Analysis
max time kernel: 150s
max time network: 124s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-04-2024 22:18
Static task: static1
Behavioral task: behavioral1
  Sample: 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe
  Resource: win10v2004-20240426-en
General
Target: 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe
Size: 512KB
MD5: 03c0939221cc821ef6e2c3aba337b6b3
SHA1: 8aa2dcf1b9fa074a4768b1e8f4cf8549cd23d574
SHA256: 9c633bf015525e859c9eda2f617c57e186621a1aaf8425bc8b3957699fe3dcff
SHA512: 199ef1ce49d1e1a7d2763d767d8463c0625bf402e70c53f9210259605c887edc943813c408d260c0d71dfeaaabc0c98ed253dfab7e8ac31788e85880073dbc5b
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6/:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5a
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | hoqhndukez.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | hoqhndukez.exe
Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | hoqhndukez.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | hoqhndukez.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | hoqhndukez.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | hoqhndukez.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | hoqhndukez.exe
Disables RegEdit via registry modification (1 IoC)
Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | hoqhndukez.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe
Executes dropped EXE (5 IoCs)
Processes:
  pid | process
  4916 | hoqhndukez.exe
  2592 | tedgbewhtlxhtdn.exe
  1528 | jxdrhqcs.exe
  2140 | hhojiepeyhbap.exe
  3580 | jxdrhqcs.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | hoqhndukez.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | hoqhndukez.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | hoqhndukez.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | hoqhndukez.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | hoqhndukez.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | hoqhndukez.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\szjtixvy = "hoqhndukez.exe" | tedgbewhtlxhtdn.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\czkgkyyv = "tedgbewhtlxhtdn.exe" | tedgbewhtlxhtdn.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "hhojiepeyhbap.exe" | tedgbewhtlxhtdn.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  description | ioc | process
  File opened (read-only) | \??\t: | jxdrhqcs.exe
  File opened (read-only) | \??\w: | jxdrhqcs.exe
  File opened (read-only) | \??\b: | hoqhndukez.exe
  File opened (read-only) | \??\w: | hoqhndukez.exe
  File opened (read-only) | \??\z: | hoqhndukez.exe
  File opened (read-only) | \??\s: | jxdrhqcs.exe
  File opened (read-only) | \??\z: | jxdrhqcs.exe
  File opened (read-only) | \??\s: | hoqhndukez.exe
  File opened (read-only) | \??\q: | jxdrhqcs.exe
  File opened (read-only) | \??\h: | jxdrhqcs.exe
  File opened (read-only) | \??\t: | hoqhndukez.exe
  File opened (read-only) | \??\a: | jxdrhqcs.exe
  File opened (read-only) | \??\g: | jxdrhqcs.exe
  File opened (read-only) | \??\h: | jxdrhqcs.exe
  File opened (read-only) | \??\m: | jxdrhqcs.exe
  File opened (read-only) | \??\h: | hoqhndukez.exe
  File opened (read-only) | \??\m: | jxdrhqcs.exe
  File opened (read-only) | \??\u: | jxdrhqcs.exe
  File opened (read-only) | \??\j: | hoqhndukez.exe
  File opened (read-only) | \??\l: | jxdrhqcs.exe
  File opened (read-only) | \??\z: | jxdrhqcs.exe
  File opened (read-only) | \??\g: | jxdrhqcs.exe
  File opened (read-only) | \??\i: | jxdrhqcs.exe
  File opened (read-only) | \??\k: | jxdrhqcs.exe
  File opened (read-only) | \??\o: | jxdrhqcs.exe
  File opened (read-only) | \??\y: | jxdrhqcs.exe
  File opened (read-only) | \??\p: | jxdrhqcs.exe
  File opened (read-only) | \??\y: | jxdrhqcs.exe
  File opened (read-only) | \??\b: | jxdrhqcs.exe
  File opened (read-only) | \??\q: | jxdrhqcs.exe
  File opened (read-only) | \??\m: | hoqhndukez.exe
  File opened (read-only) | \??\n: | jxdrhqcs.exe
  File opened (read-only) | \??\l: | hoqhndukez.exe
  File opened (read-only) | \??\s: | jxdrhqcs.exe
  File opened (read-only) | \??\u: | jxdrhqcs.exe
  File opened (read-only) | \??\e: | jxdrhqcs.exe
  File opened (read-only) | \??\a: | hoqhndukez.exe
  File opened (read-only) | \??\e: | jxdrhqcs.exe
  File opened (read-only) | \??\i: | jxdrhqcs.exe
  File opened (read-only) | \??\x: | jxdrhqcs.exe
  File opened (read-only) | \??\x: | jxdrhqcs.exe
  File opened (read-only) | \??\q: | hoqhndukez.exe
  File opened (read-only) | \??\t: | jxdrhqcs.exe
  File opened (read-only) | \??\n: | hoqhndukez.exe
  File opened (read-only) | \??\j: | jxdrhqcs.exe
  File opened (read-only) | \??\j: | jxdrhqcs.exe
  File opened (read-only) | \??\p: | jxdrhqcs.exe
  File opened (read-only) | \??\v: | jxdrhqcs.exe
  File opened (read-only) | \??\g: | hoqhndukez.exe
  File opened (read-only) | \??\y: | hoqhndukez.exe
  File opened (read-only) | \??\o: | jxdrhqcs.exe
  File opened (read-only) | \??\l: | jxdrhqcs.exe
  File opened (read-only) | \??\k: | hoqhndukez.exe
  File opened (read-only) | \??\p: | hoqhndukez.exe
  File opened (read-only) | \??\u: | hoqhndukez.exe
  File opened (read-only) | \??\b: | jxdrhqcs.exe
  File opened (read-only) | \??\a: | jxdrhqcs.exe
  File opened (read-only) | \??\r: | hoqhndukez.exe
  File opened (read-only) | \??\k: | jxdrhqcs.exe
  File opened (read-only) | \??\v: | jxdrhqcs.exe
  File opened (read-only) | \??\w: | jxdrhqcs.exe
  File opened (read-only) | \??\i: | hoqhndukez.exe
  File opened (read-only) | \??\e: | hoqhndukez.exe
  File opened (read-only) | \??\x: | hoqhndukez.exe
Modifies WinLogon (2 TTPs, 2 IoCs)
Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | hoqhndukez.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | hoqhndukez.exe
AutoIT Executable (9 IoCs)
AutoIT scripts compiled to PE executables.
Processes:
  resource | yara_rule
  behavioral2/memory/3112-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
  C:\Windows\SysWOW64\tedgbewhtlxhtdn.exe | autoit_exe
  C:\Windows\SysWOW64\hoqhndukez.exe | autoit_exe
  C:\Windows\SysWOW64\jxdrhqcs.exe | autoit_exe
  C:\Windows\SysWOW64\hhojiepeyhbap.exe | autoit_exe
  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | autoit_exe
  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | autoit_exe
  \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | autoit_exe
  \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | autoit_exe
Drops file in System32 directory (12 IoCs)
Processes:
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\hoqhndukez.exe | 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe
  File created | C:\Windows\SysWOW64\jxdrhqcs.exe | 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\jxdrhqcs.exe | 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\hhojiepeyhbap.exe | 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe
  File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | jxdrhqcs.exe
  File created | C:\Windows\SysWOW64\hoqhndukez.exe | 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\tedgbewhtlxhtdn.exe | 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe
  File created | C:\Windows\SysWOW64\hhojiepeyhbap.exe | 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | hoqhndukez.exe
  File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | jxdrhqcs.exe
  File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | jxdrhqcs.exe
  File created | C:\Windows\SysWOW64\tedgbewhtlxhtdn.exe | 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe
Drops file in Program Files directory (14 IoCs)
Processes:
  description | ioc | process
  File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | jxdrhqcs.exe
  File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | jxdrhqcs.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | jxdrhqcs.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | jxdrhqcs.exe
  File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | jxdrhqcs.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | jxdrhqcs.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | jxdrhqcs.exe
  File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | jxdrhqcs.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | jxdrhqcs.exe
  File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | jxdrhqcs.exe
  File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | jxdrhqcs.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | jxdrhqcs.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | jxdrhqcs.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | jxdrhqcs.exe
Drops file in Windows directory (19 IoCs)
Processes:
  description | ioc | process
  File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | jxdrhqcs.exe
  File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | jxdrhqcs.exe
  File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | jxdrhqcs.exe
  File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | jxdrhqcs.exe
  File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | jxdrhqcs.exe
  File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | jxdrhqcs.exe
  File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
  File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | jxdrhqcs.exe
  File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | jxdrhqcs.exe
  File opened for modification | C:\Windows\mydoc.rtf | 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe
  File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | jxdrhqcs.exe
  File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | jxdrhqcs.exe
  File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | jxdrhqcs.exe
  File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | jxdrhqcs.exe
  File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | jxdrhqcs.exe
  File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
  File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | jxdrhqcs.exe
  File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | jxdrhqcs.exe
  File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | jxdrhqcs.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class (20 IoCs)
Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F268C6FE6E22DCD279D1A68B7F9063" | 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe
  Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | hoqhndukez.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | hoqhndukez.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BC8FAB1F910F1E7830B3B44819C3999B38B02F842600348E2CA429D08A4" | 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | hoqhndukez.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | hoqhndukez.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | hoqhndukez.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | hoqhndukez.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33322C779D5783576A3276D477232CAE7DF465AA" | 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC1B05B4795389953BDB9D332EFD4C5" | 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF9FF8F482F851B9131D75B7E95BD93E64059306745633FD6EB" | 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "183AC77B1596DAC7B8CF7F92EC9737CF" | 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | hoqhndukez.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | hoqhndukez.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | hoqhndukez.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | hoqhndukez.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | hoqhndukez.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | hoqhndukez.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes:
  pid | process
  2112 | WINWORD.EXE
  2112 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (consecutive identical entries grouped, original order kept):
  pid | process | entries
  3112 | 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe | 16
  2592 | tedgbewhtlxhtdn.exe | 8
  1528 | jxdrhqcs.exe | 8
  2592 | tedgbewhtlxhtdn.exe | 2
  4916 | hoqhndukez.exe | 10
  2140 | hhojiepeyhbap.exe | 12
  2592 | tedgbewhtlxhtdn.exe | 2
  3580 | jxdrhqcs.exe | 6
Suspicious use of FindShellTrayWindow (18 IoCs)
Processes:
  pid | process
  3112 | 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe
  3112 | 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe
  3112 | 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe
  2592 | tedgbewhtlxhtdn.exe
  1528 | jxdrhqcs.exe
  2592 | tedgbewhtlxhtdn.exe
  1528 | jxdrhqcs.exe
  2592 | tedgbewhtlxhtdn.exe
  1528 | jxdrhqcs.exe
  4916 | hoqhndukez.exe
  4916 | hoqhndukez.exe
  2140 | hhojiepeyhbap.exe
  4916 | hoqhndukez.exe
  2140 | hhojiepeyhbap.exe
  2140 | hhojiepeyhbap.exe
  3580 | jxdrhqcs.exe
  3580 | jxdrhqcs.exe
  3580 | jxdrhqcs.exe
Suspicious use of SendNotifyMessage (18 IoCs)
Processes:
  pid | process
  3112 | 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe
  3112 | 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe
  3112 | 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe
  2592 | tedgbewhtlxhtdn.exe
  1528 | jxdrhqcs.exe
  2592 | tedgbewhtlxhtdn.exe
  1528 | jxdrhqcs.exe
  2592 | tedgbewhtlxhtdn.exe
  1528 | jxdrhqcs.exe
  4916 | hoqhndukez.exe
  4916 | hoqhndukez.exe
  4916 | hoqhndukez.exe
  2140 | hhojiepeyhbap.exe
  2140 | hhojiepeyhbap.exe
  2140 | hhojiepeyhbap.exe
  3580 | jxdrhqcs.exe
  3580 | jxdrhqcs.exe
  3580 | jxdrhqcs.exe
Suspicious use of SetWindowsHookEx (7 IoCs)
Processes:
  pid | process | entries
  2112 | WINWORD.EXE | 7
Suspicious use of WriteProcessMemory (17 IoCs)
Processes (consecutive identical entries grouped, original order kept):
  description | pid | process | target process | entries
  PID 3112 wrote to memory of 4916 | 3112 | 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe | hoqhndukez.exe | 3
  PID 3112 wrote to memory of 2592 | 3112 | 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe | tedgbewhtlxhtdn.exe | 3
  PID 3112 wrote to memory of 1528 | 3112 | 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe | jxdrhqcs.exe | 3
  PID 3112 wrote to memory of 2140 | 3112 | 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe | hhojiepeyhbap.exe | 3
  PID 3112 wrote to memory of 2112 | 3112 | 03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe | WINWORD.EXE | 2
  PID 4916 wrote to memory of 3580 | 4916 | hoqhndukez.exe | jxdrhqcs.exe | 3
Processes
[1] C:\Users\Admin\AppData\Local\Temp\03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe"
    - Checks computer location settings
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\hoqhndukez.exe
        Command line: hoqhndukez.exe
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - Windows security bypass
        - Disables RegEdit via registry modification
        - Executes dropped EXE
        - Windows security modification
        - Enumerates connected drives
        - Modifies WinLogon
        - Drops file in System32 directory
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\jxdrhqcs.exe
            Command line: C:\Windows\system32\jxdrhqcs.exe
            - Executes dropped EXE
            - Enumerates connected drives
            - Drops file in System32 directory
            - Drops file in Program Files directory
            - Drops file in Windows directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage

    [2] C:\Windows\SysWOW64\tedgbewhtlxhtdn.exe
        Command line: tedgbewhtlxhtdn.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage

    [2] C:\Windows\SysWOW64\jxdrhqcs.exe
        Command line: jxdrhqcs.exe
        - Executes dropped EXE
        - Enumerates connected drives
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage

    [2] C:\Windows\SysWOW64\hhojiepeyhbap.exe
        Command line: hhojiepeyhbap.exe
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage

    [2] C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
        Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
        - Drops file in Windows directory
        - Checks processor information in registry
        - Enumerates system info in registry
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Modify Registry (6)
  Impair Defenses (2)
    Disable or Modify Tools (2)
Downloads

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
  Filesize: 512KB
  MD5: 4212f3b35083714e27745cb3d98300bf
  SHA1: a14212d5cfd561755afd4d71d916fc01bbe1c638
  SHA256: ef11027ba8284944a7e5d94964f0cd84223122e91e69218291fc3861dac3f379
  SHA512: b159e626c45bfbfc2a4762373d6db20afe343a3945d1a313aafa4fdcbcb9581acedff4b937cde6caf44340121ddf0fc6c0ecf7e99e6f649a574f80363cb68d88

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
  Filesize: 512KB
  MD5: cf10c47ef6cc0a051d6c73910b8314de
  SHA1: 359d6447051289ce514d93ffd2e304adc5feb12b
  SHA256: aa8f77594d23808de4639d3e77dd9778205df82206660069998f96c0f9fbabed
  SHA512: 62629d1d0f97ed9f92810e9c1e9ec7ea8894d4b2c56a869eef9dae4f304955d1512614bbbc6ec356588236b75f946078766226756c57f7dc126ea679d2918a99

C:\Users\Admin\AppData\Local\Temp\TCD7F6B.tmp\gb.xsl
  Filesize: 262KB
  MD5: 51d32ee5bc7ab811041f799652d26e04
  SHA1: 412193006aa3ef19e0a57e16acf86b830993024a
  SHA256: 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
  SHA512: 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
  Filesize: 239B
  MD5: b9e1c83ef2ca0d7502a22dab38c5c0d5
  SHA1: 514b446026670de1d7fbfe390ffff7a6a47311cf
  SHA256: e374f4495b7d39c19d88d5303e45924b1330dfa17b231aee726f53f2572a811b
  SHA512: 94251b72c4c0501a4612bef07e569947c681425330f9b2cd2358ce5083662bf8a79bd206e7ea9d2327b07eb71a190486027dafe43dd1313a9a1d0279694b2091

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 3KB
  MD5: e0f4f22debdd7d43668a8637aa2df8f5
  SHA1: 65afb52f6e95b67c127c3ba2dd75168bd135ba1c
  SHA256: a0adb847a9110859c21bc667d73fb73fd7fbb59650abb9fbb7ae73bbf083efbb
  SHA512: cd03f642c67c70229035f90c9df1fe53e04c97db129fbf69175348287e6ebb8c2993723ee887abfb2bd8024ad1efd81a21645014706a6b3d7b7ed8a4cf07b494

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 3KB
  MD5: 98e77ed950a6b6d2e5a2bcb82bffc570
  SHA1: 19f49783b00d70dfc7306bf790533adec4e9707a
  SHA256: 11a2302b104d347466390e0ce4db7169a6b66551e9c3b26ab48c47787f59e9be
  SHA512: 8f7f2dca0fda466b13cfd5e081784291dbefcf32614717ed615369eafff462e0d064e3b1795223a4307438e01de6ea3bcd5b09a02b4e01748c42b814744804f4

C:\Windows\SysWOW64\hhojiepeyhbap.exe
  Filesize: 512KB
  MD5: 767f44e4bd35a198107e81eafa1ca34b
  SHA1: 11146042bcfbaf9b04c49d0d7f6ff901ac0acb9e
  SHA256: c0281c800ff91e2231f09ae4a03faf41b8fb46a8b67ba9851413135255e4e426
  SHA512: 7052ace8b8058778d1a88c44be7ba6ac8bfdb2cd6358811af3671cd1bd250cd9a1900683f35acc5c08c1eaa69ce76873c9c52d37ea03fa6332c60e745959109b

C:\Windows\SysWOW64\hoqhndukez.exe
  Filesize: 512KB
  MD5: 5466049bbba5dd7a807a24205aa1824b
  SHA1: 5d0f2bc9c73125b6b82b11381c9028ea7a195ded
  SHA256: 0ef78ff75810497ecac5e5dbefb9d808759e4b1471bc2378de380c6281f26089
  SHA512: 91ed35190a9fdfdd972dbf776320369ba0a3a3af67c800945b88c9da441ececdec2e5bd7f163f719230bb3a08d05a5c2a148880521f82c0f094f0f68ebcdcce9

C:\Windows\SysWOW64\jxdrhqcs.exe
  Filesize: 512KB
  MD5: 71340d7c9f83f2f987436beb6b8c728b
  SHA1: 817008e29934a5978123e751036227614b8fba10
  SHA256: 4a9a3054105855ada899b1304e1b7eafe3b2f3e82b6472ac2945316b3b5d7845
  SHA512: 101dc3a945d27a215e1bac3850ef536ce93b441e92ebb16610d0a14c4bd064f961f268ddaf7dce5423b568ed655239f17be12d5aaf955d7f97989b207e0b7f4c

C:\Windows\SysWOW64\tedgbewhtlxhtdn.exe
  Filesize: 512KB
  MD5: 0f26f169d5b1dcf790d2c34bc151b324
  SHA1: 30d37ed4bbf48b7066f0ddefd7c1a49018389675
  SHA256: 17d8bf625a6804b4b9a36ea2468a035a49966b6321f22e23c2810823372259c9
  SHA512: 6be9718351c325dc87e895cfc13752bf1b1687413de526d260b447ddd7aa5d923fe10cd308f37126ec1b4d789f4c5273c5d770a691c7f92b59a227548f8c415e

C:\Windows\mydoc.rtf
  Filesize: 223B
  MD5: 06604e5941c126e2e7be02c5cd9f62ec
  SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
  SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
  SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
  Filesize: 512KB
  MD5: 70a20d80add471ad2b2673ec565c5272
  SHA1: 1b31011a6936f3a21d2d3dbfa575f378aef9e806
  SHA256: d78e2fa40b4035de6002f10f62f6df95f354762618c06b028757791a8b03785c
  SHA512: a67412e3218ba3fcbba8065396c55d5e9811384368f107b4123731485617327be980737a1a9241428433a541c73c45bea2a8d5c36ea80567844c7d737088b7f4

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
  Filesize: 512KB
  MD5: 2c21a4e6af97c6df1deecfaf28beaf54
  SHA1: 6dc75ac3c1f8e9aea62ce940b8b40911db7e32c4
  SHA256: 660d27d786455a9b81c5b3b16e1edbc356fd8de4b49eeb47888bc31ac45735ca
  SHA512: 8357432e6c1ced90f14207b934549f866d003850eca31f8c50b84163a837ed924a0f26ee7d82c338ef2972dbe35301fb11d8586fee6cd4b5d7c93d622faafee7

memory/2112-587-0x00007FFCB7730000-0x00007FFCB7740000-memory.dmp
  Filesize: 64KB

memory/2112-39-0x00007FFCB7730000-0x00007FFCB7740000-memory.dmp
  Filesize: 64KB

memory/2112-38-0x00007FFCB7730000-0x00007FFCB7740000-memory.dmp
  Filesize: 64KB

memory/2112-36-0x00007FFCB7730000-0x00007FFCB7740000-memory.dmp
  Filesize: 64KB

memory/2112-37-0x00007FFCB7730000-0x00007FFCB7740000-memory.dmp
  Filesize: 64KB

memory/2112-40-0x00007FFCB5250000-0x00007FFCB5260000-memory.dmp
  Filesize: 64KB

memory/2112-35-0x00007FFCB7730000-0x00007FFCB7740000-memory.dmp
  Filesize: 64KB

memory/2112-41-0x00007FFCB5250000-0x00007FFCB5260000-memory.dmp
  Filesize: 64KB

memory/2112-588-0x00007FFCB7730000-0x00007FFCB7740000-memory.dmp
  Filesize: 64KB

memory/2112-589-0x00007FFCB7730000-0x00007FFCB7740000-memory.dmp
  Filesize: 64KB

memory/2112-586-0x00007FFCB7730000-0x00007FFCB7740000-memory.dmp
  Filesize: 64KB

memory/3112-0-0x0000000000400000-0x0000000000496000-memory.dmp
  Filesize: 600KB