Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    14/06/2024, 20:47

General

  • Target

    ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    ab62eae5f5ab1247553f9e43c703b05a

  • SHA1

    bf3c54fe6ee69d0a854e27ab1a9fb195edebfdfe

  • SHA256

    762ba6421a898f1929e1a2ebfdcb3bd6872e0e6ce1f2ecd698b176542e6677c9

  • SHA512

    6a32b7057e2e2e82506680d249bae0a675006598671cfef8e613e18d621c24810b07d5e6bf64bc9d4d0af32f33632be9dec887d1f61effe3edbed456b4ab3664

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6T:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5g

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 6 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 21 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2188
    • C:\Windows\SysWOW64\cpnaibpudi.exe
      cpnaibpudi.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:3056
      • C:\Windows\SysWOW64\piujclyl.exe
        C:\Windows\system32\piujclyl.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2088
    • C:\Windows\SysWOW64\rmlsqoxmjmptacf.exe
      rmlsqoxmjmptacf.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2132
    • C:\Windows\SysWOW64\piujclyl.exe
      piujclyl.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2680
    • C:\Windows\SysWOW64\mlzstnahcltyx.exe
      mlzstnahcltyx.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2636
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2628
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:2812

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

      Filesize

      512KB

      MD5

      0bd0689f44a4e33c87f04633478c571d

      SHA1

      f6eb7a9826c3e6964a669a42b7a5c07d7bd91411

      SHA256

      68cc02dd45614a586707f71e0f1f030f65393dd889602fef405ad5837a818790

      SHA512

      a734e0b8e8ac2a947e7e4809d745e2bda45a3070b70b630374f7d539abf531acc670998af3bc80d07a350f7100ec8e6b484a03bd53473323596842064142e8e6

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      20KB

      MD5

      a9f4d558572c3a841b84915be2b01897

      SHA1

      ea05563406ea5b2b08d985b1deb187c146020770

      SHA256

      10ed55ae2df6642e0685d5d1b4a3168dd5a045ac2c598eaf3536e4e51bba3eb4

      SHA512

      bd87b5e8fedbb1930cec83a73f7ed1adb3332d74d421a29f905941005381d3ad6b0d75f7f9bc7bcee8a687ab1ee92940af76c484edf268d172c9098ca3408fa3

    • C:\Windows\SysWOW64\piujclyl.exe

      Filesize

      512KB

      MD5

      27391b0c1bd8ae76fd67ab43c158aa97

      SHA1

      d0f38e3682b24aa09c0fe2a60749639000069232

      SHA256

      7619ca56920c233509b4dfb480a3fd62995292c0741955129343d51d77ca37cb

      SHA512

      133f721041b8f22f44adb94511a56bc4a1a44df563f34f5e62c88d68e357ad0d138681f82ad28cc1edfe8eb2e14fb6525a0451464ff2a87c62b8e81702ba397f

    • C:\Windows\SysWOW64\rmlsqoxmjmptacf.exe

      Filesize

      512KB

      MD5

      34bde89a1317a2472b460b49e9940e79

      SHA1

      181e9e27191aac2a77af31db82101b42ea4fd5df

      SHA256

      ac7b5434370aff720bbba0b809b59d1848188f5409be4ba555961594d35e984d

      SHA512

      d47fd1058d7124f8c1ecfd02880a35e0b56444780931c6d9dcfa9554d11c30080807b18fd56272d318f48178fc23cf2e95412261410aca7afa64a37f37fb9055

    • C:\Windows\mydoc.rtf

      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    • \Windows\SysWOW64\cpnaibpudi.exe

      Filesize

      512KB

      MD5

      dcccc41e1b55806a27b529fb759d9ee6

      SHA1

      16d55a23409ccf1861d810426d4b68d1fe156bca

      SHA256

      e426e6ac4920090516d0d8be4ea71c47d622c4c3fd8620500ea2dfd958153df1

      SHA512

      94abc80911aee004e11fdb0703441d930147a8ce2180b2ca8b7501d9f49bb96f366eb176e783a5cebc42f3934857916831ab5a2223522247e1e03a3684094b3f

    • \Windows\SysWOW64\mlzstnahcltyx.exe

      Filesize

      512KB

      MD5

      9eebbbe3115e5ce0d43359dd6a9926c9

      SHA1

      702d3d255aa5847bde10ce8d6274c9778d971691

      SHA256

      9477eed36f6f39086a8b90db732e50ce4bd6ccf46f7ab3dcd8093e2fc22ca7de

      SHA512

      8a8b96ec207bd0187a71a28138a06822d2569c8da22caad2ec093640ac6af9110183f30856f5d1b568d853fd21fe72b64b189c9279a7c3648e67e6306560c77f

    • memory/2188-0-0x0000000000400000-0x0000000000496000-memory.dmp

      Filesize

      600KB

    • memory/2628-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2628-98-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB