Analysis
-
max time kernel
150s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
28-04-2024 05:04
Static task
static1
Behavioral task
behavioral1
Sample
046e9e8a98460e27abfb541b1c6b381e_JaffaCakes118.exe
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
046e9e8a98460e27abfb541b1c6b381e_JaffaCakes118.exe
Resource
win10v2004-20240426-en
General
-
Target
046e9e8a98460e27abfb541b1c6b381e_JaffaCakes118.exe
-
Size
513KB
-
MD5
046e9e8a98460e27abfb541b1c6b381e
-
SHA1
1726b747e18c28e940c0af1f7ba75ed0b0e442fa
-
SHA256
c1f6785de4e9cfb7b395b23354a873ed23b273c7a53e6891ef84f2a63a9c2c1f
-
SHA512
617053922fd5033418101cdc41599fdef93bd084e3d6b5eebb93554c1d8fc93dd04b718a19f5947bc95724b564343ad1d26b5d5aa83e93030da65bc3ba600721
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6P:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5Q
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
Processes:
qeapzhonct.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" qeapzhonct.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes:
qeapzhonct.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" qeapzhonct.exe -
Processes:
qeapzhonct.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" qeapzhonct.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" qeapzhonct.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" qeapzhonct.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" qeapzhonct.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" qeapzhonct.exe -
Disables RegEdit via registry modification 1 IoCs
Processes:
qeapzhonct.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" qeapzhonct.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
046e9e8a98460e27abfb541b1c6b381e_JaffaCakes118.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation 046e9e8a98460e27abfb541b1c6b381e_JaffaCakes118.exe -
Executes dropped EXE 5 IoCs
Processes:
qeapzhonct.exeqbesozshhnxxisr.exeiwlenyro.exevbjumskruslgr.exeiwlenyro.exepid process 4940 qeapzhonct.exe 2408 qbesozshhnxxisr.exe 1916 iwlenyro.exe 1672 vbjumskruslgr.exe 1188 iwlenyro.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
qeapzhonct.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" qeapzhonct.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" qeapzhonct.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" qeapzhonct.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" qeapzhonct.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" qeapzhonct.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" qeapzhonct.exe -
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
qbesozshhnxxisr.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vpuiiibj = "qeapzhonct.exe" qbesozshhnxxisr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jpmctitw = "qbesozshhnxxisr.exe" qbesozshhnxxisr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "vbjumskruslgr.exe" qbesozshhnxxisr.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
qeapzhonct.exeiwlenyro.exeiwlenyro.exedescription ioc process File opened (read-only) \??\s: qeapzhonct.exe File opened (read-only) \??\t: qeapzhonct.exe File opened (read-only) \??\h: iwlenyro.exe File opened (read-only) \??\b: qeapzhonct.exe File opened (read-only) \??\o: qeapzhonct.exe File opened (read-only) \??\k: iwlenyro.exe File opened (read-only) \??\t: iwlenyro.exe File opened (read-only) \??\w: iwlenyro.exe File opened (read-only) \??\u: iwlenyro.exe File opened (read-only) \??\a: iwlenyro.exe File opened (read-only) \??\e: iwlenyro.exe File opened (read-only) \??\x: iwlenyro.exe File opened (read-only) \??\q: iwlenyro.exe File opened (read-only) \??\z: iwlenyro.exe File opened (read-only) \??\o: iwlenyro.exe File opened (read-only) \??\p: iwlenyro.exe File opened (read-only) \??\i: qeapzhonct.exe File opened (read-only) \??\u: qeapzhonct.exe File opened (read-only) \??\s: iwlenyro.exe File opened (read-only) \??\l: qeapzhonct.exe File opened (read-only) \??\k: iwlenyro.exe File opened (read-only) \??\a: iwlenyro.exe File opened (read-only) \??\p: iwlenyro.exe File opened (read-only) \??\h: qeapzhonct.exe File opened (read-only) \??\k: qeapzhonct.exe File opened (read-only) \??\n: iwlenyro.exe File opened (read-only) \??\b: iwlenyro.exe File opened (read-only) \??\t: iwlenyro.exe File opened (read-only) \??\a: qeapzhonct.exe File opened (read-only) \??\b: iwlenyro.exe File opened (read-only) \??\q: qeapzhonct.exe File opened (read-only) \??\x: qeapzhonct.exe File opened (read-only) \??\r: iwlenyro.exe File opened (read-only) \??\l: iwlenyro.exe File opened (read-only) \??\e: qeapzhonct.exe File opened (read-only) \??\p: qeapzhonct.exe File opened (read-only) \??\z: iwlenyro.exe File opened (read-only) \??\o: iwlenyro.exe File opened (read-only) \??\n: qeapzhonct.exe File opened (read-only) \??\u: iwlenyro.exe File opened (read-only) \??\l: iwlenyro.exe File opened (read-only) \??\q: iwlenyro.exe File opened (read-only) \??\s: iwlenyro.exe File opened (read-only) \??\m: iwlenyro.exe File opened (read-only) \??\r: iwlenyro.exe File opened (read-only) \??\x: iwlenyro.exe File opened (read-only) \??\g: qeapzhonct.exe File opened (read-only) \??\y: qeapzhonct.exe File opened (read-only) \??\j: iwlenyro.exe File opened (read-only) \??\i: iwlenyro.exe File opened (read-only) \??\m: iwlenyro.exe File opened (read-only) \??\v: iwlenyro.exe File opened (read-only) \??\w: iwlenyro.exe File opened (read-only) \??\z: qeapzhonct.exe File opened (read-only) \??\h: iwlenyro.exe File opened (read-only) \??\g: iwlenyro.exe File opened (read-only) \??\v: iwlenyro.exe File opened (read-only) \??\e: iwlenyro.exe File opened (read-only) \??\r: qeapzhonct.exe File opened (read-only) \??\v: qeapzhonct.exe File opened (read-only) \??\y: iwlenyro.exe File opened (read-only) \??\j: iwlenyro.exe File opened (read-only) \??\w: qeapzhonct.exe File opened (read-only) \??\i: iwlenyro.exe -
Modifies WinLogon 2 TTPs 2 IoCs
Processes:
qeapzhonct.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" qeapzhonct.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" qeapzhonct.exe -
AutoIT Executable 9 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource yara_rule behavioral2/memory/2460-0-0x0000000000400000-0x0000000000496000-memory.dmp autoit_exe C:\Windows\SysWOW64\qbesozshhnxxisr.exe autoit_exe C:\Windows\SysWOW64\qeapzhonct.exe autoit_exe C:\Windows\SysWOW64\iwlenyro.exe autoit_exe C:\Windows\SysWOW64\vbjumskruslgr.exe autoit_exe C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe autoit_exe C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe autoit_exe \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe autoit_exe \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe autoit_exe -
Drops file in System32 directory 13 IoCs
Processes:
046e9e8a98460e27abfb541b1c6b381e_JaffaCakes118.exeqeapzhonct.exeiwlenyro.exeiwlenyro.exedescription ioc process File created C:\Windows\SysWOW64\qbesozshhnxxisr.exe 046e9e8a98460e27abfb541b1c6b381e_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll qeapzhonct.exe File opened for modification C:\Windows\SysWOW64\qbesozshhnxxisr.exe 046e9e8a98460e27abfb541b1c6b381e_JaffaCakes118.exe File created C:\Windows\SysWOW64\iwlenyro.exe 046e9e8a98460e27abfb541b1c6b381e_JaffaCakes118.exe File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe iwlenyro.exe File opened for modification C:\Windows\SysWOW64\qeapzhonct.exe 046e9e8a98460e27abfb541b1c6b381e_JaffaCakes118.exe File created C:\Windows\SysWOW64\vbjumskruslgr.exe 046e9e8a98460e27abfb541b1c6b381e_JaffaCakes118.exe File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe iwlenyro.exe File created C:\Windows\SysWOW64\qeapzhonct.exe 046e9e8a98460e27abfb541b1c6b381e_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\iwlenyro.exe 046e9e8a98460e27abfb541b1c6b381e_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\vbjumskruslgr.exe 046e9e8a98460e27abfb541b1c6b381e_JaffaCakes118.exe File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe iwlenyro.exe File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe iwlenyro.exe -
Drops file in Program Files directory 14 IoCs
Processes:
iwlenyro.exeiwlenyro.exedescription ioc process File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe iwlenyro.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe iwlenyro.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe iwlenyro.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe iwlenyro.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal iwlenyro.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe iwlenyro.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal iwlenyro.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe iwlenyro.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal iwlenyro.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal iwlenyro.exe File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe iwlenyro.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe iwlenyro.exe File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe iwlenyro.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe iwlenyro.exe -
Drops file in Windows directory 19 IoCs
Processes:
WINWORD.EXEiwlenyro.exeiwlenyro.exe046e9e8a98460e27abfb541b1c6b381e_JaffaCakes118.exedescription ioc process File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe iwlenyro.exe File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe iwlenyro.exe File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe iwlenyro.exe File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe iwlenyro.exe File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe iwlenyro.exe File created C:\Windows\~$mydoc.rtf WINWORD.EXE File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe iwlenyro.exe File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe iwlenyro.exe File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe iwlenyro.exe File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe iwlenyro.exe File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe iwlenyro.exe File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe iwlenyro.exe File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe iwlenyro.exe File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe iwlenyro.exe File opened for modification C:\Windows\mydoc.rtf 046e9e8a98460e27abfb541b1c6b381e_JaffaCakes118.exe File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe iwlenyro.exe File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe iwlenyro.exe File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe iwlenyro.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE -
Modifies registry class 20 IoCs
Processes:
046e9e8a98460e27abfb541b1c6b381e_JaffaCakes118.exeqeapzhonct.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8CFFFC482A826D9135D65D7DE5BCEFE637584467346342D6ED" 046e9e8a98460e27abfb541b1c6b381e_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184AC70E1594DAC3B9C07C92ECE537CE" 046e9e8a98460e27abfb541b1c6b381e_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" qeapzhonct.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf qeapzhonct.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs qeapzhonct.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg qeapzhonct.exe Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes 046e9e8a98460e27abfb541b1c6b381e_JaffaCakes118.exe Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings 046e9e8a98460e27abfb541b1c6b381e_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat qeapzhonct.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" qeapzhonct.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" qeapzhonct.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc qeapzhonct.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" qeapzhonct.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32422C7D9C5782246D3676A770522CA97DF665DD" 046e9e8a98460e27abfb541b1c6b381e_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BB4FACDF913F2E3837F3A4B81983999B0FE02FA42600248E1BE459C09A8" 046e9e8a98460e27abfb541b1c6b381e_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC2B02D47E2399853BFB9A233E8D7C9" 046e9e8a98460e27abfb541b1c6b381e_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F768B5FF1821D1D279D0A78A7B9160" 046e9e8a98460e27abfb541b1c6b381e_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh qeapzhonct.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" qeapzhonct.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" qeapzhonct.exe -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 4376 WINWORD.EXE 4376 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
046e9e8a98460e27abfb541b1c6b381e_JaffaCakes118.exeqbesozshhnxxisr.exeqeapzhonct.exeiwlenyro.exevbjumskruslgr.exeiwlenyro.exepid process 2460 046e9e8a98460e27abfb541b1c6b381e_JaffaCakes118.exe 2460 046e9e8a98460e27abfb541b1c6b381e_JaffaCakes118.exe 2460 046e9e8a98460e27abfb541b1c6b381e_JaffaCakes118.exe 2460 046e9e8a98460e27abfb541b1c6b381e_JaffaCakes118.exe 2460 046e9e8a98460e27abfb541b1c6b381e_JaffaCakes118.exe 2460 046e9e8a98460e27abfb541b1c6b381e_JaffaCakes118.exe 2460 046e9e8a98460e27abfb541b1c6b381e_JaffaCakes118.exe 2460 046e9e8a98460e27abfb541b1c6b381e_JaffaCakes118.exe 2460 046e9e8a98460e27abfb541b1c6b381e_JaffaCakes118.exe 2460 046e9e8a98460e27abfb541b1c6b381e_JaffaCakes118.exe 2460 046e9e8a98460e27abfb541b1c6b381e_JaffaCakes118.exe 2460 046e9e8a98460e27abfb541b1c6b381e_JaffaCakes118.exe 2460 046e9e8a98460e27abfb541b1c6b381e_JaffaCakes118.exe 2460 046e9e8a98460e27abfb541b1c6b381e_JaffaCakes118.exe 2460 046e9e8a98460e27abfb541b1c6b381e_JaffaCakes118.exe 2460 046e9e8a98460e27abfb541b1c6b381e_JaffaCakes118.exe 2408 qbesozshhnxxisr.exe 2408 qbesozshhnxxisr.exe 2408 qbesozshhnxxisr.exe 2408 qbesozshhnxxisr.exe 2408 qbesozshhnxxisr.exe 2408 qbesozshhnxxisr.exe 2408 qbesozshhnxxisr.exe 2408 qbesozshhnxxisr.exe 4940 qeapzhonct.exe 4940 qeapzhonct.exe 4940 qeapzhonct.exe 4940 qeapzhonct.exe 4940 qeapzhonct.exe 4940 qeapzhonct.exe 4940 qeapzhonct.exe 4940 qeapzhonct.exe 4940 qeapzhonct.exe 4940 qeapzhonct.exe 2408 qbesozshhnxxisr.exe 2408 qbesozshhnxxisr.exe 1916 iwlenyro.exe 1916 iwlenyro.exe 1916 iwlenyro.exe 1916 iwlenyro.exe 1916 iwlenyro.exe 1916 iwlenyro.exe 1916 iwlenyro.exe 1916 iwlenyro.exe 1672 vbjumskruslgr.exe 1672 vbjumskruslgr.exe 1672 vbjumskruslgr.exe 1672 vbjumskruslgr.exe 1672 vbjumskruslgr.exe 1672 vbjumskruslgr.exe 1672 vbjumskruslgr.exe 1672 vbjumskruslgr.exe 1672 vbjumskruslgr.exe 1672 vbjumskruslgr.exe 1672 vbjumskruslgr.exe 1672 vbjumskruslgr.exe 2408 qbesozshhnxxisr.exe 2408 qbesozshhnxxisr.exe 1188 iwlenyro.exe 1188 iwlenyro.exe 1188 iwlenyro.exe 1188 iwlenyro.exe 1188 iwlenyro.exe 1188 iwlenyro.exe -
Suspicious use of FindShellTrayWindow 18 IoCs
Processes:
046e9e8a98460e27abfb541b1c6b381e_JaffaCakes118.exeqeapzhonct.exeqbesozshhnxxisr.exeiwlenyro.exevbjumskruslgr.exeiwlenyro.exepid process 2460 046e9e8a98460e27abfb541b1c6b381e_JaffaCakes118.exe 2460 046e9e8a98460e27abfb541b1c6b381e_JaffaCakes118.exe 2460 046e9e8a98460e27abfb541b1c6b381e_JaffaCakes118.exe 4940 qeapzhonct.exe 2408 qbesozshhnxxisr.exe 4940 qeapzhonct.exe 2408 qbesozshhnxxisr.exe 4940 qeapzhonct.exe 2408 qbesozshhnxxisr.exe 1916 iwlenyro.exe 1916 iwlenyro.exe 1916 iwlenyro.exe 1672 vbjumskruslgr.exe 1672 vbjumskruslgr.exe 1672 vbjumskruslgr.exe 1188 iwlenyro.exe 1188 iwlenyro.exe 1188 iwlenyro.exe -
Suspicious use of SendNotifyMessage 18 IoCs
Processes:
046e9e8a98460e27abfb541b1c6b381e_JaffaCakes118.exeqeapzhonct.exeqbesozshhnxxisr.exeiwlenyro.exevbjumskruslgr.exeiwlenyro.exepid process 2460 046e9e8a98460e27abfb541b1c6b381e_JaffaCakes118.exe 2460 046e9e8a98460e27abfb541b1c6b381e_JaffaCakes118.exe 2460 046e9e8a98460e27abfb541b1c6b381e_JaffaCakes118.exe 4940 qeapzhonct.exe 2408 qbesozshhnxxisr.exe 4940 qeapzhonct.exe 2408 qbesozshhnxxisr.exe 4940 qeapzhonct.exe 2408 qbesozshhnxxisr.exe 1916 iwlenyro.exe 1916 iwlenyro.exe 1916 iwlenyro.exe 1672 vbjumskruslgr.exe 1672 vbjumskruslgr.exe 1672 vbjumskruslgr.exe 1188 iwlenyro.exe 1188 iwlenyro.exe 1188 iwlenyro.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
Processes:
WINWORD.EXEpid process 4376 WINWORD.EXE 4376 WINWORD.EXE 4376 WINWORD.EXE 4376 WINWORD.EXE 4376 WINWORD.EXE 4376 WINWORD.EXE 4376 WINWORD.EXE -
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
046e9e8a98460e27abfb541b1c6b381e_JaffaCakes118.exeqeapzhonct.exedescription pid process target process PID 2460 wrote to memory of 4940 2460 046e9e8a98460e27abfb541b1c6b381e_JaffaCakes118.exe qeapzhonct.exe PID 2460 wrote to memory of 4940 2460 046e9e8a98460e27abfb541b1c6b381e_JaffaCakes118.exe qeapzhonct.exe PID 2460 wrote to memory of 4940 2460 046e9e8a98460e27abfb541b1c6b381e_JaffaCakes118.exe qeapzhonct.exe PID 2460 wrote to memory of 2408 2460 046e9e8a98460e27abfb541b1c6b381e_JaffaCakes118.exe qbesozshhnxxisr.exe PID 2460 wrote to memory of 2408 2460 046e9e8a98460e27abfb541b1c6b381e_JaffaCakes118.exe qbesozshhnxxisr.exe PID 2460 wrote to memory of 2408 2460 046e9e8a98460e27abfb541b1c6b381e_JaffaCakes118.exe qbesozshhnxxisr.exe PID 2460 wrote to memory of 1916 2460 046e9e8a98460e27abfb541b1c6b381e_JaffaCakes118.exe iwlenyro.exe PID 2460 wrote to memory of 1916 2460 046e9e8a98460e27abfb541b1c6b381e_JaffaCakes118.exe iwlenyro.exe PID 2460 wrote to memory of 1916 2460 046e9e8a98460e27abfb541b1c6b381e_JaffaCakes118.exe iwlenyro.exe PID 2460 wrote to memory of 1672 2460 046e9e8a98460e27abfb541b1c6b381e_JaffaCakes118.exe vbjumskruslgr.exe PID 2460 wrote to memory of 1672 2460 046e9e8a98460e27abfb541b1c6b381e_JaffaCakes118.exe vbjumskruslgr.exe PID 2460 wrote to memory of 1672 2460 046e9e8a98460e27abfb541b1c6b381e_JaffaCakes118.exe vbjumskruslgr.exe PID 2460 wrote to memory of 4376 2460 046e9e8a98460e27abfb541b1c6b381e_JaffaCakes118.exe WINWORD.EXE PID 2460 wrote to memory of 4376 2460 046e9e8a98460e27abfb541b1c6b381e_JaffaCakes118.exe WINWORD.EXE PID 4940 wrote to memory of 1188 4940 qeapzhonct.exe iwlenyro.exe PID 4940 wrote to memory of 1188 4940 qeapzhonct.exe iwlenyro.exe PID 4940 wrote to memory of 1188 4940 qeapzhonct.exe iwlenyro.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\046e9e8a98460e27abfb541b1c6b381e_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\046e9e8a98460e27abfb541b1c6b381e_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\qeapzhonct.exeqeapzhonct.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\iwlenyro.exeC:\Windows\system32\iwlenyro.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\qbesozshhnxxisr.exeqbesozshhnxxisr.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\iwlenyro.exeiwlenyro.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\vbjumskruslgr.exevbjumskruslgr.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""2⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Modify Registry
6Impair Defenses
2Disable or Modify Tools
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exeFilesize
513KB
MD5a9219356d14eb373b3a60b2cfa3efe66
SHA1bf599d3634ba0716a0cab09b816f83926885dc49
SHA256901231c7d04d82a877d0886394f44963efe32ef52dc31ba95912a612ec784404
SHA51267d3a20c4c328abeeb508202876e3660de08829b222200898fe18e450d5545e12ec0af06046972a4e68bcc87cd068f3773dd548c21e1014cf8fd01c059b08921
-
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exeFilesize
513KB
MD5a1b7d499e642b981a9d4b1c348302087
SHA12795fe79c5818af774df1cfb3a02ab5ac2096430
SHA256117e6ab824255e6e6e2e08caf2eb55e52e8b97acbfc1fee5cc89fc9dfa2200a8
SHA51204946981ea8976f791605b5c90cc7002d921d929419a28e0dcd8e98fe77ccdad82ea9d22fd685ec0af1a79f694600cc38aa70a0a7b65726f46e34ba759200c5d
-
C:\Users\Admin\AppData\Local\Temp\TCD9832.tmp\iso690.xslFilesize
263KB
MD5ff0e07eff1333cdf9fc2523d323dd654
SHA177a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA2563f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d
-
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.datFilesize
239B
MD5c0458d84c21e6a33d9dd19954db113e2
SHA1ed281badb74c7dc0d4cc42e7bdfb1442c2b7fca2
SHA2569f644dd6e8fd46e1607d736deaae1ef28b2b043d7c1fcf97fda64f4044b047cb
SHA512de0ad401e167d9220d2fd8d08f5f14ca22e68b0e6260ab7b5fdf17e8db8aa442ed9f5326f84f65e4ae93650c182f6e09639d83e8a3798fdb2389ac0422a82f34
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-msFilesize
3KB
MD5ab5cfe253696a8889118b6ac23f39fdd
SHA1d1c55583ef21d5a6b080e652df12fa0b8b7eab4b
SHA2566a7bce21869e3b1c37f6c3efda3bba29b89ec0643d24e5a74f9ace068d31bec3
SHA512829e9f85287d9eb35e5952fc4a1f51a6e4ed6cc899094864bd88fb6f9c887fa2732e9a412c9af47ce8ddbec69adc5fc30153870e04f91830beaec18b1268b8e4
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-msFilesize
3KB
MD5dcf8d89b0757a8c27387084c4c55ea5a
SHA17ac5dc9619a2d2a2c959c6f320920a854fba45a1
SHA256427c8188f22e4f61f7d08e0fae8dab0896ebd0f47eacf306b7d65eb82989d32a
SHA51217e1a3cd1354ddad6d61008266486d5297b7ad258617ebcdd0a0cde69d9b6f51e0d7830ad0f379548404a8e5a4912abfc4cdb94cf443d301c6a694823ff3f8e8
-
C:\Windows\SysWOW64\iwlenyro.exeFilesize
513KB
MD53fd7da215eb738ca72a6fa97dc0db050
SHA13348fadccea7150d97c40bff2ed75163a44d6c0c
SHA256926ce332da1888eb10a3833e7def499fe266dee6d9d6d9a9ea84eae27e117fd6
SHA5124b8889d3d82aee6e6fc6c45f29347ea4f475c689a7ab87b87a57e8736f5e13e9f74bc3ff072be95e19b4fcc7a9055ec73b29426123e1cc505d0b6e9910884c98
-
C:\Windows\SysWOW64\qbesozshhnxxisr.exeFilesize
513KB
MD5ea69af92e04b74547af95e7e1bcb0fdf
SHA160edff7282359316168643e7711021d211f05b92
SHA2560091f0f100b77f0508fe6bd574bb07b3d05040c34a28bd1f31db0f7441cfb75b
SHA5127b7eeaa91352130f54057d0db80d1a75f83309c7909c25b509f4dc631f2152bccd4c95f989cad74d07f25a41d45bdf4cb6f54d875d4a4d500d4687da99a22c06
-
C:\Windows\SysWOW64\qeapzhonct.exeFilesize
513KB
MD502fcfe70b031a40bd9ea277582025946
SHA124d085176635b74c2879b37c9999102447714881
SHA256c039c6576fd4ef6e5f1ff4f52cbf51a52e848c2346f0b0509b5641be3b49c926
SHA5124fe00761cc9ff974d6fe8061c132163895341c0e56cb3631fc83b05ffe47f3bec6ae4de7e64d81b5dc25ebde4cd1e99503f6482feaac10e3d5c927ffb9cdfeec
-
C:\Windows\SysWOW64\vbjumskruslgr.exeFilesize
513KB
MD5e18bc71445c1f3c40a03954fd8d991a0
SHA1ff4bf35f3e2723e44d632601406b1c9402541fee
SHA2564895f99ebdc1642b56e23798a643c2130e32e5a9a4eae0c3d8be3f04aa658dab
SHA5120128787b5c991783e2a3065cad7d92890578d98f81151a8ce854456b25d3455a4010f46a9e354debf20760347e34fcf14dc0b47b507fb84420192a6d545f6722
-
C:\Windows\mydoc.rtfFilesize
223B
MD506604e5941c126e2e7be02c5cd9f62ec
SHA14eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA25685f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exeFilesize
513KB
MD5549380df9ec7e7def27c17419874bbf1
SHA16ee9f1ca7de634399c5f9cfb05868ee4e5e0ad43
SHA256c84c80f1c24898f879a1aecd7be64c3bc155b725a9690dea201c2c505fbb6218
SHA512942b3b4251df19821e2e60ecd68b4f8fe8739bae8d3cba2ef2699807fb7b8d929f60bbb750cbab67f96120fef53b00296abde61ea61054f50541566be70b220a
-
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exeFilesize
513KB
MD54ba5504ad3f30000bf3f8a08cc7b3652
SHA14cde11568982a0d34ae4da6f8671a74cac1e5c55
SHA256bd150b342421a2bd8e3daf332e3dbd4ce54570bce56ec28d679a5bdf629a49f7
SHA512c1d416b4a9aeb261b8c738fd92b0af992ff285217117d87557f8396a7a33282faf4894c6ca6b94fb1e1ef6036887b8a15d583f50782449a09a2881e25fc11187
-
memory/2460-0-0x0000000000400000-0x0000000000496000-memory.dmpFilesize
600KB
-
memory/4376-39-0x00007FF97A710000-0x00007FF97A720000-memory.dmpFilesize
64KB
-
memory/4376-38-0x00007FF97A710000-0x00007FF97A720000-memory.dmpFilesize
64KB
-
memory/4376-36-0x00007FF97A710000-0x00007FF97A720000-memory.dmpFilesize
64KB
-
memory/4376-37-0x00007FF97A710000-0x00007FF97A720000-memory.dmpFilesize
64KB
-
memory/4376-35-0x00007FF97A710000-0x00007FF97A720000-memory.dmpFilesize
64KB
-
memory/4376-43-0x00007FF978570000-0x00007FF978580000-memory.dmpFilesize
64KB
-
memory/4376-40-0x00007FF978570000-0x00007FF978580000-memory.dmpFilesize
64KB
-
memory/4376-596-0x00007FF97A710000-0x00007FF97A720000-memory.dmpFilesize
64KB
-
memory/4376-597-0x00007FF97A710000-0x00007FF97A720000-memory.dmpFilesize
64KB
-
memory/4376-595-0x00007FF97A710000-0x00007FF97A720000-memory.dmpFilesize
64KB
-
memory/4376-594-0x00007FF97A710000-0x00007FF97A720000-memory.dmpFilesize
64KB