Analysis
- max time kernel: 149s
- max time network: 109s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20240419-en locale:en-us os:windows10-2004-x64 system
- submitted: 28-04-2024 15:29

Static task: static1

Behavioral task: behavioral1
- Sample: 0580f46d13a54fe2a64a944f5208765c_JaffaCakes118.exe
- Resource: win7-20240419-en

Behavioral task: behavioral2
- Sample: 0580f46d13a54fe2a64a944f5208765c_JaffaCakes118.exe
- Resource: win10v2004-20240419-en
General
- Target: 0580f46d13a54fe2a64a944f5208765c_JaffaCakes118.exe
- Size: 512KB
- MD5: 0580f46d13a54fe2a64a944f5208765c
- SHA1: f143ec3e80757ec10a7a296e8ad575ab6234370b
- SHA256: 494160f303a008a58bbba3c70052761dbb2d5f83e07a027d1a2e54c839c231cd
- SHA512: 58379d29025cb6d10589a19e900b5e4b4a1f76eeb1575a825ad7a1debff3de05e2911db92e7a4c7596f8193be64a144ce475ce610f3268e515e41b95ca63a0dc
- SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6f:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5s
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
Processes: iwdhugatpf.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | iwdhugatpf.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes: iwdhugatpf.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | iwdhugatpf.exe
Windows security bypass
Processes: iwdhugatpf.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | iwdhugatpf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | iwdhugatpf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | iwdhugatpf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | iwdhugatpf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | iwdhugatpf.exe
Disables RegEdit via registry modification 1 IoCs
Processes: iwdhugatpf.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | iwdhugatpf.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely for geofencing.
Processes: 0580f46d13a54fe2a64a944f5208765c_JaffaCakes118.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation | 0580f46d13a54fe2a64a944f5208765c_JaffaCakes118.exe
Executes dropped EXE 5 IoCs
Processes: iwdhugatpf.exe, ykyazqrdegovqtk.exe, pxvwksge.exe, jzoqdbmgqalcb.exe, pxvwksge.exe
pid | process
4344 | iwdhugatpf.exe
2184 | ykyazqrdegovqtk.exe
1064 | pxvwksge.exe
1896 | jzoqdbmgqalcb.exe
4360 | pxvwksge.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification
Processes: iwdhugatpf.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | iwdhugatpf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | iwdhugatpf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | iwdhugatpf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | iwdhugatpf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | iwdhugatpf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | iwdhugatpf.exe
Adds Run key to start application 2 TTPs 3 IoCs
Processes: ykyazqrdegovqtk.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gnvfpjnu = "iwdhugatpf.exe" | ykyazqrdegovqtk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\anukfcrf = "ykyazqrdegovqtk.exe" | ykyazqrdegovqtk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "jzoqdbmgqalcb.exe" | ykyazqrdegovqtk.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: iwdhugatpf.exe, pxvwksge.exe, pxvwksge.exe
description | ioc | process
File opened (read-only) | \??\q: | iwdhugatpf.exe
File opened (read-only) | \??\o: | pxvwksge.exe
File opened (read-only) | \??\q: | pxvwksge.exe
File opened (read-only) | \??\u: | pxvwksge.exe
File opened (read-only) | \??\a: | iwdhugatpf.exe
File opened (read-only) | \??\m: | iwdhugatpf.exe
File opened (read-only) | \??\w: | iwdhugatpf.exe
File opened (read-only) | \??\r: | pxvwksge.exe
File opened (read-only) | \??\g: | pxvwksge.exe
File opened (read-only) | \??\o: | iwdhugatpf.exe
File opened (read-only) | \??\b: | pxvwksge.exe
File opened (read-only) | \??\l: | pxvwksge.exe
File opened (read-only) | \??\x: | pxvwksge.exe
File opened (read-only) | \??\j: | pxvwksge.exe
File opened (read-only) | \??\n: | pxvwksge.exe
File opened (read-only) | \??\p: | pxvwksge.exe
File opened (read-only) | \??\z: | pxvwksge.exe
File opened (read-only) | \??\i: | iwdhugatpf.exe
File opened (read-only) | \??\g: | pxvwksge.exe
File opened (read-only) | \??\v: | pxvwksge.exe
File opened (read-only) | \??\y: | pxvwksge.exe
File opened (read-only) | \??\g: | iwdhugatpf.exe
File opened (read-only) | \??\l: | iwdhugatpf.exe
File opened (read-only) | \??\e: | pxvwksge.exe
File opened (read-only) | \??\i: | pxvwksge.exe
File opened (read-only) | \??\m: | pxvwksge.exe
File opened (read-only) | \??\l: | pxvwksge.exe
File opened (read-only) | \??\r: | pxvwksge.exe
File opened (read-only) | \??\t: | pxvwksge.exe
File opened (read-only) | \??\h: | pxvwksge.exe
File opened (read-only) | \??\s: | iwdhugatpf.exe
File opened (read-only) | \??\v: | iwdhugatpf.exe
File opened (read-only) | \??\z: | iwdhugatpf.exe
File opened (read-only) | \??\a: | pxvwksge.exe
File opened (read-only) | \??\n: | pxvwksge.exe
File opened (read-only) | \??\b: | iwdhugatpf.exe
File opened (read-only) | \??\x: | iwdhugatpf.exe
File opened (read-only) | \??\z: | pxvwksge.exe
File opened (read-only) | \??\m: | pxvwksge.exe
File opened (read-only) | \??\e: | iwdhugatpf.exe
File opened (read-only) | \??\j: | iwdhugatpf.exe
File opened (read-only) | \??\u: | pxvwksge.exe
File opened (read-only) | \??\i: | pxvwksge.exe
File opened (read-only) | \??\k: | pxvwksge.exe
File opened (read-only) | \??\s: | pxvwksge.exe
File opened (read-only) | \??\h: | iwdhugatpf.exe
File opened (read-only) | \??\k: | iwdhugatpf.exe
File opened (read-only) | \??\n: | iwdhugatpf.exe
File opened (read-only) | \??\p: | iwdhugatpf.exe
File opened (read-only) | \??\y: | iwdhugatpf.exe
File opened (read-only) | \??\o: | pxvwksge.exe
File opened (read-only) | \??\q: | pxvwksge.exe
File opened (read-only) | \??\t: | pxvwksge.exe
File opened (read-only) | \??\t: | iwdhugatpf.exe
File opened (read-only) | \??\k: | pxvwksge.exe
File opened (read-only) | \??\s: | pxvwksge.exe
File opened (read-only) | \??\h: | pxvwksge.exe
File opened (read-only) | \??\j: | pxvwksge.exe
File opened (read-only) | \??\u: | iwdhugatpf.exe
File opened (read-only) | \??\v: | pxvwksge.exe
File opened (read-only) | \??\w: | pxvwksge.exe
File opened (read-only) | \??\e: | pxvwksge.exe
File opened (read-only) | \??\p: | pxvwksge.exe
File opened (read-only) | \??\w: | pxvwksge.exe
Modifies WinLogon 2 TTPs 2 IoCs
Processes: iwdhugatpf.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | iwdhugatpf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | iwdhugatpf.exe
AutoIT Executable 8 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/1296-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
C:\Windows\SysWOW64\ykyazqrdegovqtk.exe | autoit_exe
C:\Windows\SysWOW64\iwdhugatpf.exe | autoit_exe
C:\Windows\SysWOW64\pxvwksge.exe | autoit_exe
C:\Windows\SysWOW64\jzoqdbmgqalcb.exe | autoit_exe
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | autoit_exe
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | autoit_exe
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | autoit_exe
Drops file in System32 directory 12 IoCs
Processes: 0580f46d13a54fe2a64a944f5208765c_JaffaCakes118.exe, pxvwksge.exe, pxvwksge.exe, iwdhugatpf.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\iwdhugatpf.exe | 0580f46d13a54fe2a64a944f5208765c_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\ykyazqrdegovqtk.exe | 0580f46d13a54fe2a64a944f5208765c_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\pxvwksge.exe | 0580f46d13a54fe2a64a944f5208765c_JaffaCakes118.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | pxvwksge.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | pxvwksge.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | pxvwksge.exe
File created | C:\Windows\SysWOW64\iwdhugatpf.exe | 0580f46d13a54fe2a64a944f5208765c_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\ykyazqrdegovqtk.exe | 0580f46d13a54fe2a64a944f5208765c_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\pxvwksge.exe | 0580f46d13a54fe2a64a944f5208765c_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\jzoqdbmgqalcb.exe | 0580f46d13a54fe2a64a944f5208765c_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\jzoqdbmgqalcb.exe | 0580f46d13a54fe2a64a944f5208765c_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | iwdhugatpf.exe
Drops file in Program Files directory 14 IoCs
Processes: pxvwksge.exe, pxvwksge.exe
description | ioc | process
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | pxvwksge.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | pxvwksge.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | pxvwksge.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | pxvwksge.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | pxvwksge.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | pxvwksge.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | pxvwksge.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | pxvwksge.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | pxvwksge.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | pxvwksge.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | pxvwksge.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | pxvwksge.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | pxvwksge.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | pxvwksge.exe
Drops file in Windows directory 19 IoCs
Processes: pxvwksge.exe, pxvwksge.exe, WINWORD.EXE, 0580f46d13a54fe2a64a944f5208765c_JaffaCakes118.exe
description | ioc | process
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | pxvwksge.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | pxvwksge.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | pxvwksge.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | pxvwksge.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | pxvwksge.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | pxvwksge.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | pxvwksge.exe
File opened for modification | C:\Windows\mydoc.rtf | 0580f46d13a54fe2a64a944f5208765c_JaffaCakes118.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | pxvwksge.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | pxvwksge.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | pxvwksge.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | pxvwksge.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | pxvwksge.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | pxvwksge.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | pxvwksge.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | pxvwksge.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | pxvwksge.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: WINWORD.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class 20 IoCs
Processes: 0580f46d13a54fe2a64a944f5208765c_JaffaCakes118.exe, iwdhugatpf.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BBCFABFFE64F198847A3A4081993995B08A02884367023FE2CF459D08A1" | 0580f46d13a54fe2a64a944f5208765c_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000_Classes\Local Settings | 0580f46d13a54fe2a64a944f5208765c_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | iwdhugatpf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | iwdhugatpf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | iwdhugatpf.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 0580f46d13a54fe2a64a944f5208765c_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFBFC8D482F8269913CD75A7DE7BD95E633594667346346D7ED" | 0580f46d13a54fe2a64a944f5208765c_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | iwdhugatpf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | iwdhugatpf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | iwdhugatpf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | iwdhugatpf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | iwdhugatpf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33352D7F9C2D83576D4276D770272DDA7C8E64DF" | 0580f46d13a54fe2a64a944f5208765c_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F66BC2FF1D21DED10BD0A48A0C9016" | 0580f46d13a54fe2a64a944f5208765c_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | iwdhugatpf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | iwdhugatpf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | iwdhugatpf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2ECBB05B4493389E53C5B9D13292D7B8" | 0580f46d13a54fe2a64a944f5208765c_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1838C67F14E7DAB0B8B97CE7ECE734CF" | 0580f46d13a54fe2a64a944f5208765c_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | iwdhugatpf.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes: WINWORD.EXE
pid | process | occurrences
2920 | WINWORD.EXE | 2
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 0580f46d13a54fe2a64a944f5208765c_JaffaCakes118.exe, iwdhugatpf.exe, pxvwksge.exe, ykyazqrdegovqtk.exe, jzoqdbmgqalcb.exe, pxvwksge.exe
pid | process | occurrences
1296 | 0580f46d13a54fe2a64a944f5208765c_JaffaCakes118.exe | 16
4344 | iwdhugatpf.exe | 10
1064 | pxvwksge.exe | 8
2184 | ykyazqrdegovqtk.exe | 10
1896 | jzoqdbmgqalcb.exe | 12
4360 | pxvwksge.exe | 8
Suspicious use of FindShellTrayWindow 18 IoCs
Processes: 0580f46d13a54fe2a64a944f5208765c_JaffaCakes118.exe, iwdhugatpf.exe, pxvwksge.exe, ykyazqrdegovqtk.exe, jzoqdbmgqalcb.exe, pxvwksge.exe
pid | process | occurrences
1296 | 0580f46d13a54fe2a64a944f5208765c_JaffaCakes118.exe | 3
4344 | iwdhugatpf.exe | 3
1064 | pxvwksge.exe | 3
2184 | ykyazqrdegovqtk.exe | 3
1896 | jzoqdbmgqalcb.exe | 3
4360 | pxvwksge.exe | 3
Suspicious use of SendNotifyMessage 18 IoCs
Processes: 0580f46d13a54fe2a64a944f5208765c_JaffaCakes118.exe, iwdhugatpf.exe, pxvwksge.exe, ykyazqrdegovqtk.exe, jzoqdbmgqalcb.exe, pxvwksge.exe
pid | process | occurrences
1296 | 0580f46d13a54fe2a64a944f5208765c_JaffaCakes118.exe | 3
4344 | iwdhugatpf.exe | 3
1064 | pxvwksge.exe | 3
2184 | ykyazqrdegovqtk.exe | 3
1896 | jzoqdbmgqalcb.exe | 3
4360 | pxvwksge.exe | 3
Suspicious use of SetWindowsHookEx 7 IoCs
Processes: WINWORD.EXE
pid | process | occurrences
2920 | WINWORD.EXE | 7
Suspicious use of WriteProcessMemory 17 IoCs
Processes: 0580f46d13a54fe2a64a944f5208765c_JaffaCakes118.exe, iwdhugatpf.exe
description | pid | process | target process | occurrences
PID 1296 wrote to memory of 4344 | 1296 | 0580f46d13a54fe2a64a944f5208765c_JaffaCakes118.exe | iwdhugatpf.exe | 3
PID 1296 wrote to memory of 2184 | 1296 | 0580f46d13a54fe2a64a944f5208765c_JaffaCakes118.exe | ykyazqrdegovqtk.exe | 3
PID 1296 wrote to memory of 1064 | 1296 | 0580f46d13a54fe2a64a944f5208765c_JaffaCakes118.exe | pxvwksge.exe | 3
PID 1296 wrote to memory of 1896 | 1296 | 0580f46d13a54fe2a64a944f5208765c_JaffaCakes118.exe | jzoqdbmgqalcb.exe | 3
PID 1296 wrote to memory of 2920 | 1296 | 0580f46d13a54fe2a64a944f5208765c_JaffaCakes118.exe | WINWORD.EXE | 2
PID 4344 wrote to memory of 4360 | 4344 | iwdhugatpf.exe | pxvwksge.exe | 3
Processes
[1] C:\Users\Admin\AppData\Local\Temp\0580f46d13a54fe2a64a944f5208765c_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0580f46d13a54fe2a64a944f5208765c_JaffaCakes118.exe"
    - Checks computer location settings
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\iwdhugatpf.exe
        Command line: iwdhugatpf.exe
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - Windows security bypass
        - Disables RegEdit via registry modification
        - Executes dropped EXE
        - Windows security modification
        - Enumerates connected drives
        - Modifies WinLogon
        - Drops file in System32 directory
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\pxvwksge.exe
            Command line: C:\Windows\system32\pxvwksge.exe
            - Executes dropped EXE
            - Enumerates connected drives
            - Drops file in System32 directory
            - Drops file in Program Files directory
            - Drops file in Windows directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage

    [2] C:\Windows\SysWOW64\ykyazqrdegovqtk.exe
        Command line: ykyazqrdegovqtk.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage

    [2] C:\Windows\SysWOW64\pxvwksge.exe
        Command line: pxvwksge.exe
        - Executes dropped EXE
        - Enumerates connected drives
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage

    [2] C:\Windows\SysWOW64\jzoqdbmgqalcb.exe
        Command line: jzoqdbmgqalcb.exe
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage

    [2] C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
        Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
        - Drops file in Windows directory
        - Checks processor information in registry
        - Enumerates system info in registry
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
- Boot or Logon Autostart Execution 2
  - Registry Run Keys / Startup Folder 1
  - Winlogon Helper DLL 1
Privilege Escalation
- Boot or Logon Autostart Execution 2
  - Registry Run Keys / Startup Folder 1
  - Winlogon Helper DLL 1
Defense Evasion
- Hide Artifacts 2
  - Hidden Files and Directories 2
- Modify Registry 6
- Impair Defenses 2
  - Disable or Modify Tools 2
Downloads
- C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
  Filesize: 512KB
  MD5: ecbc00b474742accf2545f19c505651d
  SHA1: f0ef7b29781de8bdf2ee213d0071bfbf00e0bfbf
  SHA256: f4e1dcd193849d838c840f06c911b2f35b323fb71a26606a2b29b67b6a64d071
  SHA512: 271f646418d944bff2ccf46b53de93093a396081f26dd8dddcd4bd65837782d62cbbc6c74bb18ff6e95ae7d68032ee18743281236c53adab46fae6717133bd46
- C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
  Filesize: 239B
  MD5: cb7a94d02c814d42e0d36752d23604ff
  SHA1: a3dc9b99402aad1776c01d4ac787c4fa6336ed20
  SHA256: fc3e2de613545cf33019b5dce9be49db46e0f38b61012c7b81fefc396501e537
  SHA512: 4b808c4adbfb0a918850a0c1fe548ae9dec14b3b6fdb60f0215f5863d79e1d420b338cb171b74195bedc714dd3a0bd301f36b7cca8583491dea8fc57c26346a5
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 3KB
  MD5: 37e3057e2c13887efb9be5c375420642
  SHA1: 917ff6ef66ad3bf58d330a4b2a32447105382534
  SHA256: 6d73d2dd0127a6787e8578bb9df52cfe0013f5135d949721d621cb35c541e802
  SHA512: 7d5d4ee7a84054298336b4ca3224a403d198d80f16bd827f6bfa79117aa5e41da009199b7e6551c727a1ac8adf0b9a4cd76419157f9d6d787b344625d03044d7
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 3KB
  MD5: 6ee3d5028f6595c91c752766d56c0b69
  SHA1: 4bb250873a4703e4c637754050c5ffa58066df5e
  SHA256: 399bc98bb6b0343b028fa7fbfddbbebd8184edeb8f8743d0f8ed670bad02c1ef
  SHA512: 2d40bc9631d9c0a9a96d39b00174e3965e3622352178fd76ad16d50c63830388bcc416f222c8466e0a183294644c896ec865d944ed9f17cecca061491a619dcf
- C:\Windows\SysWOW64\iwdhugatpf.exe
  Filesize: 512KB
  MD5: 2ff6162c504d3f45c79d9697be73da17
  SHA1: 7db90b0751b9f858bb297463ccb7d9c1df69b6f7
  SHA256: 25f5be6e498d701ee6350803acfc7146dfcc4d09a524f81640f7be6afc0776ef
  SHA512: 1b5c455c999f450d82bf54e3e522b1d2c9891b5856f1a210bf603d7d8632a9330799f396f290aa415eab8074dd8799c9afced550efe2d030d84fc1e6dc03244a
- C:\Windows\SysWOW64\jzoqdbmgqalcb.exe
  Filesize: 512KB
  MD5: a20f0da29ca02cca62e82ef47f645f4c
  SHA1: b084b39d8c3db272837043da2647e5592257bf31
  SHA256: c2c1ccdf5dde74e4979b7def5d82dd4584a075442a176ce33fe158f11b2a0067
  SHA512: 2a692796bdec1fa25d8659e356bc1dc43962e2702c6d9d94a3b3751225fc71edc4e8453fc1ad6f370e4d0dda4b6c606af7a93d1a7cacd581634e7ab07de80603
- C:\Windows\SysWOW64\pxvwksge.exe
  Filesize: 512KB
  MD5: 2a4dba985ebda86ef5af740443ac0c05
  SHA1: f618e5e8d3de15705e57b433ed36db2d217a9adf
  SHA256: ff45314600e040db31ccecc2d5cf4afed2966bc946564cda97d98437cb8ab372
  SHA512: dfdd901ed250254d4ae2ae2b3b8284f666061618d1adb570ee353774438858aef4396c748ac93fc5b07b15d805fedb8b7fe1a56842b6381bc2980f1865115963
- C:\Windows\SysWOW64\ykyazqrdegovqtk.exe
  Filesize: 512KB
  MD5: d0f00ac1c86b90238504c7b3e8d7d0f7
  SHA1: 63a64d0fa7b043d778d10d677444bb14acb6e971
  SHA256: 8d2ee9afa135f0979100fdcfea1b69bb6266a9bc0f9e92d927f927cad4f0d182
  SHA512: e0b890e4c70d2212fc97b9f6b41c089caad499606012c8c1686b237c79414c3eaed9aed81307e990241a428f61ce632f71ca9b7f04554cb40e88675cff98cce5
- C:\Windows\mydoc.rtf
  Filesize: 223B
  MD5: 06604e5941c126e2e7be02c5cd9f62ec
  SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
  SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
  SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
- \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
  Filesize: 512KB
  MD5: fee046d9c5d7574179acab885e9679e4
  SHA1: 2eefe1b5e71e77903b9952a7f3c26b64547fa302
  SHA256: b779391205a6b5b3f7573df3e3aefd2a6a32e443db9a28308918923b67ba0a11
  SHA512: 473421093f346b484a20d05625888225f3d468cf8c84869ae17228c631aacdbaad0bce0831d312e82d7c739adce497a26b4f38ccf737371bb2e9340e5ff0fb8b
- \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
  Filesize: 512KB
  MD5: 1c442e360df49c451097a42c27d2834c
  SHA1: 28a85bd8a31cd2e9a95e509c15be6dc67025cc5c
  SHA256: 3c4519b581623e782fc11c94ad50fbdd1ee2b7478a92cbc4c175d41f0a418df3
  SHA512: 5fb30a108228e539603bceb630e256d6bdcaaa253dd2cc5f432c06a6c0fa97c0aa7dd912fa6dadbbd5a121768f18eeaad0909c540c94ad1beaef08ff1920343a
- memory/1296-0-0x0000000000400000-0x0000000000496000-memory.dmp
  Filesize: 600KB
- memory/2920-35-0x00007FFB16C10000-0x00007FFB16C20000-memory.dmp
  Filesize: 64KB
- memory/2920-43-0x00007FFB14610000-0x00007FFB14620000-memory.dmp
  Filesize: 64KB
- memory/2920-42-0x00007FFB14610000-0x00007FFB14620000-memory.dmp
  Filesize: 64KB
- memory/2920-39-0x00007FFB16C10000-0x00007FFB16C20000-memory.dmp
  Filesize: 64KB
- memory/2920-38-0x00007FFB16C10000-0x00007FFB16C20000-memory.dmp
  Filesize: 64KB
- memory/2920-36-0x00007FFB16C10000-0x00007FFB16C20000-memory.dmp
  Filesize: 64KB
- memory/2920-37-0x00007FFB16C10000-0x00007FFB16C20000-memory.dmp
  Filesize: 64KB
- memory/2920-114-0x00007FFB16C10000-0x00007FFB16C20000-memory.dmp
  Filesize: 64KB
- memory/2920-117-0x00007FFB16C10000-0x00007FFB16C20000-memory.dmp
  Filesize: 64KB
- memory/2920-116-0x00007FFB16C10000-0x00007FFB16C20000-memory.dmp
  Filesize: 64KB
- memory/2920-115-0x00007FFB16C10000-0x00007FFB16C20000-memory.dmp
  Filesize: 64KB