Analysis
max time kernel: 150s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-04-2024 23:16
Static task: static1
Behavioral task: behavioral1
  Sample: e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
Target: e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe
Size: 512KB
MD5: e616af1d52ca2271af70c2b9f973894d
SHA1: 3c870883d02cd6cec366022d1c619b73a15e2c4f
SHA256: 3468f34b8f72a76cff295420bc5693ef6a072df4e03a3b727b49fdffb3291ab5
SHA512: ca76ee66ca3be007f18ba95d4ddb2ca9eff2646c4bf5777cad989575bf5eda41f1075c70764ae3be11051ac17e8a3048b49585bf0f5b9c6feade576e35753795
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj69:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5M
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
Processes: busypuolpd.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | busypuolpd.exe

Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes: busypuolpd.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | busypuolpd.exe

Windows security bypass (signature name as listed for busypuolpd.exe in the process tree)
Processes: busypuolpd.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | busypuolpd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | busypuolpd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | busypuolpd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | busypuolpd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | busypuolpd.exe

Disables RegEdit via registry modification 1 IoCs
Processes: busypuolpd.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | busypuolpd.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely for geofencing.
Processes: e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe

Executes dropped EXE 5 IoCs
Processes: busypuolpd.exe, pcdfoonstjqnfsq.exe, zxrhzygl.exe, fffosxigyvdct.exe, zxrhzygl.exe
pid | process
4972 | busypuolpd.exe
2888 | pcdfoonstjqnfsq.exe
4008 | zxrhzygl.exe
5052 | fffosxigyvdct.exe
3740 | zxrhzygl.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials.

Windows security modification (signature name as listed for busypuolpd.exe in the process tree)
Processes: busypuolpd.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | busypuolpd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | busypuolpd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | busypuolpd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | busypuolpd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | busypuolpd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | busypuolpd.exe

Adds Run key to start application 2 TTPs 3 IoCs
Processes: pcdfoonstjqnfsq.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jplildod = "busypuolpd.exe" | pcdfoonstjqnfsq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tllsqfqx = "pcdfoonstjqnfsq.exe" | pcdfoonstjqnfsq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "fffosxigyvdct.exe" | pcdfoonstjqnfsq.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: busypuolpd.exe, zxrhzygl.exe, zxrhzygl.exe
description: File opened (read-only); ioc: the drive root \??\<letter>: listed below, in the order reported; process: as named.
busypuolpd.exe (23 entries): \??\n: \??\q: \??\m: \??\l: \??\z: \??\u: \??\b: \??\e: \??\y: \??\a: \??\h: \??\j: \??\o: \??\g: \??\i: \??\s: \??\v: \??\k: \??\x: \??\t: \??\r: \??\w: \??\p:
zxrhzygl.exe, both instances combined (41 entries): \??\a: \??\q: \??\s: \??\j: \??\v: \??\z: \??\t: \??\a: \??\y: \??\w: \??\e: \??\g: \??\n: \??\o: \??\s: \??\l: \??\m: \??\l: \??\g: \??\q: \??\t: \??\k: \??\p: \??\o: \??\i: \??\n: \??\r: \??\u: \??\b: \??\e: \??\y: \??\w: \??\j: \??\p: \??\u: \??\z: \??\h: \??\m: \??\x: \??\i: \??\k:
Modifies WinLogon 2 TTPs 2 IoCs
Processes: busypuolpd.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | busypuolpd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | busypuolpd.exe

AutoIT Executable 9 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/4560-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
C:\Windows\SysWOW64\zxrhzygl.exe | autoit_exe
C:\Windows\SysWOW64\busypuolpd.exe | autoit_exe
C:\Windows\SysWOW64\pcdfoonstjqnfsq.exe | autoit_exe
C:\Windows\SysWOW64\fffosxigyvdct.exe | autoit_exe
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | autoit_exe
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | autoit_exe
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | autoit_exe
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | autoit_exe
Drops file in System32 directory 13 IoCs
Processes: e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe, zxrhzygl.exe, zxrhzygl.exe, busypuolpd.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\busypuolpd.exe | e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\zxrhzygl.exe | e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\fffosxigyvdct.exe | e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | zxrhzygl.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | zxrhzygl.exe
File created | C:\Windows\SysWOW64\busypuolpd.exe | e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\pcdfoonstjqnfsq.exe | e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\pcdfoonstjqnfsq.exe | e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\zxrhzygl.exe | e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\fffosxigyvdct.exe | e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | zxrhzygl.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | busypuolpd.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | zxrhzygl.exe

Drops file in Program Files directory 14 IoCs
Processes: zxrhzygl.exe, zxrhzygl.exe
description | ioc | process
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | zxrhzygl.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | zxrhzygl.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | zxrhzygl.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | zxrhzygl.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | zxrhzygl.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | zxrhzygl.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | zxrhzygl.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | zxrhzygl.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | zxrhzygl.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | zxrhzygl.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | zxrhzygl.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | zxrhzygl.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | zxrhzygl.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | zxrhzygl.exe

Drops file in Windows directory 19 IoCs
Processes: zxrhzygl.exe, zxrhzygl.exe, e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe, WINWORD.EXE
description | ioc | process
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | zxrhzygl.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | zxrhzygl.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | zxrhzygl.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | zxrhzygl.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | zxrhzygl.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | zxrhzygl.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | zxrhzygl.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | zxrhzygl.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | zxrhzygl.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | zxrhzygl.exe
File opened for modification | C:\Windows\mydoc.rtf | e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | zxrhzygl.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | zxrhzygl.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | zxrhzygl.exe
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | zxrhzygl.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | zxrhzygl.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | zxrhzygl.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs
Processes: WINWORD.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE

Modifies registry class 20 IoCs
Processes: busypuolpd.exe, e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | busypuolpd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | busypuolpd.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EC1B05B449739EA52C4B9A23292D7CA" | e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E78068B5FE6821D1D27CD0D18A0F9111" | e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | busypuolpd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | busypuolpd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | busypuolpd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | busypuolpd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33412D7D9D5182566D4577D570522CAB7C8E64DD" | e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1944C67D1597DBC3B9BC7CE2EC9F37BA" | e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | busypuolpd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | busypuolpd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | busypuolpd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E8CFFF84826851E9042D62F7D9CBD95E640584167436346D690" | e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | busypuolpd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | busypuolpd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BB5FACEF910F1E4837F3B3786EE3E92B38B02FE4269034EE1C8459C09D2" | e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | busypuolpd.exe
Key created | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings | e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes: WINWORD.EXE
pid | process (occurrences)
3264 | WINWORD.EXE (2)

Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe, pcdfoonstjqnfsq.exe, busypuolpd.exe, zxrhzygl.exe, fffosxigyvdct.exe, zxrhzygl.exe
pid | process (occurrences)
4560 | e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe (16)
2888 | pcdfoonstjqnfsq.exe (10)
4972 | busypuolpd.exe (10)
4008 | zxrhzygl.exe (8)
5052 | fffosxigyvdct.exe (12)
3740 | zxrhzygl.exe (8)

Suspicious use of FindShellTrayWindow 18 IoCs
Processes: e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe, busypuolpd.exe, pcdfoonstjqnfsq.exe, zxrhzygl.exe, fffosxigyvdct.exe, zxrhzygl.exe
pid | process (occurrences)
4560 | e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe (3)
4972 | busypuolpd.exe (3)
2888 | pcdfoonstjqnfsq.exe (3)
4008 | zxrhzygl.exe (3)
5052 | fffosxigyvdct.exe (3)
3740 | zxrhzygl.exe (3)

Suspicious use of SendNotifyMessage 18 IoCs
Processes: e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe, busypuolpd.exe, pcdfoonstjqnfsq.exe, zxrhzygl.exe, fffosxigyvdct.exe, zxrhzygl.exe
pid | process (occurrences)
4560 | e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe (3)
4972 | busypuolpd.exe (3)
2888 | pcdfoonstjqnfsq.exe (3)
4008 | zxrhzygl.exe (3)
5052 | fffosxigyvdct.exe (3)
3740 | zxrhzygl.exe (3)

Suspicious use of SetWindowsHookEx 7 IoCs
Processes: WINWORD.EXE
pid | process (occurrences)
3264 | WINWORD.EXE (7)

Suspicious use of WriteProcessMemory 17 IoCs
Processes: e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe, busypuolpd.exe
description | pid | process | target process (occurrences)
PID 4560 wrote to memory of 4972 | 4560 | e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe | busypuolpd.exe (3)
PID 4560 wrote to memory of 2888 | 4560 | e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe | pcdfoonstjqnfsq.exe (3)
PID 4560 wrote to memory of 4008 | 4560 | e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe | zxrhzygl.exe (3)
PID 4560 wrote to memory of 5052 | 4560 | e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe | fffosxigyvdct.exe (3)
PID 4972 wrote to memory of 3740 | 4972 | busypuolpd.exe | zxrhzygl.exe (3)
PID 4560 wrote to memory of 3264 | 4560 | e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe | WINWORD.EXE (2)
Processes
C:\Users\Admin\AppData\Local\Temp\e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe (level 1, PID 4560)
  Command line: "C:\Users\Admin\AppData\Local\Temp\e616af1d52ca2271af70c2b9f973894d_JaffaCakes118.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\busypuolpd.exe (level 2, PID 4972)
    Command line: busypuolpd.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\zxrhzygl.exe (level 3, PID 3740)
      Command line: C:\Windows\system32\zxrhzygl.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\pcdfoonstjqnfsq.exe (level 2, PID 2888)
    Command line: pcdfoonstjqnfsq.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\zxrhzygl.exe (level 2, PID 4008)
    Command line: zxrhzygl.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\fffosxigyvdct.exe (level 2, PID 5052)
    Command line: fffosxigyvdct.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (level 2, PID 3264)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 1, PID 3052)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3636 --field-trial-handle=3084,i,14217130992253490921,11543335378077656547,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (6)
Downloads
-
Filesize: 512KB
MD5: 867139a0427b9057c5042c0a70a827c5
SHA1: fe562bfc4b1c3f1a60fe9be12012df3c0cde2faa
SHA256: aafc6362e00f13caeaf735a4df3b9c88726c9d4528f9f4c8773b2dedf7a18997
SHA512: ff3bb752fd7471ef86daf9120b24eadde424002f94dbf661d17485c8a7f38217735f690aa62ca21c6852217ae2383c0ac59819b8f98534037dda8005a08cc8b0
-
Filesize: 512KB
MD5: b7002784497c4ff5178e181a3764bc66
SHA1: 287dbc44b83c32fe929e4b367ff9c3c54f643b98
SHA256: 0c619c259e6d56be62eb8c39927c495d55183c9be35abca52abe6069179971d3
SHA512: de0bac78cf48dc0094a2a94523d5496188ebd0e703dcd3ca393660532cd95ed8baca6e050adf67b93b719c073f5d4fcdbac96ce3249a4bccc78f350c6760ff36
-
Filesize: 239B
MD5: 2fae0fe44fb67ed515b21a2b6fba40e3
SHA1: d39c4cb134c596851c157406149129a69844613b
SHA256: bd528b67c4e7b5924426cb6edc6bd85896db3a43e596bc76d32632d33eccc2b1
SHA512: 9902e514810847d11b83ceb64209c7a363f3b482f5444474673988fa0729295d8612ae6aa0d81a09d9adeb958f7e0251b414ef808f82f279df504bc04a347087
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: 4779e301c01cafbec0ddd5af89df7bb5
SHA1: 3260c750b8b399f8f4c060bf1163b710e9787f7f
SHA256: c3bc8bf9b4278ff8f7873d85e0180e64b735526e341b2a9deda788c53c134602
SHA512: 0de336723c20ee8bc19afc3d092ab6d8ec042427036e4f85250e891c5c94e96d554d102653079a36641260f0f6ce06dab82abac4a916b71e2420aeaff645f813
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: 6bb8aa5a12e7d06c632fd7aae5b23c90
SHA1: 42d6d84cd1c17519d4ec8e233c950854973e08da
SHA256: adee2a1e981fb7f79dbffccf175fe7cdc9e604831ba108a6bb0484277d23c85b
SHA512: b96bf1f184e746d554a637567a32bbaf770ed9d05eebf5dc1ddb13d8bc44432beeb38a109896c49bd7a80231d92f2529eea4729eb7b99e718679c84ec24ee3ee
-
Filesize: 512KB
MD5: 7e165ca3979142f5e6dcea9a7751106e
SHA1: 3ad46d04fff8cb75c23c19f4ac8405dd62aacefc
SHA256: 8a6fc35f5ba650ebda5e6022036ccebe8909c40735e57c0e1e9bb2bb4366d37e
SHA512: a23cdc82556cf0b0b2b182ecbf2688ed2e6d033389bc9631db5f073d40c8897b3f0fc0d187ba7be9b3679d2cd243f806c70fa4ff88ca9b3c9feaf18cc3c44165
-
Filesize: 512KB
MD5: 702617163fecbb371e3ee89b0cca16be
SHA1: ce76324de39234220568223c20532166b55b5181
SHA256: 271c5c25ca03a7967b845dc6e7909be0a5cc09ea182b424465a554dad66641ac
SHA512: ff0ed5ba24d426c0872f3836212f3e34f2c4bf2d9c39f207f123ae1fc1f22a735af2a0345150af1a2014ac99d76a1a9c81051f988af50f3ca9cb2d808154de27
-
Filesize: 512KB
MD5: 24b2fd703a3abd8c81a82a2ccbad97ba
SHA1: 08a570e9d75796a7a98343e7e669efb6212f4140
SHA256: eceb3cf417bc55895cfc77e7020be4b27ec41f6948a7f84adf43da1039c57e97
SHA512: b3a3612980e35d98876b59168842479a9369f751604b1927a4bdd8678274f4b2a3bc6720759c8c4aa002aa293f140476d1255c0998e45d33b1ea1214a93697a0
-
Filesize: 512KB
MD5: 4ea8aaee976e7fc829dc6d9a34d980b6
SHA1: 0977509c8db972f3e0856fa8466c4834af6133c4
SHA256: ab7cfa9407db95db99a8816b3b3ddff3cf8e5d6223f1dff096032d025190dc5d
SHA512: b644631d4446f8757cbc1a7f10aa7cb8d3b8674696cb794108772e7d9737ff1c34f5a752f1fed546813570fdeffcf909a0a567b05bc51c310035cf3effefff51
-
Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
Filesize: 512KB
MD5: 8363bccc9a7fc2e89bebb45cf20f5c0b
SHA1: 88246690fddee29811b45a31a7f934eb07d26776
SHA256: dc4fa9b5d88e2422c5eea1f326e83cb5472ba463cec69dce16137e883c8571e5
SHA512: 1bf336a6a0de7eaff65f6002e342029eabfae5b056b37c068d772e90ef63a89fcae36e3afe0f7aaed30875a88b8ce2cba9a92dc1e999ce946bf42329c81ac3ba
-
Filesize: 512KB
MD5: b87291fb2d96a794c658157275055f3e
SHA1: 37c4d01e090657aefda6e4f02f581e43b85cb663
SHA256: a6e096a9cd049ea8ff1e3f622c4a19e57eafbde496108dd16263a140312577ac
SHA512: 874c389104c58febc3b105a36f8fbf21d4c786e29c08c869b88c6b939a22bea866d9923f71ab5875de554f184e8f902900b79c54d639642125a980a261a2a1ac