Analysis

  • max time kernel
    149s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    25-06-2024 09:13

General

  • Target

    0d8007c628a5c009d3d2b6aa53e6cc0a_JaffaCakes118.exe

  • Size

    224KB

  • MD5

    0d8007c628a5c009d3d2b6aa53e6cc0a

  • SHA1

    3ad7496a74762cae06b394a32dc8832611b20df8

  • SHA256

    d26dc3afdc474fc8170c92fabdab98bf97176635d36fc3a1c8a7f76e77f43b6a

  • SHA512

    6711b4bceda2396f63cc97b26e4884341bca1625a627044ce65195f0d787d8697fb8f550008b5e6ef9771a149aa010d96116dc9cae44728823014f70ec49c596

  • SSDEEP

    3072:1ma9v8Isvh3Tg93yDxkWD8bENk4Dy1lxeMV37q/LwmfYS:Up3Tg93yDxkWD8bERDy8MFq/Ldw

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Document created with cracked Office version 1 IoCs

    Office document contains Grizli777 string known to be caused by using a cracked version of the software.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0d8007c628a5c009d3d2b6aa53e6cc0a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0d8007c628a5c009d3d2b6aa53e6cc0a_JaffaCakes118.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2824
    • C:\Users\Admin\AppData\Local\Temp\rundll32.exe
      "C:\Users\Admin\AppData\Local\Temp\rundll32.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1632
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2716
        • C:\Windows\SysWOW64\reg.exe
          C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
          4⤵
          • UAC bypass
          • Modifies registry key
          PID:2576
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\SENARAI CALON BN PRU 13.doc"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1056
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:3064

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\SENARAI CALON BN PRU 13.doc

      Filesize

      82KB

      MD5

      7866ebcba567d0384a4173c44bde6163

      SHA1

      881da445f78b8ba92eddd7eb533dcb0027cd60f4

      SHA256

      ca193036f99a12ed1d89bc434d5b194631f83bc9bd6d4eba92e6403862c800ed

      SHA512

      c3fe4cbb393c72277855f8bbc657bbf6004b462a0ec9b2ca27c2a587055395b890b91a89a543ab33d058d864c636dc196b944ca1668515dd4f9bf2e9e8a4f9b5

    • C:\Users\Admin\AppData\Local\Temp\rundll32.exe

      Filesize

      73KB

      MD5

      716d1b5f9d25d9374208ace7bfda7494

      SHA1

      e27e3c9551952c6b16664138ea6393682161bb51

      SHA256

      2b9fd5444bf32bb57619496751620b6f03d044e6a7d6c1ec734be1dbcbb477e5

      SHA512

      6016aac7c48d7d4a3b322ff77461b229fd6ec2915e4187a0f0259de0cb21446813dfe68d82a7216a21ac28de211e75ff1f0968d3869b0c454c78716cf7d74146

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      20KB

      MD5

      aada3c138c52b61e44144116f98b4072

      SHA1

      f69251f21ee03cf47ad4e200f7b16b298ae2f436

      SHA256

      b46fd3bbef57bf177e8fb002c9592aa110490f9b718ff490c07deded84b20f57

      SHA512

      7dcf6c6b20348c945f4c899c08f9e701292c20838bf1467fbbdb74c0fb95f96bde611cef82c89067c898dacbe464c5d68123ee0713a0dfbea971e1cba8fa1c2b

    • memory/1056-15-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/1056-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/1056-28-0x000000006E77D000-0x000000006E788000-memory.dmp

      Filesize

      44KB

    • memory/1056-11-0x000000002FFB1000-0x000000002FFB2000-memory.dmp

      Filesize

      4KB

    • memory/1056-16-0x000000006E77D000-0x000000006E788000-memory.dmp

      Filesize

      44KB

    • memory/1632-14-0x00000000024B0000-0x00000000024F0000-memory.dmp

      Filesize

      256KB

    • memory/1632-12-0x0000000000C10000-0x0000000000C28000-memory.dmp

      Filesize

      96KB

    • memory/1632-26-0x000000007409E000-0x000000007409F000-memory.dmp

      Filesize

      4KB

    • memory/1632-27-0x00000000024B0000-0x00000000024F0000-memory.dmp

      Filesize

      256KB

    • memory/1632-10-0x000000007409E000-0x000000007409F000-memory.dmp

      Filesize

      4KB

    • memory/2824-0-0x000007FEF571E000-0x000007FEF571F000-memory.dmp

      Filesize

      4KB

    • memory/2824-13-0x000007FEF5460000-0x000007FEF5DFD000-memory.dmp

      Filesize

      9.6MB

    • memory/2824-7-0x000007FEF5460000-0x000007FEF5DFD000-memory.dmp

      Filesize

      9.6MB

    • memory/2824-2-0x000007FEF5460000-0x000007FEF5DFD000-memory.dmp

      Filesize

      9.6MB