Analysis

max time kernel: 150s
max time network: 139s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/04/2024, 23:54

Static task: static1
Behavioral task: behavioral1
  Sample: e8bbf1d9e5467cc080d3f0890192f2a6_JaffaCakes118.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: e8bbf1d9e5467cc080d3f0890192f2a6_JaffaCakes118.exe
  Resource: win10v2004-20240226-en

The signatures, process tree and dropped-file hashes on this page come from the behavioral2 run (Windows 10 2004 x64); the yara matches below are prefixed behavioral2/ accordingly.
General

Target: e8bbf1d9e5467cc080d3f0890192f2a6_JaffaCakes118.exe
Size: 512KB
MD5: e8bbf1d9e5467cc080d3f0890192f2a6
SHA1: 1ca908e50ef1883b01250930302bb0ca4ae52b8b
SHA256: 246281bcac841ed73d8a0da718e08f23e44c89aa979266ef2b6fb64a5c0cc057
SHA512: f30f29e6111ad2f0d23ae3a8023651a1208ad37f07dd3d001e925e2157ed1b3bac2117eca3876d9613ba4c9d636f4225c945d8ebff5af36f63c52cddcfc5c519
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6K:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5P
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | pujaqicgxh.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | pujaqicgxh.exe

Windows security bypass 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | pujaqicgxh.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | pujaqicgxh.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | pujaqicgxh.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | pujaqicgxh.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | pujaqicgxh.exe
These are the XP SP2-era Security Center override and notification switches. pujaqicgxh.exe is a 32-bit process (it runs from SysWOW64), so the writes landed in the WOW6432Node view as recorded here; the native 64-bit Security Center key on this x64 image is not the one modified.
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | pujaqicgxh.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | e8bbf1d9e5467cc080d3f0890192f2a6_JaffaCakes118.exe
Executes dropped EXE 5 IoCs
pid | Process
1784 | pujaqicgxh.exe
4976 | nudrtknxinrciry.exe
2848 | teumqsbo.exe
3720 | ezggzgrdggvan.exe
4952 | teumqsbo.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc. No individual IoC is listed for this signature in the report.

Windows security modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | pujaqicgxh.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | pujaqicgxh.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | pujaqicgxh.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | pujaqicgxh.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | pujaqicgxh.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | pujaqicgxh.exe
These overlap with the Security Center writes listed earlier for pujaqicgxh.exe; FirstRunDisabled is the only addition.
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gnoodgfe = "pujaqicgxh.exe" | nudrtknxinrciry.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gxnzgmes = "nudrtknxinrciry.exe" | nudrtknxinrciry.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "ezggzgrdggvan.exe" | nudrtknxinrciry.exe
All three values are bare file names rather than full paths, and the third is stored in the Run key's unnamed default value (its path ends in Run\), which a listing that shows only named values will miss.
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\b: \??\e: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\o: \??\p: \??\q: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z: (21 opens, one per letter) | pujaqicgxh.exe
File opened (read-only) | \??\a: \??\b: \??\e: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\o: \??\p: \??\q: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z: (43 opens; every letter except a:, t: and w: appears twice, because teumqsbo.exe runs as two processes, PIDs 2848 and 4952) | teumqsbo.exe
The report caps each signature at 64 IoCs, so this listing is truncated; letters that do not appear (c:, d:, f:, and r: for pujaqicgxh.exe) are not evidence that they were skipped.
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | pujaqicgxh.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | pujaqicgxh.exe
SFCScan and SFCDisable are Windows 2000/XP Windows File Protection settings; 4294967197 is 0xFFFFFF9D, the value that disabled WFP there. Windows Resource Protection on Windows 10 does not honour these values, and they were written to the WOW6432Node view in any case, so the write is a fingerprint of old malware tooling rather than an effective defence bypass on this image.
AutoIT Executable 11 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/3656-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x0007000000023210-23.dat | autoit_exe
behavioral2/files/0x0007000000023212-32.dat | autoit_exe
behavioral2/files/0x0007000000023211-29.dat | autoit_exe
behavioral2/files/0x000a0000000231c4-19.dat | autoit_exe
behavioral2/files/0x000400000001d9f7-81.dat | autoit_exe
behavioral2/files/0x000500000001695a-75.dat | autoit_exe
behavioral2/files/0x000e00000001daca-90.dat | autoit_exe
behavioral2/files/0x000500000001da2b-84.dat | autoit_exe
behavioral2/files/0x000500000001e58f-108.dat | autoit_exe
behavioral2/files/0x000500000001e58f-114.dat | autoit_exe
Drops file in System32 directory 13 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\nudrtknxinrciry.exe | e8bbf1d9e5467cc080d3f0890192f2a6_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\nudrtknxinrciry.exe | e8bbf1d9e5467cc080d3f0890192f2a6_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\ezggzgrdggvan.exe | e8bbf1d9e5467cc080d3f0890192f2a6_JaffaCakes118.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | teumqsbo.exe
File opened for modification | C:\Windows\SysWOW64\teumqsbo.exe | e8bbf1d9e5467cc080d3f0890192f2a6_JaffaCakes118.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | teumqsbo.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | teumqsbo.exe
File created | C:\Windows\SysWOW64\pujaqicgxh.exe | e8bbf1d9e5467cc080d3f0890192f2a6_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\pujaqicgxh.exe | e8bbf1d9e5467cc080d3f0890192f2a6_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\teumqsbo.exe | e8bbf1d9e5467cc080d3f0890192f2a6_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\ezggzgrdggvan.exe | e8bbf1d9e5467cc080d3f0890192f2a6_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | pujaqicgxh.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | teumqsbo.exe
Drops file in Program Files directory 14 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | teumqsbo.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | teumqsbo.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | teumqsbo.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | teumqsbo.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | teumqsbo.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | teumqsbo.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | teumqsbo.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | teumqsbo.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | teumqsbo.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | teumqsbo.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | teumqsbo.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | teumqsbo.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | teumqsbo.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | teumqsbo.exe
For each of PROTTPLN and PROTTPLV under Office16\1033, teumqsbo.exe creates a .DOC.exe and opens a .nal file of the same base name for modification. With HideFileExt set to "1" by pujaqicgxh.exe, PROTTPLV.DOC.exe is displayed in Explorer as PROTTPLV.DOC; the MsoIrmProtector.doc.exe files under SysWOW64\MSDRM and WinSxS follow the same naming pattern.
Drops file in Windows directory 19 IoCs
description | ioc | Process
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | teumqsbo.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | teumqsbo.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | teumqsbo.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | teumqsbo.exe
File opened for modification | C:\Windows\mydoc.rtf | e8bbf1d9e5467cc080d3f0890192f2a6_JaffaCakes118.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | teumqsbo.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | teumqsbo.exe
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | teumqsbo.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | teumqsbo.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | teumqsbo.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | teumqsbo.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | teumqsbo.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | teumqsbo.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | teumqsbo.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | teumqsbo.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | teumqsbo.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | teumqsbo.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments. Here, though, the querying process is WINWORD.EXE, which the sample launched to open the dropped C:\Windows\mydoc.rtf; reading CentralProcessor values is routine Office start-up behaviour, so this hit reflects the document being opened rather than sandbox detection by the sample's own binaries.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
These BIOS queries also come from WINWORD.EXE, launched by the sample to open C:\Windows\mydoc.rtf; they are ordinary Office start-up reads, not evasion by the sample's own binaries.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Modifies registry class 20 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | pujaqicgxh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F66BC2FE6B21AED20FD0A98A7F9116" | e8bbf1d9e5467cc080d3f0890192f2a6_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "183EC77915ECDBB1B8BA7CE9EDE237CA" | e8bbf1d9e5467cc080d3f0890192f2a6_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | pujaqicgxh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | pujaqicgxh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | pujaqicgxh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | pujaqicgxh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | pujaqicgxh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | pujaqicgxh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | pujaqicgxh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | pujaqicgxh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | pujaqicgxh.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | e8bbf1d9e5467cc080d3f0890192f2a6_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB0B12F449239EF52CFB9D132E8D7C9" | e8bbf1d9e5467cc080d3f0890192f2a6_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF4FC8D4827856F9032D7207E97BD90E13559406641633FD79A" | e8bbf1d9e5467cc080d3f0890192f2a6_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | pujaqicgxh.exe
Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings | e8bbf1d9e5467cc080d3f0890192f2a6_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32432D7D9C2383276D4676A070252CD97C8664A8" | e8bbf1d9e5467cc080d3f0890192f2a6_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABBF9B1F910F2E084743B4A86EE3E99B0FD02FA4211033AE1BE459B09A3" | e8bbf1d9e5467cc080d3f0890192f2a6_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | pujaqicgxh.exe
Two things stand out in this generic signature. pujaqicgxh.exe rewrites the default handler of .bat, .vbs, .wsf, .wsh, .wsc and .reg to txtfile, so double-clicking a script or a .reg file opens it in the text editor instead of executing or importing it; together with DisableRegistryTools this blocks the usual script-based cleanup. The original sample also creates a custom HKLM\SOFTWARE\Classes\CLV.Classes key holding six hex strings (StartCom1, StartCom2, Com1 to Com4) whose purpose the sandbox does not resolve.
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process | events
1448 | WINWORD.EXE | 2

Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | events
3656 | e8bbf1d9e5467cc080d3f0890192f2a6_JaffaCakes118.exe | 16
1784 | pujaqicgxh.exe | 10
2848 | teumqsbo.exe | 8
4976 | nudrtknxinrciry.exe | 12
3720 | ezggzgrdggvan.exe | 12
4952 | teumqsbo.exe | 6
(The report lists one row per event, 64 in total; the table collapses them by process.)

Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process | events
3656 | e8bbf1d9e5467cc080d3f0890192f2a6_JaffaCakes118.exe | 3
2848 | teumqsbo.exe | 3
1784 | pujaqicgxh.exe | 3
4976 | nudrtknxinrciry.exe | 3
3720 | ezggzgrdggvan.exe | 3
4952 | teumqsbo.exe | 3

Suspicious use of SendNotifyMessage 18 IoCs
pid | Process | events
3656 | e8bbf1d9e5467cc080d3f0890192f2a6_JaffaCakes118.exe | 3
2848 | teumqsbo.exe | 3
1784 | pujaqicgxh.exe | 3
4976 | nudrtknxinrciry.exe | 3
3720 | ezggzgrdggvan.exe | 3
4952 | teumqsbo.exe | 3

Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process | events
1448 | WINWORD.EXE | 7

Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target | events
PID 3656 wrote to memory of 1784 | 3656 | e8bbf1d9e5467cc080d3f0890192f2a6_JaffaCakes118.exe | 87 | 3
PID 3656 wrote to memory of 4976 | 3656 | e8bbf1d9e5467cc080d3f0890192f2a6_JaffaCakes118.exe | 88 | 3
PID 3656 wrote to memory of 2848 | 3656 | e8bbf1d9e5467cc080d3f0890192f2a6_JaffaCakes118.exe | 89 | 3
PID 3656 wrote to memory of 3720 | 3656 | e8bbf1d9e5467cc080d3f0890192f2a6_JaffaCakes118.exe | 90 | 3
PID 3656 wrote to memory of 1448 | 3656 | e8bbf1d9e5467cc080d3f0890192f2a6_JaffaCakes118.exe | 91 | 2
PID 1784 wrote to memory of 4952 | 1784 | pujaqicgxh.exe | 93 | 3
(procid_target is the sandbox's own index for the child process, not a Windows PID. Each write pairs with the same parent creating that child in the process tree below, which is the pattern ordinary process creation produces in this sandbox; on its own it is not evidence of code injection.)
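The registry values, class re-associations, Run entries and dropped paths in the signatures above can be checked on a suspect host with the PowerShell below. It is an added example written for this page, not part of the Triage report or of the sample, and every IoC string in it is copied from the signatures and the Downloads list. Its assumptions are operational only: it expects an elevated session so that every loaded user hive under HKEY_USERS is readable; it checks the WOW6432Node paths exactly as the report records them and not the native 64-bit keys; and the SHA256 list is the set of 512KB hashes from Downloads, which the report does not map to individual file names, plus the original sample's hash.

```powershell
# Added example, not from the Triage report or the sample: hunt a host for the IoCs above.
# Run from an elevated PowerShell prompt so every loaded user hive under HKEY_USERS is readable.
$ErrorActionPreference = 'SilentlyContinue'
$hits = New-Object System.Collections.Generic.List[string]

# The report shows the Explorer and Policies values under HKU\S-1-5-21-...-1000; check every
# loaded S-1-5-21-* hive instead of only HKCU of the account running this script.
$userSids = Get-ChildItem Registry::HKEY_USERS |
    Where-Object { $_.PSChildName -like 'S-1-5-21-*' -and $_.PSChildName -notlike '*_Classes' } |
    ForEach-Object { $_.PSChildName }

$perUserIocs = @(
    @{ Sub = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'HideFileExt';          Bad = 1 },
    @{ Sub = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'ShowSuperHidden';      Bad = 0 },
    @{ Sub = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools'; Bad = 1 }
)

# Machine-wide values exactly as the report records them: in the 32-bit (WOW6432Node) view.
$sc = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Security Center'
$wl = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon'
$machineIocs = @(
    @{ Path = $sc; Name = 'AntiVirusOverride';      Bad = 1 },
    @{ Path = $sc; Name = 'FirewallOverride';       Bad = 1 },
    @{ Path = $sc; Name = 'AntiVirusDisableNotify'; Bad = 1 },
    @{ Path = $sc; Name = 'FirewallDisableNotify';  Bad = 1 },
    @{ Path = $sc; Name = 'UpdatesDisableNotify';   Bad = 1 },
    @{ Path = $sc; Name = 'FirstRunDisabled';       Bad = 1 },
    @{ Path = $wl; Name = 'SFCScan';                Bad = 0 },
    # 4294967197 is 0xFFFFFF9D, the legacy Windows File Protection "disable" value.
    @{ Path = $wl; Name = 'SFCDisable';             Bad = 4294967197 }
)

function Test-RegValue([string]$Path, [string]$Name, [uint64]$Bad) {
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name
    if ($null -eq $item) { return }
    # REG_DWORD comes back as Int32, so 0xFFFFFF9D reads as -99; mask it to compare unsigned.
    try { $actual = ([int64]$item.$Name) -band 0xFFFFFFFF } catch { return }
    if ($actual -eq $Bad) { $hits.Add("$Path\$Name = $actual") }
}

foreach ($sid in $userSids) {
    foreach ($ioc in $perUserIocs) {
        Test-RegValue "Registry::HKEY_USERS\$sid\$($ioc.Sub)" $ioc.Name $ioc.Bad
    }
}
foreach ($ioc in $machineIocs) { Test-RegValue $ioc.Path $ioc.Name $ioc.Bad }

# Script and .reg extensions whose default handler the sample points at "txtfile".
foreach ($ext in '.bat', '.vbs', '.wsf', '.wsh', '.wsc', '.reg') {
    $handler = (Get-ItemProperty -LiteralPath "HKLM:\SOFTWARE\Classes\$ext").'(default)'
    if ($handler -eq 'txtfile') { $hits.Add("HKLM\SOFTWARE\Classes\$ext -> txtfile") }
}

# Run-key persistence: two named values plus one stored in the key's unnamed default value.
$runPath = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -LiteralPath $runPath
foreach ($name in 'gnoodgfe', 'gxnzgmes', '(default)') {
    if ($run.$name) { $hits.Add("$runPath\$name = $($run.$name)") }
}

# SHA256 of the original sample plus the 512KB dropped files from Downloads (unnamed in the report).
$knownSha256 = @(
    '246281bcac841ed73d8a0da718e08f23e44c89aa979266ef2b6fb64a5c0cc057',
    'a05248ccceae0d27928e03eff989b56d344885c88eab1de4b77056f967d491e3',
    '5cd2512db0cb2091d71aa2fa3607431b332d17f6976e69e01f014988b31dca2a',
    'f14165484e4526f8d8e8f263fa4c0fa3f95d8ee3d845bde02067925fbb5929d1',
    '8618c3a848968f8ef114e71541a9e39b54c629d2bf46e6b0d13b79dd1eb74e8f',
    'c0c0d8d0ae79d8480b077a455a40b91a0a43050d0fb583e4af340cb7086e930f',
    'fed8ca77b9ad43d61f49169df85764e3513d788c03ca255e960a89aa7a62be60',
    'f36a0f75c6d8b3d92444ba92f348665ffdb29e4d4fa4e9d689b3d02dc0745497',
    '5ef589a2b89bde81435089b619b808adaf9f150d32db855a58026e66a129eadb',
    '6411eb99075b33eafc8272857629dbf6088af0df70b23cd1809d2bffda4a5fdf',
    '4b763b909b665ca30b3e0f6c5736c094aef08a88581f2050c5a30f036b1a3791'
)
$dropped = @(
    "$env:SystemRoot\SysWOW64\pujaqicgxh.exe",
    "$env:SystemRoot\SysWOW64\nudrtknxinrciry.exe",
    "$env:SystemRoot\SysWOW64\teumqsbo.exe",
    "$env:SystemRoot\SysWOW64\ezggzgrdggvan.exe",
    "$env:SystemRoot\SysWOW64\MSDRM\MsoIrmProtector.doc.exe",
    "$env:SystemRoot\mydoc.rtf"
)
foreach ($path in $dropped) {
    # -Force so that hidden or system files are returned as well.
    $file = Get-Item -LiteralPath $path -Force
    if ($null -eq $file) { continue }
    $sha256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToLower()
    $tag = if ($knownSha256 -contains $sha256) { 'matches a report hash' } else { 'hash not in report' }
    $hits.Add("$path ($($file.Length) bytes, SHA256 $sha256, $tag)")
}

if ($hits.Count -eq 0) { 'No IoCs from this report were found.' } else { $hits }
```

The script prints one line per matching registry value or file and nothing else. Two details matter for reuse: REG_DWORD values are returned as signed Int32, so the SFCDisable comparison masks to 32 bits rather than casting to UInt32, which would throw on -99; and the Run key's third entry lives in the unnamed default value, which `Get-ItemProperty` exposes as the `(default)` property and which a loop over named values alone would miss.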
Processes

The leading number is the depth in the process tree. The level-3 teumqsbo.exe is launched by pujaqicgxh.exe with a system32 command line, which the WOW64 file-system redirector maps to SysWOW64 for a 32-bit parent.

1 C:\Users\Admin\AppData\Local\Temp\e8bbf1d9e5467cc080d3f0890192f2a6_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e8bbf1d9e5467cc080d3f0890192f2a6_JaffaCakes118.exe"
  PID: 3656
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  2 C:\Windows\SysWOW64\pujaqicgxh.exe
    Command line: pujaqicgxh.exe
    PID: 1784
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    3 C:\Windows\SysWOW64\teumqsbo.exe
      Command line: C:\Windows\system32\teumqsbo.exe
      PID: 4952
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  2 C:\Windows\SysWOW64\nudrtknxinrciry.exe
    Command line: nudrtknxinrciry.exe
    PID: 4976
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  2 C:\Windows\SysWOW64\teumqsbo.exe
    Command line: teumqsbo.exe
    PID: 2848
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  2 C:\Windows\SysWOW64\ezggzgrdggvan.exe
    Command line: ezggzgrdggvan.exe
    PID: 3720
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  2 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    PID: 1448
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (6)
Downloads

Filesize: 512KB
MD5: e9aad8a89a274305d8479e1ee2f60371
SHA1: 7e08c79f92a699505a02d97ebe20d49a8ed87001
SHA256: a05248ccceae0d27928e03eff989b56d344885c88eab1de4b77056f967d491e3
SHA512: 652047c4e5dab9407311f812e23dbe8c1db90be3c071b54121beec58f8a7a9500331be699583dc62c42fa3c665b3787d13a154a5f03e97c58fb196d905e626fe

Filesize: 512KB
MD5: 75d5d38607b5cde23ff2aa520ac170ab
SHA1: 5a5d89724565d4e8513780c83344745a27e44c31
SHA256: 5cd2512db0cb2091d71aa2fa3607431b332d17f6976e69e01f014988b31dca2a
SHA512: 09167c0e3066aeaf77857f08d13c4da31b26cd29c07446bf4b698f29e8918d3542a16342fb6d21229c5bee227bcd76548f9b3b2de28546b64d18cd93a51cbc2e

Filesize: 239B
MD5: 12b138a5a40ffb88d1850866bf2959cd
SHA1: 57001ba2de61329118440de3e9f8a81074cb28a2
SHA256: 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA512: 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: aaf1286fd91ca7c0df31c4cf69bc66da
SHA1: 3bdcb10bc8ac166f964a7e13beeb119a2d39f9b4
SHA256: 3e577a56f7bc798f803d8a143c0392eb04f2aadf61a908ecb46579598f943cb3
SHA512: ba7ec0c57f539a5e86f3b44d6d899c203998fbb6a394533a7ad2704246d730dce245e371ac62fa56244565a1ecb614b5693634e62e23dd7f74261fa2f75487f6

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: 23ad0fe0e4298db7d16e511d8eb4b004
SHA1: 9ff7494d20aec5fd6756e91a45a64ffbae29f4e8
SHA256: 08d1e3fc68caaa939da61ac658213656bdc142d20575d5592557cb0eff934c61
SHA512: 83a0090d6cf8b8d11afa64fcf70b093a3b614c3325ccd10be82562359fc8d980db7aa22bc2ecfbd38e248d58a45f548e59458abae6e585673bb838c4d89e2345

Filesize: 512KB
MD5: 5d1975beb6b4599bd36711d0b42076ac
SHA1: 646c517f31219e4c84b40fd0c976725b8fb144e7
SHA256: f14165484e4526f8d8e8f263fa4c0fa3f95d8ee3d845bde02067925fbb5929d1
SHA512: 2316af0168752010360bb3c55b56f27409fa9366a43e665e7abb0ca4bfc5e7dbe510ff2ebf595906a23bbf07b8c46d97eaa172a5b54c8370041680db55d7fa5c

Filesize: 512KB
MD5: 92704d1233a580f5fe5d194a9961102a
SHA1: 831cfa018a66fe7e6c69f1b3145d241a37299935
SHA256: 8618c3a848968f8ef114e71541a9e39b54c629d2bf46e6b0d13b79dd1eb74e8f
SHA512: 5034bbff187b86fe0f08667bc19e19940ef6ee5b49b392418dcb1b427ccb16669b8c2fbee53f9d5ba220ea7b22ccc1e2d091ac8cdc96ff22df7721a22583a5aa

Filesize: 512KB
MD5: 807a51fecd133b3b462473640f79cb03
SHA1: 17b1161655df79685a27ef5f01b6d74bbd7f8ce1
SHA256: c0c0d8d0ae79d8480b077a455a40b91a0a43050d0fb583e4af340cb7086e930f
SHA512: 760a1201ee98980b3349a777457df6183ec110a304d0843391510c8a87e50df5fd7d9597a62b6de3cf4e486950b185711e19fda96e0dbfec27f539fa68b48dfa

Filesize: 512KB
MD5: 5501152c6516310a0ae2931f59fdee38
SHA1: a0180c1c79e211642c2b7d632c53d9eb4b9c1dd7
SHA256: fed8ca77b9ad43d61f49169df85764e3513d788c03ca255e960a89aa7a62be60
SHA512: e29365c773d3549a86dddbb4ed744ad505b02bb91828d5103763c36310596d3fcefdeafd919144857346c7de08e19824e2869a5bedd3adc98b1344d7a929d7f9

Filesize: 512KB
MD5: cabb0b8e33d32c42ad165d114c90c94c
SHA1: dc223ab4645267d84f521d6d69bce3d2b6ae4d52
SHA256: f36a0f75c6d8b3d92444ba92f348665ffdb29e4d4fa4e9d689b3d02dc0745497
SHA512: e48aa2b044b39d76f32b3ac5a39e8a3dfe44d5ccad175e680e80fd423b743ad0cc2903d4d1ec9294f783c3e1f5baeb94508b8ca5c9394b09e2c69a0201165599

Filesize: 512KB
MD5: 7aba6c1132169bcca2bd3d196e442f5d
SHA1: 178b7b62d409c8ee7ac26b83bc647ac46ba49063
SHA256: 5ef589a2b89bde81435089b619b808adaf9f150d32db855a58026e66a129eadb
SHA512: 5ce1e2edeebddeaa39dd9d95050404fbe1711cf2532a1d468ad9a4a42e2c108e4bf8902c26d785ec3b13fe7934968fba52826b29adfb7d8b3d2e3bd42291f76f

Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Filesize: 512KB
MD5: 6ed2f720d2241cc6195471fff3a39e2a
SHA1: 50e83f3de6ab6e534a52255577f3e0d4236da07d
SHA256: 6411eb99075b33eafc8272857629dbf6088af0df70b23cd1809d2bffda4a5fdf
SHA512: bd31b1135ad30dde450950e71951ba91397b3da36aa0b3284065b545f7cd877a0b5e211a78c265d471402342ebd85521cc44debf298e574baf326b2b6c100dd9

Filesize: 512KB
MD5: f6a86896f48a4568f972327241657cd2
SHA1: 39803c6aa2a32653815f7588662c68dacd130c93
SHA256: 4b763b909b665ca30b3e0f6c5736c094aef08a88581f2050c5a30f036b1a3791
SHA512: c95b673c8c12c47be8b4daad11ee1cf3c72fcd0dc4c06f7a8db9c158f867d30cf8b15c4fb61ff5f544f54409102e62123516102951b81202de47be6347d54b77