Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-04-2024 02:16

Static task: static1

Behavioral task: behavioral1
- Sample: fbb4aac8ca9cb008dcaa29ea04cfaac0_JaffaCakes118.exe
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: fbb4aac8ca9cb008dcaa29ea04cfaac0_JaffaCakes118.exe
- Resource: win10v2004-20240412-en
General
- Target: fbb4aac8ca9cb008dcaa29ea04cfaac0_JaffaCakes118.exe
- Size: 512KB
- MD5: fbb4aac8ca9cb008dcaa29ea04cfaac0
- SHA1: 227f11bfa01e05bdc242e0195845604e75d17da9
- SHA256: 8a1e58fab0d97559ba2242c6a9834de9659e996bd12344258c1c655d01069723
- SHA512: f519c170d011da50f63933fdb2fee45614292c9c33ae7bed6700aaa37cb476f31656ffebc91a6c18022a788b55e5d48fd947d2aec606b4ce242efa66399977ea
- SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6O:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5v
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
Processes:
- Set value (int): \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (miyftmsaqg.exe)
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
Processes:
- Set value (int): \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (miyftmsaqg.exe)
Windows security bypass
Processes:
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (miyftmsaqg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (miyftmsaqg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (miyftmsaqg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (miyftmsaqg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (miyftmsaqg.exe)
Disables RegEdit via registry modification (1 IoC)
Processes:
- Set value (int): \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (miyftmsaqg.exe)
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
Processes:
- Key value queried: \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation (fbb4aac8ca9cb008dcaa29ea04cfaac0_JaffaCakes118.exe)
Executes dropped EXE (5 IoCs)
Processes (pid process):
- 3300 miyftmsaqg.exe
- 760 xuvszvvolqlntpw.exe
- 3448 xcfoizjv.exe
- 1624 fqicinswrxtmz.exe
- 5036 xcfoizjv.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification
Processes:
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" (miyftmsaqg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (miyftmsaqg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (miyftmsaqg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (miyftmsaqg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (miyftmsaqg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (miyftmsaqg.exe)
Adds Run key to start application (2 TTPs, 3 IoCs)
Processes:
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ugptldhh = "miyftmsaqg.exe" (xuvszvvolqlntpw.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nhqwfixm = "xuvszvvolqlntpw.exe" (xuvszvvolqlntpw.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "fqicinswrxtmz.exe" (xuvszvvolqlntpw.exe)
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes (all 64 entries are "File opened (read-only)" on a drive root of the form \??\x:, grouped here by process):
- miyftmsaqg.exe (22 entries): \??\a:, \??\b:, \??\e:, \??\g:, \??\h:, \??\i:, \??\k:, \??\l:, \??\m:, \??\n:, \??\o:, \??\p:, \??\q:, \??\r:, \??\s:, \??\t:, \??\u:, \??\v:, \??\w:, \??\x:, \??\y:, \??\z:
- xcfoizjv.exe (42 entries across the two xcfoizjv.exe instances; every letter appears twice except h, j, l and p, which appear once): \??\a:, \??\b:, \??\e:, \??\g:, \??\h:, \??\i:, \??\j:, \??\k:, \??\l:, \??\m:, \??\n:, \??\o:, \??\p:, \??\q:, \??\r:, \??\s:, \??\t:, \??\u:, \??\v:, \??\w:, \??\x:, \??\y:, \??\z:
Modifies WinLogon (2 TTPs, 2 IoCs)
Processes:
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" (miyftmsaqg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" (miyftmsaqg.exe)
AutoIT Executable (8 IoCs)
AutoIT scripts compiled to PE executables.
Processes (resource: yara_rule):
- behavioral2/memory/3588-0-0x0000000000400000-0x0000000000496000-memory.dmp: autoit_exe
- C:\Windows\SysWOW64\xuvszvvolqlntpw.exe: autoit_exe
- C:\Windows\SysWOW64\miyftmsaqg.exe: autoit_exe
- C:\Windows\SysWOW64\fqicinswrxtmz.exe: autoit_exe
- C:\Windows\SysWOW64\xcfoizjv.exe: autoit_exe
- C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe: autoit_exe
- \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe: autoit_exe
- \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe: autoit_exe
Drops file in System32 directory (12 IoCs)
Processes:
- File created: C:\Windows\SysWOW64\xuvszvvolqlntpw.exe (fbb4aac8ca9cb008dcaa29ea04cfaac0_JaffaCakes118.exe)
- File created: C:\Windows\SysWOW64\xcfoizjv.exe (fbb4aac8ca9cb008dcaa29ea04cfaac0_JaffaCakes118.exe)
- File created: C:\Windows\SysWOW64\fqicinswrxtmz.exe (fbb4aac8ca9cb008dcaa29ea04cfaac0_JaffaCakes118.exe)
- File opened for modification: C:\Windows\SysWOW64\msvbvm60.dll (miyftmsaqg.exe)
- File created: \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (xcfoizjv.exe)
- File opened for modification: \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (xcfoizjv.exe)
- File created: C:\Windows\SysWOW64\miyftmsaqg.exe (fbb4aac8ca9cb008dcaa29ea04cfaac0_JaffaCakes118.exe)
- File opened for modification: C:\Windows\SysWOW64\miyftmsaqg.exe (fbb4aac8ca9cb008dcaa29ea04cfaac0_JaffaCakes118.exe)
- File opened for modification: C:\Windows\SysWOW64\xuvszvvolqlntpw.exe (fbb4aac8ca9cb008dcaa29ea04cfaac0_JaffaCakes118.exe)
- File opened for modification: C:\Windows\SysWOW64\xcfoizjv.exe (fbb4aac8ca9cb008dcaa29ea04cfaac0_JaffaCakes118.exe)
- File opened for modification: C:\Windows\SysWOW64\fqicinswrxtmz.exe (fbb4aac8ca9cb008dcaa29ea04cfaac0_JaffaCakes118.exe)
- File opened for modification: \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (xcfoizjv.exe)
Drops file in Program Files directory (14 IoCs)
Processes (all by xcfoizjv.exe):
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal
- File opened for modification: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- File opened for modification: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal
- File created: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- File opened for modification: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- File opened for modification: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal
- File created: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
Drops file in Windows directory (19 IoCs)
Processes:
- File created: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (xcfoizjv.exe)
- File opened for modification: C:\Windows\mydoc.rtf (WINWORD.EXE)
- File opened for modification: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (xcfoizjv.exe)
- File created: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (xcfoizjv.exe)
- File opened for modification: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (xcfoizjv.exe)
- File created: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (xcfoizjv.exe)
- File opened for modification: C:\Windows\mydoc.rtf (fbb4aac8ca9cb008dcaa29ea04cfaac0_JaffaCakes118.exe)
- File opened for modification: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (xcfoizjv.exe)
- File created: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (xcfoizjv.exe)
- File opened for modification: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (xcfoizjv.exe)
- File created: C:\Windows\~$mydoc.rtf (WINWORD.EXE)
- File created: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (xcfoizjv.exe)
- File created: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (xcfoizjv.exe)
- File opened for modification: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (xcfoizjv.exe)
- File created: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (xcfoizjv.exe)
- File opened for modification: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (xcfoizjv.exe)
- File opened for modification: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (xcfoizjv.exe)
- File opened for modification: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (xcfoizjv.exe)
- File created: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (xcfoizjv.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
Modifies registry class (20 IoCs)
Processes:
- Key created: \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings (fbb4aac8ca9cb008dcaa29ea04cfaac0_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "334E2C089D2083596D4176DD77252CDF7C8F64DE" (fbb4aac8ca9cb008dcaa29ea04cfaac0_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EC3B129479339ED53BEB9A7329FD4B9" (fbb4aac8ca9cb008dcaa29ea04cfaac0_JaffaCakes118.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc (miyftmsaqg.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs (miyftmsaqg.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" (miyftmsaqg.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F46BB2FF1F22DCD27CD0D18A0E9162" (fbb4aac8ca9cb008dcaa29ea04cfaac0_JaffaCakes118.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.bat (miyftmsaqg.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf (miyftmsaqg.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" (miyftmsaqg.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" (miyftmsaqg.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" (miyftmsaqg.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.reg (miyftmsaqg.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BBDF9B1FE6BF2E3847A3A47819D39E5B0FA038A4364034EE2CA459909D4" (fbb4aac8ca9cb008dcaa29ea04cfaac0_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E8CFCF9482985129131D7297E96BC95E630583066436333D69E" (fbb4aac8ca9cb008dcaa29ea04cfaac0_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" (miyftmsaqg.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh (miyftmsaqg.exe)
- Key created: \REGISTRY\MACHINE\Software\Classes\CLV.Classes (fbb4aac8ca9cb008dcaa29ea04cfaac0_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184EC67914E3DBC7B8B97C92EC9634BD" (fbb4aac8ca9cb008dcaa29ea04cfaac0_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" (miyftmsaqg.exe)
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes (pid process, with repeat count):
- 1980 WINWORD.EXE (×2)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid process, with repeat counts):
- 3588 fbb4aac8ca9cb008dcaa29ea04cfaac0_JaffaCakes118.exe (×16)
- 3300 miyftmsaqg.exe (×10)
- 760 xuvszvvolqlntpw.exe (×10)
- 3448 xcfoizjv.exe (×8)
- 1624 fqicinswrxtmz.exe (×12)
- 5036 xcfoizjv.exe (×8)
Suspicious use of FindShellTrayWindow (18 IoCs)
Processes (pid process, with repeat counts):
- 3588 fbb4aac8ca9cb008dcaa29ea04cfaac0_JaffaCakes118.exe (×3)
- 3300 miyftmsaqg.exe (×3)
- 760 xuvszvvolqlntpw.exe (×3)
- 3448 xcfoizjv.exe (×3)
- 1624 fqicinswrxtmz.exe (×3)
- 5036 xcfoizjv.exe (×3)
Suspicious use of SendNotifyMessage (18 IoCs)
Processes (pid process, with repeat counts):
- 3588 fbb4aac8ca9cb008dcaa29ea04cfaac0_JaffaCakes118.exe (×3)
- 3300 miyftmsaqg.exe (×3)
- 760 xuvszvvolqlntpw.exe (×3)
- 3448 xcfoizjv.exe (×3)
- 1624 fqicinswrxtmz.exe (×3)
- 5036 xcfoizjv.exe (×3)
Suspicious use of SetWindowsHookEx (7 IoCs)
Processes (pid process, with repeat count):
- 1980 WINWORD.EXE (×7)
Suspicious use of WriteProcessMemory (17 IoCs)
Processes (source PID and process, target PID and process, with repeat counts):
- PID 3588 (fbb4aac8ca9cb008dcaa29ea04cfaac0_JaffaCakes118.exe) wrote to memory of 3300 (miyftmsaqg.exe) (×3)
- PID 3588 (fbb4aac8ca9cb008dcaa29ea04cfaac0_JaffaCakes118.exe) wrote to memory of 760 (xuvszvvolqlntpw.exe) (×3)
- PID 3588 (fbb4aac8ca9cb008dcaa29ea04cfaac0_JaffaCakes118.exe) wrote to memory of 3448 (xcfoizjv.exe) (×3)
- PID 3588 (fbb4aac8ca9cb008dcaa29ea04cfaac0_JaffaCakes118.exe) wrote to memory of 1624 (fqicinswrxtmz.exe) (×3)
- PID 3588 (fbb4aac8ca9cb008dcaa29ea04cfaac0_JaffaCakes118.exe) wrote to memory of 1980 (WINWORD.EXE) (×2)
- PID 3300 (miyftmsaqg.exe) wrote to memory of 5036 (xcfoizjv.exe) (×3)
Processes (process tree; depth as reported by the sandbox)
- C:\Users\Admin\AppData\Local\Temp\fbb4aac8ca9cb008dcaa29ea04cfaac0_JaffaCakes118.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\fbb4aac8ca9cb008dcaa29ea04cfaac0_JaffaCakes118.exe"
  Signatures:
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\miyftmsaqg.exe (depth 2)
    Command line: miyftmsaqg.exe
    Signatures:
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\xcfoizjv.exe (depth 3)
      Command line: C:\Windows\system32\xcfoizjv.exe
      Signatures:
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\xuvszvvolqlntpw.exe (depth 2)
    Command line: xuvszvvolqlntpw.exe
    Signatures:
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\xcfoizjv.exe (depth 2)
    Command line: xcfoizjv.exe
    Signatures:
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\fqicinswrxtmz.exe (depth 2)
    Command line: fqicinswrxtmz.exe
    Signatures:
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (depth 2)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    Signatures:
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v13)
- Persistence: Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (1), Winlogon Helper DLL (1)
- Privilege Escalation: Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (1), Winlogon Helper DLL (1)
- Defense Evasion: Hide Artifacts (2): Hidden Files and Directories (2); Modify Registry (6); Impair Defenses (2): Disable or Modify Tools (2)
Downloads