Analysis
max time kernel: 150s
max time network: 109s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-04-2024 16:04
Static task: static1
Behavioral task: behavioral1
  Sample: 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe
  Resource: win10v2004-20240419-en

General
Target: 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe
Size: 512KB
MD5: 05906c39cad698da162ccf37f3964228
SHA1: 0cf0214a3cb6a32e5bc139d6dcff6b7cbb2bcd88
SHA256: e1d59c5b329a280bc03ddc31f57e993eb14fb4afa7d80c4feb7b99c787699065
SHA512: 3654a9d697e49d2c245d6dd82c49e5e5db9eedb347e7349d443e9a2247115a15fc27294f3def10a83a71a241fc4266e50d84b4d6633eb5304e139c3b9869c26b
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6i:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm51

Malware Config
Signatures

Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
Processes: ljrlmpiefk.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | ljrlmpiefk.exe

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
Processes: ljrlmpiefk.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | ljrlmpiefk.exe

Windows security bypass (5 IoCs)
Processes: ljrlmpiefk.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | ljrlmpiefk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | ljrlmpiefk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | ljrlmpiefk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | ljrlmpiefk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | ljrlmpiefk.exe

Disables RegEdit via registry modification (1 IoC)
Processes: ljrlmpiefk.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | ljrlmpiefk.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Processes: 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation | 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe

Executes dropped EXE (5 IoCs)
Processes: ljrlmpiefk.exe, uvostvkzzhpxfpk.exe, turokmtt.exe, ldvcoxopsgxmi.exe, turokmtt.exe
pid | process
1520 | ljrlmpiefk.exe
512 | uvostvkzzhpxfpk.exe
2480 | turokmtt.exe
3656 | ldvcoxopsgxmi.exe
944 | turokmtt.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification (6 IoCs)
Processes: ljrlmpiefk.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | ljrlmpiefk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | ljrlmpiefk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | ljrlmpiefk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | ljrlmpiefk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | ljrlmpiefk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | ljrlmpiefk.exe

Adds Run key to start application (2 TTPs, 3 IoCs)
Processes: uvostvkzzhpxfpk.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dbtcskte = "ljrlmpiefk.exe" | uvostvkzzhpxfpk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kejhvhtz = "uvostvkzzhpxfpk.exe" | uvostvkzzhpxfpk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "ldvcoxopsgxmi.exe" | uvostvkzzhpxfpk.exe

Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: turokmtt.exe, ljrlmpiefk.exe, turokmtt.exe
description | ioc | process
File opened (read-only) | \??\e: | turokmtt.exe
File opened (read-only) | \??\l: | turokmtt.exe
File opened (read-only) | \??\m: | ljrlmpiefk.exe
File opened (read-only) | \??\u: | ljrlmpiefk.exe
File opened (read-only) | \??\w: | ljrlmpiefk.exe
File opened (read-only) | \??\j: | turokmtt.exe
File opened (read-only) | \??\q: | turokmtt.exe
File opened (read-only) | \??\r: | turokmtt.exe
File opened (read-only) | \??\z: | turokmtt.exe
File opened (read-only) | \??\k: | ljrlmpiefk.exe
File opened (read-only) | \??\r: | ljrlmpiefk.exe
File opened (read-only) | \??\x: | ljrlmpiefk.exe
File opened (read-only) | \??\h: | turokmtt.exe
File opened (read-only) | \??\m: | turokmtt.exe
File opened (read-only) | \??\l: | turokmtt.exe
File opened (read-only) | \??\p: | turokmtt.exe
File opened (read-only) | \??\t: | turokmtt.exe
File opened (read-only) | \??\e: | ljrlmpiefk.exe
File opened (read-only) | \??\s: | turokmtt.exe
File opened (read-only) | \??\t: | turokmtt.exe
File opened (read-only) | \??\y: | turokmtt.exe
File opened (read-only) | \??\s: | ljrlmpiefk.exe
File opened (read-only) | \??\b: | turokmtt.exe
File opened (read-only) | \??\h: | ljrlmpiefk.exe
File opened (read-only) | \??\n: | turokmtt.exe
File opened (read-only) | \??\z: | turokmtt.exe
File opened (read-only) | \??\i: | turokmtt.exe
File opened (read-only) | \??\s: | turokmtt.exe
File opened (read-only) | \??\q: | ljrlmpiefk.exe
File opened (read-only) | \??\w: | turokmtt.exe
File opened (read-only) | \??\a: | turokmtt.exe
File opened (read-only) | \??\v: | turokmtt.exe
File opened (read-only) | \??\a: | ljrlmpiefk.exe
File opened (read-only) | \??\n: | ljrlmpiefk.exe
File opened (read-only) | \??\o: | ljrlmpiefk.exe
File opened (read-only) | \??\p: | ljrlmpiefk.exe
File opened (read-only) | \??\v: | ljrlmpiefk.exe
File opened (read-only) | \??\u: | turokmtt.exe
File opened (read-only) | \??\p: | turokmtt.exe
File opened (read-only) | \??\b: | ljrlmpiefk.exe
File opened (read-only) | \??\j: | ljrlmpiefk.exe
File opened (read-only) | \??\b: | turokmtt.exe
File opened (read-only) | \??\i: | turokmtt.exe
File opened (read-only) | \??\z: | ljrlmpiefk.exe
File opened (read-only) | \??\h: | turokmtt.exe
File opened (read-only) | \??\g: | turokmtt.exe
File opened (read-only) | \??\k: | turokmtt.exe
File opened (read-only) | \??\n: | turokmtt.exe
File opened (read-only) | \??\o: | turokmtt.exe
File opened (read-only) | \??\x: | turokmtt.exe
File opened (read-only) | \??\l: | ljrlmpiefk.exe
File opened (read-only) | \??\x: | turokmtt.exe
File opened (read-only) | \??\w: | turokmtt.exe
File opened (read-only) | \??\a: | turokmtt.exe
File opened (read-only) | \??\g: | turokmtt.exe
File opened (read-only) | \??\k: | turokmtt.exe
File opened (read-only) | \??\y: | turokmtt.exe
File opened (read-only) | \??\v: | turokmtt.exe
File opened (read-only) | \??\u: | turokmtt.exe
File opened (read-only) | \??\g: | ljrlmpiefk.exe
File opened (read-only) | \??\t: | ljrlmpiefk.exe
File opened (read-only) | \??\e: | turokmtt.exe
File opened (read-only) | \??\q: | turokmtt.exe
File opened (read-only) | \??\r: | turokmtt.exe

Modifies WinLogon (2 TTPs, 2 IoCs)
Processes: ljrlmpiefk.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | ljrlmpiefk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | ljrlmpiefk.exe

AutoIT Executable (10 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/4488-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
C:\Windows\SysWOW64\uvostvkzzhpxfpk.exe | autoit_exe
C:\Windows\SysWOW64\ljrlmpiefk.exe | autoit_exe
C:\Windows\SysWOW64\turokmtt.exe | autoit_exe
C:\Windows\SysWOW64\ldvcoxopsgxmi.exe | autoit_exe
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | autoit_exe
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | autoit_exe
C:\Users\Admin\Music\ApproveEdit.doc.exe | autoit_exe
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | autoit_exe
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | autoit_exe

Drops file in System32 directory (12 IoCs)
Processes: 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe, turokmtt.exe, ljrlmpiefk.exe, turokmtt.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\turokmtt.exe | 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | turokmtt.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | ljrlmpiefk.exe
File created | C:\Windows\SysWOW64\ljrlmpiefk.exe | 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\ljrlmpiefk.exe | 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\uvostvkzzhpxfpk.exe | 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\uvostvkzzhpxfpk.exe | 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\turokmtt.exe | 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\ldvcoxopsgxmi.exe | 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\ldvcoxopsgxmi.exe | 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | turokmtt.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | turokmtt.exe

Drops file in Program Files directory (14 IoCs)
Processes: turokmtt.exe, turokmtt.exe
description | ioc | process
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | turokmtt.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | turokmtt.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | turokmtt.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | turokmtt.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | turokmtt.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | turokmtt.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | turokmtt.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | turokmtt.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | turokmtt.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | turokmtt.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | turokmtt.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | turokmtt.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | turokmtt.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | turokmtt.exe

Drops file in Windows directory (19 IoCs)
Processes: WINWORD.EXE, turokmtt.exe, turokmtt.exe, 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe
description | ioc | process
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | turokmtt.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | turokmtt.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | turokmtt.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | turokmtt.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | turokmtt.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | turokmtt.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | turokmtt.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | turokmtt.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | turokmtt.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | turokmtt.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | turokmtt.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | turokmtt.exe
File opened for modification | C:\Windows\mydoc.rtf | 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | turokmtt.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | turokmtt.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | turokmtt.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | turokmtt.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: WINWORD.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE

Modifies registry class (20 IoCs)
Processes: 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe, ljrlmpiefk.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFDFF834F2685129137D62F7DE1BC94E6315940664F6333D79D" | 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | ljrlmpiefk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | ljrlmpiefk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | ljrlmpiefk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | ljrlmpiefk.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCFF9C9F962F2E384743A4786E93EE2B3FC02FC42680248E1C8459908A1" | 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000_Classes\Local Settings | 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | ljrlmpiefk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | ljrlmpiefk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "334F2C0D9D5283536A3177D0702F2CDB7DF164AD" | 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184BC6741591DAB3B9B97C95ECE537BC" | 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | ljrlmpiefk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | ljrlmpiefk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | ljrlmpiefk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | ljrlmpiefk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB0B02F449739ED53C5BAA633EAD4BB" | 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F56BB7FF1B21DBD173D0A58B7D9116" | 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | ljrlmpiefk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | ljrlmpiefk.exe

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes: WINWORD.EXE
pid | process
440 | WINWORD.EXE
440 | WINWORD.EXE

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe, uvostvkzzhpxfpk.exe, ljrlmpiefk.exe, ldvcoxopsgxmi.exe, turokmtt.exe, turokmtt.exe
pid | process
4488 | 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe
4488 | 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe
4488 | 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe
4488 | 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe
4488 | 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe
4488 | 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe
4488 | 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe
4488 | 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe
4488 | 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe
4488 | 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe
4488 | 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe
4488 | 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe
4488 | 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe
4488 | 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe
4488 | 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe
4488 | 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe
512 | uvostvkzzhpxfpk.exe
512 | uvostvkzzhpxfpk.exe
512 | uvostvkzzhpxfpk.exe
1520 | ljrlmpiefk.exe
512 | uvostvkzzhpxfpk.exe
1520 | ljrlmpiefk.exe
512 | uvostvkzzhpxfpk.exe
1520 | ljrlmpiefk.exe
1520 | ljrlmpiefk.exe
512 | uvostvkzzhpxfpk.exe
1520 | ljrlmpiefk.exe
1520 | ljrlmpiefk.exe
512 | uvostvkzzhpxfpk.exe
512 | uvostvkzzhpxfpk.exe
1520 | ljrlmpiefk.exe
1520 | ljrlmpiefk.exe
1520 | ljrlmpiefk.exe
1520 | ljrlmpiefk.exe
512 | uvostvkzzhpxfpk.exe
512 | uvostvkzzhpxfpk.exe
3656 | ldvcoxopsgxmi.exe
3656 | ldvcoxopsgxmi.exe
2480 | turokmtt.exe
2480 | turokmtt.exe
2480 | turokmtt.exe
3656 | ldvcoxopsgxmi.exe
2480 | turokmtt.exe
3656 | ldvcoxopsgxmi.exe
2480 | turokmtt.exe
2480 | turokmtt.exe
3656 | ldvcoxopsgxmi.exe
2480 | turokmtt.exe
3656 | ldvcoxopsgxmi.exe
2480 | turokmtt.exe
3656 | ldvcoxopsgxmi.exe
3656 | ldvcoxopsgxmi.exe
3656 | ldvcoxopsgxmi.exe
3656 | ldvcoxopsgxmi.exe
3656 | ldvcoxopsgxmi.exe
3656 | ldvcoxopsgxmi.exe
512 | uvostvkzzhpxfpk.exe
512 | uvostvkzzhpxfpk.exe
944 | turokmtt.exe
944 | turokmtt.exe
944 | turokmtt.exe
944 | turokmtt.exe
944 | turokmtt.exe
944 | turokmtt.exe

Suspicious use of FindShellTrayWindow (18 IoCs)
Processes: 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe, ljrlmpiefk.exe, uvostvkzzhpxfpk.exe, turokmtt.exe, ldvcoxopsgxmi.exe, turokmtt.exe
pid | process
4488 | 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe
4488 | 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe
4488 | 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe
1520 | ljrlmpiefk.exe
1520 | ljrlmpiefk.exe
1520 | ljrlmpiefk.exe
512 | uvostvkzzhpxfpk.exe
512 | uvostvkzzhpxfpk.exe
512 | uvostvkzzhpxfpk.exe
2480 | turokmtt.exe
3656 | ldvcoxopsgxmi.exe
2480 | turokmtt.exe
3656 | ldvcoxopsgxmi.exe
2480 | turokmtt.exe
3656 | ldvcoxopsgxmi.exe
944 | turokmtt.exe
944 | turokmtt.exe
944 | turokmtt.exe

Suspicious use of SendNotifyMessage (18 IoCs)
Processes: 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe, ljrlmpiefk.exe, uvostvkzzhpxfpk.exe, turokmtt.exe, ldvcoxopsgxmi.exe, turokmtt.exe
pid | process
4488 | 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe
4488 | 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe
4488 | 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe
1520 | ljrlmpiefk.exe
1520 | ljrlmpiefk.exe
1520 | ljrlmpiefk.exe
512 | uvostvkzzhpxfpk.exe
512 | uvostvkzzhpxfpk.exe
512 | uvostvkzzhpxfpk.exe
2480 | turokmtt.exe
3656 | ldvcoxopsgxmi.exe
2480 | turokmtt.exe
3656 | ldvcoxopsgxmi.exe
2480 | turokmtt.exe
3656 | ldvcoxopsgxmi.exe
944 | turokmtt.exe
944 | turokmtt.exe
944 | turokmtt.exe

Suspicious use of SetWindowsHookEx (7 IoCs)
Processes: WINWORD.EXE
pid | process
440 | WINWORD.EXE
440 | WINWORD.EXE
440 | WINWORD.EXE
440 | WINWORD.EXE
440 | WINWORD.EXE
440 | WINWORD.EXE
440 | WINWORD.EXE

Suspicious use of WriteProcessMemory (17 IoCs)
Processes: 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe, ljrlmpiefk.exe
description | pid | process | target process
PID 4488 wrote to memory of 1520 | 4488 | 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe | ljrlmpiefk.exe
PID 4488 wrote to memory of 1520 | 4488 | 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe | ljrlmpiefk.exe
PID 4488 wrote to memory of 1520 | 4488 | 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe | ljrlmpiefk.exe
PID 4488 wrote to memory of 512 | 4488 | 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe | uvostvkzzhpxfpk.exe
PID 4488 wrote to memory of 512 | 4488 | 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe | uvostvkzzhpxfpk.exe
PID 4488 wrote to memory of 512 | 4488 | 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe | uvostvkzzhpxfpk.exe
PID 4488 wrote to memory of 2480 | 4488 | 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe | turokmtt.exe
PID 4488 wrote to memory of 2480 | 4488 | 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe | turokmtt.exe
PID 4488 wrote to memory of 2480 | 4488 | 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe | turokmtt.exe
PID 4488 wrote to memory of 3656 | 4488 | 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe | ldvcoxopsgxmi.exe
PID 4488 wrote to memory of 3656 | 4488 | 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe | ldvcoxopsgxmi.exe
PID 4488 wrote to memory of 3656 | 4488 | 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe | ldvcoxopsgxmi.exe
PID 4488 wrote to memory of 440 | 4488 | 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe | WINWORD.EXE
PID 4488 wrote to memory of 440 | 4488 | 05906c39cad698da162ccf37f3964228_JaffaCakes118.exe | WINWORD.EXE
PID 1520 wrote to memory of 944 | 1520 | ljrlmpiefk.exe | turokmtt.exe
PID 1520 wrote to memory of 944 | 1520 | ljrlmpiefk.exe | turokmtt.exe
PID 1520 wrote to memory of 944 | 1520 | ljrlmpiefk.exe | turokmtt.exe

Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\05906c39cad698da162ccf37f3964228_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\05906c39cad698da162ccf37f3964228_JaffaCakes118.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  [depth 2] C:\Windows\SysWOW64\ljrlmpiefk.exe
    Command line: ljrlmpiefk.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    [depth 3] C:\Windows\SysWOW64\turokmtt.exe
      Command line: C:\Windows\system32\turokmtt.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  [depth 2] C:\Windows\SysWOW64\uvostvkzzhpxfpk.exe
    Command line: uvostvkzzhpxfpk.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  [depth 2] C:\Windows\SysWOW64\turokmtt.exe
    Command line: turokmtt.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  [depth 2] C:\Windows\SysWOW64\ldvcoxopsgxmi.exe
    Command line: ldvcoxopsgxmi.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  [depth 2] C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx

Network

MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Modify Registry (6)
  Impair Defenses (2)
    Disable or Modify Tools (2)

Downloads

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
  Filesize: 512KB
  MD5: 6dfb9f7b23fea494fa95398fe131937c
  SHA1: c38a710fca6ec71d97b301467b657bfe98e536dc
  SHA256: ac433f103dca495c8228f701b5a8dc2cbee4f785f48617bdc1d290a865e031f4
  SHA512: 2167c50e1024dd60e8f70c6bf5d52e7c87e73872a9c25a3120a0178359e74c691017b7d3cc07dcd36fa1aa63fcc96f1c88d0b7d294cfb057998084c377455204

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
  Filesize: 512KB
  MD5: b59eb885e096374d6f354a02e37c7242
  SHA1: 55eccc81768748b8f0efcc4fb92c541d2b0a6839
  SHA256: 1d2367773614edf5dd309c22972bc24fd849badbf554a3a3104c2cfb12903a4e
  SHA512: 8330c3a1f3d7b6211a0aa28f8295f01cbb9d4f1eb4743ce0cb614e62749a9a929f1c4ecd07fb1cc5749d6cf1b372396fc488ba75251da4e42d426ada31a8e4e1

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
  Filesize: 239B
  MD5: 12b138a5a40ffb88d1850866bf2959cd
  SHA1: 57001ba2de61329118440de3e9f8a81074cb28a2
  SHA256: 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
  SHA512: 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 3KB
  MD5: bbeb647d37b6221366cedce234b19b34
  SHA1: eff6ecc5704b3df1e1e8d6c1388a7fb4c9ba10a5
  SHA256: c5a1bdf72fcbddc7b9797f14a1376f3158b794eb9cae745bf0893477361aab46
  SHA512: 0c868f96e0e31d8cdb52d333993930209c980472fed6b39c48215cc910764e87f885636f17a98dd1071dd2f72a5ea5c8e1cb50491a9799dfbd9631ed23b84284

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 3KB
  MD5: 2453a389b50dab93a7894d66b95a55ca
  SHA1: 27c9eed271a8dcc1a387eb689f7b7de1cf71524c
  SHA256: 35c5bf58fe7a0f868de446d864e7e4f77f9665325e773c0b67d4664429c4345e
  SHA512: d1a07b82f3906c0702795240311b10fc88725528ddc1cafe3ed1f44b8102c79232ed54aeefd33e23a0941ab46276ef26c049bbeee80f594edb5f89ca5a8b1693

C:\Users\Admin\Music\ApproveEdit.doc.exe
  Filesize: 512KB
  MD5: a1a60686076bd6818df60cb263822cf6
  SHA1: ca96d13221e8040b146ad45630a4c43f5c744dd0
  SHA256: 1d94737a6963eed637edcfc3266fa2eda701f5251ce3507f7581f86f2e72c08e
  SHA512: 006028d038028f0605098cdcde5ab2e42390ea22b1448887fbfb5e680d380d5b192d5dd32142528c7db3f3e1a041e054e2e55234490af0c04d21dee6791f5c5d

C:\Windows\SysWOW64\ldvcoxopsgxmi.exe
  Filesize: 512KB
  MD5: 5bbafa3d59b4ed326d189a0c8b186568
  SHA1: 1c6146306c0ee003dba7f44c8d007fd5e3bcd959
  SHA256: ca7f714789a1f6a69c7eed29e5271312701f3c80158df2fd171ce1e7cb6dbbde
  SHA512: bcb8df770b5599c23909f9f2e9958ab5abeb2dc5ab3cf585be3a6e9c9b8bc0e8e08fb119482b1008c00aa5e6b0dc6ee50b5a7b9c7796f1d3a100c5ee186f6bb7

C:\Windows\SysWOW64\ljrlmpiefk.exe
  Filesize: 512KB
  MD5: d75b7281a37518226e1a0c39b84e2ed8
  SHA1: 58f200ae7490719db108426f57d99cb273705da9
  SHA256: 64210180d9e6656ad67697385a1a0f1ddbf4bca93d32bd8f86af1bc8be8e0aa1
  SHA512: e6af6fb6f1121951cabb2b9e97809492a1b7d99907b985170218f42c9a92b095edc6a6291319c52f3d1c200bb7fa1f7f9cdcbc3f6da478008556648cb2bc2bcd

C:\Windows\SysWOW64\turokmtt.exe
  Filesize: 512KB
  MD5: 5e8bc11468e1c5f0403c7f7771869c84
  SHA1: 809540f2e38e59f3d6e6a138940e084330ed8b52
  SHA256: ada15f1fe1362a1f2ea67abac3a00d7a255a769975427b38c512e19d990807aa
  SHA512: 38a611d2174e8dd1c1164d74514d53041e3910170929ba90c211947a1138137f70fa99d0bcfe16ece1b12ae21e502b4e193d943d9ba186dc6f1ffbf284ffd8d5

C:\Windows\SysWOW64\uvostvkzzhpxfpk.exe
  Filesize: 512KB
  MD5: 577d51740981eaea378f57184b3cd7bd
  SHA1: db1a3c306991d8b7c424379310f538967c53963f
  SHA256: b23162cd6b060bb4b51fd524c6d03fe63083100871dcf3fe41a700147e83d9d2
  SHA512: 83cd74d17f4aed37f149ac3c0046bfd438563186f8766e190f054cbad26533dbf78a05dd2d4b3046b90c5d3879de818d846a317e96cda2db3d6d2744bc4dbe91

C:\Windows\mydoc.rtf
  Filesize: 223B
  MD5: 06604e5941c126e2e7be02c5cd9f62ec
  SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
  SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
  SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
  Filesize: 512KB
  MD5: e6ebf4a706c553c314983978779543f7
  SHA1: 7ba0a8e2e955f196f8f0581838196a5ba0bbdcf0
  SHA256: ce8df38d99226d2eb0a233167ba88257c3a03e833db45018934ec320b714429b
  SHA512: 23337f04b9b37232601df8c1837228538c08ce19979f7fbc3762d550979a52076dbfd090085b8de51265616b48ea273304d76ad2144f60e81a51f364c736bb3d

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
  Filesize: 512KB
  MD5: 6fdf2b409eb6e2df15f485415f4ac224
  SHA1: 17f5c7fdf3fe68b72ef696123f76873fc524306c
  SHA256: a4d18126589fef6174bb7ad18bfc26974b088ec2c5bce25319e01b3f0437d230
  SHA512: e76e0a18a6337b12b75ed441b5c892d012d9af938165156451b3ce19a18952d01ce26dea51549331f7a50962350a7ef53515bad155108f29ff945d8982fdbb79

memory/440-39-0x00007FFF03E30000-0x00007FFF03E40000-memory.dmp
  Filesize: 64KB

memory/440-43-0x00007FFF01A20000-0x00007FFF01A30000-memory.dmp
  Filesize: 64KB

memory/440-38-0x00007FFF03E30000-0x00007FFF03E40000-memory.dmp
  Filesize: 64KB

memory/440-36-0x00007FFF03E30000-0x00007FFF03E40000-memory.dmp
  Filesize: 64KB

memory/440-37-0x00007FFF03E30000-0x00007FFF03E40000-memory.dmp
  Filesize: 64KB

memory/440-35-0x00007FFF03E30000-0x00007FFF03E40000-memory.dmp
  Filesize: 64KB

memory/440-40-0x00007FFF01A20000-0x00007FFF01A30000-memory.dmp
  Filesize: 64KB

memory/440-117-0x00007FFF03E30000-0x00007FFF03E40000-memory.dmp
  Filesize: 64KB

memory/440-119-0x00007FFF03E30000-0x00007FFF03E40000-memory.dmp
  Filesize: 64KB

memory/440-120-0x00007FFF03E30000-0x00007FFF03E40000-memory.dmp
  Filesize: 64KB

memory/440-118-0x00007FFF03E30000-0x00007FFF03E40000-memory.dmp
  Filesize: 64KB

memory/4488-0-0x0000000000400000-0x0000000000496000-memory.dmp
  Filesize: 600KB