Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-06-2024 04:47

General

  • Target

    a3de7251d0458eb2be565d7d8fa507b5_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    a3de7251d0458eb2be565d7d8fa507b5

  • SHA1

    91b1fc30a6d24762041c6480a54556a61fd4651b

  • SHA256

    d35754568c165dbe399f20e5783bed3a45196b1b864ad8ed76892f56dafbfcb5

  • SHA512

    7fab8cf478068812cb25d44e39987989d921aa2e7ca02cec1c52491bded48a3ff58037ebe32430267c1c695fecfe83dda1ea378ff574e0da0c12b3c7aae21802

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6G:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5R

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 6 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a3de7251d0458eb2be565d7d8fa507b5_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a3de7251d0458eb2be565d7d8fa507b5_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2160
    • C:\Windows\SysWOW64\hygtxrkcds.exe
      hygtxrkcds.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1100
      • C:\Windows\SysWOW64\ymvfdpga.exe
        C:\Windows\system32\ymvfdpga.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2392
    • C:\Windows\SysWOW64\nngpkojufhhuplf.exe
      nngpkojufhhuplf.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3044
    • C:\Windows\SysWOW64\ymvfdpga.exe
      ymvfdpga.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2804
    • C:\Windows\SysWOW64\hbqrawwfhyygp.exe
      hbqrawwfhyygp.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2480
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2524
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
        PID:2044

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

      Filesize

      512KB

      MD5

      44f6def66812f7c6b9ca27c4804141b1

      SHA1

      5c8cac48baa288f2e4c5135e2dee846c3eca5b5b

      SHA256

      6fa1fdabb5ec8f6a97c0ffc9b9b2c599d1ac28a630d9dfd9878e3a17f065906c

      SHA512

      947dbc6f105760d6ce9c5fb7973c5bf78d94f54d775136c5b62ae46b2bbfa05a7261358ffbd97e0a136d4a39149ba01d1b88b539cd59703c26b5b058d8ce73aa

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      20KB

      MD5

      ac8204f7a8c3e8c63e19ababb8d026b4

      SHA1

      624e19d657080587d2a15828809545aa644018c7

      SHA256

      61c7fc6abbea8a0affe59d12867bb04716b39f8a468130beca818cd7f0aabc02

      SHA512

      4cbfe88b9931a1767fce14a4641707a78449d1d51f9d00534b7e0529e63754394cff55b70ef39cb868c24c1d009ba9965fb36137e9aa8c0024697f0d8bba20b5

    • C:\Windows\SysWOW64\hbqrawwfhyygp.exe

      Filesize

      512KB

      MD5

      e2a407c7e6d208755fd796d345cc6c1a

      SHA1

      fa4e17a72fbd90926b7e17a129e871b43d04c586

      SHA256

      57b903d9c284a91e96659d6a8b7db6748e00e26971e4b56282ea022948ee61ce

      SHA512

      6ea6cace7c8442dcc87e462d896958bce4c85abaa1670e439638202e97ff35e463f1e229ddbbf25aaa55a09b8b6db84647c2911c61d73901c3cc913db2658793

    • C:\Windows\SysWOW64\hygtxrkcds.exe

      Filesize

      512KB

      MD5

      0267f2d4d4e116591a18f1a13d464442

      SHA1

      cbbac35a1ee80c946ed63caae69bb4a8a14e7c86

      SHA256

      8ec515503cca2b6096cd6975465057a025b2ccc88dcdcf52fa02f573a298e7f7

      SHA512

      ff95f3e59d0fd7053eaa4068c750ab7c9c7592f1077a790ce31a51339e1ef28bcc0ca23496e51778593d7127b7b194578b03faee9ab18dabf41e48c48df35343

    • C:\Windows\SysWOW64\nngpkojufhhuplf.exe

      Filesize

      512KB

      MD5

      5a1f1ffa03d42288b8412dd69f6146e3

      SHA1

      66638c283896e8a6b22fcc8a1aae2f5bbb4bab6b

      SHA256

      1d713b04aa8145d3722eafad067576661288fd11538ff98b4461565e3deffdc1

      SHA512

      88a8557403f13d577e39630dc610e0b808a685f348960fae3628e6bfc6edc2f11b88243a72a2324b7e169bce5ad0040744bf04d138ed4669fe350f407c1425d3

    • C:\Windows\SysWOW64\ymvfdpga.exe

      Filesize

      512KB

      MD5

      50319c4cba3f9b0198b4f2bb6e4dba7d

      SHA1

      b56236071692b79f8071d7149ac430d66326231f

      SHA256

      4c7451578c633d354d6704effda029358a3eb9a3e9bccb46e8643ba9d9f0048b

      SHA512

      78fc3c2606170b8ffc918374be3d2d2687a66c7374adee6c24a9a25c42a6cdfb8c4a0c777b8681411b7c48247de8bfd03015f44e4ed2f0ddfa0a225c3908c6d3

    • C:\Windows\mydoc.rtf

      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    • memory/2160-0-0x0000000000400000-0x0000000000496000-memory.dmp

      Filesize

      600KB

    • memory/2524-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2524-98-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB