dmp

    Filesize

    64KB

  • memory/5076-0-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB