Analysis
- max time kernel: 150s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07-04-2024 20:17

Static task: static1

Behavioral task: behavioral1
- Sample: e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe
- Resource: win10v2004-20240226-en
General
- Target: e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe
- Size: 512KB
- MD5: e5c5edde770bc5b229112f11f43f5019
- SHA1: d6d44d7f15069d4cfac2ab87b868ad0c63ce5644
- SHA256: 42bfaa077ffeb81706e21042ac4f55b206b9409be8f0c907b1d34e256652f080
- SHA512: a3301dbcfff1b7be416a333050379b70cd1d6c6032155e0e118d582e2f8563235eb47f0903e915ce8a9a5d5eb587c642f000c7a192336f111ece26a2cfa019cc
- SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6n:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm56
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
Processes: wpijilmnxq.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (wpijilmnxq.exe)

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
Processes: wpijilmnxq.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (wpijilmnxq.exe)

Windows security bypass
Processes: wpijilmnxq.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (wpijilmnxq.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (wpijilmnxq.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (wpijilmnxq.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (wpijilmnxq.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (wpijilmnxq.exe)

Disables RegEdit via registry modification (1 IoC)
Processes: wpijilmnxq.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (wpijilmnxq.exe)
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe
- Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation (e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe)

Executes dropped EXE (5 IoCs)
Processes: wpijilmnxq.exe, uvtkocelygoyxfs.exe, czkawrrg.exe, ihxtsmgulyllt.exe, czkawrrg.exe
- PID 2236 wpijilmnxq.exe
- PID 3068 uvtkocelygoyxfs.exe
- PID 2700 czkawrrg.exe
- PID 3788 ihxtsmgulyllt.exe
- PID 4404 czkawrrg.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification
Processes: wpijilmnxq.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (wpijilmnxq.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (wpijilmnxq.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (wpijilmnxq.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" (wpijilmnxq.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (wpijilmnxq.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (wpijilmnxq.exe)

Adds Run key to start application (2 TTPs, 3 IoCs)
Processes: uvtkocelygoyxfs.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\bmupxxxj = "wpijilmnxq.exe" (uvtkocelygoyxfs.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wxlakjtz = "uvtkocelygoyxfs.exe" (uvtkocelygoyxfs.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "ihxtsmgulyllt.exe" (uvtkocelygoyxfs.exe)
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: czkawrrg.exe, wpijilmnxq.exe, czkawrrg.exe
- File opened (read-only) \??\n: (czkawrrg.exe)
- File opened (read-only) \??\y: (czkawrrg.exe)
- File opened (read-only) \??\h: (wpijilmnxq.exe)
- File opened (read-only) \??\u: (czkawrrg.exe)
- File opened (read-only) \??\m: (wpijilmnxq.exe)
- File opened (read-only) \??\z: (wpijilmnxq.exe)
- File opened (read-only) \??\h: (czkawrrg.exe)
- File opened (read-only) \??\w: (czkawrrg.exe)
- File opened (read-only) \??\j: (czkawrrg.exe)
- File opened (read-only) \??\o: (czkawrrg.exe)
- File opened (read-only) \??\v: (czkawrrg.exe)
- File opened (read-only) \??\u: (wpijilmnxq.exe)
- File opened (read-only) \??\b: (czkawrrg.exe)
- File opened (read-only) \??\k: (wpijilmnxq.exe)
- File opened (read-only) \??\y: (wpijilmnxq.exe)
- File opened (read-only) \??\q: (czkawrrg.exe)
- File opened (read-only) \??\q: (wpijilmnxq.exe)
- File opened (read-only) \??\i: (czkawrrg.exe)
- File opened (read-only) \??\p: (czkawrrg.exe)
- File opened (read-only) \??\t: (czkawrrg.exe)
- File opened (read-only) \??\e: (wpijilmnxq.exe)
- File opened (read-only) \??\i: (wpijilmnxq.exe)
- File opened (read-only) \??\m: (czkawrrg.exe)
- File opened (read-only) \??\n: (czkawrrg.exe)
- File opened (read-only) \??\s: (czkawrrg.exe)
- File opened (read-only) \??\x: (czkawrrg.exe)
- File opened (read-only) \??\g: (czkawrrg.exe)
- File opened (read-only) \??\t: (czkawrrg.exe)
- File opened (read-only) \??\h: (czkawrrg.exe)
- File opened (read-only) \??\s: (czkawrrg.exe)
- File opened (read-only) \??\z: (czkawrrg.exe)
- File opened (read-only) \??\v: (wpijilmnxq.exe)
- File opened (read-only) \??\v: (czkawrrg.exe)
- File opened (read-only) \??\g: (czkawrrg.exe)
- File opened (read-only) \??\b: (czkawrrg.exe)
- File opened (read-only) \??\j: (czkawrrg.exe)
- File opened (read-only) \??\y: (czkawrrg.exe)
- File opened (read-only) \??\k: (czkawrrg.exe)
- File opened (read-only) \??\t: (wpijilmnxq.exe)
- File opened (read-only) \??\l: (czkawrrg.exe)
- File opened (read-only) \??\b: (wpijilmnxq.exe)
- File opened (read-only) \??\s: (wpijilmnxq.exe)
- File opened (read-only) \??\e: (czkawrrg.exe)
- File opened (read-only) \??\m: (czkawrrg.exe)
- File opened (read-only) \??\a: (wpijilmnxq.exe)
- File opened (read-only) \??\g: (wpijilmnxq.exe)
- File opened (read-only) \??\n: (wpijilmnxq.exe)
- File opened (read-only) \??\a: (czkawrrg.exe)
- File opened (read-only) \??\k: (czkawrrg.exe)
- File opened (read-only) \??\o: (czkawrrg.exe)
- File opened (read-only) \??\p: (czkawrrg.exe)
- File opened (read-only) \??\r: (czkawrrg.exe)
- File opened (read-only) \??\r: (czkawrrg.exe)
- File opened (read-only) \??\w: (wpijilmnxq.exe)
- File opened (read-only) \??\a: (czkawrrg.exe)
- File opened (read-only) \??\e: (czkawrrg.exe)
- File opened (read-only) \??\j: (wpijilmnxq.exe)
- File opened (read-only) \??\w: (czkawrrg.exe)
- File opened (read-only) \??\l: (wpijilmnxq.exe)
- File opened (read-only) \??\o: (wpijilmnxq.exe)
- File opened (read-only) \??\r: (wpijilmnxq.exe)
- File opened (read-only) \??\x: (wpijilmnxq.exe)
- File opened (read-only) \??\l: (czkawrrg.exe)
- File opened (read-only) \??\q: (czkawrrg.exe)
Modifies WinLogon (2 TTPs, 2 IoCs)
Processes: wpijilmnxq.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" (wpijilmnxq.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" (wpijilmnxq.exe)

AutoIT Executable (10 IoCs)
AutoIT scripts compiled to PE executables.
Resource / YARA rule:
- behavioral2/memory/2188-0-0x0000000000400000-0x0000000000496000-memory.dmp: autoit_exe
- C:\Windows\SysWOW64\uvtkocelygoyxfs.exe: autoit_exe
- C:\Windows\SysWOW64\wpijilmnxq.exe: autoit_exe
- C:\Windows\SysWOW64\czkawrrg.exe: autoit_exe
- C:\Windows\SysWOW64\ihxtsmgulyllt.exe: autoit_exe
- C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe: autoit_exe
- C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe: autoit_exe
- C:\Users\Admin\Documents\UninstallWrite.doc.exe: autoit_exe
- \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe: autoit_exe
- \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe: autoit_exe
Drops file in System32 directory (13 IoCs)
Processes: wpijilmnxq.exe, czkawrrg.exe, czkawrrg.exe, e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe
- File opened for modification C:\Windows\SysWOW64\msvbvm60.dll (wpijilmnxq.exe)
- File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (czkawrrg.exe)
- File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (czkawrrg.exe)
- File created C:\Windows\SysWOW64\wpijilmnxq.exe (e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\ihxtsmgulyllt.exe (e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe)
- File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (czkawrrg.exe)
- File opened for modification C:\Windows\SysWOW64\wpijilmnxq.exe (e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe)
- File created C:\Windows\SysWOW64\czkawrrg.exe (e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\czkawrrg.exe (e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe)
- File created C:\Windows\SysWOW64\uvtkocelygoyxfs.exe (e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\uvtkocelygoyxfs.exe (e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe)
- File created C:\Windows\SysWOW64\ihxtsmgulyllt.exe (e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe)
- File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (czkawrrg.exe)

Drops file in Program Files directory (14 IoCs)
Processes: czkawrrg.exe, czkawrrg.exe
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (czkawrrg.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal (czkawrrg.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (czkawrrg.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (czkawrrg.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal (czkawrrg.exe)
- File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (czkawrrg.exe)
- File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (czkawrrg.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal (czkawrrg.exe)
- File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (czkawrrg.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (czkawrrg.exe)
- File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (czkawrrg.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal (czkawrrg.exe)
- File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (czkawrrg.exe)
- File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (czkawrrg.exe)

Drops file in Windows directory (19 IoCs)
Processes: czkawrrg.exe, czkawrrg.exe, e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe, WINWORD.EXE
- File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (czkawrrg.exe)
- File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (czkawrrg.exe)
- File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (czkawrrg.exe)
- File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (czkawrrg.exe)
- File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (czkawrrg.exe)
- File opened for modification C:\Windows\mydoc.rtf (e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe)
- File opened for modification C:\Windows\mydoc.rtf (WINWORD.EXE)
- File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (czkawrrg.exe)
- File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (czkawrrg.exe)
- File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (czkawrrg.exe)
- File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (czkawrrg.exe)
- File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (czkawrrg.exe)
- File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (czkawrrg.exe)
- File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (czkawrrg.exe)
- File created C:\Windows\~$mydoc.rtf (WINWORD.EXE)
- File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (czkawrrg.exe)
- File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (czkawrrg.exe)
- File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (czkawrrg.exe)
- File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (czkawrrg.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: WINWORD.EXE
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
Modifies registry class (20 IoCs)
Processes: wpijilmnxq.exe, e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh (wpijilmnxq.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" (wpijilmnxq.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg (wpijilmnxq.exe)
- Key created \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings (e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32442D789C2083556A3576DC70542CA97C8665D8" (e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" (wpijilmnxq.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat (wpijilmnxq.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" (wpijilmnxq.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB1B02047E539E352C9B9D033E8D7BE" (e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F36BB8FF1822D8D178D1A68B0E9160" (e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf (wpijilmnxq.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" (wpijilmnxq.exe)
- Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes (e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" (wpijilmnxq.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193EC7791597DAC5B8CF7C97ECE537BC" (e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc (wpijilmnxq.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" (wpijilmnxq.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs (wpijilmnxq.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCFF9C9FE10F192837F3B42869E39E4B3FD02884367024BE2BD42E609A9" (e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF8FF8F4F28826E9042D72A7D92BC93E147583767346332D690" (e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe)

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes: WINWORD.EXE
- PID 4736 WINWORD.EXE
- PID 4736 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe, wpijilmnxq.exe, uvtkocelygoyxfs.exe, czkawrrg.exe, ihxtsmgulyllt.exe, czkawrrg.exe
- PID 2188 e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe
- PID 2188 e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe
- PID 2188 e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe
- PID 2188 e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe
- PID 2188 e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe
- PID 2188 e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe
- PID 2188 e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe
- PID 2188 e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe
- PID 2188 e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe
- PID 2188 e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe
- PID 2188 e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe
- PID 2188 e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe
- PID 2188 e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe
- PID 2188 e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe
- PID 2188 e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe
- PID 2188 e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe
- PID 2236 wpijilmnxq.exe
- PID 2236 wpijilmnxq.exe
- PID 2236 wpijilmnxq.exe
- PID 2236 wpijilmnxq.exe
- PID 3068 uvtkocelygoyxfs.exe
- PID 3068 uvtkocelygoyxfs.exe
- PID 2236 wpijilmnxq.exe
- PID 2236 wpijilmnxq.exe
- PID 2236 wpijilmnxq.exe
- PID 3068 uvtkocelygoyxfs.exe
- PID 2236 wpijilmnxq.exe
- PID 3068 uvtkocelygoyxfs.exe
- PID 3068 uvtkocelygoyxfs.exe
- PID 3068 uvtkocelygoyxfs.exe
- PID 3068 uvtkocelygoyxfs.exe
- PID 3068 uvtkocelygoyxfs.exe
- PID 2236 wpijilmnxq.exe
- PID 2236 wpijilmnxq.exe
- PID 3068 uvtkocelygoyxfs.exe
- PID 3068 uvtkocelygoyxfs.exe
- PID 2700 czkawrrg.exe
- PID 2700 czkawrrg.exe
- PID 2700 czkawrrg.exe
- PID 2700 czkawrrg.exe
- PID 2700 czkawrrg.exe
- PID 2700 czkawrrg.exe
- PID 2700 czkawrrg.exe
- PID 2700 czkawrrg.exe
- PID 3788 ihxtsmgulyllt.exe
- PID 3788 ihxtsmgulyllt.exe
- PID 3788 ihxtsmgulyllt.exe
- PID 3788 ihxtsmgulyllt.exe
- PID 3788 ihxtsmgulyllt.exe
- PID 3788 ihxtsmgulyllt.exe
- PID 3788 ihxtsmgulyllt.exe
- PID 3788 ihxtsmgulyllt.exe
- PID 3788 ihxtsmgulyllt.exe
- PID 3788 ihxtsmgulyllt.exe
- PID 3788 ihxtsmgulyllt.exe
- PID 3788 ihxtsmgulyllt.exe
- PID 3068 uvtkocelygoyxfs.exe
- PID 3068 uvtkocelygoyxfs.exe
- PID 4404 czkawrrg.exe
- PID 4404 czkawrrg.exe
- PID 4404 czkawrrg.exe
- PID 4404 czkawrrg.exe
- PID 4404 czkawrrg.exe
- PID 4404 czkawrrg.exe

Suspicious use of FindShellTrayWindow (18 IoCs)
Processes: e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe, wpijilmnxq.exe, uvtkocelygoyxfs.exe, czkawrrg.exe, ihxtsmgulyllt.exe, czkawrrg.exe
- PID 2188 e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe
- PID 2188 e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe
- PID 2188 e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe
- PID 2236 wpijilmnxq.exe
- PID 2236 wpijilmnxq.exe
- PID 2236 wpijilmnxq.exe
- PID 3068 uvtkocelygoyxfs.exe
- PID 3068 uvtkocelygoyxfs.exe
- PID 3068 uvtkocelygoyxfs.exe
- PID 2700 czkawrrg.exe
- PID 2700 czkawrrg.exe
- PID 2700 czkawrrg.exe
- PID 3788 ihxtsmgulyllt.exe
- PID 3788 ihxtsmgulyllt.exe
- PID 3788 ihxtsmgulyllt.exe
- PID 4404 czkawrrg.exe
- PID 4404 czkawrrg.exe
- PID 4404 czkawrrg.exe

Suspicious use of SendNotifyMessage (18 IoCs)
Processes: e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe, wpijilmnxq.exe, uvtkocelygoyxfs.exe, czkawrrg.exe, ihxtsmgulyllt.exe, czkawrrg.exe
- PID 2188 e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe
- PID 2188 e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe
- PID 2188 e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe
- PID 2236 wpijilmnxq.exe
- PID 2236 wpijilmnxq.exe
- PID 2236 wpijilmnxq.exe
- PID 3068 uvtkocelygoyxfs.exe
- PID 3068 uvtkocelygoyxfs.exe
- PID 3068 uvtkocelygoyxfs.exe
- PID 2700 czkawrrg.exe
- PID 2700 czkawrrg.exe
- PID 2700 czkawrrg.exe
- PID 3788 ihxtsmgulyllt.exe
- PID 3788 ihxtsmgulyllt.exe
- PID 3788 ihxtsmgulyllt.exe
- PID 4404 czkawrrg.exe
- PID 4404 czkawrrg.exe
- PID 4404 czkawrrg.exe

Suspicious use of SetWindowsHookEx (7 IoCs)
Processes: WINWORD.EXE
- PID 4736 WINWORD.EXE
- PID 4736 WINWORD.EXE
- PID 4736 WINWORD.EXE
- PID 4736 WINWORD.EXE
- PID 4736 WINWORD.EXE
- PID 4736 WINWORD.EXE
- PID 4736 WINWORD.EXE

Suspicious use of WriteProcessMemory (17 IoCs)
Processes: e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe, wpijilmnxq.exe
Each entry is description (source PID, source process -> target process):
- PID 2188 wrote to memory of 2236 (2188 e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe -> wpijilmnxq.exe)
- PID 2188 wrote to memory of 2236 (2188 e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe -> wpijilmnxq.exe)
- PID 2188 wrote to memory of 2236 (2188 e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe -> wpijilmnxq.exe)
- PID 2188 wrote to memory of 3068 (2188 e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe -> uvtkocelygoyxfs.exe)
- PID 2188 wrote to memory of 3068 (2188 e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe -> uvtkocelygoyxfs.exe)
- PID 2188 wrote to memory of 3068 (2188 e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe -> uvtkocelygoyxfs.exe)
- PID 2188 wrote to memory of 2700 (2188 e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe -> czkawrrg.exe)
- PID 2188 wrote to memory of 2700 (2188 e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe -> czkawrrg.exe)
- PID 2188 wrote to memory of 2700 (2188 e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe -> czkawrrg.exe)
- PID 2188 wrote to memory of 3788 (2188 e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe -> ihxtsmgulyllt.exe)
- PID 2188 wrote to memory of 3788 (2188 e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe -> ihxtsmgulyllt.exe)
- PID 2188 wrote to memory of 3788 (2188 e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe -> ihxtsmgulyllt.exe)
- PID 2188 wrote to memory of 4736 (2188 e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe -> WINWORD.EXE)
- PID 2188 wrote to memory of 4736 (2188 e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe -> WINWORD.EXE)
- PID 2236 wrote to memory of 4404 (2236 wpijilmnxq.exe -> czkawrrg.exe)
- PID 2236 wrote to memory of 4404 (2236 wpijilmnxq.exe -> czkawrrg.exe)
- PID 2236 wrote to memory of 4404 (2236 wpijilmnxq.exe -> czkawrrg.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe (PID 2188)
  Command line: "C:\Users\Admin\AppData\Local\Temp\e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe"
  Signatures:
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\wpijilmnxq.exe (PID 2236)
    Command line: wpijilmnxq.exe
    Signatures:
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\czkawrrg.exe (PID 4404)
      Command line: C:\Windows\system32\czkawrrg.exe
      Signatures:
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\uvtkocelygoyxfs.exe (PID 3068)
    Command line: uvtkocelygoyxfs.exe
    Signatures:
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\czkawrrg.exe (PID 2700)
    Command line: czkawrrg.exe
    Signatures:
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\ihxtsmgulyllt.exe (PID 3788)
    Command line: ihxtsmgulyllt.exe
    Signatures:
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 4736)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    Signatures:
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4468)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1940 --field-trial-handle=2972,i,4036376905309803364,5412922217215781933,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)
- Defense Evasion
  - Hide Artifacts (2)
    - Hidden Files and Directories (2)
  - Impair Defenses (2)
    - Disable or Modify Tools (2)
  - Modify Registry (6)
Downloads