Analysis
-
max time kernel
151s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
28-04-2024 13:56
Static task
static1
Behavioral task
behavioral1
Sample
055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe
Resource
win10v2004-20240226-en
General
-
Target
055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe
-
Size
512KB
-
MD5
055735e29b5b10f70534747b4728f0e0
-
SHA1
9f532602425f9055a1ce843a141b1a8576c00a6d
-
SHA256
e5ce80ae6335e3de4780105efc6f0f92085fd34ebf91d33995128fb5890ac605
-
SHA512
764cca2c2c9cf312a4d30e0661d0091e46ed3e357561eb10c48cb81d079e1740ab6e863f0440734d1d7e2db19a2ba683a941bf22b2c46b203c7cab567dc09135
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6A:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5T
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
Processes:
hyzvyixugu.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" hyzvyixugu.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes:
hyzvyixugu.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" hyzvyixugu.exe -
Processes:
hyzvyixugu.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" hyzvyixugu.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" hyzvyixugu.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" hyzvyixugu.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" hyzvyixugu.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" hyzvyixugu.exe -
Disables RegEdit via registry modification 1 IoCs
Processes:
hyzvyixugu.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" hyzvyixugu.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe -
Executes dropped EXE 5 IoCs
Processes:
hyzvyixugu.exeybxwotoeximypbd.exeymflyivc.exeriiykdhfvbqgu.exeymflyivc.exepid process 4596 hyzvyixugu.exe 2900 ybxwotoeximypbd.exe 3184 ymflyivc.exe 4692 riiykdhfvbqgu.exe 5420 ymflyivc.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
hyzvyixugu.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" hyzvyixugu.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" hyzvyixugu.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" hyzvyixugu.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" hyzvyixugu.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" hyzvyixugu.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" hyzvyixugu.exe -
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
ybxwotoeximypbd.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rxyedrlb = "hyzvyixugu.exe" ybxwotoeximypbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pedcjyfg = "ybxwotoeximypbd.exe" ybxwotoeximypbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "riiykdhfvbqgu.exe" ybxwotoeximypbd.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
ymflyivc.exehyzvyixugu.exeymflyivc.exedescription ioc process File opened (read-only) \??\v: ymflyivc.exe File opened (read-only) \??\r: hyzvyixugu.exe File opened (read-only) \??\w: ymflyivc.exe File opened (read-only) \??\e: ymflyivc.exe File opened (read-only) \??\r: ymflyivc.exe File opened (read-only) \??\a: hyzvyixugu.exe File opened (read-only) \??\n: hyzvyixugu.exe File opened (read-only) \??\p: hyzvyixugu.exe File opened (read-only) \??\t: hyzvyixugu.exe File opened (read-only) \??\z: ymflyivc.exe File opened (read-only) \??\p: ymflyivc.exe File opened (read-only) \??\x: ymflyivc.exe File opened (read-only) \??\q: ymflyivc.exe File opened (read-only) \??\l: ymflyivc.exe File opened (read-only) \??\w: hyzvyixugu.exe File opened (read-only) \??\k: ymflyivc.exe File opened (read-only) \??\i: hyzvyixugu.exe File opened (read-only) \??\m: hyzvyixugu.exe File opened (read-only) \??\u: hyzvyixugu.exe File opened (read-only) \??\x: ymflyivc.exe File opened (read-only) \??\j: ymflyivc.exe File opened (read-only) \??\n: ymflyivc.exe File opened (read-only) \??\z: ymflyivc.exe File opened (read-only) \??\b: hyzvyixugu.exe File opened (read-only) \??\z: hyzvyixugu.exe File opened (read-only) \??\n: ymflyivc.exe File opened (read-only) \??\s: ymflyivc.exe File opened (read-only) \??\b: ymflyivc.exe File opened (read-only) \??\m: ymflyivc.exe File opened (read-only) \??\j: ymflyivc.exe File opened (read-only) \??\e: hyzvyixugu.exe File opened (read-only) \??\b: ymflyivc.exe File opened (read-only) \??\h: hyzvyixugu.exe File opened (read-only) \??\p: ymflyivc.exe File opened (read-only) \??\h: ymflyivc.exe File opened (read-only) \??\l: ymflyivc.exe File opened (read-only) \??\t: ymflyivc.exe File opened (read-only) \??\t: ymflyivc.exe File opened (read-only) \??\w: ymflyivc.exe File opened (read-only) \??\o: hyzvyixugu.exe File opened (read-only) \??\y: hyzvyixugu.exe File opened (read-only) \??\m: ymflyivc.exe File opened (read-only) \??\r: ymflyivc.exe File opened (read-only) \??\o: ymflyivc.exe File opened (read-only) \??\l: hyzvyixugu.exe File opened (read-only) \??\q: hyzvyixugu.exe File opened (read-only) \??\e: ymflyivc.exe File opened (read-only) \??\g: ymflyivc.exe File opened (read-only) \??\i: ymflyivc.exe File opened (read-only) \??\u: ymflyivc.exe File opened (read-only) \??\j: hyzvyixugu.exe File opened (read-only) \??\x: hyzvyixugu.exe File opened (read-only) \??\i: ymflyivc.exe File opened (read-only) \??\k: hyzvyixugu.exe File opened (read-only) \??\a: ymflyivc.exe File opened (read-only) \??\u: ymflyivc.exe File opened (read-only) \??\q: ymflyivc.exe File opened (read-only) \??\s: hyzvyixugu.exe File opened (read-only) \??\o: ymflyivc.exe File opened (read-only) \??\v: ymflyivc.exe File opened (read-only) \??\y: ymflyivc.exe File opened (read-only) \??\s: ymflyivc.exe File opened (read-only) \??\k: ymflyivc.exe File opened (read-only) \??\g: hyzvyixugu.exe -
Modifies WinLogon 2 TTPs 2 IoCs
Processes:
hyzvyixugu.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" hyzvyixugu.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" hyzvyixugu.exe -
AutoIT Executable 10 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource yara_rule behavioral2/memory/4620-0-0x0000000000400000-0x0000000000496000-memory.dmp autoit_exe C:\Windows\SysWOW64\ybxwotoeximypbd.exe autoit_exe C:\Windows\SysWOW64\hyzvyixugu.exe autoit_exe C:\Windows\SysWOW64\ymflyivc.exe autoit_exe C:\Windows\SysWOW64\riiykdhfvbqgu.exe autoit_exe C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe autoit_exe C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe autoit_exe C:\Users\Admin\Downloads\ClearConvertFrom.doc.exe autoit_exe \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe autoit_exe \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe autoit_exe -
Drops file in System32 directory 13 IoCs
Processes:
055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exehyzvyixugu.exeymflyivc.exeymflyivc.exedescription ioc process File opened for modification C:\Windows\SysWOW64\ybxwotoeximypbd.exe 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe File created C:\Windows\SysWOW64\riiykdhfvbqgu.exe 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll hyzvyixugu.exe File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe ymflyivc.exe File created C:\Windows\SysWOW64\hyzvyixugu.exe 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\hyzvyixugu.exe 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe File created C:\Windows\SysWOW64\ybxwotoeximypbd.exe 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe ymflyivc.exe File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe ymflyivc.exe File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe ymflyivc.exe File created C:\Windows\SysWOW64\ymflyivc.exe 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\ymflyivc.exe 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\riiykdhfvbqgu.exe 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe -
Drops file in Program Files directory 14 IoCs
Processes:
ymflyivc.exeymflyivc.exedescription ioc process File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe ymflyivc.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal ymflyivc.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe ymflyivc.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal ymflyivc.exe File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe ymflyivc.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe ymflyivc.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe ymflyivc.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe ymflyivc.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe ymflyivc.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe ymflyivc.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe ymflyivc.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe ymflyivc.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal ymflyivc.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal ymflyivc.exe -
Drops file in Windows directory 3 IoCs
Processes:
055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exeWINWORD.EXEdescription ioc process File opened for modification C:\Windows\mydoc.rtf 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE File created C:\Windows\~$mydoc.rtf WINWORD.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Modifies registry class 20 IoCs
Processes:
055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exehyzvyixugu.exedescription ioc process Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs hyzvyixugu.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf hyzvyixugu.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" hyzvyixugu.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33322D089D2382596D3576A0772E2DDB7DF265DC" 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F368C4FF6D21DDD20FD1D38A759113" 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193FC67415E6DAC3B8CE7F92EDE334CE" 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat hyzvyixugu.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" hyzvyixugu.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc hyzvyixugu.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg hyzvyixugu.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EC2B15C479339EE52BEBAA23393D7C5" 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" hyzvyixugu.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" hyzvyixugu.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" hyzvyixugu.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BBCFACDFE65F2E7837F3A4586ED3994B3FE02FD4365024BE2CE429B08D5" 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F88FF8E482982189133D7587D9DBD92E634594566466342D691" 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh hyzvyixugu.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" hyzvyixugu.exe Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 5760 WINWORD.EXE 5760 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exehyzvyixugu.exeymflyivc.exeybxwotoeximypbd.exeriiykdhfvbqgu.exeymflyivc.exepid process 4620 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe 4620 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe 4620 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe 4620 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe 4620 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe 4620 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe 4620 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe 4620 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe 4620 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe 4620 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe 4620 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe 4620 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe 4620 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe 4620 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe 4620 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe 4620 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe 4596 hyzvyixugu.exe 4596 hyzvyixugu.exe 4596 hyzvyixugu.exe 4596 hyzvyixugu.exe 4596 hyzvyixugu.exe 4596 hyzvyixugu.exe 4596 hyzvyixugu.exe 4596 hyzvyixugu.exe 4596 hyzvyixugu.exe 4596 hyzvyixugu.exe 3184 ymflyivc.exe 3184 ymflyivc.exe 3184 ymflyivc.exe 3184 ymflyivc.exe 3184 ymflyivc.exe 3184 ymflyivc.exe 3184 ymflyivc.exe 3184 ymflyivc.exe 2900 ybxwotoeximypbd.exe 2900 ybxwotoeximypbd.exe 2900 ybxwotoeximypbd.exe 2900 ybxwotoeximypbd.exe 2900 ybxwotoeximypbd.exe 2900 ybxwotoeximypbd.exe 2900 ybxwotoeximypbd.exe 2900 ybxwotoeximypbd.exe 4692 riiykdhfvbqgu.exe 4692 riiykdhfvbqgu.exe 4692 riiykdhfvbqgu.exe 4692 riiykdhfvbqgu.exe 4692 riiykdhfvbqgu.exe 4692 riiykdhfvbqgu.exe 4692 riiykdhfvbqgu.exe 4692 riiykdhfvbqgu.exe 4692 riiykdhfvbqgu.exe 4692 riiykdhfvbqgu.exe 4692 riiykdhfvbqgu.exe 4692 riiykdhfvbqgu.exe 2900 ybxwotoeximypbd.exe 2900 ybxwotoeximypbd.exe 2900 ybxwotoeximypbd.exe 2900 ybxwotoeximypbd.exe 4692 riiykdhfvbqgu.exe 4692 riiykdhfvbqgu.exe 4692 riiykdhfvbqgu.exe 4692 riiykdhfvbqgu.exe 5420 ymflyivc.exe 5420 ymflyivc.exe -
Suspicious use of FindShellTrayWindow 18 IoCs
Processes:
055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exehyzvyixugu.exeymflyivc.exeybxwotoeximypbd.exeriiykdhfvbqgu.exeymflyivc.exepid process 4620 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe 4620 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe 4620 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe 4596 hyzvyixugu.exe 4596 hyzvyixugu.exe 4596 hyzvyixugu.exe 3184 ymflyivc.exe 3184 ymflyivc.exe 3184 ymflyivc.exe 2900 ybxwotoeximypbd.exe 4692 riiykdhfvbqgu.exe 2900 ybxwotoeximypbd.exe 4692 riiykdhfvbqgu.exe 2900 ybxwotoeximypbd.exe 4692 riiykdhfvbqgu.exe 5420 ymflyivc.exe 5420 ymflyivc.exe 5420 ymflyivc.exe -
Suspicious use of SendNotifyMessage 18 IoCs
Processes:
055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exehyzvyixugu.exeymflyivc.exeybxwotoeximypbd.exeriiykdhfvbqgu.exeymflyivc.exepid process 4620 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe 4620 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe 4620 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe 4596 hyzvyixugu.exe 4596 hyzvyixugu.exe 4596 hyzvyixugu.exe 3184 ymflyivc.exe 3184 ymflyivc.exe 3184 ymflyivc.exe 2900 ybxwotoeximypbd.exe 4692 riiykdhfvbqgu.exe 2900 ybxwotoeximypbd.exe 4692 riiykdhfvbqgu.exe 2900 ybxwotoeximypbd.exe 4692 riiykdhfvbqgu.exe 5420 ymflyivc.exe 5420 ymflyivc.exe 5420 ymflyivc.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
Processes:
WINWORD.EXEpid process 5760 WINWORD.EXE 5760 WINWORD.EXE 5760 WINWORD.EXE 5760 WINWORD.EXE 5760 WINWORD.EXE 5760 WINWORD.EXE 5760 WINWORD.EXE -
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exehyzvyixugu.exedescription pid process target process PID 4620 wrote to memory of 4596 4620 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe hyzvyixugu.exe PID 4620 wrote to memory of 4596 4620 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe hyzvyixugu.exe PID 4620 wrote to memory of 4596 4620 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe hyzvyixugu.exe PID 4620 wrote to memory of 2900 4620 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe ybxwotoeximypbd.exe PID 4620 wrote to memory of 2900 4620 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe ybxwotoeximypbd.exe PID 4620 wrote to memory of 2900 4620 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe ybxwotoeximypbd.exe PID 4620 wrote to memory of 3184 4620 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe ymflyivc.exe PID 4620 wrote to memory of 3184 4620 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe ymflyivc.exe PID 4620 wrote to memory of 3184 4620 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe ymflyivc.exe PID 4620 wrote to memory of 4692 4620 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe riiykdhfvbqgu.exe PID 4620 wrote to memory of 4692 4620 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe riiykdhfvbqgu.exe PID 4620 wrote to memory of 4692 4620 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe riiykdhfvbqgu.exe PID 4596 wrote to memory of 5420 4596 hyzvyixugu.exe ymflyivc.exe PID 4596 wrote to memory of 5420 4596 hyzvyixugu.exe ymflyivc.exe PID 4596 wrote to memory of 5420 4596 hyzvyixugu.exe ymflyivc.exe PID 4620 wrote to memory of 5760 4620 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe WINWORD.EXE PID 4620 wrote to memory of 5760 4620 055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe WINWORD.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\hyzvyixugu.exehyzvyixugu.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ymflyivc.exeC:\Windows\system32\ymflyivc.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\ybxwotoeximypbd.exeybxwotoeximypbd.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\ymflyivc.exeymflyivc.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\riiykdhfvbqgu.exeriiykdhfvbqgu.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""2⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3916 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:81⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Modify Registry
6Impair Defenses
2Disable or Modify Tools
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exeFilesize
512KB
MD5339b1ea198bc1867ea1abb71ae29f364
SHA1347467dac41b9972efbb7e80cb1fb60c2274d699
SHA2562bb2bbff9b65230932eaae85428534d84f988eb9bacbc3d35ada185b65383ee3
SHA512751893e2a0cddaa329bfdbaaf16f12a033469f7944c4168b72938f40b85a40ac21184e0b6383c10077e0b477ade424b7a09503a3393048e21535ce337b206649
-
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exeFilesize
512KB
MD56e24cac8eaef71cdc220b5ec86a11ffc
SHA1bab6facdc484d8ffef6a0194342087baa84520a4
SHA256ba0c89fcd9393a0874fd74c8920a962d280667dd4fb4947f41746878baec1783
SHA5128aaadcd134c3a7b86483e56d82e639b30c1f6193d311a7c922f585c224adcca071a98bc17ef38d9a1cc48727552b79d1f901b97e8bb4393803904863abec1f5a
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-msFilesize
3KB
MD57283dcdff55ed7e5b8b55e6e3fbf6aac
SHA119718b8fd9ad83abf9e229c8b9351824c339452d
SHA256132a3fbd2cd6349d150a08f0217de4ae1b897c1b5909df93408fccc136a5266f
SHA5121a8e50bc8de90bbdd93fa236784bab2813ca6dd5ae065e4086a29f4e3dc2e3263f085f9ae95a36aa86f102f018394226f90c0593c86c2490f51f401f793584a0
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-msFilesize
3KB
MD5d781388618c1109e8c29db8c644d7116
SHA1457ec20c51700ac2b71fa1514b94920f218c7a4d
SHA2568432ed797ffa907df5698cfecfa95e99264b8bdc1a5721b21709d1999bd8f877
SHA5125a1b6e1a4ddd37e526b2060c337ac45ef2886cb8fc681373fba5a18700e7c05b9d7d4803b3b33fbf2b68d4bc5a8cb6cbe494a155249b9716f44b32864c15f87a
-
C:\Users\Admin\Downloads\ClearConvertFrom.doc.exeFilesize
512KB
MD5fae2149c6aa808ebe0de89ecff310971
SHA1c332bcd0cd898fdfbff9683dccca09fd39fad960
SHA256533fca707dc4b9a186e3e9126d3dfee97208bbebe23ddee65cc401ef4453c911
SHA512beb86afb23888c2f8f213c070a9cf3dab7adf787973253cf466ac8647986b2642b0cadf8ca427b9b988c13c4e2b96a34f1627acd90dcfb45afd7f9e4705bfa82
-
C:\Windows\SysWOW64\hyzvyixugu.exeFilesize
512KB
MD5fa42b5e4afa8802d96b1478aa7bc5c79
SHA1404c1248d9563e3ad3a49698d21c48c4713c69e9
SHA2564f311fcaf0d6752e9976f1e8d4155ed8f8491830b06b41ee14f794d9abb18dbd
SHA512f7ba38b4e8f99fbd924a759600e49b1c28ee85f2e381d1d82e001777199fec899ba933628135a0324e2d891cb1a5ebfe4111d0f7fdd337f8c839fa9c5864be88
-
C:\Windows\SysWOW64\riiykdhfvbqgu.exeFilesize
512KB
MD51f4d817f9c2409a96d1963b2643e865e
SHA19bd1c7b2a57397da475d000b495bd97dd7d0f1a4
SHA256f6cd758e1b50362b7330f6096e8cdadc225e38d72200b94d5c7643df3715917e
SHA5121a792c17cf98dda98100a9fab345f64b7d5798a14c4de056d93e28e02a445b1049cf5304872d327e505cf647e5f9527df8aaaadba71fcac0a93be52c177779c8
-
C:\Windows\SysWOW64\ybxwotoeximypbd.exeFilesize
512KB
MD582bb22b16e9007d238efb02479ab8e66
SHA175a0f381f8a3a97d883b41b3633c8c6a053ff0a2
SHA25607d7c4cf5a105578fe214d5febc02a852466e867e0e97e344a11c14ec4f98d67
SHA5127551358a550d20609fbef2db6c25546e2359d2ee816d590c5edc8136c935ab0e5fc08895c32e551ef1383bb9170ea2721d78af3d5558862c29d0c038abf8f949
-
C:\Windows\SysWOW64\ymflyivc.exeFilesize
512KB
MD57b0735228ce97f1b2cbe270e3a050feb
SHA131c6a424be622424bedb16ca3fbb4cca733ccd13
SHA256ea6364061892f290f65030e96881bb381c37ed5efab72dfe9c4a3337068da218
SHA512312c7a5a8f62618d8caab6b2cf93bf31aba253eaff4cfb193119680d4706c7dcc364d8afb748bfa01bd0c4bbbf93c434acca69cf8bf0634b428ef1d75430e02a
-
C:\Windows\mydoc.rtfFilesize
223B
MD506604e5941c126e2e7be02c5cd9f62ec
SHA14eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA25685f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exeFilesize
512KB
MD50dc8e06a23844f827c63e036c08b1120
SHA11ccd85a77ca3a52316cc684e5032b6e1c06df3e1
SHA2565186ad6ce9ded6bcd39c778ac11ab24b91e0e6099202b286a45265925e665661
SHA512da3ac90e03e8d70037f5c454c0705fa25e5e8b6aebd4d49e07e3618e347cf6ddab692126b6f045ef0f15d2757d35fc60a855eb3888cb7097694d9605ad23e094
-
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exeFilesize
512KB
MD509e49d5ec61ffd2403e9be724944b43c
SHA1fa00ce6206df17554bfab207628d7477a755655f
SHA256a8ad3f8c806d0f38aa5ccd3a516d2656bb3a5f4af4e455eec20dff7e6d5196d7
SHA512c24f4364aeced4c85cb7fed8ec94587604a0953b85bdd260ac41824cdbde1fd8d96ba5fa2ab157547abbb885897cdc115235b2f97d6c8920f9105d6d2179122e
-
memory/4620-0-0x0000000000400000-0x0000000000496000-memory.dmpFilesize
600KB
-
memory/5760-43-0x00007FFD60A30000-0x00007FFD60A40000-memory.dmpFilesize
64KB
-
memory/5760-42-0x00007FFD60A30000-0x00007FFD60A40000-memory.dmpFilesize
64KB
-
memory/5760-41-0x00007FFD62A90000-0x00007FFD62AA0000-memory.dmpFilesize
64KB
-
memory/5760-40-0x00007FFD62A90000-0x00007FFD62AA0000-memory.dmpFilesize
64KB
-
memory/5760-39-0x00007FFD62A90000-0x00007FFD62AA0000-memory.dmpFilesize
64KB
-
memory/5760-37-0x00007FFD62A90000-0x00007FFD62AA0000-memory.dmpFilesize
64KB
-
memory/5760-38-0x00007FFD62A90000-0x00007FFD62AA0000-memory.dmpFilesize
64KB
-
memory/5760-122-0x00007FFD62A90000-0x00007FFD62AA0000-memory.dmpFilesize
64KB
-
memory/5760-123-0x00007FFD62A90000-0x00007FFD62AA0000-memory.dmpFilesize
64KB
-
memory/5760-125-0x00007FFD62A90000-0x00007FFD62AA0000-memory.dmpFilesize
64KB
-
memory/5760-124-0x00007FFD62A90000-0x00007FFD62AA0000-memory.dmpFilesize
64KB