Analysis

  • max time kernel
    150s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14-06-2024 04:54

General

  • Target

    a810642456b82b8f2207a3aa5f33cdee_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    a810642456b82b8f2207a3aa5f33cdee

  • SHA1

    9513981b92e4e011b0d1b7cdaf88e6730130e371

  • SHA256

    f236c7797ba80626f23048c995d7109c1de3dbd9474b07933efeac5abca711b1

  • SHA512

    caf89e03b0b5683af886a7de9a69d9a0ee61407f07c10e3025e58424ad0259744e7cc2306af005daec6414070b95d193eff706fa7fc7df561ba9a80ce2a2b613

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6w:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5B

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 11 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 13 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
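A host-side check for the registry-backed behaviours in the list above, written in PowerShell as an added example; it is not part of the Triage report and not the sample's own code. The report records that these behaviours occurred but not the values that were written, so every key and value name in the script is an assumption (the standard Windows locations these signature names usually correspond to) and should be confirmed against the detonation's own registry events. Run it from an elevated prompt on the suspect host.

```powershell
# Added triage script, not part of the sandbox report. The report names the
# behaviours but not the registry values the sample wrote, so every path and
# value name below is an ASSUMPTION: the standard Windows locations these
# Triage signature names normally map to. Confirm against the detonation's
# own registry events before treating a hit as attribution to this sample.

$findings = New-Object System.Collections.Generic.List[string]

function Test-RegValue {
    param(
        [string]$Path,
        [string]$Name,
        $Expected,                 # the clean value; anything else is reported
        [string]$Reason,
        [switch]$Informational     # report the value but do not call it a finding
    )
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return }
    $actual = $item.$Name
    if ($Informational) {
        $findings.Add(("[info/{0}] {1}\{2} = '{3}'" -f $Reason, $Path, $Name, $actual))
    } elseif ("$actual" -ne "$Expected") {
        $findings.Add(("[{0}] {1}\{2} = '{3}' (expected '{4}')" -f $Reason, $Path, $Name, $actual, $Expected))
    }
}

# "Modifies visibility of file extensions / hidden files in Explorer".
# Caveat: HideFileExt=1 and Hidden=2 are also the Windows defaults, so the value
# alone proves nothing; the sample's registry write is the evidence. Report only.
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Test-RegValue $adv 'HideFileExt'     $null 'ExplorerView' -Informational   # 1 = extensions hidden
Test-RegValue $adv 'Hidden'          $null 'ExplorerView' -Informational   # 2 = hidden files not shown
Test-RegValue $adv 'ShowSuperHidden' $null 'ExplorerView' -Informational   # 0 = system files not shown

# "Disables RegEdit via registry modification": absent or 0 on a clean host.
Test-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' `
    'DisableRegistryTools' 0 'DisableRegistryTools'

# "Windows security modification / bypass": Defender policy switches that are
# absent on a host not managed by Group Policy.
$defPol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
Test-RegValue $defPol 'DisableAntiSpyware' 0 'DefenderPolicy'
Test-RegValue "$defPol\Real-Time Protection" 'DisableRealtimeMonitoring' 0 'DefenderPolicy'

# "Modifies WinLogon": Shell and Userinit have exact, well-known defaults.
$wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
Test-RegValue $wl 'Shell'    'explorer.exe' 'Winlogon'
Test-RegValue $wl 'Userinit' "$env:SystemRoot\system32\userinit.exe," 'Winlogon'

# "Adds Run key to start application": in the process tree it is
# xidomtmniciiejk.exe, dropped into SysWOW64, that registers the Run value.
# Flag any Run entry that launches a randomly named binary from SysWOW64 or
# System32 and record whether that binary carries a valid Authenticode signature.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # provider metadata, not Run values
        $cmd = "$($p.Value)"
        if ($cmd -match '\\(SysWOW64|System32)\\[a-z]{8,15}\.exe') {
            $exe = ($cmd.Trim('"') -split '\s+')[0]    # first token: the executable path
            $sig = Get-AuthenticodeSignature -FilePath $exe -ErrorAction SilentlyContinue
            $status = if ($sig) { $sig.Status } else { 'FileMissing' }
            $findings.Add("[Run] $key\$($p.Name) = '$cmd' (signature: $status)")
        }
    }
}

if ($findings.Count -eq 0) { 'No registry indicators from this report found on this host.' }
else { $findings }
```

The Explorer values are reported rather than flagged on purpose: the settings the sample enforces are the same as the Windows defaults, so only the write event in the detonation's registry log (or a key last-write time inside the infection window) ties them to the sample. The Winlogon and DisableRegistryTools checks, by contrast, have exact clean values and any deviation is worth a look.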

Processes

  • C:\Users\Admin\AppData\Local\Temp\a810642456b82b8f2207a3aa5f33cdee_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a810642456b82b8f2207a3aa5f33cdee_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4588
    • C:\Windows\SysWOW64\qrwqthkqqu.exe
      qrwqthkqqu.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2448
      • C:\Windows\SysWOW64\wweryzty.exe
        C:\Windows\system32\wweryzty.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2948
    • C:\Windows\SysWOW64\xidomtmniciiejk.exe
      xidomtmniciiejk.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3912
    • C:\Windows\SysWOW64\wweryzty.exe
      wweryzty.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1548
    • C:\Windows\SysWOW64\agctnxpnsgeaz.exe
      agctnxpnsgeaz.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:5056
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:3736
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3852,i,7977653611488681184,6839495125838449898,262144 --variations-seed-version --mojo-platform-channel-handle=3512 /prefetch:8
    1⤵
      PID:3392

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

      Filesize

      512KB

      MD5

      99faf9a69d3cc29c3f509e62e3e710fe

      SHA1

      7dbe191a020d6912802af38c99db60647c17485b

      SHA256

      3b16033f2b77417f32827ac90734ec4197e947b2e5f512fca3e8d9912806060f

      SHA512

      d269d2cf99c178b0f26a53b49425e6ebceacaed3ae2906bc86c83cd90fc2747180480da0d2af88378d96b02b2e6e61e559cac56a239e549496b6a731d589d7b4

    • C:\Users\Admin\AppData\Local\Temp\TCD2D4E.tmp\gb.xsl

      Filesize

      262KB

      MD5

      51d32ee5bc7ab811041f799652d26e04

      SHA1

      412193006aa3ef19e0a57e16acf86b830993024a

      SHA256

      6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

      SHA512

      5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

    • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

      Filesize

      239B

      MD5

      12b138a5a40ffb88d1850866bf2959cd

      SHA1

      57001ba2de61329118440de3e9f8a81074cb28a2

      SHA256

      9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf

      SHA512

      9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

      Filesize

      3KB

      MD5

      c441a5875e1b53ba06b59c06351b1f2e

      SHA1

      aa0139fc39b53514841466340ee20d074bff4ad1

      SHA256

      96a2fd11685a0675ed04cff59331dea7ddfa18e6f13de500ddb6231aaea2f70d

      SHA512

      d7228600487f19aa67592b01812d1ffb862018d55b926eeb42abe563f475efee48ae2a258d1aeb270c0807d9cab7537ea8867726b3b5d4a7b7f178cfab028d9f

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

      Filesize

      3KB

      MD5

      cdfb4dd464c9b36426041ccac8036ab8

      SHA1

      2351a265c186643e6c771d6c019873a7c6e4dfcd

      SHA256

      bcbaa0be4e42cda3c788731fba120b4aee19be69b380c42307360cc9f6fec379

      SHA512

      d3d1e860e042c676cc8907e0be3b169568c4d6d581d5354c0b13ab099ebe24b28ce6a740cdaa2026abad46d37ce95588ef10571154ca553ab01fd35c7044e3b3

    • C:\Users\Admin\Documents\CheckpointSplit.doc.exe

      Filesize

      512KB

      MD5

      f1945245ab348f0eaefe1488dbef4c9f

      SHA1

      86db08f0952c7a6857be1bbad5ad7a8af1880ca3

      SHA256

      32f7c9c20aa4c7c8653b973d5f8c53cb99d166d858b899a67ef53817fe227a42

      SHA512

      5dfe03e4e36ad1b626893a6955027355b61f92cee7c819fa50384e8b9240f28bb167840f516b162218babbbaaf6ef3d4e7aa27ab62b3398de26e94732d07f122

    • C:\Users\Admin\Documents\SendStart.doc.exe

      Filesize

      512KB

      MD5

      fe078d20d9f25e2f4181bbd30025f3a2

      SHA1

      81771e8def8815037233bac1f46c27d867a4bfa4

      SHA256

      1a57dd9eea0d60fd4cb379345bf63fef208c709c4bdd7b5eaef22603c95ba4b1

      SHA512

      d090981096990fd6a1321101fc3a4e2ba22483c2c70a787ad6f948cd8950ce116b7e8f345749bc81b92cdd68f1f13e75f98d728800dde403eeaafc94cd1de860

    • C:\Windows\SysWOW64\agctnxpnsgeaz.exe

      Filesize

      512KB

      MD5

      2ec3584f78700385cd549ca69f1d1577

      SHA1

      4f4f46291d66345d62cbf8888874257842da7074

      SHA256

      bc2db8aa09375027cae7de6615786d86fe6ba13b9490512675e7cac657450ec1

      SHA512

      b31df70f13a77ef04a026bff2b9546b660af03c314a8514f0e5d83f551df67091adb3458f2364c1cf47a8250ca08ecd9f991de30fb24e83a8a542c7c1ddd53cb

    • C:\Windows\SysWOW64\qrwqthkqqu.exe

      Filesize

      512KB

      MD5

      cce95e58b13ad2712508ed6ebe06db5d

      SHA1

      7e9d83c73e2904c934e318bcb88e756ee04609be

      SHA256

      f0de4a0f2a7ec9d2b56a4e48b7b0251647d0ee322477025f66bc97ecaa10e85a

      SHA512

      4d968ec97a4d3c13d254ed6aee9f64407f021b1c9359b1701efe2cb099d268b4ea7d4619868b91ea5c38cd1c18a96cf3c322c0394c01d5386f12d21fc994dbd1

    • C:\Windows\SysWOW64\wweryzty.exe

      Filesize

      512KB

      MD5

      c751c6fb65dd04bfa8967ff107dcfd1e

      SHA1

      19b584c3562da0291f33e53f987192fd08046c4a

      SHA256

      cc0e083928f22297dfb99635e5a6a79388a158f119cb8dae1fcfdc357c5a5490

      SHA512

      e1e11c5b9e7846c9a914a849ad5213d601c47400d16255b93aba85839255f172d0beed997b2334679eb24a9379c5e8756919f4046633a30bcc9e096d74054a1f

    • C:\Windows\SysWOW64\xidomtmniciiejk.exe

      Filesize

      512KB

      MD5

      21d097d2aa435fb1477f44c33b19f340

      SHA1

      4728650e9a4d4de4546f7f5760661a9e8351e3f9

      SHA256

      7ec77dc2f7980466ff5d0b404f597c0e0acc377a79464d51c19949ffb868989b

      SHA512

      106c4a4013f516bf42555caa1226ce73c04a4f94396e35851fb229099eb34983a81812ecbf60898a2a26bd4e3168a3656358963546709f8c24618aacabc0ff09

    • C:\Windows\mydoc.rtf

      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    • \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

      Filesize

      512KB

      MD5

      ace697b7cd59eb1643a6847fba065594

      SHA1

      511ac4f9123cabb832ccfc2826d6f426843cb922

      SHA256

      a9ab5e18d45e4662d3d3b3d6bcf0a9a6a655d344f013b56328b5aec2ffc5ddf8

      SHA512

      b5c4e2c3c44ca6b2a845156ecb2148ee7c79508eeb668d078213ada4c7f98bbee94b8fe5d4f13c3bc34ebbcdcf9397e635cf0f698b3a4cdce786ff22d5763d96

    • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

      Filesize

      512KB

      MD5

      4ad8649b625570bbd7e723a6d65f0abc

      SHA1

      1eef6155bc9b2055a4ecfaa6fb3764d16c42fda9

      SHA256

      919a345b63afcb81681c8be0f099ec90ed40a5da3c7827e8d1f989f07262d140

      SHA512

      d485b92898e0dff89b2aace0064acd8d481bee7679c250482e40c6564fca34466df3a10d464ee0a23b3f5d96b7ec583ee371c3a8fc0bb3b8c5396b93746ab033

    • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

      Filesize

      512KB

      MD5

      99f84c98cf8a0e15a814c54874cc9281

      SHA1

      2e142eb8d98f9b7bd5d791de73341a8ba55e78ed

      SHA256

      4290058335ee1df72cd27c89e176855ec7a9fde776e6efcb70fdaf2e89bf63c2

      SHA512

      298de5e9b11443ea204dcf6a1207d22b0613f5409cf473449351b6c797ba3622c3ec52cbc3b5a1fff73eac0da73d4a35317acbfe7db00a8310bc4c870c3b9a77

    • memory/3736-39-0x00007FFD326F0000-0x00007FFD32700000-memory.dmp

      Filesize

      64KB

    • memory/3736-38-0x00007FFD326F0000-0x00007FFD32700000-memory.dmp

      Filesize

      64KB

    • memory/3736-40-0x00007FFD2FD90000-0x00007FFD2FDA0000-memory.dmp

      Filesize

      64KB

    • memory/3736-36-0x00007FFD326F0000-0x00007FFD32700000-memory.dmp

      Filesize

      64KB

    • memory/3736-37-0x00007FFD326F0000-0x00007FFD32700000-memory.dmp

      Filesize

      64KB

    • memory/3736-43-0x00007FFD2FD90000-0x00007FFD2FDA0000-memory.dmp

      Filesize

      64KB

    • memory/3736-35-0x00007FFD326F0000-0x00007FFD32700000-memory.dmp

      Filesize

      64KB

    • memory/3736-604-0x00007FFD326F0000-0x00007FFD32700000-memory.dmp

      Filesize

      64KB

    • memory/3736-605-0x00007FFD326F0000-0x00007FFD32700000-memory.dmp

      Filesize

      64KB

    • memory/3736-606-0x00007FFD326F0000-0x00007FFD32700000-memory.dmp

      Filesize

      64KB

    • memory/3736-603-0x00007FFD326F0000-0x00007FFD32700000-memory.dmp

      Filesize

      64KB

    • memory/4588-0-0x0000000000400000-0x0000000000496000-memory.dmp

      Filesize

      600KB
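A hunt for the on-disk artifacts listed under Downloads above, written in PowerShell as an added example; it is not part of the Triage report and not the sample's own code. The SHA256 values are copied from the list above. Note that every dropped copy is 512KB but carries a different hash, so the hash set only finds files from this exact detonation; the durable indicators are the two naming patterns the list shows, a document name with ".exe" appended (which Explorer displays as a document once file extensions are hidden) and an unsigned, random lowercase-letter filename in SysWOW64. The search roots, the document-extension list and the size cut-off for hashing are assumptions.

```powershell
# Added hunt script, not part of the sandbox report. Hashes are copied from
# the "Downloads" list; search roots, extension list and the 1MB hashing
# cut-off are assumptions chosen for this example.

$knownSha256 = @{
    'f236c7797ba80626f23048c995d7109c1de3dbd9474b07933efeac5abca711b1' = 'submitted sample'
    'f0de4a0f2a7ec9d2b56a4e48b7b0251647d0ee322477025f66bc97ecaa10e85a' = 'SysWOW64\qrwqthkqqu.exe'
    'cc0e083928f22297dfb99635e5a6a79388a158f119cb8dae1fcfdc357c5a5490' = 'SysWOW64\wweryzty.exe'
    '7ec77dc2f7980466ff5d0b404f597c0e0acc377a79464d51c19949ffb868989b' = 'SysWOW64\xidomtmniciiejk.exe'
    'bc2db8aa09375027cae7de6615786d86fe6ba13b9490512675e7cac657450ec1' = 'SysWOW64\agctnxpnsgeaz.exe'
    '32f7c9c20aa4c7c8653b973d5f8c53cb99d166d858b899a67ef53817fe227a42' = 'Documents\CheckpointSplit.doc.exe'
    '1a57dd9eea0d60fd4cb379345bf63fef208c709c4bdd7b5eaef22603c95ba4b1' = 'Documents\SendStart.doc.exe'
    '3b16033f2b77417f32827ac90734ec4197e947b2e5f512fca3e8d9912806060f' = 'Office16\1033\PROTTPLN.DOC.exe'
    'a9ab5e18d45e4662d3d3b3d6bcf0a9a6a655d344f013b56328b5aec2ffc5ddf8' = 'Office16\1033\PROTTPLV.DOC.exe'
    '919a345b63afcb81681c8be0f099ec90ed40a5da3c7827e8d1f989f07262d140' = 'MSDRM\MsoIrmProtector.doc.exe (1)'
    '4290058335ee1df72cd27c89e176855ec7a9fde776e6efcb70fdaf2e89bf63c2' = 'MSDRM\MsoIrmProtector.doc.exe (2)'
}

# Assumed search roots: the three locations the report shows copies landing in.
$roots = @("$env:SystemRoot\SysWOW64",
           "$env:ProgramFiles\Microsoft Office",
           "$env:USERPROFILE\Documents")

function Find-ReportArtifacts {
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Recurse -File -Filter '*.exe' -ErrorAction SilentlyContinue |
            ForEach-Object {
                $reasons = @()
                # Pattern 1: document name with ".exe" appended (CheckpointSplit.doc.exe, PROTTPLN.DOC.exe).
                if ($_.Name -match '\.(doc|docx|rtf|xls|xlsx|pdf)\.exe$') { $reasons += 'double-extension' }
                # Pattern 2: random lowercase-letter name directly in SysWOW64 without a valid
                # Authenticode signature (legitimate Microsoft binaries there are signed).
                if ($_.DirectoryName -ieq "$env:SystemRoot\SysWOW64" -and $_.Name -cmatch '^[a-z]{8,15}\.exe$') {
                    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                    if ($sig.Status -ne 'Valid') { $reasons += "random-name-unsigned($($sig.Status))" }
                }
                # Exact match against this detonation's files; every one of them is 512KB,
                # so only small candidates are hashed.
                if ($_.Length -le 1MB) {
                    $h = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash.ToLower()
                    if ($knownSha256.ContainsKey($h)) { $reasons += "sha256:$($knownSha256[$h])" }
                }
                if ($reasons.Count -gt 0) {
                    [pscustomobject]@{
                        Path    = $_.FullName
                        SizeKB  = [int]($_.Length / 1KB)
                        Reasons = ($reasons -join ', ')
                    }
                }
            }
    }
    # The decoy document WINWORD.EXE was launched with, per the process tree above.
    $rtf = "$env:SystemRoot\mydoc.rtf"
    if (Test-Path $rtf) {
        [pscustomobject]@{ Path = $rtf; SizeKB = [int]((Get-Item $rtf).Length / 1KB); Reasons = 'decoy-document' }
    }
}

Find-ReportArtifacts | Format-Table -AutoSize
```

The double-extension and unsigned-random-name checks carry the weight here; the hash table is included so an analyst can confirm a host was hit by this particular detonation's files, and a match on the pattern checks alone should still be treated as a finding even when no hash matches.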