Analysis

  • max time kernel
    149s
  • max time network
    110s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14-06-2024 04:26

General

  • Target

    a80146d37720556f31322741b751257a_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    a80146d37720556f31322741b751257a

  • SHA1

    e2ebcdcccc2fd8a6f16aba4162665aadce49ae82

  • SHA256

    0dbc72585b456a451d16e64a461fd6c44af43948ad9e9301ac9e52ea061aaf98

  • SHA512

    9a0b66c4a4ded4dd16338110d98f5b42bee4c96498f6c2beb73042ed9818f3fc38e14043ceedada9aa7ef4cf5a8ec94b2aa47978741f160881064efae59c224a

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6U:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5b

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 9 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 13 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4944
    • C:\Windows\SysWOW64\kkzvzpvypz.exe
      kkzvzpvypz.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2880
      • C:\Windows\SysWOW64\vlrcxhud.exe
        C:\Windows\system32\vlrcxhud.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:976
    • C:\Windows\SysWOW64\eiimyumrfuwzziz.exe
      eiimyumrfuwzziz.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2368
    • C:\Windows\SysWOW64\vlrcxhud.exe
      vlrcxhud.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1596
    • C:\Windows\SysWOW64\kqycnkylakphq.exe
      kqycnkylakphq.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2828
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:116

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

    Filesize

    512KB

    MD5

    cfd6230f88f2f44543605b8a6a7652f6

    SHA1

    dc91354b537ad999b095b9510c20e4fffc56bd98

    SHA256

    c22821fa4cabe3a9c4b7cee357f42c23f88eab6905bfa3385bab0cb58253ab66

    SHA512

    ae1f55076f18e2610294e7b0c52c8182f3678b39422f2a79c4240f9a3f37bc41600c6e3c9f9e349350fb7bdb0f78df0da4d9a6aa048dcffbc8d84b6f9b6fd936

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

    Filesize

    512KB

    MD5

    2ec3eae643e0211c845255c0ec06bd41

    SHA1

    712535bee177afe54dbb54f852f772cceb92649c

    SHA256

    c74bf335ccbfdfc1e368193852b27e8f4d6c179f2c539d8e35ae6c09ce5cf89a

    SHA512

    8ef5de4e59e14dc435947203d6432553b4053da2d84c3e36e39788a389954afc2323a11a170573e37cbe9076fee4dad3294027a78bfdcfb4a591936b26ec184e

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

    Filesize

    239B

    MD5

    2fae0fe44fb67ed515b21a2b6fba40e3

    SHA1

    d39c4cb134c596851c157406149129a69844613b

    SHA256

    bd528b67c4e7b5924426cb6edc6bd85896db3a43e596bc76d32632d33eccc2b1

    SHA512

    9902e514810847d11b83ceb64209c7a363f3b482f5444474673988fa0729295d8612ae6aa0d81a09d9adeb958f7e0251b414ef808f82f279df504bc04a347087

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

    Filesize

    3KB

    MD5

    7f9c03bfc42c9f5938a54a1a5353f207

    SHA1

    25ffe0d8b4779489cd60ce09d613a8650ef89272

    SHA256

    5bda12c80537a3975da478856118c421c6b626397eb8a5f5c3c7aca89d5ab6ab

    SHA512

    f84a898931d2c8aaad7c5ba95280df046d30d185a541147173b14618631c21302bb8f4bbbcb51f53d5e6cdd5e94bec607256320d69164da153649813efac6681

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

    Filesize

    3KB

    MD5

    ea50d1cbad35b9671f32685deb6a73dd

    SHA1

    16a3bfc4f4963b99dd7d416e01aa2f9ebedc6fcc

    SHA256

    c9564961661a31014837a9ce74d9aeb4726dff575edb9a3f6257f22eb4b4c448

    SHA512

    202f3ffc021ff9a8cd16afb9b05dc55adbbf489ae3f2a615b098322cd6955d57a18da215063c0010db83ae127ddf228ae723ceb2269a0082c62d9fb14182cef5

  • C:\Windows\SysWOW64\eiimyumrfuwzziz.exe

    Filesize

    512KB

    MD5

    71fba7b1f7612ce86eea08193fc869b1

    SHA1

    4e22b1bf793b5543b38f4f714cd87d0b0b3efef3

    SHA256

    4dc1f336e1485bb917bc3d286c65b77d2c9bd7100303b934e3544e3b5f4cca4f

    SHA512

    ff87274716f7d866924eca64039774751c0e67c9acb3aa6858f6462088c716c13d98a1a8eee4328143fc427ba036e3b734b3e844bae0cfd3262872564e2d1ff2

  • C:\Windows\SysWOW64\kkzvzpvypz.exe

    Filesize

    512KB

    MD5

    38933ec4fffbde6e6a547cb0b7a45d70

    SHA1

    a1ce56c75af303bf17b4b1d91bb870d3d0354166

    SHA256

    0fc2ca4691dfe22b1dcc5735b8a29909997ef3229f1af7b180e11036fd39d122

    SHA512

    23173988f2b12e12d5ee914f393379e539aa17deaa785508cb70d74cecc4067909f56562a2569196db48417a88c0906f7542fe34edbf59982203372d2104d6b1

  • C:\Windows\SysWOW64\kqycnkylakphq.exe

    Filesize

    512KB

    MD5

    45dfcee772e69309e612717f3d102af6

    SHA1

    c2008dd6e7e6c5c41fa86728b68bca39ebaa58f8

    SHA256

    e65df76ec5dd585732d5da294d2026571f9d62877bcd7843d02248cadc926cae

    SHA512

    82dba300f6198a4a7188903b5959f0aa1fb314a714f55fccdc762fad48e4a34bd729ed186387121d8dc8973bfd72f4b2963f9ac8b47bb09e4aa49ead474da9a1

  • C:\Windows\SysWOW64\vlrcxhud.exe

    Filesize

    512KB

    MD5

    10c670b1b105d0aa723911d98547547d

    SHA1

    c5beac3fe522be1865b0bbd9340531f93f70b176

    SHA256

    d0bf0a261776a72aa6e5e1358664330449bbef9048c90318bd02e0bcbaf3c15d

    SHA512

    23a57427d50360dcfec2e81d1991a66dbe690d09e412a84d8a629e412b3ee6356e778fafa6c0744ca13d7b1de8987ad9969dc3fc18ec57e3e425b1463fa949ed

  • C:\Windows\mydoc.rtf

    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

    Filesize

    512KB

    MD5

    9b0dabe092af07a81b47d9050d2adf2a

    SHA1

    f4d411065bf67b5c1b3a964ae876ad6cb8a0b4e4

    SHA256

    2429a93f4506ea66ab8d81a30d6d203629e8c1c4f73db37a9d8f605414494fb3

    SHA512

    0bd0cecbd9ead3afc3c36f4cd6e92f7f56da5a92ca903178a832f956b3d5307f87a9a52dd5306dc068154a8e89449ea6c7556a7bb4392175294f63254e2cfaf0

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

    Filesize

    512KB

    MD5

    bb40f35315b85f40d67777158c2cc7f3

    SHA1

    436209bffac45603f993548a957a00566f602ae7

    SHA256

    d23d4afd41f19ae79f96ff8c5f01bc9dda0e0f1b7c8b2c72debcd42835d2fed1

    SHA512

    cf83369b12b541eee015aa88fb67766d8334907a6365bf84690fd2eb047d8b3b12b06b5067a288e4c24049d6673763e52e3fffd6f6d735751f1719b0e9381e85

  • memory/116-35-0x00007FFD3F430000-0x00007FFD3F440000-memory.dmp

    Filesize

    64KB

  • memory/116-39-0x00007FFD3F430000-0x00007FFD3F440000-memory.dmp

    Filesize

    64KB

  • memory/116-38-0x00007FFD3F430000-0x00007FFD3F440000-memory.dmp

    Filesize

    64KB

  • memory/116-37-0x00007FFD3F430000-0x00007FFD3F440000-memory.dmp

    Filesize

    64KB

  • memory/116-36-0x00007FFD3F430000-0x00007FFD3F440000-memory.dmp

    Filesize

    64KB

  • memory/116-42-0x00007FFD3CB80000-0x00007FFD3CB90000-memory.dmp

    Filesize

    64KB

  • memory/116-40-0x00007FFD3CB80000-0x00007FFD3CB90000-memory.dmp

    Filesize

    64KB

  • memory/116-116-0x00007FFD3F430000-0x00007FFD3F440000-memory.dmp

    Filesize

    64KB

  • memory/116-115-0x00007FFD3F430000-0x00007FFD3F440000-memory.dmp

    Filesize

    64KB

  • memory/116-114-0x00007FFD3F430000-0x00007FFD3F440000-memory.dmp

    Filesize

    64KB

  • memory/116-113-0x00007FFD3F430000-0x00007FFD3F440000-memory.dmp

    Filesize

    64KB

  • memory/4944-0-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB