Analysis
max time kernel: 150s
max time network: 109s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-04-2024 09:27
Static task: static1
Behavioral task: behavioral1
  Sample: 04e09d986ccbfcea90d12af9c5a8c899_JaffaCakes118.exe
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: 04e09d986ccbfcea90d12af9c5a8c899_JaffaCakes118.exe
  Resource: win10v2004-20240419-en
General
Target: 04e09d986ccbfcea90d12af9c5a8c899_JaffaCakes118.exe
Size: 512KB
MD5: 04e09d986ccbfcea90d12af9c5a8c899
SHA1: e021eeee851c96d55d79359b54fc84135be5728a
SHA256: e456129f312197672d56f5e2a26260b722184805755ede006ca07a17d07c3e06
SHA512: f3a5edb54b75c5710eaef549ae1d1fd92c0e2de57334e9c90bf5b03206333e62cd1c121bba4cd03558ff75fc2e584f409f5e2fd7d93ba64d86ca9abfb9066955
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj60:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5J
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
Processes: ldseuqmnts.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | ldseuqmnts.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
Processes: ldseuqmnts.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | ldseuqmnts.exe
Windows security bypass
Processes: ldseuqmnts.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | ldseuqmnts.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | ldseuqmnts.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | ldseuqmnts.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | ldseuqmnts.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | ldseuqmnts.exe
Disables RegEdit via registry modification (1 IoC)
Processes: ldseuqmnts.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | ldseuqmnts.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Processes: 04e09d986ccbfcea90d12af9c5a8c899_JaffaCakes118.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation | 04e09d986ccbfcea90d12af9c5a8c899_JaffaCakes118.exe
Executes dropped EXE (5 IoCs)
Processes: ldseuqmnts.exe, ixgjnsyg.exe, dnxeijbenenrapv.exe, sqnxbmulfppew.exe, ixgjnsyg.exe
pid | process
3452 | ldseuqmnts.exe
1896 | ixgjnsyg.exe
4664 | dnxeijbenenrapv.exe
1332 | sqnxbmulfppew.exe
4628 | ixgjnsyg.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.
Windows security modification
Processes: ldseuqmnts.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | ldseuqmnts.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | ldseuqmnts.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | ldseuqmnts.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | ldseuqmnts.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | ldseuqmnts.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | ldseuqmnts.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
Processes: dnxeijbenenrapv.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\panvzuzj = "ldseuqmnts.exe" | dnxeijbenenrapv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tbbdssjb = "dnxeijbenenrapv.exe" | dnxeijbenenrapv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "sqnxbmulfppew.exe" | dnxeijbenenrapv.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: ixgjnsyg.exe, ixgjnsyg.exe, ldseuqmnts.exe
description | ioc | process
File opened (read-only) | \??\r: | ixgjnsyg.exe
File opened (read-only) | \??\x: | ixgjnsyg.exe
File opened (read-only) | \??\o: | ixgjnsyg.exe
File opened (read-only) | \??\m: | ldseuqmnts.exe
File opened (read-only) | \??\t: | ldseuqmnts.exe
File opened (read-only) | \??\u: | ldseuqmnts.exe
File opened (read-only) | \??\y: | ldseuqmnts.exe
File opened (read-only) | \??\v: | ixgjnsyg.exe
File opened (read-only) | \??\x: | ixgjnsyg.exe
File opened (read-only) | \??\l: | ixgjnsyg.exe
File opened (read-only) | \??\h: | ixgjnsyg.exe
File opened (read-only) | \??\p: | ixgjnsyg.exe
File opened (read-only) | \??\h: | ldseuqmnts.exe
File opened (read-only) | \??\g: | ixgjnsyg.exe
File opened (read-only) | \??\p: | ixgjnsyg.exe
File opened (read-only) | \??\i: | ixgjnsyg.exe
File opened (read-only) | \??\b: | ixgjnsyg.exe
File opened (read-only) | \??\w: | ldseuqmnts.exe
File opened (read-only) | \??\a: | ixgjnsyg.exe
File opened (read-only) | \??\i: | ixgjnsyg.exe
File opened (read-only) | \??\u: | ixgjnsyg.exe
File opened (read-only) | \??\e: | ixgjnsyg.exe
File opened (read-only) | \??\y: | ixgjnsyg.exe
File opened (read-only) | \??\a: | ldseuqmnts.exe
File opened (read-only) | \??\n: | ldseuqmnts.exe
File opened (read-only) | \??\t: | ixgjnsyg.exe
File opened (read-only) | \??\r: | ldseuqmnts.exe
File opened (read-only) | \??\z: | ldseuqmnts.exe
File opened (read-only) | \??\h: | ixgjnsyg.exe
File opened (read-only) | \??\g: | ixgjnsyg.exe
File opened (read-only) | \??\j: | ldseuqmnts.exe
File opened (read-only) | \??\o: | ldseuqmnts.exe
File opened (read-only) | \??\k: | ixgjnsyg.exe
File opened (read-only) | \??\o: | ixgjnsyg.exe
File opened (read-only) | \??\k: | ldseuqmnts.exe
File opened (read-only) | \??\a: | ixgjnsyg.exe
File opened (read-only) | \??\l: | ixgjnsyg.exe
File opened (read-only) | \??\r: | ixgjnsyg.exe
File opened (read-only) | \??\u: | ixgjnsyg.exe
File opened (read-only) | \??\g: | ldseuqmnts.exe
File opened (read-only) | \??\e: | ldseuqmnts.exe
File opened (read-only) | \??\v: | ldseuqmnts.exe
File opened (read-only) | \??\e: | ixgjnsyg.exe
File opened (read-only) | \??\j: | ixgjnsyg.exe
File opened (read-only) | \??\n: | ixgjnsyg.exe
File opened (read-only) | \??\s: | ixgjnsyg.exe
File opened (read-only) | \??\z: | ixgjnsyg.exe
File opened (read-only) | \??\b: | ldseuqmnts.exe
File opened (read-only) | \??\q: | ixgjnsyg.exe
File opened (read-only) | \??\t: | ixgjnsyg.exe
File opened (read-only) | \??\q: | ldseuqmnts.exe
File opened (read-only) | \??\j: | ixgjnsyg.exe
File opened (read-only) | \??\w: | ixgjnsyg.exe
File opened (read-only) | \??\n: | ixgjnsyg.exe
File opened (read-only) | \??\v: | ixgjnsyg.exe
File opened (read-only) | \??\b: | ixgjnsyg.exe
File opened (read-only) | \??\k: | ixgjnsyg.exe
File opened (read-only) | \??\m: | ixgjnsyg.exe
File opened (read-only) | \??\q: | ixgjnsyg.exe
File opened (read-only) | \??\p: | ldseuqmnts.exe
File opened (read-only) | \??\w: | ixgjnsyg.exe
File opened (read-only) | \??\s: | ldseuqmnts.exe
File opened (read-only) | \??\m: | ixgjnsyg.exe
File opened (read-only) | \??\z: | ixgjnsyg.exe
Modifies WinLogon (2 TTPs, 2 IoCs)
Processes: ldseuqmnts.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | ldseuqmnts.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | ldseuqmnts.exe
AutoIT Executable (10 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/1012-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
C:\Windows\SysWOW64\dnxeijbenenrapv.exe | autoit_exe
C:\Windows\SysWOW64\ixgjnsyg.exe | autoit_exe
C:\Windows\SysWOW64\sqnxbmulfppew.exe | autoit_exe
C:\Windows\SysWOW64\ldseuqmnts.exe | autoit_exe
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | autoit_exe
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | autoit_exe
C:\Users\Admin\Documents\InstallExit.doc.exe | autoit_exe
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | autoit_exe
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | autoit_exe
Drops file in System32 directory (12 IoCs)
Processes: 04e09d986ccbfcea90d12af9c5a8c899_JaffaCakes118.exe, ldseuqmnts.exe, ixgjnsyg.exe, ixgjnsyg.exe
description | ioc | process
File created | C:\Windows\SysWOW64\dnxeijbenenrapv.exe | 04e09d986ccbfcea90d12af9c5a8c899_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\ixgjnsyg.exe | 04e09d986ccbfcea90d12af9c5a8c899_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\ixgjnsyg.exe | 04e09d986ccbfcea90d12af9c5a8c899_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\sqnxbmulfppew.exe | 04e09d986ccbfcea90d12af9c5a8c899_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | ldseuqmnts.exe
File created | C:\Windows\SysWOW64\ldseuqmnts.exe | 04e09d986ccbfcea90d12af9c5a8c899_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\dnxeijbenenrapv.exe | 04e09d986ccbfcea90d12af9c5a8c899_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\sqnxbmulfppew.exe | 04e09d986ccbfcea90d12af9c5a8c899_JaffaCakes118.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | ixgjnsyg.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | ixgjnsyg.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | ixgjnsyg.exe
File opened for modification | C:\Windows\SysWOW64\ldseuqmnts.exe | 04e09d986ccbfcea90d12af9c5a8c899_JaffaCakes118.exe
Drops file in Program Files directory (14 IoCs)
Processes: ixgjnsyg.exe, ixgjnsyg.exe
description | ioc | process
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ixgjnsyg.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | ixgjnsyg.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | ixgjnsyg.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | ixgjnsyg.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ixgjnsyg.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ixgjnsyg.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ixgjnsyg.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ixgjnsyg.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ixgjnsyg.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | ixgjnsyg.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ixgjnsyg.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ixgjnsyg.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ixgjnsyg.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ixgjnsyg.exe
Drops file in Windows directory (19 IoCs)
Processes: 04e09d986ccbfcea90d12af9c5a8c899_JaffaCakes118.exe, WINWORD.EXE, ixgjnsyg.exe, ixgjnsyg.exe
description | ioc | process
File opened for modification | C:\Windows\mydoc.rtf | 04e09d986ccbfcea90d12af9c5a8c899_JaffaCakes118.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | ixgjnsyg.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | ixgjnsyg.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | ixgjnsyg.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | ixgjnsyg.exe
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | ixgjnsyg.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | ixgjnsyg.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | ixgjnsyg.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | ixgjnsyg.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | ixgjnsyg.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | ixgjnsyg.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | ixgjnsyg.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | ixgjnsyg.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | ixgjnsyg.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | ixgjnsyg.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | ixgjnsyg.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | ixgjnsyg.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: WINWORD.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class (20 IoCs)
Processes: ldseuqmnts.exe, 04e09d986ccbfcea90d12af9c5a8c899_JaffaCakes118.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | ldseuqmnts.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F16BB4FE6A22DED17AD1D28B089160" | 04e09d986ccbfcea90d12af9c5a8c899_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "334F2C7C9D5183236D4277D170542CA97CF365DA" | 04e09d986ccbfcea90d12af9c5a8c899_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1944C60815E0DABFB9BE7FE7ED9434CB" | 04e09d986ccbfcea90d12af9c5a8c899_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | ldseuqmnts.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 04e09d986ccbfcea90d12af9c5a8c899_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | ldseuqmnts.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | ldseuqmnts.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | ldseuqmnts.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | ldseuqmnts.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AC8FABAFE65F1E583793B4B86993994B08102F14366023BE1CF459909D3" | 04e09d986ccbfcea90d12af9c5a8c899_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8BFCF9482E82199141D72A7E90BDE1E134584766476344D6EA" | 04e09d986ccbfcea90d12af9c5a8c899_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\Local Settings | 04e09d986ccbfcea90d12af9c5a8c899_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | ldseuqmnts.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | ldseuqmnts.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | ldseuqmnts.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | ldseuqmnts.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | ldseuqmnts.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC2B05B479039E853BFB9D1339CD7BE" | 04e09d986ccbfcea90d12af9c5a8c899_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | ldseuqmnts.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes: WINWORD.EXE
pid | process
5744 | WINWORD.EXE (x2)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: 04e09d986ccbfcea90d12af9c5a8c899_JaffaCakes118.exe, ldseuqmnts.exe, ixgjnsyg.exe, sqnxbmulfppew.exe, dnxeijbenenrapv.exe, ixgjnsyg.exe
pid | process (identical consecutive rows collapsed with a count)
1012 | 04e09d986ccbfcea90d12af9c5a8c899_JaffaCakes118.exe (x16)
3452 | ldseuqmnts.exe (x10)
1896 | ixgjnsyg.exe (x8)
1332 | sqnxbmulfppew.exe (x12)
4664 | dnxeijbenenrapv.exe (x10)
4628 | ixgjnsyg.exe (x8)
Suspicious use of FindShellTrayWindow (18 IoCs)
Processes: 04e09d986ccbfcea90d12af9c5a8c899_JaffaCakes118.exe, ldseuqmnts.exe, sqnxbmulfppew.exe, ixgjnsyg.exe, dnxeijbenenrapv.exe, ixgjnsyg.exe
pid | process (identical consecutive rows collapsed with a count)
1012 | 04e09d986ccbfcea90d12af9c5a8c899_JaffaCakes118.exe (x3)
3452 | ldseuqmnts.exe (x3)
1332 | sqnxbmulfppew.exe
1896 | ixgjnsyg.exe
4664 | dnxeijbenenrapv.exe
1332 | sqnxbmulfppew.exe
1896 | ixgjnsyg.exe
4664 | dnxeijbenenrapv.exe
1332 | sqnxbmulfppew.exe
1896 | ixgjnsyg.exe
4664 | dnxeijbenenrapv.exe
4628 | ixgjnsyg.exe (x3)
Suspicious use of SendNotifyMessage (18 IoCs)
Processes: 04e09d986ccbfcea90d12af9c5a8c899_JaffaCakes118.exe, ldseuqmnts.exe, sqnxbmulfppew.exe, ixgjnsyg.exe, dnxeijbenenrapv.exe, ixgjnsyg.exe
pid | process (identical consecutive rows collapsed with a count)
1012 | 04e09d986ccbfcea90d12af9c5a8c899_JaffaCakes118.exe (x3)
3452 | ldseuqmnts.exe (x3)
1332 | sqnxbmulfppew.exe
1896 | ixgjnsyg.exe
4664 | dnxeijbenenrapv.exe
1332 | sqnxbmulfppew.exe
1896 | ixgjnsyg.exe
4664 | dnxeijbenenrapv.exe
1332 | sqnxbmulfppew.exe
1896 | ixgjnsyg.exe
4664 | dnxeijbenenrapv.exe
4628 | ixgjnsyg.exe (x3)
Suspicious use of SetWindowsHookEx (7 IoCs)
Processes: WINWORD.EXE
pid | process
5744 | WINWORD.EXE (x7)
Suspicious use of WriteProcessMemory (17 IoCs)
Processes: 04e09d986ccbfcea90d12af9c5a8c899_JaffaCakes118.exe, ldseuqmnts.exe
description | pid | process | target process (identical consecutive rows collapsed with a count)
PID 1012 wrote to memory of 3452 | 1012 | 04e09d986ccbfcea90d12af9c5a8c899_JaffaCakes118.exe | ldseuqmnts.exe (x3)
PID 1012 wrote to memory of 4664 | 1012 | 04e09d986ccbfcea90d12af9c5a8c899_JaffaCakes118.exe | dnxeijbenenrapv.exe (x3)
PID 1012 wrote to memory of 1896 | 1012 | 04e09d986ccbfcea90d12af9c5a8c899_JaffaCakes118.exe | ixgjnsyg.exe (x3)
PID 1012 wrote to memory of 1332 | 1012 | 04e09d986ccbfcea90d12af9c5a8c899_JaffaCakes118.exe | sqnxbmulfppew.exe (x3)
PID 1012 wrote to memory of 5744 | 1012 | 04e09d986ccbfcea90d12af9c5a8c899_JaffaCakes118.exe | WINWORD.EXE (x2)
PID 3452 wrote to memory of 4628 | 3452 | ldseuqmnts.exe | ixgjnsyg.exe (x3)
Processes
- C:\Users\Admin\AppData\Local\Temp\04e09d986ccbfcea90d12af9c5a8c899_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\04e09d986ccbfcea90d12af9c5a8c899_JaffaCakes118.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\ldseuqmnts.exe
    Command line: ldseuqmnts.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\ixgjnsyg.exe
      Command line: C:\Windows\system32\ixgjnsyg.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\dnxeijbenenrapv.exe
    Command line: dnxeijbenenrapv.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\ixgjnsyg.exe
    Command line: ixgjnsyg.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\sqnxbmulfppew.exe
    Command line: sqnxbmulfppew.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Modify Registry (6)
  Impair Defenses (2)
    Disable or Modify Tools (2)
Downloads
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
  Filesize: 512KB
  MD5: ea4e91f563749037d17071888ce833a2
  SHA1: 2a7a0b4dbbde599978f54f84b4f670786079de2a
  SHA256: 755b92502380624cf1b56c5f8ab1fe1dab9c109e20b9829d449fba09a0fffc69
  SHA512: 39a81f3360947f280b0ec195402597815f85bbb9b9016a86c7b995ac25355ff905928a110bddc2bc21717b6c6357585c30ece077034779152ae11975bcab27a0

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
  Filesize: 512KB
  MD5: 2c0af9c1cbda740920c8f542518cdbc2
  SHA1: 599eec05ee7fe8bd0f102d321f25ee1582913fae
  SHA256: 2ea91481807ecf92020bd2e7d9b97290a2066605ec6b38528a4b151b895c9820
  SHA512: dba95602921c6597e5234332427c76d887d00c97dc4aa16ebd7feded18efd549d041a371f9a7853e7a2897dd4a1dfacb47dc0c5073ae99f82d8e69e737f85026

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
  Filesize: 239B
  MD5: 707a7804af52e6627d2282e025e67448
  SHA1: d8b3015cfebe7cb30d6e2fba2e36b50468a4ec28
  SHA256: 7151c25ff695ee9b53785af1fd3b9d1d0be4b04f60ec0c25184e27a1641157b4
  SHA512: 3dd35fbfeb5bd72fe9323fa889a9afbfbe4513a14e17742a1fec19fb0b2e02d13fa4bf80f97ef6ddb333dbad107a4d87527a669505ece95492d8a510939fdb76

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 3KB
  MD5: 68a1e4949b464f3a8f8302583337e5cb
  SHA1: 1064e2f339b1265e06d88d5b61a614dbc0013f08
  SHA256: 805f27c1cd6caef4e9b6cb6ff533a9950081c45b5002c2e65456720d0ee39b1c
  SHA512: c68be308528b8286b3a6fbc97cd8412e2df197c50adbe5d80886253ec1ea659c45446e8e80949a59bbbd2b230323e17376db21f09c5b471a76cd5b70ec64d5e2

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 3KB
  MD5: f62118fb5fd6694312d7eca88faecf14
  SHA1: af6e5b826288d59fdd296688177803400b2fecbb
  SHA256: 2e4f95c19d13f79f309be9381266945ad1c9408f9851eaf17385c85c170681db
  SHA512: 7f3bf50380eea5b83909f5668ed7479257898b160c9d8ea6e619c5d3c6ed82a1b8d7a2b0d586ea3daa4831d8e4b8052f8ba2b3ea1b651513f2ae058d38594a98

C:\Users\Admin\Documents\InstallExit.doc.exe
  Filesize: 512KB
  MD5: 72b4dbc8bd7ea56c8b0ede50ec8742df
  SHA1: 0250e364ad6b68d108408b0e0c62bc91bb24601e
  SHA256: b9c219f6f1ecfd5c14af89ba183182cb4727e9dd800771a2f9dfdb8342fdaa70
  SHA512: c57eda222f706a7178b392e2ea073810ffcd1880d6f3307cd4ab450e50324c881b3a22e7d1f728bd02cfacf8f48cae63b380c70b9d20f7e83aea61482580603b

C:\Windows\SysWOW64\dnxeijbenenrapv.exe
  Filesize: 512KB
  MD5: 154af760ac5e4f9732fc878612854b50
  SHA1: 7c60a3afd0d3c5e9389323000d4117c48891c7c0
  SHA256: 2cf96315013dc03ffa3743a40e42ae68b90d7dff15a8f606246fd493c6ceeb4b
  SHA512: 34d97b6a1b990e733ed9e7564b95e37ab1b405ac4af5f9438efd01b7323a5a4b52329a84fce0ce993121a1eec2d3e41c5f062c5892897ec8e02d5a5845f4359f

C:\Windows\SysWOW64\ixgjnsyg.exe
  Filesize: 512KB
  MD5: d47851bb463ba25a77c9c5c1c881ac61
  SHA1: 04174b43e0b3557ea19b570794564dc1bae4db2e
  SHA256: ae871bcabc3927dc1aeda3cce9a086cbcc8b9de727a9cd0b0365d42461774c5c
  SHA512: bdae871ee3476d02d9e6a46b648c73831000848fca0902511dc2a4b11120dbafde29f8e932eff6fb4e41edc9b8f82c04247aa1f27a80a5456f72b326cf0c875d

C:\Windows\SysWOW64\ldseuqmnts.exe
  Filesize: 512KB
  MD5: d42c795653418d7e418947aab0b074e2
  SHA1: 73a18ed7655e4df6fc7a2d2cea60c6a3744a9c00
  SHA256: 5876b07959f7a9b76abaab21373b73076df2bf4ddd6d761859e3237c4f31702a
  SHA512: bf1365d3a1f0d1e2a4c603d8ea6ba3ed08b48168b5021168e3b7491ad78f7d019a4c0c7730153fe195417ab20966a38b6e973af915b20db0b03b64806dec8bfa

C:\Windows\SysWOW64\sqnxbmulfppew.exe
  Filesize: 512KB
  MD5: 5ae16defd080be65bf84f5846f44b97c
  SHA1: f3becea357be8c6a7149453a1676a834bb0e9f19
  SHA256: e444a95a8f213457845db51681bb85f25f70c466be1363356f4d9d4677dc65b3
  SHA512: ca7dc85e76c8e57c55275974f643557804d72c4cf9fbd8a4daa55b1103e4e7d5af81e8f6b8f94626f150ec42da325c5ae807235f2040ab8dd3c211edf2740a53

C:\Windows\mydoc.rtf
  Filesize: 223B
  MD5: 06604e5941c126e2e7be02c5cd9f62ec
  SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
  SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
  SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
  Filesize: 512KB
  MD5: a22ad41e4aee85f195dc7557bf01c0db
  SHA1: 4e77092b2075f8c76c27422cdcce0610f33e0d35
  SHA256: 7491cd810fb4813fd137c79e8597fa71eeba09de984be49ef5b4d4f93a762417
  SHA512: 2bcad5dd3551ec4af860dbffc91c3228470746c9c36d7934d7136545806f37cab3472241f6922edcde03fae8eac34589327c3008f59712093f00c0e878e4b35d

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
  Filesize: 512KB
  MD5: 9f21c3faa2753b7aaa95b68d6bf7cf6f
  SHA1: 4b5d0510be8e30b8bbb09932f2f1a58b545c6694
  SHA256: 7258c0cf748450c2179360dd4207dc32a61e907dbfa528af6b9ab61b443c82fd
  SHA512: 14e27953f56880ee3cb1ce8bc02acc97a4972beda27f0232e2cf8dca2ef9b46d6e23069a0df7b382d61a3aad0173ef4ffbe6f5cb7e3f51d46e778397dbad4ef6

memory/1012-0-0x0000000000400000-0x0000000000496000-memory.dmp
  Filesize: 600KB

memory/5744-39-0x00007FF9EEA90000-0x00007FF9EEAA0000-memory.dmp
  Filesize: 64KB

memory/5744-37-0x00007FF9EEA90000-0x00007FF9EEAA0000-memory.dmp
  Filesize: 64KB

memory/5744-38-0x00007FF9EEA90000-0x00007FF9EEAA0000-memory.dmp
  Filesize: 64KB

memory/5744-36-0x00007FF9EEA90000-0x00007FF9EEAA0000-memory.dmp
  Filesize: 64KB

memory/5744-35-0x00007FF9EEA90000-0x00007FF9EEAA0000-memory.dmp
  Filesize: 64KB

memory/5744-43-0x00007FF9ECA30000-0x00007FF9ECA40000-memory.dmp
  Filesize: 64KB

memory/5744-40-0x00007FF9ECA30000-0x00007FF9ECA40000-memory.dmp
  Filesize: 64KB

memory/5744-114-0x00007FF9EEA90000-0x00007FF9EEAA0000-memory.dmp
  Filesize: 64KB

memory/5744-115-0x00007FF9EEA90000-0x00007FF9EEAA0000-memory.dmp
  Filesize: 64KB

memory/5744-113-0x00007FF9EEA90000-0x00007FF9EEAA0000-memory.dmp
  Filesize: 64KB

memory/5744-116-0x00007FF9EEA90000-0x00007FF9EEAA0000-memory.dmp
  Filesize: 64KB