Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
  • submitted
    14-06-2024 05:10

General

  • Target

    a81b54183962d320b915383292f0f750_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    a81b54183962d320b915383292f0f750

  • SHA1

    cc2c84c9f066dde2366ab449105447a8cae78344

  • SHA256

    f73a49608e21884caf0716fdfe24f2df54c105e30906971a5ecee65da5c9e869

  • SHA512

    e2431728209cd5974f9e6353870400e7ed84b4b5450734b8416a9162e052b2d6957c3599516161e08a07d47da2e1ac9a4d42cf6ca87f6f32d343eb4da4e4a5fb

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6g:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5x

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 7 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3052
    • C:\Windows\SysWOW64\dvxnsgsmlh.exe
      dvxnsgsmlh.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2452
      • C:\Windows\SysWOW64\ogzbujjx.exe
        C:\Windows\system32\ogzbujjx.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2964
    • C:\Windows\SysWOW64\ddesmzanjwpiaey.exe
      ddesmzanjwpiaey.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2368
    • C:\Windows\SysWOW64\ogzbujjx.exe
      ogzbujjx.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2816
    • C:\Windows\SysWOW64\dajnsgqydykma.exe
      dajnsgqydykma.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2820
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2736
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:2892

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

      Filesize

      512KB

      MD5

      d45a2927096c3aed6e76cf12e1cf38d5

      SHA1

      97c17e71daa2940d319c4dfd6c601403661809de

      SHA256

      c045a34620f5c885935c72e0b5e0f6e6da8ae76d93895db66782977e88a2218d

      SHA512

      43fa8d9d7a4625ee9030da24894d7e6e67e3c8e404096046e64de207f86414e14e50f23708b5291709a6e1006f3fae2702aca7add2deb3af7d3ca63be6b663b8

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

      Filesize

      512KB

      MD5

      a06d6a87cb182aa76c37b2aac97ac856

      SHA1

      07ed1d4ae2d2b4e4820451974e8fae9513f97f09

      SHA256

      0473f0c325ec4757c380f7477041041a4e83edf68b0a1145fb5bdf3ba7d3998a

      SHA512

      c08315e7d422f9aa6c3ea7a99b3fe10890ec7a9f9ec57726eb614adc40db89a0a76c4d19f028aa7176ca2c575b2f253f84bd866d21dc725a070109419eb4324f

    • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

      Filesize

      64B

      MD5

      c926ba39a643f83c53888eee74b96320

      SHA1

      2bad2e32ab12d4552ca916d84cf6e0f016cc99dc

      SHA256

      27ab99c0b4149309d8c3c65446ec6f2b68e176fc7ece2e70f890024f8d3a4735

      SHA512

      b345b28a88a32e27269c60283852ebf3486897d1be4414508ba1e974d17d57748854a67a02f0bac0f71fc6b3d35847539ad548c316b03f0222318fcfc4b90374

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      20KB

      MD5

      c1e2993b97c610bd21284e08cd219264

      SHA1

      cd61d8ddba7cde15f28d307472062098349eda8e

      SHA256

      5967b6932e899adab7ee834e860d0c3b9d6be26fb46465b8eb7214ec4d1b1649

      SHA512

      831102ba60d0c18de440ea5009df97671fb38441bbc0567d7bbc55529d1eaa09fd45d1fa3d588ea9409e034d6f5e2c5003a570c5c4d62dd60288e0435e3036c3

    • C:\Windows\SysWOW64\dajnsgqydykma.exe

      Filesize

      512KB

      MD5

      772dbb34b62767db6fa9a8805c37d431

      SHA1

      003591d11bee7351a1b154cfedfde293e2320f57

      SHA256

      ea0c33806c2629ce5bf5b6582bfa16393bf9dd8101b1bf82241cc1cb0cac9eee

      SHA512

      a4f4125114561bd8b4c2e275e725cef7e65780c8baafe2d5ee79b9996ec9ce35730e14695e3f7f50c17f8c11b5b499624df9751b727ab8c4385f82ef78c9d17e

    • C:\Windows\SysWOW64\ddesmzanjwpiaey.exe

      Filesize

      512KB

      MD5

      1ffd9f5613a6eb41657c522a1fcb870d

      SHA1

      787b43b2b61b92fd9d78dfe57a9f866047c83d82

      SHA256

      702b1781fb58d26477678878ac1ece4cc046d5a7fb778731c47a08a2162b06fc

      SHA512

      49af1f9a17a56b153f9178219588ed7998b706c4eada6d5b6f1eef46462b401912f129675c72efdd06b0b16dc874b87946d0c8e4d4f1272b7b39ea14050d4d00

    • C:\Windows\mydoc.rtf

      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    • \Windows\SysWOW64\dvxnsgsmlh.exe

      Filesize

      512KB

      MD5

      fb46b48ff584bc4c38f14d4f5421bf2b

      SHA1

      7f9343c8688ee6387978e84a257097149eb0805c

      SHA256

      8c2826f6962a313929ba27d38a191edb11d6cfefaefe8582816d88257b65b1c4

      SHA512

      992ac7a213c7b6432723e3a4f052ca65abe42b2f07615e13daa3b01fe2ffc8acf4aa9a1eb0c90ed22b610ed7e6592a8d37ad86d330cb9186c67869312324c693

    • \Windows\SysWOW64\ogzbujjx.exe

      Filesize

      512KB

      MD5

      fc1937a83b2c273df3c8dcc87ef8006e

      SHA1

      16e517167ef46e1bb3a4fbcec8368272913889d3

      SHA256

      0fdcc5b9215834f3abe0d4efeb55c8624cfc6800c49a503594daca4022f751af

      SHA512

      86e6a5fe28a0d72735d7d38a44245090e147f90a684ab29724e3844285cb7217bbed35b958ba2e06f69a41a4fd2f0c791bb9153b06b849a0ca7c2af27e21889a

    • memory/2736-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2736-93-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/3052-0-0x0000000000400000-0x0000000000496000-memory.dmp

      Filesize

      600KB