Analysis

max time kernel: 156s
max time network: 166s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/04/2024, 16:15
Static task: static1

Behavioral task: behavioral1
  Sample: faad5e0801967071e1a4f484e40da9b9_JaffaCakes118.exe
  Resource: win7-20240215-en

Behavioral task: behavioral2
  Sample: faad5e0801967071e1a4f484e40da9b9_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General

Target: faad5e0801967071e1a4f484e40da9b9_JaffaCakes118.exe
Size: 512KB
MD5: faad5e0801967071e1a4f484e40da9b9
SHA1: ddd682707b0a28edbb7fc8a9a815477ad023b7ef
SHA256: c871f47c9a09d1623fd29e569676b8414b5530cb868314808db6b0a47c786fa0
SHA512: 5252b36ccffc099aff72e433a595f327df3d94b6d703a5c67067e16430aa078c4572dd4272775af33034adb4b7b92df08cbe7e8d17a31c943439e240cc5b6c8e
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6J:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5M
Malware Config

Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | exxasdixre.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | exxasdixre.exe

Windows security bypass 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | exxasdixre.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | exxasdixre.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | exxasdixre.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | exxasdixre.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | exxasdixre.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | exxasdixre.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | faad5e0801967071e1a4f484e40da9b9_JaffaCakes118.exe
Executes dropped EXE 5 IoCs
pid | Process
5072 | exxasdixre.exe
624 | zajthwotofyworp.exe
3980 | dzpibpcv.exe
3180 | dmtqrtcjpndtz.exe
4604 | dzpibpcv.exe

Windows security modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | exxasdixre.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | exxasdixre.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | exxasdixre.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | exxasdixre.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | exxasdixre.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | exxasdixre.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vsdnuxuv = "exxasdixre.exe" | zajthwotofyworp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dqylxsya = "zajthwotofyworp.exe" | zajthwotofyworp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "dmtqrtcjpndtz.exe" | zajthwotofyworp.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\i: | exxasdixre.exe
File opened (read-only) | \??\o: | dzpibpcv.exe
File opened (read-only) | \??\q: | dzpibpcv.exe
File opened (read-only) | \??\i: | dzpibpcv.exe
File opened (read-only) | \??\v: | dzpibpcv.exe
File opened (read-only) | \??\z: | dzpibpcv.exe
File opened (read-only) | \??\e: | exxasdixre.exe
File opened (read-only) | \??\w: | dzpibpcv.exe
File opened (read-only) | \??\g: | dzpibpcv.exe
File opened (read-only) | \??\w: | exxasdixre.exe
File opened (read-only) | \??\j: | dzpibpcv.exe
File opened (read-only) | \??\e: | dzpibpcv.exe
File opened (read-only) | \??\r: | dzpibpcv.exe
File opened (read-only) | \??\x: | dzpibpcv.exe
File opened (read-only) | \??\y: | dzpibpcv.exe
File opened (read-only) | \??\q: | exxasdixre.exe
File opened (read-only) | \??\r: | exxasdixre.exe
File opened (read-only) | \??\u: | dzpibpcv.exe
File opened (read-only) | \??\y: | dzpibpcv.exe
File opened (read-only) | \??\o: | dzpibpcv.exe
File opened (read-only) | \??\b: | exxasdixre.exe
File opened (read-only) | \??\h: | exxasdixre.exe
File opened (read-only) | \??\n: | exxasdixre.exe
File opened (read-only) | \??\b: | dzpibpcv.exe
File opened (read-only) | \??\k: | dzpibpcv.exe
File opened (read-only) | \??\b: | dzpibpcv.exe
File opened (read-only) | \??\v: | exxasdixre.exe
File opened (read-only) | \??\r: | dzpibpcv.exe
File opened (read-only) | \??\w: | dzpibpcv.exe
File opened (read-only) | \??\x: | dzpibpcv.exe
File opened (read-only) | \??\i: | dzpibpcv.exe
File opened (read-only) | \??\a: | dzpibpcv.exe
File opened (read-only) | \??\p: | exxasdixre.exe
File opened (read-only) | \??\z: | exxasdixre.exe
File opened (read-only) | \??\s: | exxasdixre.exe
File opened (read-only) | \??\m: | dzpibpcv.exe
File opened (read-only) | \??\k: | dzpibpcv.exe
File opened (read-only) | \??\n: | dzpibpcv.exe
File opened (read-only) | \??\p: | dzpibpcv.exe
File opened (read-only) | \??\a: | exxasdixre.exe
File opened (read-only) | \??\t: | exxasdixre.exe
File opened (read-only) | \??\x: | exxasdixre.exe
File opened (read-only) | \??\t: | dzpibpcv.exe
File opened (read-only) | \??\v: | dzpibpcv.exe
File opened (read-only) | \??\l: | dzpibpcv.exe
File opened (read-only) | \??\q: | dzpibpcv.exe
File opened (read-only) | \??\t: | dzpibpcv.exe
File opened (read-only) | \??\j: | exxasdixre.exe
File opened (read-only) | \??\k: | exxasdixre.exe
File opened (read-only) | \??\o: | exxasdixre.exe
File opened (read-only) | \??\g: | dzpibpcv.exe
File opened (read-only) | \??\h: | dzpibpcv.exe
File opened (read-only) | \??\s: | dzpibpcv.exe
File opened (read-only) | \??\p: | dzpibpcv.exe
File opened (read-only) | \??\z: | dzpibpcv.exe
File opened (read-only) | \??\u: | dzpibpcv.exe
File opened (read-only) | \??\u: | exxasdixre.exe
File opened (read-only) | \??\y: | exxasdixre.exe
File opened (read-only) | \??\e: | dzpibpcv.exe
File opened (read-only) | \??\h: | dzpibpcv.exe
File opened (read-only) | \??\n: | dzpibpcv.exe
File opened (read-only) | \??\s: | dzpibpcv.exe
File opened (read-only) | \??\a: | dzpibpcv.exe
File opened (read-only) | \??\m: | dzpibpcv.exe
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | exxasdixre.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | exxasdixre.exe
AutoIT Executable 6 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/4764-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x0007000000023270-10.dat | autoit_exe
behavioral2/files/0x000700000002326e-18.dat | autoit_exe
behavioral2/files/0x000700000002326f-22.dat | autoit_exe
behavioral2/files/0x0007000000023271-29.dat | autoit_exe
behavioral2/files/0x0008000000023122-64.dat | autoit_exe
Drops file in System32 directory 9 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\exxasdixre.exe | faad5e0801967071e1a4f484e40da9b9_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\zajthwotofyworp.exe | faad5e0801967071e1a4f484e40da9b9_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\dzpibpcv.exe | faad5e0801967071e1a4f484e40da9b9_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | exxasdixre.exe
File created | C:\Windows\SysWOW64\exxasdixre.exe | faad5e0801967071e1a4f484e40da9b9_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\zajthwotofyworp.exe | faad5e0801967071e1a4f484e40da9b9_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\dzpibpcv.exe | faad5e0801967071e1a4f484e40da9b9_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\dmtqrtcjpndtz.exe | faad5e0801967071e1a4f484e40da9b9_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\dmtqrtcjpndtz.exe | faad5e0801967071e1a4f484e40da9b9_JaffaCakes118.exe
Drops file in Program Files directory 14 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | dzpibpcv.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | dzpibpcv.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | dzpibpcv.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | dzpibpcv.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | dzpibpcv.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | dzpibpcv.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | dzpibpcv.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | dzpibpcv.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | dzpibpcv.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | dzpibpcv.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | dzpibpcv.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | dzpibpcv.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | dzpibpcv.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | dzpibpcv.exe
Drops file in Windows directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\mydoc.rtf | faad5e0801967071e1a4f484e40da9b9_JaffaCakes118.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class 20 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F768B6FE1B21ADD10CD1A68B7C9017" | faad5e0801967071e1a4f484e40da9b9_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings | faad5e0801967071e1a4f484e40da9b9_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1844C7091490DAB7B9CC7FE7EC9734C8" | faad5e0801967071e1a4f484e40da9b9_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | exxasdixre.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | exxasdixre.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | exxasdixre.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | exxasdixre.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BBFFACCF967F2E283783A4686ED3E95B080028B4261023EE1B8459B09D1" | faad5e0801967071e1a4f484e40da9b9_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB0B02044EE39EB53CCB9D232EFD4B9" | faad5e0801967071e1a4f484e40da9b9_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF5FF8A4F5F82699041D6587D96BDE7E632593267436243D69E" | faad5e0801967071e1a4f484e40da9b9_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | exxasdixre.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | exxasdixre.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | exxasdixre.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | exxasdixre.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | exxasdixre.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | faad5e0801967071e1a4f484e40da9b9_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33462D0B9D2183276D3F76D4702F2DD67CF564DC" | faad5e0801967071e1a4f484e40da9b9_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | exxasdixre.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | exxasdixre.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | exxasdixre.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
3404 | WINWORD.EXE (x2)
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process (consecutive identical entries collapsed with a count)
4764 | faad5e0801967071e1a4f484e40da9b9_JaffaCakes118.exe (x16)
5072 | exxasdixre.exe (x10)
624 | zajthwotofyworp.exe (x10)
3180 | dmtqrtcjpndtz.exe (x12)
3980 | dzpibpcv.exe (x8)
624 | zajthwotofyworp.exe (x2)
3180 | dmtqrtcjpndtz.exe (x4)
624 | zajthwotofyworp.exe (x2)
Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process (consecutive identical entries collapsed with a count)
4764 | faad5e0801967071e1a4f484e40da9b9_JaffaCakes118.exe (x3)
5072 | exxasdixre.exe (x3)
624 | zajthwotofyworp.exe (x3)
3180 | dmtqrtcjpndtz.exe
3980 | dzpibpcv.exe
3180 | dmtqrtcjpndtz.exe
3980 | dzpibpcv.exe
3180 | dmtqrtcjpndtz.exe
3980 | dzpibpcv.exe
4604 | dzpibpcv.exe (x3)
Suspicious use of SendNotifyMessage 18 IoCs
pid | Process (consecutive identical entries collapsed with a count)
4764 | faad5e0801967071e1a4f484e40da9b9_JaffaCakes118.exe (x3)
5072 | exxasdixre.exe (x3)
624 | zajthwotofyworp.exe (x3)
3180 | dmtqrtcjpndtz.exe
3980 | dzpibpcv.exe
3180 | dmtqrtcjpndtz.exe
3980 | dzpibpcv.exe
3180 | dmtqrtcjpndtz.exe
3980 | dzpibpcv.exe
4604 | dzpibpcv.exe (x3)
Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process
3404 | WINWORD.EXE (x7)
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target (consecutive identical entries collapsed with a count)
PID 4764 wrote to memory of 5072 | 4764 | faad5e0801967071e1a4f484e40da9b9_JaffaCakes118.exe | 93 (x3)
PID 4764 wrote to memory of 624 | 4764 | faad5e0801967071e1a4f484e40da9b9_JaffaCakes118.exe | 94 (x3)
PID 4764 wrote to memory of 3980 | 4764 | faad5e0801967071e1a4f484e40da9b9_JaffaCakes118.exe | 95 (x3)
PID 4764 wrote to memory of 3180 | 4764 | faad5e0801967071e1a4f484e40da9b9_JaffaCakes118.exe | 96 (x3)
PID 5072 wrote to memory of 4604 | 5072 | exxasdixre.exe | 98 (x3)
PID 4764 wrote to memory of 3404 | 4764 | faad5e0801967071e1a4f484e40da9b9_JaffaCakes118.exe | 99 (x2)
Processes

C:\Users\Admin\AppData\Local\Temp\faad5e0801967071e1a4f484e40da9b9_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\faad5e0801967071e1a4f484e40da9b9_JaffaCakes118.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 4764

    C:\Windows\SysWOW64\exxasdixre.exe
      Command line: exxasdixre.exe
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Windows security bypass
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Windows security modification
      - Enumerates connected drives
      - Modifies WinLogon
      - Drops file in System32 directory
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      PID: 5072

        C:\Windows\SysWOW64\dzpibpcv.exe
          Command line: C:\Windows\system32\dzpibpcv.exe
          - Executes dropped EXE
          - Enumerates connected drives
          - Drops file in Program Files directory
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          PID: 4604

    C:\Windows\SysWOW64\zajthwotofyworp.exe
      Command line: zajthwotofyworp.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      PID: 624

    C:\Windows\SysWOW64\dzpibpcv.exe
      Command line: dzpibpcv.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      PID: 3980

    C:\Windows\SysWOW64\dmtqrtcjpndtz.exe
      Command line: dmtqrtcjpndtz.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      PID: 3180

    C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      - Drops file in Windows directory
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of SetWindowsHookEx
      PID: 3404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3980 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
  PID: 2392
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)

Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)

Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (6)
Downloads

Filesize: 512KB
MD5: 5bef13005dd05c83f8125ce40c87a7b8
SHA1: d874b009551df574a445203c6278a609090c05b7
SHA256: 7d43a9828a30f599b7ba9fe032cc8d6ae9a3ec7b7b1cb68ddcb5e294ecb06c20
SHA512: a8fefdbe45268e127abd778a266c606bf110b42b8dba5f93feaa0c28f993be16963409a67286b88e359cd8ebc67b34539e6d6de59d371dcc06bffbc8aed88228

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: 303e486a9c3097cb8dbd2fccce6e694c
SHA1: a19e92dd560a578bab5c58d32d4ae53b9090b911
SHA256: 64d17d24a34371c81e3840e080f2e12bc0ad33ba68a08427b433e9aafe1e8435
SHA512: 7891b98a1441b9f78e35126c2ed0f66e919c30ddf6f903fa00c12251121fe50092f9a7797084a07f5bdaf89173956379883bfba5b218d81f105561b86850dc87

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: 3e627db5409f354933172a1c21c1cdcb
SHA1: 6f84ff7ebca66232ecb46fa9e40ce89f2ddad441
SHA256: a494d70736b0c8084ab55a411cab5d29f13d9ccf11fa255f2a6332d9600fb5c9
SHA512: 0341ebbf9746a1a80c93515320ecb80be8c18bd115c179801ecd94c6be0997830f6e377e7417ec771dabe7c0a372ee4d127738f50a7720d29c7af7074a05e107

Filesize: 512KB
MD5: 2f680b6e7efa1ef5fc31648b351e5125
SHA1: 14be950d6ce5638967763fef118f605159a56a51
SHA256: 5bbe5e43955d332ac228ba345a0dd5b3379680263411a7f9258149f904f71335
SHA512: 372de3a7ce9c0a252f90793f272bf35e8054aca4a66c801816cca693c80b3db17f7d1c351a3d46082c37536318f350c5a9e86162fa4f202c107d24a7cd9ff940

Filesize: 512KB
MD5: 5d3dca2fb7ae93aab72cd3b114c1073e
SHA1: bd84bd4e5d9d24f4c6d4d46a8e2e51b87ea156c0
SHA256: f49daa21618d35672c474d4fe3792654c8ec42dec05a9c03ee75599891c13106
SHA512: 39703adb607e7def8c79937fd9ba6a2a611fdc777f84f64e0292675c6754c8a254944314fe3c306069f3328db93ad3e0b1a7cf4e072bdd4b1607fbd4020e007b

Filesize: 512KB
MD5: 744db600b5c8026625d76b636737d56e
SHA1: 3bb6835a4c936134be168b37289a1aac97a8adbe
SHA256: 8e10948a4bab58c4472c8db3a50a81fb08e5213d652dbd8d7935d2f1dd75f4dd
SHA512: 39305b7f5fb96113701edebd903a4bbbc4f2283b251bdb68818c199dbebd574c95c73ddfb497a64d68afc0d22cb6194df33a62822fb60c114993da22b03c68c5

Filesize: 512KB
MD5: 4ea7c2c1e1570c05dc87195b00447783
SHA1: 5e6490ca4880382dd00d56a3e88b4328b34e5b90
SHA256: 706304a2fcbeb8dfadb83308e40680e76488b18f2144a2c9fe2678039f5d2842
SHA512: 5f5c4e7c92ab21da84408cccab6c988002e72b7aa57f227813389954d78cc297f359d62b85045832ba237a53a2d7b3579badee847e35b6af08420fa6316a13d5

Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7