Analysis
- max time kernel: 149s
- max time network: 112s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28/04/2024, 01:29

Tasks
- Static task: static1
- Behavioral task behavioral1: sample 04131b846ba5a5762964b948f88369ad_JaffaCakes118.exe, resource win7-20240220-en
- Behavioral task behavioral2: sample 04131b846ba5a5762964b948f88369ad_JaffaCakes118.exe, resource win10v2004-20240419-en
General
- Target: 04131b846ba5a5762964b948f88369ad_JaffaCakes118.exe
- Size: 512KB
- MD5: 04131b846ba5a5762964b948f88369ad
- SHA1: 5401c52b08569ef74bd5ed58257c5e56ca3cfce9
- SHA256: fa310a1199c04c2ca5bdf9434d8b2271ed6fabbcf96e90070da623eade7bbf1a
- SHA512: 725fc97c8f1cab1d1d1908011a710b9a0659050fbe6f9081210ea92b9a69958e4ab2d8bddaaeae5a9f234c5c32a75ea5936ec1ab668bfc2bca12973dfb721c43
- SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6g:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5f
Malware Config
Signatures

Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
description | ioc | process
- Set value (int) | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | ftssmxxfke.exe

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
description | ioc | process
- Set value (int) | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | ftssmxxfke.exe

Windows security bypass (5 IoCs)
description | ioc | process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | ftssmxxfke.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | ftssmxxfke.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | ftssmxxfke.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | ftssmxxfke.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | ftssmxxfke.exe

Disables RegEdit via registry modification (1 IoC)
description | ioc | process
- Set value (int) | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | ftssmxxfke.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | process
- Key value queried | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation | 04131b846ba5a5762964b948f88369ad_JaffaCakes118.exe
Executes dropped EXE (5 IoCs)
pid | Process
- 3276 | ftssmxxfke.exe
- 2728 | spsgubnqikxbbpc.exe
- 3712 | xmomajbp.exe
- 2956 | hmdykmtjaldvb.exe
- 3208 | xmomajbp.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Windows security modification (6 IoCs)
description | ioc | process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | ftssmxxfke.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | ftssmxxfke.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | ftssmxxfke.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | ftssmxxfke.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | ftssmxxfke.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | ftssmxxfke.exe

Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ugjhjhil = "ftssmxxfke.exe" | spsgubnqikxbbpc.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ujzlshsd = "spsgubnqikxbbpc.exe" | spsgubnqikxbbpc.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "hmdykmtjaldvb.exe" | spsgubnqikxbbpc.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | process
- File opened (read-only) | \??\h: | xmomajbp.exe
- File opened (read-only) | \??\s: | xmomajbp.exe
- File opened (read-only) | \??\k: | ftssmxxfke.exe
- File opened (read-only) | \??\a: | xmomajbp.exe
- File opened (read-only) | \??\q: | xmomajbp.exe
- File opened (read-only) | \??\e: | xmomajbp.exe
- File opened (read-only) | \??\r: | xmomajbp.exe
- File opened (read-only) | \??\o: | ftssmxxfke.exe
- File opened (read-only) | \??\z: | ftssmxxfke.exe
- File opened (read-only) | \??\k: | xmomajbp.exe
- File opened (read-only) | \??\l: | xmomajbp.exe
- File opened (read-only) | \??\n: | xmomajbp.exe
- File opened (read-only) | \??\o: | xmomajbp.exe
- File opened (read-only) | \??\z: | xmomajbp.exe
- File opened (read-only) | \??\h: | xmomajbp.exe
- File opened (read-only) | \??\u: | xmomajbp.exe
- File opened (read-only) | \??\j: | xmomajbp.exe
- File opened (read-only) | \??\h: | ftssmxxfke.exe
- File opened (read-only) | \??\o: | xmomajbp.exe
- File opened (read-only) | \??\p: | xmomajbp.exe
- File opened (read-only) | \??\v: | xmomajbp.exe
- File opened (read-only) | \??\k: | xmomajbp.exe
- File opened (read-only) | \??\y: | xmomajbp.exe
- File opened (read-only) | \??\t: | ftssmxxfke.exe
- File opened (read-only) | \??\i: | xmomajbp.exe
- File opened (read-only) | \??\s: | xmomajbp.exe
- File opened (read-only) | \??\x: | xmomajbp.exe
- File opened (read-only) | \??\g: | xmomajbp.exe
- File opened (read-only) | \??\q: | ftssmxxfke.exe
- File opened (read-only) | \??\s: | ftssmxxfke.exe
- File opened (read-only) | \??\j: | xmomajbp.exe
- File opened (read-only) | \??\m: | xmomajbp.exe
- File opened (read-only) | \??\w: | xmomajbp.exe
- File opened (read-only) | \??\u: | ftssmxxfke.exe
- File opened (read-only) | \??\x: | ftssmxxfke.exe
- File opened (read-only) | \??\a: | xmomajbp.exe
- File opened (read-only) | \??\q: | xmomajbp.exe
- File opened (read-only) | \??\v: | ftssmxxfke.exe
- File opened (read-only) | \??\e: | xmomajbp.exe
- File opened (read-only) | \??\t: | xmomajbp.exe
- File opened (read-only) | \??\y: | xmomajbp.exe
- File opened (read-only) | \??\p: | xmomajbp.exe
- File opened (read-only) | \??\i: | ftssmxxfke.exe
- File opened (read-only) | \??\j: | ftssmxxfke.exe
- File opened (read-only) | \??\z: | xmomajbp.exe
- File opened (read-only) | \??\m: | ftssmxxfke.exe
- File opened (read-only) | \??\r: | ftssmxxfke.exe
- File opened (read-only) | \??\g: | xmomajbp.exe
- File opened (read-only) | \??\b: | xmomajbp.exe
- File opened (read-only) | \??\t: | xmomajbp.exe
- File opened (read-only) | \??\a: | ftssmxxfke.exe
- File opened (read-only) | \??\p: | ftssmxxfke.exe
- File opened (read-only) | \??\u: | xmomajbp.exe
- File opened (read-only) | \??\x: | xmomajbp.exe
- File opened (read-only) | \??\b: | xmomajbp.exe
- File opened (read-only) | \??\n: | xmomajbp.exe
- File opened (read-only) | \??\w: | xmomajbp.exe
- File opened (read-only) | \??\v: | xmomajbp.exe
- File opened (read-only) | \??\e: | ftssmxxfke.exe
- File opened (read-only) | \??\l: | ftssmxxfke.exe
- File opened (read-only) | \??\b: | ftssmxxfke.exe
- File opened (read-only) | \??\n: | ftssmxxfke.exe
- File opened (read-only) | \??\w: | ftssmxxfke.exe
- File opened (read-only) | \??\y: | ftssmxxfke.exe

Modifies WinLogon (2 TTPs, 2 IoCs)
description | ioc | process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | ftssmxxfke.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | ftssmxxfke.exe
AutoIT Executable (9 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
- behavioral2/memory/1468-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
- behavioral2/files/0x000a000000023b9f-5.dat | autoit_exe
- behavioral2/files/0x000c000000023b3e-18.dat | autoit_exe
- behavioral2/files/0x000a000000023ba1-31.dat | autoit_exe
- behavioral2/files/0x000a000000023ba0-29.dat | autoit_exe
- behavioral2/files/0x000a000000023bad-64.dat | autoit_exe
- behavioral2/files/0x00400000000234e6-70.dat | autoit_exe
- behavioral2/files/0x00020000000229be-94.dat | autoit_exe
- behavioral2/files/0x00020000000229be-96.dat | autoit_exe

Drops file in System32 directory (12 IoCs)
description | ioc | process
- File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | xmomajbp.exe
- File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | xmomajbp.exe
- File created | C:\Windows\SysWOW64\hmdykmtjaldvb.exe | 04131b846ba5a5762964b948f88369ad_JaffaCakes118.exe
- File opened for modification | C:\Windows\SysWOW64\hmdykmtjaldvb.exe | 04131b846ba5a5762964b948f88369ad_JaffaCakes118.exe
- File created | C:\Windows\SysWOW64\spsgubnqikxbbpc.exe | 04131b846ba5a5762964b948f88369ad_JaffaCakes118.exe
- File opened for modification | C:\Windows\SysWOW64\spsgubnqikxbbpc.exe | 04131b846ba5a5762964b948f88369ad_JaffaCakes118.exe
- File created | C:\Windows\SysWOW64\xmomajbp.exe | 04131b846ba5a5762964b948f88369ad_JaffaCakes118.exe
- File opened for modification | C:\Windows\SysWOW64\xmomajbp.exe | 04131b846ba5a5762964b948f88369ad_JaffaCakes118.exe
- File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | ftssmxxfke.exe
- File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | xmomajbp.exe
- File created | C:\Windows\SysWOW64\ftssmxxfke.exe | 04131b846ba5a5762964b948f88369ad_JaffaCakes118.exe
- File opened for modification | C:\Windows\SysWOW64\ftssmxxfke.exe | 04131b846ba5a5762964b948f88369ad_JaffaCakes118.exe

Drops file in Program Files directory (14 IoCs)
description | ioc | process
- File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | xmomajbp.exe
- File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | xmomajbp.exe
- File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | xmomajbp.exe
- File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | xmomajbp.exe
- File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | xmomajbp.exe
- File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | xmomajbp.exe
- File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | xmomajbp.exe
- File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | xmomajbp.exe
- File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | xmomajbp.exe
- File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | xmomajbp.exe
- File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | xmomajbp.exe
- File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | xmomajbp.exe
- File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | xmomajbp.exe
- File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | xmomajbp.exe

Drops file in Windows directory (19 IoCs)
description | ioc | process
- File opened for modification | C:\Windows\mydoc.rtf | 04131b846ba5a5762964b948f88369ad_JaffaCakes118.exe
- File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
- File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | xmomajbp.exe
- File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | xmomajbp.exe
- File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | xmomajbp.exe
- File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | xmomajbp.exe
- File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | xmomajbp.exe
- File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | xmomajbp.exe
- File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | xmomajbp.exe
- File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | xmomajbp.exe
- File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
- File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | xmomajbp.exe
- File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | xmomajbp.exe
- File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | xmomajbp.exe
- File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | xmomajbp.exe
- File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | xmomajbp.exe
- File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | xmomajbp.exe
- File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | xmomajbp.exe
- File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | xmomajbp.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | process
- Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | process
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
- Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE

Modifies registry class (20 IoCs)
description | ioc | process
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | ftssmxxfke.exe
- Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 04131b846ba5a5762964b948f88369ad_JaffaCakes118.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | ftssmxxfke.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | ftssmxxfke.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | ftssmxxfke.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | ftssmxxfke.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33452D7C9D5182256A3177A7772E2CD87D8564DC" | 04131b846ba5a5762964b948f88369ad_JaffaCakes118.exe
- Key created | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings | 04131b846ba5a5762964b948f88369ad_JaffaCakes118.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | ftssmxxfke.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCDF9CBFE11F1E784753B4386EE3E90B0FD02FF4260033BE1CC459908A9" | 04131b846ba5a5762964b948f88369ad_JaffaCakes118.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EC3B15C47E139EF53CFBAA732E8D4BF" | 04131b846ba5a5762964b948f88369ad_JaffaCakes118.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF9FF8A485F82189133D72A7E91BDE7E133594B67436241D7ED" | 04131b846ba5a5762964b948f88369ad_JaffaCakes118.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F46BB2FE6E21D0D27AD0A68A099166" | 04131b846ba5a5762964b948f88369ad_JaffaCakes118.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | ftssmxxfke.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | ftssmxxfke.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1945C67B1491DAB7B9BE7C95ECE434CD" | 04131b846ba5a5762964b948f88369ad_JaffaCakes118.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | ftssmxxfke.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | ftssmxxfke.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | ftssmxxfke.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | ftssmxxfke.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid | Process
- 5044 | WINWORD.EXE
- 5044 | WINWORD.EXE

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
- 1468 | 04131b846ba5a5762964b948f88369ad_JaffaCakes118.exe
- 1468 | 04131b846ba5a5762964b948f88369ad_JaffaCakes118.exe
- 1468 | 04131b846ba5a5762964b948f88369ad_JaffaCakes118.exe
- 1468 | 04131b846ba5a5762964b948f88369ad_JaffaCakes118.exe
- 1468 | 04131b846ba5a5762964b948f88369ad_JaffaCakes118.exe
- 1468 | 04131b846ba5a5762964b948f88369ad_JaffaCakes118.exe
- 1468 | 04131b846ba5a5762964b948f88369ad_JaffaCakes118.exe
- 1468 | 04131b846ba5a5762964b948f88369ad_JaffaCakes118.exe
- 1468 | 04131b846ba5a5762964b948f88369ad_JaffaCakes118.exe
- 1468 | 04131b846ba5a5762964b948f88369ad_JaffaCakes118.exe
- 1468 | 04131b846ba5a5762964b948f88369ad_JaffaCakes118.exe
- 1468 | 04131b846ba5a5762964b948f88369ad_JaffaCakes118.exe
- 1468 | 04131b846ba5a5762964b948f88369ad_JaffaCakes118.exe
- 1468 | 04131b846ba5a5762964b948f88369ad_JaffaCakes118.exe
- 1468 | 04131b846ba5a5762964b948f88369ad_JaffaCakes118.exe
- 1468 | 04131b846ba5a5762964b948f88369ad_JaffaCakes118.exe
- 3712 | xmomajbp.exe
- 3712 | xmomajbp.exe
- 3712 | xmomajbp.exe
- 3712 | xmomajbp.exe
- 3712 | xmomajbp.exe
- 3712 | xmomajbp.exe
- 3712 | xmomajbp.exe
- 3712 | xmomajbp.exe
- 3276 | ftssmxxfke.exe
- 3276 | ftssmxxfke.exe
- 3276 | ftssmxxfke.exe
- 3276 | ftssmxxfke.exe
- 3276 | ftssmxxfke.exe
- 3276 | ftssmxxfke.exe
- 3276 | ftssmxxfke.exe
- 3276 | ftssmxxfke.exe
- 3276 | ftssmxxfke.exe
- 3276 | ftssmxxfke.exe
- 2728 | spsgubnqikxbbpc.exe
- 2728 | spsgubnqikxbbpc.exe
- 2728 | spsgubnqikxbbpc.exe
- 2728 | spsgubnqikxbbpc.exe
- 2728 | spsgubnqikxbbpc.exe
- 2728 | spsgubnqikxbbpc.exe
- 2728 | spsgubnqikxbbpc.exe
- 2728 | spsgubnqikxbbpc.exe
- 2728 | spsgubnqikxbbpc.exe
- 2728 | spsgubnqikxbbpc.exe
- 2956 | hmdykmtjaldvb.exe
- 2956 | hmdykmtjaldvb.exe
- 2956 | hmdykmtjaldvb.exe
- 2956 | hmdykmtjaldvb.exe
- 2956 | hmdykmtjaldvb.exe
- 2956 | hmdykmtjaldvb.exe
- 2956 | hmdykmtjaldvb.exe
- 2956 | hmdykmtjaldvb.exe
- 2956 | hmdykmtjaldvb.exe
- 2956 | hmdykmtjaldvb.exe
- 2956 | hmdykmtjaldvb.exe
- 2956 | hmdykmtjaldvb.exe
- 3208 | xmomajbp.exe
- 3208 | xmomajbp.exe
- 3208 | xmomajbp.exe
- 3208 | xmomajbp.exe
- 3208 | xmomajbp.exe
- 3208 | xmomajbp.exe
- 3208 | xmomajbp.exe
- 3208 | xmomajbp.exe

Suspicious use of FindShellTrayWindow (18 IoCs)
pid | Process
- 1468 | 04131b846ba5a5762964b948f88369ad_JaffaCakes118.exe
- 1468 | 04131b846ba5a5762964b948f88369ad_JaffaCakes118.exe
- 1468 | 04131b846ba5a5762964b948f88369ad_JaffaCakes118.exe
- 3276 | ftssmxxfke.exe
- 2728 | spsgubnqikxbbpc.exe
- 2728 | spsgubnqikxbbpc.exe
- 2728 | spsgubnqikxbbpc.exe
- 3276 | ftssmxxfke.exe
- 3276 | ftssmxxfke.exe
- 3712 | xmomajbp.exe
- 3712 | xmomajbp.exe
- 3712 | xmomajbp.exe
- 2956 | hmdykmtjaldvb.exe
- 2956 | hmdykmtjaldvb.exe
- 2956 | hmdykmtjaldvb.exe
- 3208 | xmomajbp.exe
- 3208 | xmomajbp.exe
- 3208 | xmomajbp.exe

Suspicious use of SendNotifyMessage (18 IoCs)
pid | Process
- 1468 | 04131b846ba5a5762964b948f88369ad_JaffaCakes118.exe
- 1468 | 04131b846ba5a5762964b948f88369ad_JaffaCakes118.exe
- 1468 | 04131b846ba5a5762964b948f88369ad_JaffaCakes118.exe
- 3276 | ftssmxxfke.exe
- 2728 | spsgubnqikxbbpc.exe
- 2728 | spsgubnqikxbbpc.exe
- 2728 | spsgubnqikxbbpc.exe
- 3276 | ftssmxxfke.exe
- 3276 | ftssmxxfke.exe
- 3712 | xmomajbp.exe
- 3712 | xmomajbp.exe
- 3712 | xmomajbp.exe
- 2956 | hmdykmtjaldvb.exe
- 2956 | hmdykmtjaldvb.exe
- 2956 | hmdykmtjaldvb.exe
- 3208 | xmomajbp.exe
- 3208 | xmomajbp.exe
- 3208 | xmomajbp.exe

Suspicious use of SetWindowsHookEx (7 IoCs)
pid | Process
- 5044 | WINWORD.EXE
- 5044 | WINWORD.EXE
- 5044 | WINWORD.EXE
- 5044 | WINWORD.EXE
- 5044 | WINWORD.EXE
- 5044 | WINWORD.EXE
- 5044 | WINWORD.EXE

Suspicious use of WriteProcessMemory (17 IoCs)
description | pid | Process | procid_target
- PID 1468 wrote to memory of 3276 | 1468 | 04131b846ba5a5762964b948f88369ad_JaffaCakes118.exe | 84
- PID 1468 wrote to memory of 3276 | 1468 | 04131b846ba5a5762964b948f88369ad_JaffaCakes118.exe | 84
- PID 1468 wrote to memory of 3276 | 1468 | 04131b846ba5a5762964b948f88369ad_JaffaCakes118.exe | 84
- PID 1468 wrote to memory of 2728 | 1468 | 04131b846ba5a5762964b948f88369ad_JaffaCakes118.exe | 85
- PID 1468 wrote to memory of 2728 | 1468 | 04131b846ba5a5762964b948f88369ad_JaffaCakes118.exe | 85
- PID 1468 wrote to memory of 2728 | 1468 | 04131b846ba5a5762964b948f88369ad_JaffaCakes118.exe | 85
- PID 1468 wrote to memory of 3712 | 1468 | 04131b846ba5a5762964b948f88369ad_JaffaCakes118.exe | 86
- PID 1468 wrote to memory of 3712 | 1468 | 04131b846ba5a5762964b948f88369ad_JaffaCakes118.exe | 86
- PID 1468 wrote to memory of 3712 | 1468 | 04131b846ba5a5762964b948f88369ad_JaffaCakes118.exe | 86
- PID 1468 wrote to memory of 2956 | 1468 | 04131b846ba5a5762964b948f88369ad_JaffaCakes118.exe | 87
- PID 1468 wrote to memory of 2956 | 1468 | 04131b846ba5a5762964b948f88369ad_JaffaCakes118.exe | 87
- PID 1468 wrote to memory of 2956 | 1468 | 04131b846ba5a5762964b948f88369ad_JaffaCakes118.exe | 87
- PID 1468 wrote to memory of 5044 | 1468 | 04131b846ba5a5762964b948f88369ad_JaffaCakes118.exe | 88
- PID 1468 wrote to memory of 5044 | 1468 | 04131b846ba5a5762964b948f88369ad_JaffaCakes118.exe | 88
- PID 3276 wrote to memory of 3208 | 3276 | ftssmxxfke.exe | 91
- PID 3276 wrote to memory of 3208 | 3276 | ftssmxxfke.exe | 91
- PID 3276 wrote to memory of 3208 | 3276 | ftssmxxfke.exe | 91
Processes

C:\Users\Admin\AppData\Local\Temp\04131b846ba5a5762964b948f88369ad_JaffaCakes118.exe (PID 1468, depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\04131b846ba5a5762964b948f88369ad_JaffaCakes118.exe"
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\ftssmxxfke.exe (PID 3276, depth 2, child of PID 1468)
  Command line: ftssmxxfke.exe
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\xmomajbp.exe (PID 3208, depth 3, child of PID 3276)
    Command line: C:\Windows\system32\xmomajbp.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\spsgubnqikxbbpc.exe (PID 2728, depth 2, child of PID 1468)
  Command line: spsgubnqikxbbpc.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\xmomajbp.exe (PID 3712, depth 2, child of PID 1468)
  Command line: xmomajbp.exe
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\hmdykmtjaldvb.exe (PID 2956, depth 2, child of PID 1468)
  Command line: hmdykmtjaldvb.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 5044, depth 2, child of PID 1468)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
  - Drops file in Windows directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)

Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)

Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads