Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    14-06-2024 04:26

General

  • Target

    a80146d37720556f31322741b751257a_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    a80146d37720556f31322741b751257a

  • SHA1

    e2ebcdcccc2fd8a6f16aba4162665aadce49ae82

  • SHA256

    0dbc72585b456a451d16e64a461fd6c44af43948ad9e9301ac9e52ea061aaf98

  • SHA512

    9a0b66c4a4ded4dd16338110d98f5b42bee4c96498f6c2beb73042ed9818f3fc38e14043ceedada9aa7ef4cf5a8ec94b2aa47978741f160881064efae59c224a

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6U:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5b

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 6 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 43 IoCs
  • Suspicious use of SendNotifyMessage 35 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2784
    • C:\Windows\SysWOW64\jtmoqdlhbv.exe
      jtmoqdlhbv.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2196
      • C:\Windows\SysWOW64\rkdxhkri.exe
        C:\Windows\system32\rkdxhkri.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2864
    • C:\Windows\SysWOW64\nafazwvwzrtodpa.exe
      nafazwvwzrtodpa.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2856
    • C:\Windows\SysWOW64\rkdxhkri.exe
      rkdxhkri.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2568
    • C:\Windows\SysWOW64\pjrcaggwrkgsz.exe
      pjrcaggwrkgsz.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2732
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:2596
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1752

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

    Filesize

    512KB

    MD5

    d6205d491d20cdd4db161941997b9912

    SHA1

    f169ca4e83fbb34bf8f33e9155a95258e0faee1c

    SHA256

    f2808779322d1e0252119f335e426dec7319dce4b6abaf84a3e8dc52d2f63095

    SHA512

    05aa7419391a3966bbec86b41ee7e6fa78e73d07819c85e40a42938f1bae4fd23f4d8c5a99f75843ac701aa857da79136265801a781e237594d0cda285dbb84a

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

    Filesize

    68B

    MD5

    92f6005c94e7e7cd97a0f4f01b533e3a

    SHA1

    623885b37b22498362658f7d6287b721b07405dd

    SHA256

    22080aceaafd79b42372e17bd7e498bcf00acd20b804649de41a6b7efe8a2236

    SHA512

    62540186746ca9d1b4e7af4a6bcadcc8934f69673497c8f92c77f48f40912d1da2b922ebd980fae0e38eef87103c369d497ff3e1fc2dc4b69edbbb451e19208a

  • C:\Windows\SysWOW64\nafazwvwzrtodpa.exe

    Filesize

    512KB

    MD5

    3485b4b1d4cbc82c994c4ec79b085a0d

    SHA1

    4a2d07134eebc5a913a91b994ad05623f3afd562

    SHA256

    fe44ba77d77ca580efd210c63ba6800d20e3ec0a6bade520cc899750fb4e4a6f

    SHA512

    7d205cfa53d4c7bf4272cdc24df5dbd2f9257e45006fd98c84a7548d986ea1b8db5f3470d533afd20a47c7f2be149eff1bfb079e4923d84e3193af14b964a157

  • C:\Windows\mydoc.rtf

    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

  • \Windows\SysWOW64\jtmoqdlhbv.exe

    Filesize

    512KB

    MD5

    8b3c0f6977193d3b3c035166b13d13ea

    SHA1

    0a3ca770fe8c55c1e7a039a799dc0fa0d55122e3

    SHA256

    0836dbca46bb358db21a6d441aa14bce41807606991bc17564a2a3a60dd8ff13

    SHA512

    ab0c4a0cc7608a202c0e58c84934d0578c6e353b3a712aea5fbf89d04e062b2e58e52906667c880da1dea53992d7bec55d894c18067524307837f73406e2895f

  • \Windows\SysWOW64\pjrcaggwrkgsz.exe

    Filesize

    512KB

    MD5

    cd9f30612480793a6dd1e4728173068a

    SHA1

    7aee0c472f87a4707f953a709e65450bc83ec5cd

    SHA256

    89beee5672a94371aaee7eca295acf4058e7fcd8a12e07d9ed485b68703767c5

    SHA512

    e2558f1072b5aafa76bdd84fedd1299f34384c79e2c478a8d2dea218717828d857ab8916fcd3217cd69a9d3b6c2e149e6355bb1c917443b50ab66dd7015a8c93

  • \Windows\SysWOW64\rkdxhkri.exe

    Filesize

    512KB

    MD5

    56b12549e08a180b57a3c82c3303f14e

    SHA1

    7a60e212c3434ca3cfd5cda7b0dbc3d3fbe1c0e9

    SHA256

    81904fe2e2435a1300e56bf1905002284016a4809a16386733fd0eb1d112fe37

    SHA512

    76ae4b4aba90f4281121c2b036200c15a6ba9aa715e1cb3f4c44ad5b0344647422dd8eeccbd9676b081677836dc5cf34d3fd0d2b776d3aa7ad1023754e70f986

  • memory/1752-79-0x00000000029A0000-0x00000000029B0000-memory.dmp

    Filesize

    64KB

  • memory/2596-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/2784-0-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB