Analysis
- Max time kernel: 149s
- Max time network: 109s
- Platform: windows10-2004_x64
- Resource: win10v2004-20240419-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 28-04-2024 14:03
Tasks:
- Static task: static1
- Behavioral task: behavioral1 (sample 055a91a2ebd997290d63f17da8f85f8a_JaffaCakes118.exe, resource win7-20240221-en)
- Behavioral task: behavioral2 (sample 055a91a2ebd997290d63f17da8f85f8a_JaffaCakes118.exe, resource win10v2004-20240419-en)
General
- Target: 055a91a2ebd997290d63f17da8f85f8a_JaffaCakes118.exe
- Size: 512KB
- MD5: 055a91a2ebd997290d63f17da8f85f8a
- SHA1: 17b55dfe9845db9ba1794bd7e53aeceab5f54519
- SHA256: cf17d95662970c325b799cec8ae15506f29b2c663c2b9d603672e8feb5adfcdd
- SHA512: f7c2f11168a5b4c20869b7c3dc9426c78d0b5b2bbcf06c1a5a2f8a3b3d78ab1e0a93500e2197d271de7576b96615ca6984a8e95be0fc8211e6ac823d0fbbced9
- SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6k:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5p
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
Processes:
- Set value (int): \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (khsnapesgv.exe)
-
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
Processes:
- Set value (int): \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (khsnapesgv.exe)
-
Windows security bypass (5 IoCs)
Processes:
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (khsnapesgv.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (khsnapesgv.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (khsnapesgv.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (khsnapesgv.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (khsnapesgv.exe)
-
Disables RegEdit via registry modification (1 IoC)
Processes:
- Set value (int): \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (khsnapesgv.exe)
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
- Key value queried: \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation (055a91a2ebd997290d63f17da8f85f8a_JaffaCakes118.exe)
-
Executes dropped EXE (5 IoCs)
Processes (PID, process):
- 3948 khsnapesgv.exe
- 940 lenwwkqspvdcjdo.exe
- 516 gcevqcmg.exe
- 2284 fpkhnbqnxovwu.exe
- 1904 gcevqcmg.exe
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification (6 IoCs)
Processes:
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (khsnapesgv.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" (khsnapesgv.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (khsnapesgv.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (khsnapesgv.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (khsnapesgv.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (khsnapesgv.exe)
-
Adds Run key to start application (2 TTPs, 3 IoCs)
Processes:
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\eqimyepl = "lenwwkqspvdcjdo.exe" (lenwwkqspvdcjdo.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "fpkhnbqnxovwu.exe" (lenwwkqspvdcjdo.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\htbphlyu = "khsnapesgv.exe" (lenwwkqspvdcjdo.exe)
-
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes (each IoC is a "File opened (read-only)" on a path of the form \??\<letter>:):
- khsnapesgv.exe, 20 opens: b:, e:, g:, h:, i:, j:, k:, l:, m:, n:, p:, q:, r:, s:, t:, u:, v:, w:, y:, z:
- gcevqcmg.exe (both instances combined), 44 opens: a:, b:, e:, g:, h:, i:, j:, k:, l:, m:, n:, o:, p:, q:, r:, s:, t:, u:, v:, w:, x:, y:, z: (every letter opened twice except b: and u:, opened once each)
-
Modifies WinLogon (2 TTPs, 2 IoCs)
Processes:
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" (khsnapesgv.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" (khsnapesgv.exe)
-
AutoIT Executable (12 IoCs)
AutoIT scripts compiled to PE executables.
Resources matching YARA rule autoit_exe:
- behavioral2/memory/4684-0-0x0000000000400000-0x0000000000496000-memory.dmp
- C:\Windows\SysWOW64\lenwwkqspvdcjdo.exe
- C:\Windows\SysWOW64\khsnapesgv.exe
- C:\Windows\SysWOW64\fpkhnbqnxovwu.exe
- C:\Windows\SysWOW64\gcevqcmg.exe
- C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- C:\Users\Admin\AppData\Roaming\SubmitEnter.doc.exe
- C:\Users\Admin\Documents\RemoveCheckpoint.doc.exe
- C:\Users\Admin\Music\UninstallProtect.doc.exe
- \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
- \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
-
Drops file in System32 directory (12 IoCs)
Processes:
- File created: \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (gcevqcmg.exe)
- File opened for modification: \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (gcevqcmg.exe)
- File created: C:\Windows\SysWOW64\khsnapesgv.exe (055a91a2ebd997290d63f17da8f85f8a_JaffaCakes118.exe)
- File created: C:\Windows\SysWOW64\gcevqcmg.exe (055a91a2ebd997290d63f17da8f85f8a_JaffaCakes118.exe)
- File created: C:\Windows\SysWOW64\fpkhnbqnxovwu.exe (055a91a2ebd997290d63f17da8f85f8a_JaffaCakes118.exe)
- File opened for modification: C:\Windows\SysWOW64\fpkhnbqnxovwu.exe (055a91a2ebd997290d63f17da8f85f8a_JaffaCakes118.exe)
- File opened for modification: C:\Windows\SysWOW64\msvbvm60.dll (khsnapesgv.exe)
- File opened for modification: \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (gcevqcmg.exe)
- File opened for modification: C:\Windows\SysWOW64\khsnapesgv.exe (055a91a2ebd997290d63f17da8f85f8a_JaffaCakes118.exe)
- File created: C:\Windows\SysWOW64\lenwwkqspvdcjdo.exe (055a91a2ebd997290d63f17da8f85f8a_JaffaCakes118.exe)
- File opened for modification: C:\Windows\SysWOW64\lenwwkqspvdcjdo.exe (055a91a2ebd997290d63f17da8f85f8a_JaffaCakes118.exe)
- File opened for modification: C:\Windows\SysWOW64\gcevqcmg.exe (055a91a2ebd997290d63f17da8f85f8a_JaffaCakes118.exe)
-
Drops file in Program Files directory (15 IoCs)
Processes (all by gcevqcmg.exe):
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal
- File created: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal
- File opened for modification: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- File opened for modification: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- File created: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- File opened for modification: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- File opened for modification: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- File created: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
-
Drops file in Windows directory (19 IoCs)
Processes:
- File opened for modification: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (gcevqcmg.exe)
- File opened for modification: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (gcevqcmg.exe)
- File opened for modification: C:\Windows\mydoc.rtf (WINWORD.EXE)
- File opened for modification: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (gcevqcmg.exe)
- File created: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (gcevqcmg.exe)
- File opened for modification: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (gcevqcmg.exe)
- File opened for modification: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (gcevqcmg.exe)
- File created: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (gcevqcmg.exe)
- File created: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (gcevqcmg.exe)
- File created: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (gcevqcmg.exe)
- File opened for modification: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (gcevqcmg.exe)
- File created: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (gcevqcmg.exe)
- File opened for modification: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (gcevqcmg.exe)
- File created: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (gcevqcmg.exe)
- File created: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (gcevqcmg.exe)
- File opened for modification: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (gcevqcmg.exe)
- File opened for modification: C:\Windows\mydoc.rtf (055a91a2ebd997290d63f17da8f85f8a_JaffaCakes118.exe)
- File created: C:\Windows\~$mydoc.rtf (WINWORD.EXE)
- File created: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (gcevqcmg.exe)
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)
-
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
-
Modifies registry class (20 IoCs)
Processes:
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs (khsnapesgv.exe)
- Key created: \REGISTRY\MACHINE\Software\Classes\CLV.Classes (055a91a2ebd997290d63f17da8f85f8a_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AB9FAB1F963F2E7840C3B4A819A3E92B38F038B4313033AE1C4429D08A5" (055a91a2ebd997290d63f17da8f85f8a_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E78668B1FE6622D8D278D0A28B099016" (055a91a2ebd997290d63f17da8f85f8a_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1845C7091590DAB6B9CD7CE1EC9E34BE" (055a91a2ebd997290d63f17da8f85f8a_JaffaCakes118.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.bat (khsnapesgv.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc (khsnapesgv.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf (khsnapesgv.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB5B1294792389D52CFBAD13298D7BE" (055a91a2ebd997290d63f17da8f85f8a_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" (khsnapesgv.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh (khsnapesgv.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" (khsnapesgv.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33332C0B9D5183516A4677D070232DDD7DF265DF" (055a91a2ebd997290d63f17da8f85f8a_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E8CFCFE482B85199136D75A7E94BDE3E643593166416242D691" (055a91a2ebd997290d63f17da8f85f8a_JaffaCakes118.exe)
- Key created: \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings (055a91a2ebd997290d63f17da8f85f8a_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" (khsnapesgv.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.reg (khsnapesgv.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" (khsnapesgv.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" (khsnapesgv.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" (khsnapesgv.exe)
-
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes (PID, process, hits):
- 2380 WINWORD.EXE (2)
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (PID, process, hits):
- 4684 055a91a2ebd997290d63f17da8f85f8a_JaffaCakes118.exe (16)
- 940 lenwwkqspvdcjdo.exe (10)
- 3948 khsnapesgv.exe (10)
- 516 gcevqcmg.exe (8)
- 2284 fpkhnbqnxovwu.exe (12)
- 1904 gcevqcmg.exe (8)
-
Suspicious use of FindShellTrayWindow (18 IoCs)
Processes (PID, process, hits):
- 4684 055a91a2ebd997290d63f17da8f85f8a_JaffaCakes118.exe (3)
- 3948 khsnapesgv.exe (3)
- 940 lenwwkqspvdcjdo.exe (3)
- 2284 fpkhnbqnxovwu.exe (3)
- 516 gcevqcmg.exe (3)
- 1904 gcevqcmg.exe (3)
-
Suspicious use of SendNotifyMessage (18 IoCs)
Processes (PID, process, hits):
- 4684 055a91a2ebd997290d63f17da8f85f8a_JaffaCakes118.exe (3)
- 3948 khsnapesgv.exe (3)
- 940 lenwwkqspvdcjdo.exe (3)
- 2284 fpkhnbqnxovwu.exe (3)
- 516 gcevqcmg.exe (3)
- 1904 gcevqcmg.exe (3)
-
Suspicious use of SetWindowsHookEx (7 IoCs)
Processes (PID, process, hits):
- 2380 WINWORD.EXE (7)
-
Suspicious use of WriteProcessMemory (17 IoCs)
Processes (source PID and process, target PID and process, hits):
- 4684 055a91a2ebd997290d63f17da8f85f8a_JaffaCakes118.exe wrote to memory of 3948 khsnapesgv.exe (3)
- 4684 055a91a2ebd997290d63f17da8f85f8a_JaffaCakes118.exe wrote to memory of 940 lenwwkqspvdcjdo.exe (3)
- 4684 055a91a2ebd997290d63f17da8f85f8a_JaffaCakes118.exe wrote to memory of 516 gcevqcmg.exe (3)
- 4684 055a91a2ebd997290d63f17da8f85f8a_JaffaCakes118.exe wrote to memory of 2284 fpkhnbqnxovwu.exe (3)
- 4684 055a91a2ebd997290d63f17da8f85f8a_JaffaCakes118.exe wrote to memory of 2380 WINWORD.EXE (2)
- 3948 khsnapesgv.exe wrote to memory of 1904 gcevqcmg.exe (3)
Processes (tree; PIDs as reported in the signatures above)
- C:\Users\Admin\AppData\Local\Temp\055a91a2ebd997290d63f17da8f85f8a_JaffaCakes118.exe (depth 1, PID 4684)
  Command line: "C:\Users\Admin\AppData\Local\Temp\055a91a2ebd997290d63f17da8f85f8a_JaffaCakes118.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\khsnapesgv.exe (depth 2, PID 3948)
    Command line: khsnapesgv.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\gcevqcmg.exe (depth 3, PID 1904)
      Command line: C:\Windows\system32\gcevqcmg.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\lenwwkqspvdcjdo.exe (depth 2, PID 940)
    Command line: lenwwkqspvdcjdo.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\gcevqcmg.exe (depth 2, PID 516)
    Command line: gcevqcmg.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\fpkhnbqnxovwu.exe (depth 2, PID 2284)
    Command line: fpkhnbqnxovwu.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (depth 2, PID 2380)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v13)
- Persistence
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)
- Defense Evasion
  - Hide Artifacts (2)
    - Hidden Files and Directories (2)
  - Modify Registry (6)
  - Impair Defenses (2)
    - Disable or Modify Tools (2)