Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system -
submitted
10/04/2024, 21:09
Static task
static1
Behavioral task
behavioral1
Sample
ebfecbef6ebe273d0c5bad983b5b7477_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
ebfecbef6ebe273d0c5bad983b5b7477_JaffaCakes118.exe
Resource
win10v2004-20240226-en
General
-
Target
ebfecbef6ebe273d0c5bad983b5b7477_JaffaCakes118.exe
-
Size
512KB
-
MD5
ebfecbef6ebe273d0c5bad983b5b7477
-
SHA1
2f5f13a0b225c472bc67408160d17165c44a9247
-
SHA256
2150e17927f0a9c7996df6ab4346f20a8f0951863b49f597b190d02e294a0f87
-
SHA512
3efeb44882f2f7a99b33862216a3c8ca2bc08a51206d6c75edb7c1368db593c488c87ccc5a5a5ca52c032eb8e4da3761301de9b60058e2d60afd40276e93adec
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6I:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5V
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
HideFileExt = 1 is also the Windows default (known extensions hidden), so this write re-asserts the default rather than changing it; it matters here because the dropped *.DOC.exe files below then display in Explorer as *.DOC.
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | uwakppsjoj.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
ShowSuperHidden = 0 is likewise the Windows default (protected operating-system files hidden).
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | uwakppsjoj.exe
Windows security bypass 5 IoCs
These are the XP-era Security Center alert-suppression values; they land under WOW6432Node because the writer is a 32-bit process on the x64 image.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | uwakppsjoj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | uwakppsjoj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | uwakppsjoj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | uwakppsjoj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | uwakppsjoj.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | uwakppsjoj.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | ebfecbef6ebe273d0c5bad983b5b7477_JaffaCakes118.exe
Executes dropped EXE 5 IoCs
pid | Process
396 | uwakppsjoj.exe
2628 | ybzuvtrhzvomjda.exe
4628 | erppidyv.exe
4272 | nycbuahyeomti.exe
1776 | erppidyv.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | uwakppsjoj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | uwakppsjoj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | uwakppsjoj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | uwakppsjoj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | uwakppsjoj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | uwakppsjoj.exe
Adds Run key to start application 2 TTPs 3 IoCs
All three values hold a bare file name rather than a full path, and the third is written to the key's default (unnamed) value.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cwmhdocx = "uwakppsjoj.exe" | ybzuvtrhzvomjda.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\brhzqbso = "ybzuvtrhzvomjda.exe" | ybzuvtrhzvomjda.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "nycbuahyeomti.exe" | ybzuvtrhzvomjda.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\a: \??\b: \??\e: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\o: \??\p: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z: | uwakppsjoj.exe (22 opens)
File opened (read-only) | \??\a: \??\e: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\o: \??\p: \??\q: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z: | erppidyv.exe (42 opens across the two erppidyv.exe instances, PIDs 4628 and 1776; every letter except a: and h: appears twice)
Modifies WinLogon 2 TTPs 2 IoCs
SFCDisable = 4294967197 is the unsigned form of 0xFFFFFF9D, the Windows 2000-era "disable System File Checker" value; Windows Resource Protection on Windows 10 does not read it, so this is legacy malware behaviour rather than an effective bypass.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | uwakppsjoj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | uwakppsjoj.exe
AutoIT Executable 9 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/2176-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x00070000000231fe-5.dat | autoit_exe
behavioral2/files/0x00080000000231fa-20.dat | autoit_exe
behavioral2/files/0x00070000000231ff-26.dat | autoit_exe
behavioral2/files/0x0007000000023200-32.dat | autoit_exe
behavioral2/files/0x0007000000023202-62.dat | autoit_exe
behavioral2/files/0x001100000001e2ba-87.dat | autoit_exe
behavioral2/files/0x000e00000001e5c3-105.dat | autoit_exe
behavioral2/files/0x000e00000001e5c3-110.dat | autoit_exe
Drops file in System32 directory 13 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\erppidyv.exe | ebfecbef6ebe273d0c5bad983b5b7477_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | uwakppsjoj.exe
File opened for modification | C:\Windows\SysWOW64\uwakppsjoj.exe | ebfecbef6ebe273d0c5bad983b5b7477_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\erppidyv.exe | ebfecbef6ebe273d0c5bad983b5b7477_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\nycbuahyeomti.exe | ebfecbef6ebe273d0c5bad983b5b7477_JaffaCakes118.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | erppidyv.exe
File created | C:\Windows\SysWOW64\uwakppsjoj.exe | ebfecbef6ebe273d0c5bad983b5b7477_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\ybzuvtrhzvomjda.exe | ebfecbef6ebe273d0c5bad983b5b7477_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\ybzuvtrhzvomjda.exe | ebfecbef6ebe273d0c5bad983b5b7477_JaffaCakes118.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | erppidyv.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | erppidyv.exe
File opened for modification | C:\Windows\SysWOW64\nycbuahyeomti.exe | ebfecbef6ebe273d0c5bad983b5b7477_JaffaCakes118.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | erppidyv.exe
Drops file in Program Files directory 14 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | erppidyv.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | erppidyv.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | erppidyv.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | erppidyv.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | erppidyv.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | erppidyv.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | erppidyv.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | erppidyv.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | erppidyv.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | erppidyv.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | erppidyv.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | erppidyv.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | erppidyv.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | erppidyv.exe
Drops file in Windows directory 19 IoCs
description | ioc | Process
File opened for modification (×2) | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | erppidyv.exe
File created (×2) | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | erppidyv.exe
File created (×2) | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | erppidyv.exe
File opened for modification (×2) | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | erppidyv.exe
File created (×2) | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | erppidyv.exe
File opened for modification (×2) | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | erppidyv.exe
File created (×2) | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | erppidyv.exe
File opened for modification (×2) | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | erppidyv.exe
File opened for modification | C:\Windows\mydoc.rtf | ebfecbef6ebe273d0c5bad983b5b7477_JaffaCakes118.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
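The three drop tables above show the companion-infector pattern worth hunting for on other hosts: erppidyv.exe writes a PE named MsoIrmProtector.doc.exe next to the real Office protector component in WinSxS and SysWOW64\MSDRM, and PROTTPLN.DOC.exe / PROTTPLV.DOC.exe into the Office 1033 folder, while uwakppsjoj.exe keeps HideFileExt at 1 so Explorer shows those names as MsoIrmProtector.doc and PROTTPLN.DOC. The script below is an added example written for this page, not the sandbox vendor's tooling and not code from the sample: it walks a tree for document-named executables, confirms the MZ header, and reports what Explorer would display. The directory fixture it builds is constructed, and the two extension sets are assumptions to tune for your estate.

```python
"""Hunt for executables masquerading as documents (X.DOC.exe beside real Office files).

Added example for this report; not the sandbox vendor's code and not the sample's.
"""
import os
import tempfile
from pathlib import Path

# Assumed extension sets; extend to match the document types your users handle.
DOC_EXTS = {".doc", ".docx", ".rtf", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt"}
EXE_EXTS = {".exe", ".scr", ".com", ".pif"}


def is_pe(path: Path) -> bool:
    """Cheap PE check: the file starts with the DOS 'MZ' signature."""
    try:
        with path.open("rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False


def looks_like_document_executable(name: str) -> bool:
    """True for names such as PROTTPLN.DOC.exe: an executable suffix immediately
    preceded by a document suffix, compared case-insensitively."""
    suffixes = [s.lower() for s in Path(name).suffixes]
    return len(suffixes) >= 2 and suffixes[-1] in EXE_EXTS and suffixes[-2] in DOC_EXTS


def hunt(root) -> list[dict]:
    """Walk `root` and report every document-named executable found."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not looks_like_document_executable(fname):
                continue
            path = Path(dirpath) / fname
            findings.append({
                "path": str(path),
                "is_pe": is_pe(path),
                # With HideFileExt=1 Explorer drops the final (known) suffix.
                "displayed_as": fname[: -len(path.suffix)],
            })
    return sorted(findings, key=lambda f: f["path"])


def build_sample_tree(root) -> None:
    """Constructed fixture (no real malware): an Office folder holding the
    legitimate WINWORD.EXE, a real document, and one dropped PROTTPLN.DOC.exe."""
    office = Path(root) / "Program Files" / "Microsoft Office" / "root" / "Office16"
    (office / "1033").mkdir(parents=True)
    (office / "WINWORD.EXE").write_bytes(b"MZ" + b"\0" * 62)                  # legit, one suffix
    (office / "1033" / "Report.docx").write_bytes(b"PK\x03\x04" + b"\0" * 12)  # real document
    (office / "1033" / "PROTTPLN.DOC.exe").write_bytes(b"MZ" + b"\0" * 62)     # masquerade
    (Path(root) / "Windows").mkdir()
    (Path(root) / "Windows" / "mydoc.rtf").write_bytes(b"{\\rtf1 decoy}")      # plain RTF


def demo() -> list[dict]:
    """Build the fixture in a temp dir, run the hunt, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return hunt(tmp)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['path']}  pe={f['is_pe']}  shown in Explorer as: {f['displayed_as']}")
```

Run it against C:\Program Files and C:\Windows\WinSxS on a suspect host; a hit whose `is_pe` is true but whose displayed name ends in .DOC is exactly what this sample leaves behind.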
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments. Here the only process doing so is WINWORD.EXE, which the sample launched to open C:\Windows\mydoc.rtf, so this hit (like the BIOS, clipboard-listener and SetWindowsHookEx hits below) is attributable to Word, not to the sample's own code.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Modifies registry class 20 IoCs
Two distinct things happen here. uwakppsjoj.exe points the .vbs, .bat, .reg, .wsf, .wsh and .wsc extensions at the txtfile ProgID, so double-clicking a cleanup script or a .reg fix opens it in Notepad instead of running or importing it. The original sample stores hex strings under a custom CLV.Classes key (Com1..Com4, StartCom1, StartCom2); the report does not establish what they encode.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | uwakppsjoj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | uwakppsjoj.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | ebfecbef6ebe273d0c5bad983b5b7477_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1839C7081593DBB1B9BC7CE6ECE434C6" | ebfecbef6ebe273d0c5bad983b5b7477_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | uwakppsjoj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | uwakppsjoj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BBCFACDFE67F2E5840F3A4581993999B3FC038B4367034FE1C4429D08D2" | ebfecbef6ebe273d0c5bad983b5b7477_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F268B2FE6921D0D20FD0A18A7A9062" | ebfecbef6ebe273d0c5bad983b5b7477_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | uwakppsjoj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | uwakppsjoj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32462D7F9C5783546D4577D077252CAD7D8164AA" | ebfecbef6ebe273d0c5bad983b5b7477_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFFFC8E485A8513903DD75F7D9DBCE4E137593167336243D79D" | ebfecbef6ebe273d0c5bad983b5b7477_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | uwakppsjoj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | uwakppsjoj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | uwakppsjoj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | uwakppsjoj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB7B02844EE38E253BEBAD6339CD4B9" | ebfecbef6ebe273d0c5bad983b5b7477_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings | ebfecbef6ebe273d0c5bad983b5b7477_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | uwakppsjoj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | uwakppsjoj.exe
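The registry signatures from "Modifies visibility of file extensions" down to "Modifies registry class" are all rows of the same shape: a kernel object path, a value, and the writing process. The following is an added Python example written for this page (not the sandbox's code and not the sample's) that parses such rows into hive\key / value-name / data records, classifies them, and checks them against a host snapshot. Its six input lines are copied from the tables above; the snapshot dict layout (key path mapped to {value name: data}) and the category labels are assumptions standing in for whatever your collector exports. Two caveats it encodes: HideFileExt=1 is a Windows default, so that hit only carries weight alongside the others, and a REG_DWORD such as SFCDisable=4294967197 is the unsigned form of 0xFFFFFF9D (-99), which is how the report prints it.

```python
"""Parse Triage-style registry IoC rows into records and check them against a host snapshot.

Added example written for this page; not the sandbox vendor's code and not the sample's.
"""
import re
from dataclasses import dataclass

# Constructed sample: six rows copied from the signature tables of this report.
SAMPLE_IOC_LINES = r"""
Set value (int) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" uwakppsjoj.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" uwakppsjoj.exe
Set value (int) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" uwakppsjoj.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cwmhdocx = "uwakppsjoj.exe" ybzuvtrhzvomjda.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" uwakppsjoj.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" uwakppsjoj.exe
"""

# "Set value (type) <nt path incl. value name> = "<data>" <process>"
IOC_RE = re.compile(r'^Set value \((int|str)\) (\\REGISTRY\\.+?) = "(.*)" (\S+)$')


@dataclass(frozen=True)
class RegIoc:
    key: str        # HKLM\... or HKU\<SID>\... without the value name
    name: str       # value name; "" means the key's (Default) value
    data: object    # int for "(int)" rows, str for "(str)" rows
    process: str    # process that performed the write
    category: str


def normalize_key(ntpath: str) -> str:
    """Map the kernel object path to the hive names reg.exe and PowerShell use."""
    for prefix, hive in (("\\REGISTRY\\MACHINE\\", "HKLM\\"), ("\\REGISTRY\\USER\\", "HKU\\")):
        if ntpath.upper().startswith(prefix):
            return hive + ntpath[len(prefix):]
    return ntpath


def dword_as_signed(value: int) -> int:
    """REG_DWORD is reported unsigned; 4294967197 is 0xFFFFFF9D, i.e. -99."""
    return value - (1 << 32) if value >= (1 << 31) else value


def categorize(key: str, name: str, data) -> str:
    """Assumed labels; the report itself only gives signature names."""
    k = key.lower()
    if "\\currentversion\\run" in k:
        return "persistence: Run key"
    if k.endswith("\\policies\\system") and name.lower() == "disableregistrytools":
        return "defense evasion: regedit disabled by policy"
    if "\\security center" in k:
        return "defense evasion: Security Center override / notification suppressed"
    if k.endswith("\\winlogon"):
        return "defense evasion: Winlogon / SFC tamper"
    if "\\classes\\." in k and name == "" and data == "txtfile":
        return "defense evasion: script/reg file type remapped to txtfile"
    if k.endswith("\\explorer\\advanced"):
        return "ui: extension/hidden-file visibility (Windows default; weak on its own)"
    return "uncategorized"


def parse_ioc_lines(text: str) -> list[RegIoc]:
    records = []
    for line in text.splitlines():
        m = IOC_RE.match(line.strip())
        if not m:
            continue                       # e.g. "Key created" rows carry no data
        vtype, ntpath, raw, proc = m.groups()
        key, _, name = normalize_key(ntpath).rpartition("\\")
        data = int(raw) if vtype == "int" else raw
        records.append(RegIoc(key, name, data, proc, categorize(key, name, data)))
    return records


# Constructed host snapshot: the Run value and the regedit policy are present,
# HideFileExt sits at its Windows default, and .reg still maps to the stock ProgID.
SAMPLE_SNAPSHOT = {
    "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run": {"cwmhdocx": "uwakppsjoj.exe"},
    "HKU\\S-1-5-21-983155329-280873152-1838004294-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System": {"DisableRegistryTools": 1},
    "HKU\\S-1-5-21-983155329-280873152-1838004294-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced": {"HideFileExt": 1},
    "HKLM\\SOFTWARE\\Classes\\.reg": {"": "regfile"},
}


def match_snapshot(iocs, snapshot) -> list[tuple[RegIoc, str]]:
    """Verdict per IoC: 'match' (host holds the malicious data), 'differs', or 'absent'."""
    out = []
    for ioc in iocs:
        values = snapshot.get(ioc.key)
        if values is None or ioc.name not in values:
            verdict = "absent"
        elif values[ioc.name] == ioc.data:
            verdict = "match"
        else:
            verdict = "differs"
        out.append((ioc, verdict))
    return out


if __name__ == "__main__":
    for ioc, verdict in match_snapshot(parse_ioc_lines(SAMPLE_IOC_LINES), SAMPLE_SNAPSHOT):
        shown = f"{ioc.data} ({dword_as_signed(ioc.data)})" if isinstance(ioc.data, int) else repr(ioc.data)
        print(f"{verdict:7} {ioc.key}\\{ioc.name or '(Default)'} = {shown}  [{ioc.category}]")
```

Feed the full IoC tables in and replace SAMPLE_SNAPSHOT with a real export; "absent" rows are what remediation must not try to delete, "differs" rows (here the .reg ProgID) show a key the malware touches that the host still has at a sane value.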
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process | hits
4972 | WINWORD.EXE | 2
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | hits
2176 | ebfecbef6ebe273d0c5bad983b5b7477_JaffaCakes118.exe | 16
396 | uwakppsjoj.exe | 10
2628 | ybzuvtrhzvomjda.exe | 12
4272 | nycbuahyeomti.exe | 12
4628 | erppidyv.exe | 8
1776 | erppidyv.exe | 6
Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process | hits
2176 | ebfecbef6ebe273d0c5bad983b5b7477_JaffaCakes118.exe | 3
396 | uwakppsjoj.exe | 3
2628 | ybzuvtrhzvomjda.exe | 3
4272 | nycbuahyeomti.exe | 3
4628 | erppidyv.exe | 3
1776 | erppidyv.exe | 3
Suspicious use of SendNotifyMessage 18 IoCs
pid | Process | hits
2176 | ebfecbef6ebe273d0c5bad983b5b7477_JaffaCakes118.exe | 3
396 | uwakppsjoj.exe | 3
2628 | ybzuvtrhzvomjda.exe | 3
4272 | nycbuahyeomti.exe | 3
4628 | erppidyv.exe | 3
1776 | erppidyv.exe | 3
Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process | hits
4972 | WINWORD.EXE | 7
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target | hits
PID 2176 wrote to memory of 396 | 2176 | ebfecbef6ebe273d0c5bad983b5b7477_JaffaCakes118.exe | 84 | 3
PID 2176 wrote to memory of 2628 | 2176 | ebfecbef6ebe273d0c5bad983b5b7477_JaffaCakes118.exe | 85 | 3
PID 2176 wrote to memory of 4628 | 2176 | ebfecbef6ebe273d0c5bad983b5b7477_JaffaCakes118.exe | 86 | 3
PID 2176 wrote to memory of 4272 | 2176 | ebfecbef6ebe273d0c5bad983b5b7477_JaffaCakes118.exe | 87 | 3
PID 2176 wrote to memory of 4972 | 2176 | ebfecbef6ebe273d0c5bad983b5b7477_JaffaCakes118.exe | 88 | 2
PID 396 wrote to memory of 1776 | 396 | uwakppsjoj.exe | 90 | 3
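The "wrote to memory of" rows plus the pid/Process rows from "Executes dropped EXE" are enough to rebuild the process tree without the sandbox UI, and to separate what the original sample launched from what a dropped file launched. The following is an added Python example written for this page (not the sandbox's code): it parses both inputs, builds a parent-to-child map with per-edge write counts, renders the tree, and flags every launch whose parent is not the original sample. Treating such a launch as the second stage (here uwakppsjoj.exe, PID 396, starting erppidyv.exe as PID 1776) is an assumption of the example; the input strings are copied from the tables above.

```python
"""Rebuild the process tree from this report's WriteProcessMemory and pid/Process rows.

Added example for this page; not the sandbox vendor's code and not the sample's.
"""
import re
from collections import defaultdict

# Constructed sample: the 17 WriteProcessMemory rows, run together as the report prints them.
SAMPLE_WPM = (
    "PID 2176 wrote to memory of 396 2176 ebfecbef6ebe273d0c5bad983b5b7477_JaffaCakes118.exe 84 "
    "PID 2176 wrote to memory of 396 2176 ebfecbef6ebe273d0c5bad983b5b7477_JaffaCakes118.exe 84 "
    "PID 2176 wrote to memory of 396 2176 ebfecbef6ebe273d0c5bad983b5b7477_JaffaCakes118.exe 84 "
    "PID 2176 wrote to memory of 2628 2176 ebfecbef6ebe273d0c5bad983b5b7477_JaffaCakes118.exe 85 "
    "PID 2176 wrote to memory of 2628 2176 ebfecbef6ebe273d0c5bad983b5b7477_JaffaCakes118.exe 85 "
    "PID 2176 wrote to memory of 2628 2176 ebfecbef6ebe273d0c5bad983b5b7477_JaffaCakes118.exe 85 "
    "PID 2176 wrote to memory of 4628 2176 ebfecbef6ebe273d0c5bad983b5b7477_JaffaCakes118.exe 86 "
    "PID 2176 wrote to memory of 4628 2176 ebfecbef6ebe273d0c5bad983b5b7477_JaffaCakes118.exe 86 "
    "PID 2176 wrote to memory of 4628 2176 ebfecbef6ebe273d0c5bad983b5b7477_JaffaCakes118.exe 86 "
    "PID 2176 wrote to memory of 4272 2176 ebfecbef6ebe273d0c5bad983b5b7477_JaffaCakes118.exe 87 "
    "PID 2176 wrote to memory of 4272 2176 ebfecbef6ebe273d0c5bad983b5b7477_JaffaCakes118.exe 87 "
    "PID 2176 wrote to memory of 4272 2176 ebfecbef6ebe273d0c5bad983b5b7477_JaffaCakes118.exe 87 "
    "PID 2176 wrote to memory of 4972 2176 ebfecbef6ebe273d0c5bad983b5b7477_JaffaCakes118.exe 88 "
    "PID 2176 wrote to memory of 4972 2176 ebfecbef6ebe273d0c5bad983b5b7477_JaffaCakes118.exe 88 "
    "PID 396 wrote to memory of 1776 396 uwakppsjoj.exe 90 "
    "PID 396 wrote to memory of 1776 396 uwakppsjoj.exe 90 "
    "PID 396 wrote to memory of 1776 396 uwakppsjoj.exe 90"
)
# pid/Process rows from "Executes dropped EXE" plus the WINWORD row of the report.
SAMPLE_PIDS = ("396 uwakppsjoj.exe 2628 ybzuvtrhzvomjda.exe 4628 erppidyv.exe "
               "4272 nycbuahyeomti.exe 1776 erppidyv.exe 4972 WINWORD.EXE")

# "PID <parent> wrote to memory of <child> <parent> <parent image> <procid_target>"
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")
PID_RE = re.compile(r"(\d+) (\S+)")


def build_tree(wpm_text: str, pid_text: str):
    """Return (names, edges): pid -> image name, parent -> {child: write count}."""
    names = {int(pid): image for pid, image in PID_RE.findall(pid_text)}
    edges = defaultdict(dict)
    for m in WPM_RE.finditer(wpm_text):
        parent, child, parent_name = int(m.group(1)), int(m.group(2)), m.group(4)
        names.setdefault(parent, parent_name)          # parent image comes from the WPM row
        edges[parent][child] = edges[parent].get(child, 0) + 1
    return names, dict(edges)


def find_roots(edges) -> list[int]:
    """Parents that are nobody's child: the submitted sample should be the only one."""
    children = {c for kids in edges.values() for c in kids}
    return sorted(p for p in edges if p not in children)


def render(names, edges, root: int, depth: int = 0) -> list[str]:
    """Indented tree, two spaces per level, children in PID order."""
    lines = ["  " * depth + f"{names.get(root, '?')} (PID {root})"]
    for child in sorted(edges.get(root, {})):
        lines.extend(render(names, edges, child, depth + 1))
    return lines


def second_stage_launches(edges, sample_pid: int) -> list[tuple[int, int]]:
    """(parent, child) pairs where something other than the submitted sample spawned a process."""
    return sorted((p, c) for p, kids in edges.items() if p != sample_pid for c in kids)


if __name__ == "__main__":
    names, edges = build_tree(SAMPLE_WPM, SAMPLE_PIDS)
    root = find_roots(edges)[0]
    print("\n".join(render(names, edges, root)))
    for parent, child in second_stage_launches(edges, root):
        print(f"second stage: {names[parent]} ({parent}) -> {names[child]} ({child})")
```

The write count per edge is the sandbox's own artefact (three writes per CreateProcess for the dropped EXEs, two for WINWORD.EXE); it is kept only so the numbers in the table above can be reconciled with the tree.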
Processes
-
1⤵ C:\Users\Admin\AppData\Local\Temp\ebfecbef6ebe273d0c5bad983b5b7477_JaffaCakes118.exe
command line: "C:\Users\Admin\AppData\Local\Temp\ebfecbef6ebe273d0c5bad983b5b7477_JaffaCakes118.exe"
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2176 -
2⤵ C:\Windows\SysWOW64\uwakppsjoj.exe
command line: uwakppsjoj.exe
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:396 -
3⤵ C:\Windows\SysWOW64\erppidyv.exe
command line: C:\Windows\system32\erppidyv.exe (the 32-bit parent asked for system32; WOW64 file-system redirection resolved it to SysWOW64, where the dropper wrote the file)
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1776
-
-
-
2⤵ C:\Windows\SysWOW64\ybzuvtrhzvomjda.exe
command line: ybzuvtrhzvomjda.exe
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2628
-
-
2⤵ C:\Windows\SysWOW64\erppidyv.exe
command line: erppidyv.exe
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4628
-
-
2⤵ C:\Windows\SysWOW64\nycbuahyeomti.exe
command line: nycbuahyeomti.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4272
-
-
2⤵ C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
(Word is launched on the decoy document the sample wrote to C:\Windows\mydoc.rtf; the registry and hook signatures attributed to PID 4972 below are Word's own behaviour.)
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4972
-
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (T1547) [2]
  - Registry Run Keys / Startup Folder (T1547.001) [1]
  - Winlogon Helper DLL (T1547.004) [1]
Privilege Escalation
- Boot or Logon Autostart Execution (T1547) [2]
  - Registry Run Keys / Startup Folder (T1547.001) [1]
  - Winlogon Helper DLL (T1547.004) [1]
Defense Evasion
- Hide Artifacts (T1564) [2]
  - Hidden Files and Directories (T1564.001) [2]
- Impair Defenses (T1562) [2]
  - Disable or Modify Tools (T1562.001) [2]
- Modify Registry (T1112) [6]
Downloads
-
Filesize
512KB
MD5
45a7f45c900d5e9062b7ecb98c5b63b0
SHA1
60961b3222e11bf17e08f164b0fdba0df15376fc
SHA256
4dba6fed3311e81671c474c56211ab96b8045702e974f302b5935b2a442b404a
SHA512
038def34daba3d252ea55ec89e90e40adb593ed3088c86afe17bb14d6342795ab3eae377e26496d3601cbf1f7900f0d8678de1e4865d3ece5e48e7af913183d0
-
Filesize
239B
MD5
12b138a5a40ffb88d1850866bf2959cd
SHA1
57001ba2de61329118440de3e9f8a81074cb28a2
SHA256
9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA512
9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize
3KB
MD5
c594636eeb6771f8bdc08d2882d87ef0
SHA1
c62485ff37422c34b9df449f2d7a858fa080a3bd
SHA256
fe2639361a36643b5ee5a2f7f78d146c2aaec50d03434b9cb39c2df10bd21927
SHA512
44b081a386125d9a626bb241d22e0f4f645d089ed513ed10bee4ba8c178871d3ba868ff9416077ad3a6b387984a594a9c52aa96e6c8bb39542ebb6fa64a5d948
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize
3KB
MD5
a72fb37b6d45ca12542115294b8c75cc
SHA1
5589d41b74acecbccb0e5914385d6af45c3fd712
SHA256
83e239733df571fc60fc9c7d6cec8bb82e6795b0520b95f4cd11f296f66a9b49
SHA512
1461d6520547262c2d61d795c832290361c4992b868e9e26ae4455f9cfefdb7614604f6a19e9c67700a02012b7b3232847aa032a006de1858a013597a444cc6d
-
Filesize
512KB
MD5e879c9fe5e313fc69d73882853344886
SHA17ff6c92ae605562443f8b8fc3b33fb317a7cee1d
SHA256ca0e4009c488dc2a27837f6f65c97334f388507c228497ce4daedd91816a653a
SHA512d0c38ee4c260482fdf6308ad659d364b5dbf8bfc38ce9fd1bd4aa52481c739142ed079eab8e79e8a161c0ae6d68df390118089752d73f07f639805c32a1cb41a
-
Filesize
512KB
MD5dfee6b0fc6ff5977978816a71afe75eb
SHA1ad7887034188b6ac1e118e5a7dd39fd839bccb82
SHA256666ec5cf97f58a450408cbbf364ee504bc019cee9e397768b691117c5b18d624
SHA5123d19a331564cf27e5f14c3b93dab7cd3cd97a0290c094bf2d9f4cd85078bf883197a8e4a038ea81e031f3ebf32d89c7c349365ece4bd2e81548a2fe783181ebf
-
Filesize
512KB
MD5d8b3a7cd0e8711dad9250532842d8d63
SHA1685f20712d5aedbe167cdc3f65391e3c7df859c4
SHA25682d11cc1bb6394910bd6eeddd922be1fe2204301f401bb4e3f6108e40517d2c6
SHA512f7f7595e72059843d5df1870b663f3d6069e7a65447f8ff33d9d02bd0229889c6a78be0ca53b2826efd85e1c5aebf3f6bc3c886b9d9fb1d0cd888019729ab171
-
Filesize
512KB
MD5d9484d1da4c6292ca877ac700b5d2830
SHA147d6857679ba19fd0d1024eeccc7ab01a4599754
SHA256d11c6056ccaebca519691a10eefd1c09226e587500f007f0bf11c507cb611698
SHA5123795fc80418f181d124e5781c9fbd0e4d7ef6654ecbad0e50caa87218166064f282d085842f405ce6403c964613cc0801c69220a0545617d7c3540843965938e
-
Filesize
512KB
MD5d85a7437d350657560dea0878a4d6562
SHA10bd6a8c57a25b7aa442043f59b288c0622157dc5
SHA256bc038a62a1168c5fc4bcbd09127d0d2e557d9e214f577c2d955a3c19b3f501e7
SHA5126e9e51b93afe1dd21c0a5cf1020db944f916aeed5efed96b00b57b253d62618a5bed6bad75248ab6adddbd5a45bc18570267208213b8cbedf1c7d8b3b551f1d1
-
Filesize
223B
MD506604e5941c126e2e7be02c5cd9f62ec
SHA14eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA25685f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
Filesize
512KB
MD52dd6240e701d1b6426b9aef7ca1077f1
SHA16c2ef3b42b0232b26a50404c4a3808619105430c
SHA2565bca0aa582aca70a518cb4612447dbb85ede8c362655ba363c1d03a9add4ef86
SHA5121e303dcd83a75941b6d699b71b6edafa70d5aa7b103f6597f5a23aa28a173e7331b2fc3e346c7feb73fb1707420880df43948d83746c5839a4a605c59a81f5f9
-
Filesize
512KB
MD570740202bd44bb0dad865fcc4d1c457c
SHA1cc5cfcd2f2082cfe63c3418344534e95809ad9f8
SHA256651ebf4a504d2a5fdd7f6b12ce3774119c59f8519e19a168af246b4b055d2c67
SHA512e05a6752075110b10f56c4de05917a2064aa0d2d8ed2b130660d988a85df1a26f3cfa70d613fae8c17c5849f8f388f9bce77ed4c1a65e47e0610bf27276ff70d