Analysis

  • max time kernel
    150s
  • max time network
    110s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
  • submitted
    13-06-2024 04:47

General

  • Target

    a3de7251d0458eb2be565d7d8fa507b5_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    a3de7251d0458eb2be565d7d8fa507b5

  • SHA1

    91b1fc30a6d24762041c6480a54556a61fd4651b

  • SHA256

    d35754568c165dbe399f20e5783bed3a45196b1b864ad8ed76892f56dafbfcb5

  • SHA512

    7fab8cf478068812cb25d44e39987989d921aa2e7ca02cec1c52491bded48a3ff58037ebe32430267c1c695fecfe83dda1ea378ff574e0da0c12b3c7aae21802

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6G:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5R

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 10 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 13 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a3de7251d0458eb2be565d7d8fa507b5_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a3de7251d0458eb2be565d7d8fa507b5_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:972
    • C:\Windows\SysWOW64\jmuanrtted.exe
      jmuanrtted.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:3344
      • C:\Windows\SysWOW64\bnvpakjt.exe
        C:\Windows\system32\bnvpakjt.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4544
    • C:\Windows\SysWOW64\vzocqspvvuegchu.exe
      vzocqspvvuegchu.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3312
    • C:\Windows\SysWOW64\bnvpakjt.exe
      bnvpakjt.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3596
    • C:\Windows\SysWOW64\cbisjjfmrzuia.exe
      cbisjjfmrzuia.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1608
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:2444

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

    Filesize

    512KB

    MD5

    5fd079560259c99fa2e8c7ce26a9a9c3

    SHA1

    0f4be585acbbf7acbf3538cbeabfbe72237738d7

    SHA256

    2060f39d45395d6e36251d28ff8e173ee6528111316db3cdc9de7073bfedad38

    SHA512

    0f5ab3a1e9fd93126d09fc0330c695f41422a6ad47b02e7554307b155bddb77d8bf94f1d94dd1d931d5878c4e2049e7c9ecabf8bc7c7a5b10667cd9cb3f45b12

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

    Filesize

    512KB

    MD5

    52c0d1d70562d836c33eb8f11bb6a44f

    SHA1

    e7a9c86c317597ef79a4ef99bcb513e0d3fd0531

    SHA256

    29ad5e1e50e64a6570455bac227418a03f3ed15d131fc85d605b847fa9e66f15

    SHA512

    f571e34461d3e889a6e09cb5c8c3b9426373280d3aefa8db944f793f3671f9a14b9cbb5387a1c1a52015feae8642c4b2201d6ba06042105f38b73dec432cb060

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

    Filesize

    239B

    MD5

    c7667c3371d5d84c2c3d9801baa3dc0f

    SHA1

    25838b0056cd399422f492754b6437a95f318e52

    SHA256

    5596446f922d237efed146d488ec6e529f0d66a064960eeb6013773cfa45ab9d

    SHA512

    7e42fc3aad97260c7973eb4adb8dca390a207f2f8dee0c45f74e7e91441d9f548aa8ae03f7f6109e772bc67a8e6124e74bc37a0496120a0200f58d9e96451a09

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

    Filesize

    3KB

    MD5

    572e32a6eeb59d8b39bb6c8adb3fad88

    SHA1

    9fa0d9577a50954cfdbf4451079a95e8e075f944

    SHA256

    88cb066e83a2b63ecf91f3eb6e2c44c6e5fa85872504ce33d18bf2d27d84ab75

    SHA512

    99e7e567ee0d14ef3ff07b8b39c97ae36d13851976bb1c9583e2d1d1b1d1a4f89994b89aff5d3343195e44ce2245a59fe58d34624e794ed75bd0c88600acec96

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

    Filesize

    3KB

    MD5

    4bc6f56ff8351d6f6134c65cd8f50526

    SHA1

    4e70609de0d4373aad79b69e69d831546a45c064

    SHA256

    cd09358de2d7a02a3699e49168c2cbeef3fff0c8603a4a7da037c0e115a303d6

    SHA512

    872dfc910df9ab64a4b72208cab7b1046c15752610969373db2d39dac5fdf87571cbc0c42e109c2c8fa7d570e30017eb0cc5b939f3d5a531c65459aa5e3ba33b

  • C:\Users\Admin\Documents\CopyRead.doc.exe

    Filesize

    512KB

    MD5

    7417b59e219b3201e39920be3f819003

    SHA1

    8f941ed282726f80eb6e8347de24f3bc7df92e00

    SHA256

    a5cda9f8e10c80c8806e08fc2f3d2a5a36c58201d6317ca6f60bc1e877fcfa79

    SHA512

    6f8217226f07e171b30ac3999025a2a75efcf1f1f2bfd131aa2e03814bd44f4755e3cf00db8c6891d83ec593d11e39ddecbe6af30ddecfb36a9e9ad0e2342235

  • C:\Windows\SysWOW64\bnvpakjt.exe

    Filesize

    512KB

    MD5

    e68d4bab895a85a6d99fadfd857006e4

    SHA1

    81d64cb60cd8c428025e4d4b304885be0363e4a6

    SHA256

    0058b8c3160aff7dc8f5d62969e82185f5d59845cb8bf59f1ef84572a980197c

    SHA512

    59c760ceb35744521724054c098906a14b0c25b608d783e22b36065b2cf4970406d04c2955af5028eed909d30c59323cdacdf94b73e2c32ccadbfcac89927f2c

  • C:\Windows\SysWOW64\cbisjjfmrzuia.exe

    Filesize

    512KB

    MD5

    e915394999bcf77d6f10ecd1993dab02

    SHA1

    04e344d18dabcfef8b53cc994400f6edf6d596f6

    SHA256

    58be5b03b23678f44e3cc5e7b0695bdbba838fae63a3401c2a52b11fbac91644

    SHA512

    fe167cb9c2f3d5019e2ef98f31620fa86cedff9563283146556f0686fd6d2dd433e5bc5cbf454eaf96b8155681b882bfc4c61e329faf137737b13ac188b00f95

  • C:\Windows\SysWOW64\jmuanrtted.exe

    Filesize

    512KB

    MD5

    b0b5795b78f341b74a5f3e03cf8750ac

    SHA1

    55da1f5a7f09a0383929a233a480407e27ca855a

    SHA256

    e7b64efbb8c98151ef77f498bb67befeddbb5ff8dbad0b08245535e2d6968a20

    SHA512

    c474fe6fe8d358f3102d3c68bcb40b5b1661b5a4b5c5aa716bbae79e784314107820704cb94f35d47ae0229389bf6ad28e0486c5ae40f0e6aeb6b5532271bb09

  • C:\Windows\SysWOW64\vzocqspvvuegchu.exe

    Filesize

    512KB

    MD5

    b4fed0cd0bec5b6e467ba52e251898f6

    SHA1

    735be4416fc460abcaea2e56f46d25ffc14a2c0c

    SHA256

    3393cd76725ee88dadac0c9864b11a2d0c2a0ef9e2d6a89a6383a751139f0d10

    SHA512

    ae19c04c3fa2e05808f722ac5ee3a68214908ca8a7924d12ada4cb13f72d59d728455aecbc6f39d3324044d4484fee9ae007d15d043bd9a6d7200d1d47bff03d

  • C:\Windows\mydoc.rtf

    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

    Filesize

    512KB

    MD5

    09216370719345370b903ec2928f11de

    SHA1

    d44aafd417bb399b34635e6a5baf67d34e857c71

    SHA256

    c2d8de36cbba2566ce0504fac32d8a4fe8621b602f934491d8d4820129c3d67f

    SHA512

    e63245eb90c8c1f50a18bd694cba523a8677bbb6f602c0f331ecd7616553989476649aa9cdf7b26fb428f3e9bd51e6298dd871c8ea598caab76f4a7cff84d3d2

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

    Filesize

    512KB

    MD5

    8625e2fed627b011717db9c18c658329

    SHA1

    b22bd00f8286b9a9b6c729a1b8a9fe0d50775fe8

    SHA256

    d4c6f13b27efbf0e66152b975af800e7a49efa47ff51859adfd82793737177fb

    SHA512

    6e5e5351a663ce622e703a7b54532de8bb0f205f2616f8872fe963f769a4572875756f3ff6ebb3127778c076d982295526a55e60cee9456e75f8fab9821562da

  • memory/972-0-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB

  • memory/2444-41-0x00007FF872DB0000-0x00007FF872DC0000-memory.dmp

    Filesize

    64KB

  • memory/2444-37-0x00007FF872DB0000-0x00007FF872DC0000-memory.dmp

    Filesize

    64KB

  • memory/2444-40-0x00007FF872DB0000-0x00007FF872DC0000-memory.dmp

    Filesize

    64KB

  • memory/2444-36-0x00007FF872DB0000-0x00007FF872DC0000-memory.dmp

    Filesize

    64KB

  • memory/2444-38-0x00007FF872DB0000-0x00007FF872DC0000-memory.dmp

    Filesize

    64KB

  • memory/2444-43-0x00007FF8708E0000-0x00007FF8708F0000-memory.dmp

    Filesize

    64KB

  • memory/2444-42-0x00007FF8708E0000-0x00007FF8708F0000-memory.dmp

    Filesize

    64KB

  • memory/2444-121-0x00007FF872DB0000-0x00007FF872DC0000-memory.dmp

    Filesize

    64KB

  • memory/2444-122-0x00007FF872DB0000-0x00007FF872DC0000-memory.dmp

    Filesize

    64KB

  • memory/2444-120-0x00007FF872DB0000-0x00007FF872DC0000-memory.dmp

    Filesize

    64KB

  • memory/2444-123-0x00007FF872DB0000-0x00007FF872DC0000-memory.dmp

    Filesize

    64KB