Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-04-2024 16:37

Static task: static1
Behavioral task: behavioral1
  Sample: e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe
  Resource: win10v2004-20231215-en
General
Target: e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe
Size: 512KB
MD5: e55fdbfbab5a2d31ae484ae950d93920
SHA1: 6d08f719353b8d01c6abe393839d6102f7e59b7b
SHA256: fb46af467e44e6c24e3cccf407daeb4c03e657829205345c2b77a6954ec87b7e
SHA512: 34884f4e79670950df8c7f3ac7367feb6a1db3c1d2b24de4117132c333db1dfeffe454322af55afdb2b4824c78e18617966e185067ba544f4ff69e2b26299ac0
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6N:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5w
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
Processes: wimlfaqlao.exe
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | wimlfaqlao.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes: wimlfaqlao.exe
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | wimlfaqlao.exe
Windows security bypass
Processes: wimlfaqlao.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | wimlfaqlao.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | wimlfaqlao.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | wimlfaqlao.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | wimlfaqlao.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | wimlfaqlao.exe
Disables RegEdit via registry modification 1 IoCs
Processes: wimlfaqlao.exe
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | wimlfaqlao.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe
Executes dropped EXE 5 IoCs
Processes: wimlfaqlao.exe, azajxdyfmhzyrvo.exe, qngdyrdh.exe, etzyztlyjygre.exe, qngdyrdh.exe
pid | Process
2656 | wimlfaqlao.exe
3484 | azajxdyfmhzyrvo.exe
2868 | qngdyrdh.exe
3248 | etzyztlyjygre.exe
2252 | qngdyrdh.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
Processes: wimlfaqlao.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | wimlfaqlao.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | wimlfaqlao.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | wimlfaqlao.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | wimlfaqlao.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | wimlfaqlao.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | wimlfaqlao.exe
Adds Run key to start application 2 TTPs 3 IoCs
Processes: azajxdyfmhzyrvo.exe
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "etzyztlyjygre.exe" | azajxdyfmhzyrvo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tgnbtzde = "wimlfaqlao.exe" | azajxdyfmhzyrvo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wvchnfch = "azajxdyfmhzyrvo.exe" | azajxdyfmhzyrvo.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: qngdyrdh.exe, qngdyrdh.exe, wimlfaqlao.exe
description | ioc | Process
File opened (read-only) | \??\v: | qngdyrdh.exe
File opened (read-only) | \??\x: | qngdyrdh.exe
File opened (read-only) | \??\s: | wimlfaqlao.exe
File opened (read-only) | \??\i: | qngdyrdh.exe
File opened (read-only) | \??\r: | qngdyrdh.exe
File opened (read-only) | \??\m: | qngdyrdh.exe
File opened (read-only) | \??\g: | qngdyrdh.exe
File opened (read-only) | \??\i: | qngdyrdh.exe
File opened (read-only) | \??\z: | qngdyrdh.exe
File opened (read-only) | \??\e: | qngdyrdh.exe
File opened (read-only) | \??\p: | qngdyrdh.exe
File opened (read-only) | \??\k: | wimlfaqlao.exe
File opened (read-only) | \??\m: | wimlfaqlao.exe
File opened (read-only) | \??\n: | wimlfaqlao.exe
File opened (read-only) | \??\z: | wimlfaqlao.exe
File opened (read-only) | \??\w: | qngdyrdh.exe
File opened (read-only) | \??\g: | wimlfaqlao.exe
File opened (read-only) | \??\k: | qngdyrdh.exe
File opened (read-only) | \??\u: | qngdyrdh.exe
File opened (read-only) | \??\a: | qngdyrdh.exe
File opened (read-only) | \??\n: | qngdyrdh.exe
File opened (read-only) | \??\k: | qngdyrdh.exe
File opened (read-only) | \??\l: | qngdyrdh.exe
File opened (read-only) | \??\r: | qngdyrdh.exe
File opened (read-only) | \??\e: | wimlfaqlao.exe
File opened (read-only) | \??\l: | wimlfaqlao.exe
File opened (read-only) | \??\u: | wimlfaqlao.exe
File opened (read-only) | \??\e: | qngdyrdh.exe
File opened (read-only) | \??\o: | qngdyrdh.exe
File opened (read-only) | \??\m: | qngdyrdh.exe
File opened (read-only) | \??\y: | qngdyrdh.exe
File opened (read-only) | \??\w: | qngdyrdh.exe
File opened (read-only) | \??\r: | wimlfaqlao.exe
File opened (read-only) | \??\z: | qngdyrdh.exe
File opened (read-only) | \??\x: | qngdyrdh.exe
File opened (read-only) | \??\u: | qngdyrdh.exe
File opened (read-only) | \??\v: | wimlfaqlao.exe
File opened (read-only) | \??\h: | qngdyrdh.exe
File opened (read-only) | \??\j: | qngdyrdh.exe
File opened (read-only) | \??\h: | qngdyrdh.exe
File opened (read-only) | \??\q: | qngdyrdh.exe
File opened (read-only) | \??\o: | wimlfaqlao.exe
File opened (read-only) | \??\b: | qngdyrdh.exe
File opened (read-only) | \??\q: | qngdyrdh.exe
File opened (read-only) | \??\y: | qngdyrdh.exe
File opened (read-only) | \??\a: | wimlfaqlao.exe
File opened (read-only) | \??\y: | wimlfaqlao.exe
File opened (read-only) | \??\n: | qngdyrdh.exe
File opened (read-only) | \??\s: | qngdyrdh.exe
File opened (read-only) | \??\i: | wimlfaqlao.exe
File opened (read-only) | \??\p: | wimlfaqlao.exe
File opened (read-only) | \??\a: | qngdyrdh.exe
File opened (read-only) | \??\s: | qngdyrdh.exe
File opened (read-only) | \??\j: | qngdyrdh.exe
File opened (read-only) | \??\v: | qngdyrdh.exe
File opened (read-only) | \??\j: | wimlfaqlao.exe
File opened (read-only) | \??\q: | wimlfaqlao.exe
File opened (read-only) | \??\t: | wimlfaqlao.exe
File opened (read-only) | \??\x: | wimlfaqlao.exe
File opened (read-only) | \??\g: | qngdyrdh.exe
File opened (read-only) | \??\t: | qngdyrdh.exe
File opened (read-only) | \??\b: | wimlfaqlao.exe
File opened (read-only) | \??\w: | wimlfaqlao.exe
File opened (read-only) | \??\t: | qngdyrdh.exe
Modifies WinLogon 2 TTPs 2 IoCs
Processes: wimlfaqlao.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | wimlfaqlao.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | wimlfaqlao.exe
AutoIT Executable 9 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource | yara_rule
behavioral2/memory/3200-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x00070000000231f0-10.dat | autoit_exe
behavioral2/files/0x000f00000002314e-18.dat | autoit_exe
behavioral2/files/0x00090000000231eb-22.dat | autoit_exe
behavioral2/files/0x00070000000231f1-31.dat | autoit_exe
behavioral2/files/0x000600000001d8b8-76.dat | autoit_exe
behavioral2/files/0x000600000001d9f8-81.dat | autoit_exe
behavioral2/files/0x000300000001e5ab-101.dat | autoit_exe
behavioral2/files/0x000300000001e5ab-103.dat | autoit_exe
Drops file in System32 directory 12 IoCs
Processes: e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe, qngdyrdh.exe, qngdyrdh.exe, wimlfaqlao.exe
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\qngdyrdh.exe | e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | qngdyrdh.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | qngdyrdh.exe
File created | C:\Windows\SysWOW64\qngdyrdh.exe | e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\wimlfaqlao.exe | e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\azajxdyfmhzyrvo.exe | e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\azajxdyfmhzyrvo.exe | e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\etzyztlyjygre.exe | e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\etzyztlyjygre.exe | e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | wimlfaqlao.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | qngdyrdh.exe
File created | C:\Windows\SysWOW64\wimlfaqlao.exe | e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe
Drops file in Program Files directory 14 IoCs
Processes: qngdyrdh.exe, qngdyrdh.exe
description | ioc | Process
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | qngdyrdh.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | qngdyrdh.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | qngdyrdh.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | qngdyrdh.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | qngdyrdh.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | qngdyrdh.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | qngdyrdh.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | qngdyrdh.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | qngdyrdh.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | qngdyrdh.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | qngdyrdh.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | qngdyrdh.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | qngdyrdh.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | qngdyrdh.exe
Drops file in Windows directory 19 IoCs
Processes: qngdyrdh.exe, qngdyrdh.exe, WINWORD.EXE, e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe
description | ioc | Process
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | qngdyrdh.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | qngdyrdh.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | qngdyrdh.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | qngdyrdh.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | qngdyrdh.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | qngdyrdh.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | qngdyrdh.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | qngdyrdh.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | qngdyrdh.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | qngdyrdh.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | qngdyrdh.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | qngdyrdh.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | qngdyrdh.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | qngdyrdh.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | qngdyrdh.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | qngdyrdh.exe
File opened for modification | C:\Windows\mydoc.rtf | e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: WINWORD.EXE
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class 20 IoCs
Processes: wimlfaqlao.exe, e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | wimlfaqlao.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | wimlfaqlao.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | wimlfaqlao.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF4FC834F2A82189032D6587DE0BCE4E141583767406245D791" | e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings | e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193EC70C15E1DAB3B8CA7CE2EDE434BA" | e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | wimlfaqlao.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | wimlfaqlao.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | wimlfaqlao.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | wimlfaqlao.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | wimlfaqlao.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AB4F9BEF917F19384783B4581EB3997B0F902FC4262024BE2CC45E608A5" | e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F56BB2FE6A21DAD10FD1A48A7D9116" | e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | wimlfaqlao.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | wimlfaqlao.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | wimlfaqlao.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2ECAB15D4790399F52BEB9D032EAD7CE" | e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32442C089C2483536A4376D177272CAB7D8F64D6" | e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | wimlfaqlao.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes: WINWORD.EXE
pid | Process | count
4156 | WINWORD.EXE | 2
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe, azajxdyfmhzyrvo.exe, wimlfaqlao.exe, etzyztlyjygre.exe, qngdyrdh.exe, qngdyrdh.exe
pid | Process | count (identical consecutive rows collapsed, 64 in total)
3200 | e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe | 16
3484 | azajxdyfmhzyrvo.exe | 10
2656 | wimlfaqlao.exe | 10
3248 | etzyztlyjygre.exe | 12
2868 | qngdyrdh.exe | 8
3484 | azajxdyfmhzyrvo.exe | 2
3248 | etzyztlyjygre.exe | 4
2252 | qngdyrdh.exe | 2
Suspicious use of FindShellTrayWindow 18 IoCs
Processes: e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe, azajxdyfmhzyrvo.exe, wimlfaqlao.exe, etzyztlyjygre.exe, qngdyrdh.exe, qngdyrdh.exe
pid | Process | count (identical consecutive rows collapsed, 18 in total)
3200 | e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe | 3
3484 | azajxdyfmhzyrvo.exe | 3
2656 | wimlfaqlao.exe | 3
3248 | etzyztlyjygre.exe | 3
2868 | qngdyrdh.exe | 3
2252 | qngdyrdh.exe | 3
Suspicious use of SendNotifyMessage 18 IoCs
Processes: e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe, azajxdyfmhzyrvo.exe, wimlfaqlao.exe, etzyztlyjygre.exe, qngdyrdh.exe, qngdyrdh.exe
pid | Process | count (identical consecutive rows collapsed, 18 in total)
3200 | e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe | 3
3484 | azajxdyfmhzyrvo.exe | 3
2656 | wimlfaqlao.exe | 3
3248 | etzyztlyjygre.exe | 3
2868 | qngdyrdh.exe | 3
2252 | qngdyrdh.exe | 3
Suspicious use of SetWindowsHookEx 7 IoCs
Processes: WINWORD.EXE
pid | Process | count
4156 | WINWORD.EXE | 7
Suspicious use of WriteProcessMemory 17 IoCs
Processes: e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe, wimlfaqlao.exe
description | pid | Process | procid_target | count (identical consecutive rows collapsed, 17 in total)
PID 3200 wrote to memory of 2656 | 3200 | e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe | 85 | 3
PID 3200 wrote to memory of 3484 | 3200 | e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe | 86 | 3
PID 3200 wrote to memory of 2868 | 3200 | e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe | 87 | 3
PID 3200 wrote to memory of 3248 | 3200 | e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe | 88 | 3
PID 3200 wrote to memory of 4156 | 3200 | e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe | 89 | 2
PID 2656 wrote to memory of 2252 | 2656 | wimlfaqlao.exe | 91 | 3
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe (PID: 3200)
  Command line: "C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\wimlfaqlao.exe (PID: 2656)
    Command line: wimlfaqlao.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\qngdyrdh.exe (PID: 2252)
      Command line: C:\Windows\system32\qngdyrdh.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  - [2] C:\Windows\SysWOW64\azajxdyfmhzyrvo.exe (PID: 3484)
    Command line: azajxdyfmhzyrvo.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - [2] C:\Windows\SysWOW64\qngdyrdh.exe (PID: 2868)
    Command line: qngdyrdh.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - [2] C:\Windows\SysWOW64\etzyztlyjygre.exe (PID: 3248)
    Command line: etzyztlyjygre.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - [2] C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID: 4156)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads