Analysis
max time kernel: 149s
max time network: 108s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-04-2024 16:07
Static task: static1
Behavioral task: behavioral1
  Sample: 0127157e92f97a8e8e05ae6a7d42dd24_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 0127157e92f97a8e8e05ae6a7d42dd24_JaffaCakes118.exe
  Resource: win10v2004-20240419-en
General
Target: 0127157e92f97a8e8e05ae6a7d42dd24_JaffaCakes118.exe
Size: 512KB
MD5: 0127157e92f97a8e8e05ae6a7d42dd24
SHA1: b1efbdc6672560f2835346ce75bb27a50d600777
SHA256: 788a64bcdb1fd5ab9203dce06033a729cc13514db575ca086995272326583316
SHA512: 603c574225ec98503fd867005b3b477c7668b65ec081bc3bd4a006f3dad8d64a49a9924503fe297471acc8b36cc122d6ad4c20d52bed716af816632ae482eb3c
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6x:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5G
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | wtezgyngwl.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | wtezgyngwl.exe
Windows security bypass 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | wtezgyngwl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | wtezgyngwl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | wtezgyngwl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | wtezgyngwl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | wtezgyngwl.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | wtezgyngwl.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation | 0127157e92f97a8e8e05ae6a7d42dd24_JaffaCakes118.exe
Executes dropped EXE 5 IoCs
pid | Process
1060 | wtezgyngwl.exe
2100 | uvyoodaiorpbtvy.exe
4460 | orvdjvah.exe
4188 | xgimidtenozjn.exe
3636 | orvdjvah.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | wtezgyngwl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | wtezgyngwl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | wtezgyngwl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | wtezgyngwl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | wtezgyngwl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | wtezgyngwl.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cisapeno = "uvyoodaiorpbtvy.exe" | uvyoodaiorpbtvy.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "xgimidtenozjn.exe" | uvyoodaiorpbtvy.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vusfyoru = "wtezgyngwl.exe" | uvyoodaiorpbtvy.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\q: | orvdjvah.exe
File opened (read-only) | \??\s: | orvdjvah.exe
File opened (read-only) | \??\t: | orvdjvah.exe
File opened (read-only) | \??\q: | orvdjvah.exe
File opened (read-only) | \??\w: | orvdjvah.exe
File opened (read-only) | \??\a: | wtezgyngwl.exe
File opened (read-only) | \??\n: | wtezgyngwl.exe
File opened (read-only) | \??\g: | orvdjvah.exe
File opened (read-only) | \??\v: | orvdjvah.exe
File opened (read-only) | \??\b: | wtezgyngwl.exe
File opened (read-only) | \??\h: | wtezgyngwl.exe
File opened (read-only) | \??\t: | wtezgyngwl.exe
File opened (read-only) | \??\v: | wtezgyngwl.exe
File opened (read-only) | \??\o: | orvdjvah.exe
File opened (read-only) | \??\z: | orvdjvah.exe
File opened (read-only) | \??\p: | orvdjvah.exe
File opened (read-only) | \??\y: | orvdjvah.exe
File opened (read-only) | \??\i: | wtezgyngwl.exe
File opened (read-only) | \??\m: | wtezgyngwl.exe
File opened (read-only) | \??\u: | wtezgyngwl.exe
File opened (read-only) | \??\w: | wtezgyngwl.exe
File opened (read-only) | \??\h: | orvdjvah.exe
File opened (read-only) | \??\m: | orvdjvah.exe
File opened (read-only) | \??\r: | wtezgyngwl.exe
File opened (read-only) | \??\e: | orvdjvah.exe
File opened (read-only) | \??\n: | orvdjvah.exe
File opened (read-only) | \??\g: | wtezgyngwl.exe
File opened (read-only) | \??\i: | orvdjvah.exe
File opened (read-only) | \??\r: | orvdjvah.exe
File opened (read-only) | \??\q: | wtezgyngwl.exe
File opened (read-only) | \??\l: | orvdjvah.exe
File opened (read-only) | \??\z: | wtezgyngwl.exe
File opened (read-only) | \??\m: | orvdjvah.exe
File opened (read-only) | \??\w: | orvdjvah.exe
File opened (read-only) | \??\z: | orvdjvah.exe
File opened (read-only) | \??\e: | wtezgyngwl.exe
File opened (read-only) | \??\o: | wtezgyngwl.exe
File opened (read-only) | \??\a: | orvdjvah.exe
File opened (read-only) | \??\j: | orvdjvah.exe
File opened (read-only) | \??\r: | orvdjvah.exe
File opened (read-only) | \??\u: | orvdjvah.exe
File opened (read-only) | \??\x: | orvdjvah.exe
File opened (read-only) | \??\a: | orvdjvah.exe
File opened (read-only) | \??\h: | orvdjvah.exe
File opened (read-only) | \??\o: | orvdjvah.exe
File opened (read-only) | \??\b: | orvdjvah.exe
File opened (read-only) | \??\g: | orvdjvah.exe
File opened (read-only) | \??\k: | wtezgyngwl.exe
File opened (read-only) | \??\x: | orvdjvah.exe
File opened (read-only) | \??\l: | wtezgyngwl.exe
File opened (read-only) | \??\y: | wtezgyngwl.exe
File opened (read-only) | \??\k: | orvdjvah.exe
File opened (read-only) | \??\e: | orvdjvah.exe
File opened (read-only) | \??\i: | orvdjvah.exe
File opened (read-only) | \??\k: | orvdjvah.exe
File opened (read-only) | \??\l: | orvdjvah.exe
File opened (read-only) | \??\t: | orvdjvah.exe
File opened (read-only) | \??\y: | orvdjvah.exe
File opened (read-only) | \??\j: | wtezgyngwl.exe
File opened (read-only) | \??\p: | wtezgyngwl.exe
File opened (read-only) | \??\b: | orvdjvah.exe
File opened (read-only) | \??\j: | orvdjvah.exe
File opened (read-only) | \??\v: | orvdjvah.exe
File opened (read-only) | \??\s: | orvdjvah.exe
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | wtezgyngwl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | wtezgyngwl.exe
AutoIT Executable 9 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/2096-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x000a000000023bb6-5.dat | autoit_exe
behavioral2/files/0x000b000000023bb2-18.dat | autoit_exe
behavioral2/files/0x000a000000023bb7-29.dat | autoit_exe
behavioral2/files/0x000a000000023bb8-32.dat | autoit_exe
behavioral2/files/0x000a000000023bc3-57.dat | autoit_exe
behavioral2/files/0x000a000000023bc4-63.dat | autoit_exe
behavioral2/files/0x00020000000229be-84.dat | autoit_exe
behavioral2/files/0x00020000000229be-90.dat | autoit_exe
Drops file in System32 directory 12 IoCs
description | ioc | Process
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | orvdjvah.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | orvdjvah.exe
File opened for modification | C:\Windows\SysWOW64\wtezgyngwl.exe | 0127157e92f97a8e8e05ae6a7d42dd24_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\uvyoodaiorpbtvy.exe | 0127157e92f97a8e8e05ae6a7d42dd24_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\uvyoodaiorpbtvy.exe | 0127157e92f97a8e8e05ae6a7d42dd24_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\orvdjvah.exe | 0127157e92f97a8e8e05ae6a7d42dd24_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\xgimidtenozjn.exe | 0127157e92f97a8e8e05ae6a7d42dd24_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | wtezgyngwl.exe
File created | C:\Windows\SysWOW64\wtezgyngwl.exe | 0127157e92f97a8e8e05ae6a7d42dd24_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\orvdjvah.exe | 0127157e92f97a8e8e05ae6a7d42dd24_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\xgimidtenozjn.exe | 0127157e92f97a8e8e05ae6a7d42dd24_JaffaCakes118.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | orvdjvah.exe
Drops file in Program Files directory 15 IoCs
description | ioc | Process
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | orvdjvah.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | orvdjvah.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | orvdjvah.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | orvdjvah.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | orvdjvah.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | orvdjvah.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | orvdjvah.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | orvdjvah.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | orvdjvah.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | orvdjvah.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | orvdjvah.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | orvdjvah.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | orvdjvah.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | orvdjvah.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | orvdjvah.exe
Drops file in Windows directory 19 IoCs
description | ioc | Process
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | orvdjvah.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | orvdjvah.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | orvdjvah.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | orvdjvah.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | orvdjvah.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | orvdjvah.exe
File opened for modification | C:\Windows\mydoc.rtf | 0127157e92f97a8e8e05ae6a7d42dd24_JaffaCakes118.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | orvdjvah.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | orvdjvah.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | orvdjvah.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | orvdjvah.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | orvdjvah.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | orvdjvah.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | orvdjvah.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | orvdjvah.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | orvdjvah.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | orvdjvah.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Modifies registry class 20 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC4B0284493399F53C4B9D432EDD7CE" | 0127157e92f97a8e8e05ae6a7d42dd24_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000_Classes\Local Settings | 0127157e92f97a8e8e05ae6a7d42dd24_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | wtezgyngwl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | wtezgyngwl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32442D7C9C2C82556A4477A070512CD97CF264AC" | 0127157e92f97a8e8e05ae6a7d42dd24_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCFF9C9FE64F196837F3B45869A3998B080038F4268033BE2CA45E609A3" | 0127157e92f97a8e8e05ae6a7d42dd24_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | wtezgyngwl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | wtezgyngwl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | wtezgyngwl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "183AC67814E1DAC5B9BB7CE1ED9034C6" | 0127157e92f97a8e8e05ae6a7d42dd24_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | wtezgyngwl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F768B0FF6721DED179D0A18B7B9016" | 0127157e92f97a8e8e05ae6a7d42dd24_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | wtezgyngwl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | wtezgyngwl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | wtezgyngwl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | wtezgyngwl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | wtezgyngwl.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 0127157e92f97a8e8e05ae6a7d42dd24_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FF9FFFB4829851C9131D7587E91BD93E13C593166366334D79A" | 0127157e92f97a8e8e05ae6a7d42dd24_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | wtezgyngwl.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process | occurrences
1544 | WINWORD.EXE | 2
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | consecutive occurrences (in recorded order)
2096 | 0127157e92f97a8e8e05ae6a7d42dd24_JaffaCakes118.exe | 16
2100 | uvyoodaiorpbtvy.exe | 8
1060 | wtezgyngwl.exe | 10
2100 | uvyoodaiorpbtvy.exe | 2
4188 | xgimidtenozjn.exe | 2
4460 | orvdjvah.exe | 2
4188 | xgimidtenozjn.exe | 1
4460 | orvdjvah.exe | 1
4188 | xgimidtenozjn.exe | 1
4460 | orvdjvah.exe | 1
4188 | xgimidtenozjn.exe | 3
4460 | orvdjvah.exe | 1
4188 | xgimidtenozjn.exe | 1
4460 | orvdjvah.exe | 3
4188 | xgimidtenozjn.exe | 4
3636 | orvdjvah.exe | 8
Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process | occurrences
2096 | 0127157e92f97a8e8e05ae6a7d42dd24_JaffaCakes118.exe | 3
2100 | uvyoodaiorpbtvy.exe | 3
1060 | wtezgyngwl.exe | 3
4460 | orvdjvah.exe | 3
4188 | xgimidtenozjn.exe | 3
3636 | orvdjvah.exe | 3
Suspicious use of SendNotifyMessage 18 IoCs
pid | Process | occurrences
2096 | 0127157e92f97a8e8e05ae6a7d42dd24_JaffaCakes118.exe | 3
2100 | uvyoodaiorpbtvy.exe | 3
1060 | wtezgyngwl.exe | 3
4460 | orvdjvah.exe | 3
4188 | xgimidtenozjn.exe | 3
3636 | orvdjvah.exe | 3
Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process | occurrences
1544 | WINWORD.EXE | 7
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 2096 wrote to memory of 1060 | 2096 | 0127157e92f97a8e8e05ae6a7d42dd24_JaffaCakes118.exe | 85
PID 2096 wrote to memory of 1060 | 2096 | 0127157e92f97a8e8e05ae6a7d42dd24_JaffaCakes118.exe | 85
PID 2096 wrote to memory of 1060 | 2096 | 0127157e92f97a8e8e05ae6a7d42dd24_JaffaCakes118.exe | 85
PID 2096 wrote to memory of 2100 | 2096 | 0127157e92f97a8e8e05ae6a7d42dd24_JaffaCakes118.exe | 86
PID 2096 wrote to memory of 2100 | 2096 | 0127157e92f97a8e8e05ae6a7d42dd24_JaffaCakes118.exe | 86
PID 2096 wrote to memory of 2100 | 2096 | 0127157e92f97a8e8e05ae6a7d42dd24_JaffaCakes118.exe | 86
PID 2096 wrote to memory of 4460 | 2096 | 0127157e92f97a8e8e05ae6a7d42dd24_JaffaCakes118.exe | 87
PID 2096 wrote to memory of 4460 | 2096 | 0127157e92f97a8e8e05ae6a7d42dd24_JaffaCakes118.exe | 87
PID 2096 wrote to memory of 4460 | 2096 | 0127157e92f97a8e8e05ae6a7d42dd24_JaffaCakes118.exe | 87
PID 2096 wrote to memory of 4188 | 2096 | 0127157e92f97a8e8e05ae6a7d42dd24_JaffaCakes118.exe | 88
PID 2096 wrote to memory of 4188 | 2096 | 0127157e92f97a8e8e05ae6a7d42dd24_JaffaCakes118.exe | 88
PID 2096 wrote to memory of 4188 | 2096 | 0127157e92f97a8e8e05ae6a7d42dd24_JaffaCakes118.exe | 88
PID 2096 wrote to memory of 1544 | 2096 | 0127157e92f97a8e8e05ae6a7d42dd24_JaffaCakes118.exe | 89
PID 2096 wrote to memory of 1544 | 2096 | 0127157e92f97a8e8e05ae6a7d42dd24_JaffaCakes118.exe | 89
PID 1060 wrote to memory of 3636 | 1060 | wtezgyngwl.exe | 92
PID 1060 wrote to memory of 3636 | 1060 | wtezgyngwl.exe | 92
PID 1060 wrote to memory of 3636 | 1060 | wtezgyngwl.exe | 92
Processes
C:\Users\Admin\AppData\Local\Temp\0127157e92f97a8e8e05ae6a7d42dd24_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\0127157e92f97a8e8e05ae6a7d42dd24_JaffaCakes118.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 2096
  C:\Windows\SysWOW64\wtezgyngwl.exe
    command line: wtezgyngwl.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID: 1060
    C:\Windows\SysWOW64\orvdjvah.exe
      command line: C:\Windows\system32\orvdjvah.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      PID: 3636
  C:\Windows\SysWOW64\uvyoodaiorpbtvy.exe
    command line: uvyoodaiorpbtvy.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 2100
  C:\Windows\SysWOW64\orvdjvah.exe
    command line: orvdjvah.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 4460
  C:\Windows\SysWOW64\xgimidtenozjn.exe
    command line: xgimidtenozjn.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 4188
  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID: 1544
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution 2
    Registry Run Keys / Startup Folder 1
    Winlogon Helper DLL 1
Privilege Escalation
  Boot or Logon Autostart Execution 2
    Registry Run Keys / Startup Folder 1
    Winlogon Helper DLL 1
Defense Evasion
  Hide Artifacts 2
    Hidden Files and Directories 2
  Impair Defenses 2
    Disable or Modify Tools 2
  Modify Registry 6
Downloads
Filesize: 512KB
MD5: 1f942a0ad708e7399dc8583291876b2f
SHA1: 2592edc715d5d977c59d60e3a0d9d3294bc75601
SHA256: 92bdcb9994f9d8284a5657aaedf2da65536d3e51e6be6553f967c849c59793b1
SHA512: d3063400886c7a1220f5197ca2f1b2b0959c04c619ee8894b1250dbe0b621f2fe414dceb42baa58a3d13db6f818293c983ee3ab980d3162ad9df2d15e5ba4c40

Filesize: 512KB
MD5: 3f3c69de5dc254c0c9cc44300355393d
SHA1: f889b6e1c38d968f57d84ac2a2b67b8eff4d2bdc
SHA256: aa415da6fad297c84699a529700949406c2e43e725ccaa51f8037507d502b6f7
SHA512: 2d0717bf90ed0398be9a9fd06bcb7b33f724233583cbaad16bd24a25b04e185152b4b94ae3eee888d28f827ee55112c2f64718a4c89ef54c9bbe9c815ae45c92

Filesize: 247B
MD5: b9b19cc3197448cce687bb8508db123e
SHA1: fe255f32e51db4675547affd0b9bc052c0445b5f
SHA256: 15c16681c0a32a4d0634ed2ba3433317be72fa0d6cc0a253bfdb6531aa30c4f7
SHA512: b66f52a57bbe4e3e131510dcf2945faf8027f329322981a8cb8e033ebf2c4e08fc7a1a9dbd40f8b4cf94d13176696908c080812e178723dc0a71092e9a003698

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: 629a3e276e4917dfca5fb611735fd104
SHA1: 420885fdfa2a38c79344fa742469e27040c95e6d
SHA256: 812c470608212cdda000bcb6cae1202ebc8a7a83b2c8c585c12e97fbddda16f7
SHA512: 2f3473320a74b0726c9c94e7235aa310e1f5916aa84ba459b0ff78e6fb0ffa3c891d896cb360d985813c0c645b3fc2e3b192cf8da1c5bfb51c7229b89e46ddcf

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: 74514fac2e281807beec84812c074477
SHA1: 43c3988a3ec21ff887c643d7eccf03cbcc9cf572
SHA256: 1d79e3e19378362bf8b81054d80ac7c4a191b2671146f5db915568f7ba9e1485
SHA512: 3ceb3329362ab9d5274cfab13915492ad322e7a59a95ee489537db06232fa34b115f2a33105247e6e4350fe470674ad0914b30fc62a4ea43e97102f560979867

Filesize: 512KB
MD5: db5aaad1715aaabccf382196b120ffa5
SHA1: 7c0edc1e360f1aefc34a168402a751b69429cbf1
SHA256: ddabb52f3c2162acd26406a332e01b84d323b5b0f3b97041307468a295dbadb3
SHA512: 03037409888f40cb80f022f3f6edd5f33cc3c94c39ad881bd68e3eea9fcb0ac740b829073d82411f50eaa21b5e171c4c704ebbabbd03946beab5483b858d255e

Filesize: 512KB
MD5: 915b6d6f096764b9493301805ec66e84
SHA1: a284657102451f9819b2f27f741e1130204efda5
SHA256: efa8b0aab87e4de0a3357930ce2dfed5e4f89e6c92769eda2d54e6c39f5f5b7e
SHA512: 3b0a082bd44e20bb427c44ee55f0f07bbbd591ad9fc8e4cede80c7f3bb2749b382733d8b081505674f6e000d18b93e4ff8c37283d2cd3bb976efdc84a8f29857

Filesize: 512KB
MD5: f0b44951c50cebc01961b72b485272ca
SHA1: 2bd43dd9df0641b1b114e2d5cb1fb92330773d31
SHA256: 31130ce339197ab1b426520ddca3717894c9662577a51c31019fb84026fb83d1
SHA512: edd8a543dd368a99e342d8caa4067130f4a8f6864298134a09e75fcafc0a655be76da8c873e99eadfb0cee2aa66fe951cd79c24d7664f0967b6d17b5f97665a6

Filesize: 512KB
MD5: f93efabd18f1a1d46ad5cd7615f2eae7
SHA1: 7940ad8e6e0546ed0b891bc011d780a776ebc9c7
SHA256: 780d474c818b921319c2fd534994509a7a292c38fbcb4360ef4fdd867b951af5
SHA512: b831fbee54c0bd1e347f7cfe87d791bea03201a5c9caf57a5e722227885e4ec4d7fc934bfca92db9106fa0ed6461f562037ff233ed09953874582087b94d6488

Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Filesize: 512KB
MD5: 19cb3abab32459c57c32427eb4a1ec42
SHA1: da7b9e9c240d12d12310d1f9a4c14629939dd54e
SHA256: ed04c7f2f864e79b35bfb1c86c2193c1f2411363132e17a1b12534ef3cc4902b
SHA512: a2a185a5dcf10985c278f04141adbc1108568eee1abb4e7e3550509b4903df4229c8929ac18b1f4cbd2eef34a78a132e95c02306351bea9ba3729e9b7b3a2e3e

Filesize: 512KB
MD5: 85c641515115dc66089b023c4982dec2
SHA1: 150c37cd7a5281dbad39f3dcb6f6933fafc85412
SHA256: 4f24ccadc939b850da19d8e5b9519fba3ef090eb2e8ef1be5b46ff88e4a5a09c
SHA512: 5faf6e966c25507f4f992a5b2229df7da0f46102e9d4ad2a2ceb44333254ad479eef5e02967fe853d4c5f6b7ec52fe8a1b35e46fb8c9c1cd4b5e0172c9284be9