Analysis
max time kernel: 150s
max time network: 109s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-04-2024 14:31

Static task: static1
Behavioral task: behavioral1
  Sample: 0566b2c00f7a1cfd66f62adddd6014a6_JaffaCakes118.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: 0566b2c00f7a1cfd66f62adddd6014a6_JaffaCakes118.exe
  Resource: win10v2004-20240419-en

General
Target: 0566b2c00f7a1cfd66f62adddd6014a6_JaffaCakes118.exe
Size: 512KB
MD5: 0566b2c00f7a1cfd66f62adddd6014a6
SHA1: 3add8370f307668dce587c7ae61a5f62a4db4995
SHA256: 1602a478584522bb56ee3d310e16e1df9449347a682fb4c37520e9ae5579c02e
SHA512: 9fed5b6548bcc1572e28f97294f7fdc35c4f8b98792be4e732272ecf35bfe3d3a4bf3083e31877c8135bebfbf9bb45c677767734a4e9b5a3d1d30f7be4a3c12c
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj62:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5J
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
Processes: gfuqxcklnj.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | gfuqxcklnj.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
Processes: gfuqxcklnj.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | gfuqxcklnj.exe
Windows security bypass (5 IoCs)
Processes: gfuqxcklnj.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | gfuqxcklnj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | gfuqxcklnj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | gfuqxcklnj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | gfuqxcklnj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | gfuqxcklnj.exe
Disables RegEdit via registry modification (1 IoC)
Processes: gfuqxcklnj.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | gfuqxcklnj.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Processes: 0566b2c00f7a1cfd66f62adddd6014a6_JaffaCakes118.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation | 0566b2c00f7a1cfd66f62adddd6014a6_JaffaCakes118.exe
Executes dropped EXE (5 IoCs)
Processes: pmvcbhofwjnqxdv.exe, gfuqxcklnj.exe, ejsyacrt.exe, hrescuevlrkhn.exe, ejsyacrt.exe
pid | process
2900 | pmvcbhofwjnqxdv.exe
704 | gfuqxcklnj.exe
1856 | ejsyacrt.exe
3796 | hrescuevlrkhn.exe
364 | ejsyacrt.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.

Windows security modification (6 IoCs)
Processes: gfuqxcklnj.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | gfuqxcklnj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | gfuqxcklnj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | gfuqxcklnj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | gfuqxcklnj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | gfuqxcklnj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | gfuqxcklnj.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
Processes: pmvcbhofwjnqxdv.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aicdzzxc = "pmvcbhofwjnqxdv.exe" | pmvcbhofwjnqxdv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "hrescuevlrkhn.exe" | pmvcbhofwjnqxdv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haeucljl = "gfuqxcklnj.exe" | pmvcbhofwjnqxdv.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: ejsyacrt.exe, gfuqxcklnj.exe, ejsyacrt.exe
description | ioc (drive roots opened, grouped per process) | process
File opened (read-only), 21 events | \??\a: \??\b: \??\e: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\o: \??\p: \??\q: \??\r: \??\s: \??\t: \??\v: \??\w: \??\x: \??\y: | gfuqxcklnj.exe
File opened (read-only), 43 events across both instances | \??\a: \??\b: \??\e: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\o: \??\p: \??\q: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z: | ejsyacrt.exe
Modifies WinLogon (2 TTPs, 2 IoCs)
Processes: gfuqxcklnj.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | gfuqxcklnj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | gfuqxcklnj.exe
AutoIT Executable (11 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/4928-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
C:\Windows\SysWOW64\pmvcbhofwjnqxdv.exe | autoit_exe
C:\Windows\SysWOW64\hrescuevlrkhn.exe | autoit_exe
C:\Windows\SysWOW64\ejsyacrt.exe | autoit_exe
C:\Windows\SysWOW64\gfuqxcklnj.exe | autoit_exe
\??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | autoit_exe
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | autoit_exe
C:\Users\Admin\Documents\StopGrant.doc.exe | autoit_exe
C:\Users\Admin\Downloads\SelectAssert.doc.exe | autoit_exe
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | autoit_exe
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | autoit_exe
Drops file in System32 directory (13 IoCs)
Processes: gfuqxcklnj.exe, ejsyacrt.exe, ejsyacrt.exe, 0566b2c00f7a1cfd66f62adddd6014a6_JaffaCakes118.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | gfuqxcklnj.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | ejsyacrt.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | ejsyacrt.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | ejsyacrt.exe
File opened for modification | C:\Windows\SysWOW64\pmvcbhofwjnqxdv.exe | 0566b2c00f7a1cfd66f62adddd6014a6_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\hrescuevlrkhn.exe | 0566b2c00f7a1cfd66f62adddd6014a6_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\hrescuevlrkhn.exe | 0566b2c00f7a1cfd66f62adddd6014a6_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\ejsyacrt.exe | 0566b2c00f7a1cfd66f62adddd6014a6_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\ejsyacrt.exe | 0566b2c00f7a1cfd66f62adddd6014a6_JaffaCakes118.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | ejsyacrt.exe
File created | C:\Windows\SysWOW64\gfuqxcklnj.exe | 0566b2c00f7a1cfd66f62adddd6014a6_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\gfuqxcklnj.exe | 0566b2c00f7a1cfd66f62adddd6014a6_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\pmvcbhofwjnqxdv.exe | 0566b2c00f7a1cfd66f62adddd6014a6_JaffaCakes118.exe
Drops file in Program Files directory (14 IoCs)
Processes: ejsyacrt.exe, ejsyacrt.exe
description | ioc | process
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | ejsyacrt.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ejsyacrt.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | ejsyacrt.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ejsyacrt.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | ejsyacrt.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ejsyacrt.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ejsyacrt.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ejsyacrt.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ejsyacrt.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ejsyacrt.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ejsyacrt.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ejsyacrt.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | ejsyacrt.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ejsyacrt.exe
Drops file in Windows directory (19 IoCs)
Processes: ejsyacrt.exe, ejsyacrt.exe, WINWORD.EXE, 0566b2c00f7a1cfd66f62adddd6014a6_JaffaCakes118.exe
description | ioc | process
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | ejsyacrt.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | ejsyacrt.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | ejsyacrt.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | ejsyacrt.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | ejsyacrt.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | ejsyacrt.exe
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | ejsyacrt.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | ejsyacrt.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | ejsyacrt.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | ejsyacrt.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | ejsyacrt.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | ejsyacrt.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | ejsyacrt.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | ejsyacrt.exe
File opened for modification | C:\Windows\mydoc.rtf | 0566b2c00f7a1cfd66f62adddd6014a6_JaffaCakes118.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | ejsyacrt.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | ejsyacrt.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: WINWORD.EXE
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Modifies registry class (20 IoCs)
Processes: 0566b2c00f7a1cfd66f62adddd6014a6_JaffaCakes118.exe, gfuqxcklnj.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33442C7E9D2C82276D3476D370562CAB7D8064AA" | 0566b2c00f7a1cfd66f62adddd6014a6_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | gfuqxcklnj.exe
Key created | \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000_Classes\Local Settings | 0566b2c00f7a1cfd66f62adddd6014a6_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | gfuqxcklnj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | gfuqxcklnj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | gfuqxcklnj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | gfuqxcklnj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BB5FAB9FE6BF1E3830B3B3286ED3997B38802FE43660238E2BD429D09D3" | 0566b2c00f7a1cfd66f62adddd6014a6_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF9FCFC485C82129142D65B7D90BC92E147584567356336D79A" | 0566b2c00f7a1cfd66f62adddd6014a6_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | gfuqxcklnj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | gfuqxcklnj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | gfuqxcklnj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB7B120449438EB53CFBAD133E8D4BB" | 0566b2c00f7a1cfd66f62adddd6014a6_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1838C67815E1DABFB9CE7F97EC9634CA" | 0566b2c00f7a1cfd66f62adddd6014a6_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | gfuqxcklnj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | gfuqxcklnj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | gfuqxcklnj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | gfuqxcklnj.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 0566b2c00f7a1cfd66f62adddd6014a6_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7866BB4FE1822DDD273D0A28A089166" | 0566b2c00f7a1cfd66f62adddd6014a6_JaffaCakes118.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes: WINWORD.EXE
pid | process
1220 | WINWORD.EXE (2 events)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: 0566b2c00f7a1cfd66f62adddd6014a6_JaffaCakes118.exe, pmvcbhofwjnqxdv.exe, hrescuevlrkhn.exe, ejsyacrt.exe, gfuqxcklnj.exe, ejsyacrt.exe
pid | process (repeated events collapsed to one row per PID)
4928 | 0566b2c00f7a1cfd66f62adddd6014a6_JaffaCakes118.exe
2900 | pmvcbhofwjnqxdv.exe
3796 | hrescuevlrkhn.exe
1856 | ejsyacrt.exe
704 | gfuqxcklnj.exe
364 | ejsyacrt.exe
Suspicious use of FindShellTrayWindow (18 IoCs)
Processes: 0566b2c00f7a1cfd66f62adddd6014a6_JaffaCakes118.exe, pmvcbhofwjnqxdv.exe, hrescuevlrkhn.exe, ejsyacrt.exe, gfuqxcklnj.exe, ejsyacrt.exe
pid | process (3 events each)
4928 | 0566b2c00f7a1cfd66f62adddd6014a6_JaffaCakes118.exe
2900 | pmvcbhofwjnqxdv.exe
3796 | hrescuevlrkhn.exe
1856 | ejsyacrt.exe
704 | gfuqxcklnj.exe
364 | ejsyacrt.exe
Suspicious use of SendNotifyMessage (18 IoCs)
Processes: 0566b2c00f7a1cfd66f62adddd6014a6_JaffaCakes118.exe, pmvcbhofwjnqxdv.exe, hrescuevlrkhn.exe, ejsyacrt.exe, gfuqxcklnj.exe, ejsyacrt.exe
pid | process (3 events each)
4928 | 0566b2c00f7a1cfd66f62adddd6014a6_JaffaCakes118.exe
2900 | pmvcbhofwjnqxdv.exe
3796 | hrescuevlrkhn.exe
1856 | ejsyacrt.exe
704 | gfuqxcklnj.exe
364 | ejsyacrt.exe
Suspicious use of SetWindowsHookEx (7 IoCs)
Processes: WINWORD.EXE
pid | process
1220 | WINWORD.EXE (7 events)
Suspicious use of WriteProcessMemory (17 IoCs)
Processes: 0566b2c00f7a1cfd66f62adddd6014a6_JaffaCakes118.exe, gfuqxcklnj.exe
description | pid | process | target process | events
PID 4928 wrote to memory of 704 | 4928 | 0566b2c00f7a1cfd66f62adddd6014a6_JaffaCakes118.exe | gfuqxcklnj.exe | 3
PID 4928 wrote to memory of 2900 | 4928 | 0566b2c00f7a1cfd66f62adddd6014a6_JaffaCakes118.exe | pmvcbhofwjnqxdv.exe | 3
PID 4928 wrote to memory of 1856 | 4928 | 0566b2c00f7a1cfd66f62adddd6014a6_JaffaCakes118.exe | ejsyacrt.exe | 3
PID 4928 wrote to memory of 3796 | 4928 | 0566b2c00f7a1cfd66f62adddd6014a6_JaffaCakes118.exe | hrescuevlrkhn.exe | 3
PID 4928 wrote to memory of 1220 | 4928 | 0566b2c00f7a1cfd66f62adddd6014a6_JaffaCakes118.exe | WINWORD.EXE | 2
PID 704 wrote to memory of 364 | 704 | gfuqxcklnj.exe | ejsyacrt.exe | 3
Processes
C:\Users\Admin\AppData\Local\Temp\0566b2c00f7a1cfd66f62adddd6014a6_JaffaCakes118.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0566b2c00f7a1cfd66f62adddd6014a6_JaffaCakes118.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\gfuqxcklnj.exe (level 2)
    Command line: gfuqxcklnj.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\ejsyacrt.exe (level 3)
      Command line: C:\Windows\system32\ejsyacrt.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\pmvcbhofwjnqxdv.exe (level 2)
    Command line: pmvcbhofwjnqxdv.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\ejsyacrt.exe (level 2)
    Command line: ejsyacrt.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\hrescuevlrkhn.exe (level 2)
    Command line: hrescuevlrkhn.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (level 2)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network

MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Modify Registry (6)
  Impair Defenses (2)
    Disable or Modify Tools (2)
Downloads
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
  Filesize: 512KB
  MD5: adec5fd78ab7665b296794f504b3db2c
  SHA1: 55aa60ce3f9fa1c763a38e45997458082afc0300
  SHA256: f0c574fc58cb553032ed18cf7cc740a28077a8064dd7d4bb73e67bbaa733d7e7
  SHA512: 5b1dca347422923f1d879e76024740f474c9b14dc117c42086d46c415d9bc8d50c8d9172427dacd67e1c936ef861b6f94cae321868102a9156f46fef5d4ed6b8

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
  Filesize: 247B
  MD5: 1b529425a37b1334b8b33ebd890269a4
  SHA1: 84768e6475b45e3431d5dd62968dde9b92bcb799
  SHA256: 774609fb895e024729e533b8420e732453a0f7ad9cc4599a871157b4f2ca0440
  SHA512: 8d82cb100fb6e979061a2a86aedf2f77de9bb5abf4431ed7add5c75d04988a3cd747119ade26856e8c2fdf7fe75e6aedf0025f2015e525b6835c80cfa2eff295

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 3KB
  MD5: 4ab1cca57b20d43c085cca209bfcb6e4
  SHA1: 72cac146b61d15f13edbf4db116135fc57b1b763
  SHA256: 26ef78fe86dc3bcdfa7ecab5968869aa1724d0fcae8c9b4c7e4b70f2766c7fbb
  SHA512: beda4c70fc7fc6daa2d9e302569e8c0ccbc228edb59d11ad5484440f5ab07ccce26570bf219bb4595c0b5e464156fda55c739ee5110f5e985df11cf0660feb0d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 3KB
  MD5: a1ceaaf1d7852bd2d9b3d8262c6a0a2e
  SHA1: 65db2629a39ec3dd7a06e347a7714b2b94fb1078
  SHA256: 30444c9ee7d2d77046683b9898f00e70b216eaa5dc39181f9039ee40c2e27690
  SHA512: 7476d10ecaf809b85dd15bda17c9e1b9cdbb270ac60c874af8f3ab5bff8a57ec460eda66ec8a609770a95a649e73d3e4caedf5d53513fc2f0ec838e433ffe75f
C:\Users\Admin\Documents\StopGrant.doc.exe
  Filesize: 512KB
  MD5: 38219792e080a92f9c4a2500d0cfa96e
  SHA1: d2eb3a5b65f025a3cad9872dacacc42e4a8ed6df
  SHA256: f7497eacbf654b358bd81361aaa3ab29b0cc432a86eaea2ae123abfdc656e300
  SHA512: ac5e1c98114604142f69a97f7dab290b394ea82a6f64b033839c9482ce56b037ae22b7601f58af02d234702df76d62978c01f07bac995ce8ba2d2187441011d6

C:\Users\Admin\Downloads\SelectAssert.doc.exe
  Filesize: 512KB
  MD5: b9da1248da930fe67636376851113a66
  SHA1: 8c6bdcdfe0a279b8c25724ef8fad6309f2848e3f
  SHA256: 69de2ca1f8486c815d3596de87e8838291218bf1d1984101acd2974b92b0dbc4
  SHA512: 49de245601f6064fa026fd679108437f7f3a18c9e55da341421f394737627ef12e2dfb836ef24910c9b593481d5b78bbfd65b986ade7476827fe6e8709d553e3

C:\Windows\SysWOW64\ejsyacrt.exe
  Filesize: 512KB
  MD5: 2ab2ace54e8c77c62e18e9402b2918c4
  SHA1: 12ecc8156e395244b79c83d17d9b17da6ecf0140
  SHA256: 1e4e5be4a1fe572b880cdd844b961661c4123c6816e8629a7933527d5d5fab5a
  SHA512: c2baa70677dde4b6b1045ca7560a0c02d6e8b9c34a506b972ff83bae554ba55ade5b1f7d05a12828a5ec99523677c44a8e2babb3ccadaabdc0531dfc22b267f7

C:\Windows\SysWOW64\gfuqxcklnj.exe
  Filesize: 512KB
  MD5: 1621bc3bdcbbb70bcb6dc6e9d53f7a0e
  SHA1: 812ee0dbc2d698ebd05fc040be248d669375a07e
  SHA256: 1684013c637b0bdaade299970f10bf9981c98def7e3d582dd3a67850a08b171b
  SHA512: 472a9e48afedd2ae1afafc1ce25e58f093a744203b1d6157f1f973e7a75c9b7957b5a2164183329b5082fc04857820425581e443d8aa8c805defbe66f1b68ebd

C:\Windows\SysWOW64\hrescuevlrkhn.exe
  Filesize: 512KB
  MD5: af990e3da8d78abd066971fa4a28774b
  SHA1: d2132c172b16ff04d869c9a8b251ac0fea4d3db9
  SHA256: 0332b16cba63fce559185eba0a5da07068807b4f4da889b5660dfaba1764ae96
  SHA512: c043bcd91dcf4f026f7b8a45b0abc50652c201cf58c68891afc1ee89d1d18d0e368a6e7a3a624452886b17f7f6cc5961357f1af9709ab7a632689481ff78564d

C:\Windows\SysWOW64\pmvcbhofwjnqxdv.exe
  Filesize: 512KB
  MD5: fab7752f61d1db185ce6cefc2f008778
  SHA1: 4fa8f542b8ab68004232e9f88264d2e6d2be4ab1
  SHA256: f4d6ed09dab51bb5cafb28dbbc6b34820901d9a184d69db49e7112810459dfc2
  SHA512: 1e78b79fe90b81123fcf7801c00328644168d1204c682044a4fe03b2452d1ef287947ce8fed36662989254e8ce8de62ce603dbbe471cc411c33082fb1dcd2881
C:\Windows\mydoc.rtf
  Filesize: 223B
  MD5: 06604e5941c126e2e7be02c5cd9f62ec
  SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
  SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
  SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

\??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
  Filesize: 512KB
  MD5: d21883502e8f685bdd8580f217373efb
  SHA1: 0cbd59daf090c87017b95bca34a828c6cf53dd15
  SHA256: 29e5638f2ccc46195207cb6224a7e0a6a5614cd1bd6beeaeaf3f2a314756ec45
  SHA512: e50e9a952c051398e85ffdea269d7080b5656d0bb508406ca9c8c6ba44ce81e6556046a2aadbae35de841356e8fda366d87c44affbccd93c8484e8eed32454a6

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
  Filesize: 512KB
  MD5: babacf38ace6fd66ce7405e65bc82bd5
  SHA1: 118f6a8bbfff6f9e154551e162e8fd80e8e42c5c
  SHA256: 55506da9ffbfa872c9ff860f87e7664d5ba774ed734dbc50e1ba472a835e26b9
  SHA512: 061795183aa372fb5292b9684e561657819ada2882b4c4e690e23417264f3e312ed3e2d7659da2a7bb1d1fa7aa5e76338a8638d654418544b43031d10e418246

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
  Filesize: 512KB
  MD5: db5ad16133aca03e78a9499bafa36f46
  SHA1: ccfbb0f72ad7d842127def50558eaf78aab61b8a
  SHA256: 4ac69fbb9fadfdb2c146923d111f8d82953935aeddb71c523184a26ea0dc70c1
  SHA512: 71ac73a91cff011ae41cf360e9fc945a557a997fb151f6dc29f4d98cb765fd39e1befd82fae85ba7d2055373335452330a32c1429bc1ce606f2733ad71fc7acf
Memory dumps
memory/1220-40-0x00007FFB8EC20000-0x00007FFB8EC30000-memory.dmp (Filesize: 64KB)
memory/1220-39-0x00007FFB91470000-0x00007FFB91480000-memory.dmp (Filesize: 64KB)
memory/1220-36-0x00007FFB91470000-0x00007FFB91480000-memory.dmp (Filesize: 64KB)
memory/1220-38-0x00007FFB91470000-0x00007FFB91480000-memory.dmp (Filesize: 64KB)
memory/1220-37-0x00007FFB91470000-0x00007FFB91480000-memory.dmp (Filesize: 64KB)
memory/1220-35-0x00007FFB91470000-0x00007FFB91480000-memory.dmp (Filesize: 64KB)
memory/1220-41-0x00007FFB8EC20000-0x00007FFB8EC30000-memory.dmp (Filesize: 64KB)
memory/1220-131-0x00007FFB91470000-0x00007FFB91480000-memory.dmp (Filesize: 64KB)
memory/1220-132-0x00007FFB91470000-0x00007FFB91480000-memory.dmp (Filesize: 64KB)
memory/1220-130-0x00007FFB91470000-0x00007FFB91480000-memory.dmp (Filesize: 64KB)
memory/1220-129-0x00007FFB91470000-0x00007FFB91480000-memory.dmp (Filesize: 64KB)
memory/4928-0-0x0000000000400000-0x0000000000496000-memory.dmp (Filesize: 600KB)