Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-06-2024 05:10

General

  • Target

    a81b54183962d320b915383292f0f750_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    a81b54183962d320b915383292f0f750

  • SHA1

    cc2c84c9f066dde2366ab449105447a8cae78344

  • SHA256

    f73a49608e21884caf0716fdfe24f2df54c105e30906971a5ecee65da5c9e869

  • SHA512

    e2431728209cd5974f9e6353870400e7ed84b4b5450734b8416a9162e052b2d6957c3599516161e08a07d47da2e1ac9a4d42cf6ca87f6f32d343eb4da4e4a5fb

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6g:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5x

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 8 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1152
    • C:\Windows\SysWOW64\rcbjccjowo.exe
      rcbjccjowo.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:4084
      • C:\Windows\SysWOW64\edixjzfk.exe
        C:\Windows\system32\edixjzfk.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:3368
    • C:\Windows\SysWOW64\ngopygqdgwwunad.exe
      ngopygqdgwwunad.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3776
    • C:\Windows\SysWOW64\edixjzfk.exe
      edixjzfk.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3692
    • C:\Windows\SysWOW64\iyliqdhuvnsov.exe
      iyliqdhuvnsov.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1100
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:3668

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

    Filesize

    512KB

    MD5

    869d04908f5534d31eb5871fa0df5f5f

    SHA1

    6ee65eb1db8b3ab997189db2050e6c331e72071a

    SHA256

    0cfa3044411d726d08e9efcabe016fc4495077476916726786982733c0f8c134

    SHA512

    3bfd77ad8ca7885415b43fc36d43c78614073f8e0a582648c0e580abcee1ca40f22b2ae3528f29c0d8b23f8628fe1bb0767818a132daa455bbedf0ef9658070c

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

    Filesize

    512KB

    MD5

    263fb6267154a40bc067c78749f78a44

    SHA1

    63fba2b8850137780f7a90be74e9a63b6ee40f88

    SHA256

    2e2f66ef0a8f3894bdf8846fc5ad0d98307698fba5fbdbf9eba151e983a58a56

    SHA512

    85006c4a5620245828bcf339f4f2e24bc8d8061d14ce3e65b540d24aec161e0b4097abf9b616665362d908d2599765503eae2c7ae09b75f996c83ec93072bcba

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

    Filesize

    239B

    MD5

    42033c511bcc7e1970e3c45cb786f794

    SHA1

    85fd47e439588b9c25090a0b4e80708c70652403

    SHA256

    62d541335dd2c855f8cf2c10b799aa5b4462fb9d799282a6a6acf5a747bdbfc6

    SHA512

    c121ce2191dd3d934458ca89f7c2a9b533081e0675d1deaa703539b61424a3c47b8c2138bda3b31ecfcd05c520a5a23010e4c6d6b0e2d4c629ac76b22b163b26

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

    Filesize

    3KB

    MD5

    e05de15160188acef7ccd511140668bc

    SHA1

    c6ff773ec37e4e3157604ea4c46b335d67dacce4

    SHA256

    d507bcff08f00b14f8e2353bc13b5c961d7bfcd2965a0498c4cae5c6145a8ed9

    SHA512

    cc57c9c94705fd6b2eba4a1f7041a2dc59b9d40f9c491c20af8ad063e06d0b1d032f9ae680da271fedd4e732a9cbcac41418dc75725d5ff7240e4c99600a537a

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

    Filesize

    3KB

    MD5

    3fa8393a19e5bb7bb2ca21f609cb8f48

    SHA1

    d21c8bb86fe108f21bed5647656c2af6aa6dd0e5

    SHA256

    2db368e1aa4316efb897e4cd4a55ef2669ecccac6bb2becccb0cc3fe946e386c

    SHA512

    b11615dad1648757d755a73da90268e2cf8051262fb3b13537d7b236e9905668093e7e117bb922e7004dd711e21dafb4ceb9de2a797fab8c95a9b7d8b82c3c41

  • C:\Windows\SysWOW64\edixjzfk.exe

    Filesize

    512KB

    MD5

    e0fd02d6537ce46e72bddf928c784233

    SHA1

    763bc8495c1e13c1542b9e43d281b08612cb6afb

    SHA256

    350c020fcc96ac3153ff97551a61d7303a9b19109c1610d456a55e8678d7bcf4

    SHA512

    dea7492c1df090d44453bf9cde7314a376bd8195a50b55fdc5f79314e4b811e4debe191dd34a00240f092aa2bc08f97b49b1fe9ef65de72fbadcef46c2ea4352

  • C:\Windows\SysWOW64\iyliqdhuvnsov.exe

    Filesize

    512KB

    MD5

    7695ffe8c73a0fa20616095fc195a075

    SHA1

    df8c99fc4a726aae9c680703b9d42bf9732d908a

    SHA256

    531067e90506abbe561fcc0644bb46c03c555d62243dcaf75835013b6f1a22d1

    SHA512

    43d4e0f93d8adb09c93cf62a8f9ed43f703081f489bb4ca237916e4cf58f99c1cd490da783351bcab5aef71a321e96452a39f65262acac0ea5227082a99f18ee

  • C:\Windows\SysWOW64\ngopygqdgwwunad.exe

    Filesize

    512KB

    MD5

    6837e77de8e8a2bf86432ee6e28511c8

    SHA1

    61e683d9049ec0e8c0850b5d01947d53ef2e5c71

    SHA256

    008548db3685e1bdd320954feca031526ced02cdf88b00ac1b8775369a96ea8f

    SHA512

    9f5b6ea14afb2e0532b32312d70fa1e499c454c55f3c027164d9330f62477d60748dbd0d95e465a749c32c2b919c3f5c0f6c68795fb9609345ddf5c2d3e4f568

  • C:\Windows\SysWOW64\rcbjccjowo.exe

    Filesize

    512KB

    MD5

    abfc6f7d5767ebbffb413ff52b08418a

    SHA1

    33128ca0160cf2666d8f75440eb2544cf816c09d

    SHA256

    421f9bcd574a9df3862b0f44f39962d1207c9dce0f174fa5b3d72803a17e5af1

    SHA512

    e3cc05dd425d2e4987a88765c71b3b9580d37912caf69910f9ed1f168cd6ad00bcbac830fe74f26882c8bbd449d7c2725481833255d7d375ac49c1660b787a43

  • C:\Windows\mydoc.rtf

    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

    Filesize

    512KB

    MD5

    60488a002d34c5dac332c54471729600

    SHA1

    47626fb35dd4d0f0c1ec0b1cd72a7459a36d3e03

    SHA256

    84ce0379359ae08745acd34c6e6042284ab5ce5c53db748ff941a8caa074e8c7

    SHA512

    526fa79016f906766bccd5cd59e7280f20978f44b8851050503490f7301fe9452da00e9459789b502ac8ef07079fb4ee47288cb57015b038450a7db265771102

  • memory/1152-0-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB

  • memory/3668-37-0x00007FF9117F0000-0x00007FF911800000-memory.dmp

    Filesize

    64KB

  • memory/3668-43-0x00007FF90F790000-0x00007FF90F7A0000-memory.dmp

    Filesize

    64KB

  • memory/3668-42-0x00007FF90F790000-0x00007FF90F7A0000-memory.dmp

    Filesize

    64KB

  • memory/3668-41-0x00007FF9117F0000-0x00007FF911800000-memory.dmp

    Filesize

    64KB

  • memory/3668-40-0x00007FF9117F0000-0x00007FF911800000-memory.dmp

    Filesize

    64KB

  • memory/3668-38-0x00007FF9117F0000-0x00007FF911800000-memory.dmp

    Filesize

    64KB

  • memory/3668-39-0x00007FF9117F0000-0x00007FF911800000-memory.dmp

    Filesize

    64KB

  • memory/3668-108-0x00007FF9117F0000-0x00007FF911800000-memory.dmp

    Filesize

    64KB

  • memory/3668-109-0x00007FF9117F0000-0x00007FF911800000-memory.dmp

    Filesize

    64KB

  • memory/3668-110-0x00007FF9117F0000-0x00007FF911800000-memory.dmp

    Filesize

    64KB

  • memory/3668-107-0x00007FF9117F0000-0x00007FF911800000-memory.dmp

    Filesize

    64KB