Analysis

max time kernel: 150s
max time network: 109s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-04-2024 16:49

Static task: static1

Behavioral task: behavioral1
- Sample: 05a37a23d825f72a3f83a031a21d928f_JaffaCakes118.exe
- Resource: win7-20240419-en

Behavioral task: behavioral2
- Sample: 05a37a23d825f72a3f83a031a21d928f_JaffaCakes118.exe
- Resource: win10v2004-20240419-en

The signatures, process tree and downloads below are from behavioral2: the platform is windows10-2004_x64 and the memory dump and YARA matches are tagged behavioral2/.
General

- Target: 05a37a23d825f72a3f83a031a21d928f_JaffaCakes118.exe
- Size: 512KB
- MD5: 05a37a23d825f72a3f83a031a21d928f
- SHA1: 6e7dc18228906cf9077c56e5b6938cb55131aef6
- SHA256: 6ee1815fb67ed5f8f91e26937332f4388fb37e6b8c5cc51b54b89ba607362216
- SHA512: 9c546ee4b495abccce5cb9368a40783d1cc47618795d16ef7b6dfb6df0829432b26a2bacf39c83f1e4aeb421f71864a47dfde8c688e8ea58ef6ef27b4ee19b09
- SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6Y:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5d
Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
Processes: qaqxdwvzbq.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (qaqxdwvzbq.exe)

Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes: qaqxdwvzbq.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (qaqxdwvzbq.exe)

Read together, these two values matter for the drops listed further down: with HideFileExt = 1 a file named PROTTPLV.DOC.exe is shown in Explorer as PROTTPLV.DOC, and with ShowSuperHidden = 0 files carrying the hidden+system attributes stay invisible even when "show hidden files" is on.
Windows security bypass 5 IoCs
Processes: qaqxdwvzbq.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (qaqxdwvzbq.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (qaqxdwvzbq.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (qaqxdwvzbq.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (qaqxdwvzbq.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (qaqxdwvzbq.exe)

These are the legacy Security Center values that suppress the "no antivirus / firewall off / updates disabled" notifications. They land under WOW6432Node because qaqxdwvzbq.exe is a 32-bit process running from SysWOW64, so a hunt that only reads the 64-bit view of HKLM\SOFTWARE\Microsoft\Security Center will miss them.
Disables RegEdit via registry modification 1 IoCs
Processes: qaqxdwvzbq.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (qaqxdwvzbq.exe)

This is the per-user policy that makes regedit.exe refuse to open ("Registry editing has been disabled by your administrator"). It is written under the user's hive, so it affects that account only, and it does not stop reg.exe or PowerShell from reading or reverting the keys during cleanup.
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 05a37a23d825f72a3f83a031a21d928f_JaffaCakes118.exe
- Key value queried \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation (05a37a23d825f72a3f83a031a21d928f_JaffaCakes118.exe)
Executes dropped EXE 5 IoCs
Processes: qaqxdwvzbq.exe, lekxzpggdbikmjv.exe, ctinkkst.exe, bffwodjelawvk.exe, ctinkkst.exe
- PID 3412 qaqxdwvzbq.exe
- PID 3652 lekxzpggdbikmjv.exe
- PID 1032 ctinkkst.exe
- PID 1088 bffwodjelawvk.exe
- PID 4080 ctinkkst.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
(No IoC rows are recorded for this signature.)

Windows security modification 6 IoCs
Processes: qaqxdwvzbq.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (qaqxdwvzbq.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (qaqxdwvzbq.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" (qaqxdwvzbq.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (qaqxdwvzbq.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (qaqxdwvzbq.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (qaqxdwvzbq.exe)

The same five Security Center values as in "Windows security bypass" plus FirstRunDisabled; the two signatures fire on one set of writes.
Adds Run key to start application 2 TTPs 3 IoCs
Processes: lekxzpggdbikmjv.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\crrhtrdo = "qaqxdwvzbq.exe" (lekxzpggdbikmjv.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xupoplen = "lekxzpggdbikmjv.exe" (lekxzpggdbikmjv.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "bffwodjelawvk.exe" (lekxzpggdbikmjv.exe)

Three points for detection: the value names are random (crrhtrdo, xupoplen) and the third is the key's unnamed default value (the trailing backslash in the path); the data is a bare file name with no directory, which is rare for legitimate Run entries; and the key is the WOW6432Node view, which a 64-bit-only autoruns query can miss. The persistence is written by lekxzpggdbikmjv.exe, not by the component it starts.
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: ctinkkst.exe, qaqxdwvzbq.exe, ctinkkst.exe
All 64 rows have the form "File opened (read-only) \??\<letter>: <process>"; grouped by process:
- qaqxdwvzbq.exe: 23 opens, one each for a: b: e: g: h: i: j: k: l: m: n: o: p: q: r: s: t: u: v: w: x: y: z:
- ctinkkst.exe (PIDs 1032 and 4080 combined): 41 opens over the same 23 letters (a: b: e: g: h: i: k: l: m: n: o: p: q: t: u: v: x: y: twice each, j: r: s: w: z: once)
Only c:, d: and f: are never probed; every other letter is tried, the sweep of a worm looking for removable or mapped drives to copy itself to.
Modifies WinLogon 2 TTPs 2 IoCs
Processes: qaqxdwvzbq.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" (qaqxdwvzbq.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" (qaqxdwvzbq.exe)

4294967197 is 0xFFFFFF9D, the value that switched off Windows File Protection on Windows 2000/XP. Windows 10 uses Windows Resource Protection and ignores SFCDisable/SFCScan, so on this platform the write is an old trick with no effect, but it is still a high-fidelity indicator: nothing legitimate sets these values.
AutoIT Executable 8 IoCs
AutoIT scripts compiled to PE executables.
Matches (yara_rule autoit_exe):
- behavioral2/memory/2964-0-0x0000000000400000-0x0000000000496000-memory.dmp
- C:\Windows\SysWOW64\lekxzpggdbikmjv.exe
- C:\Windows\SysWOW64\ctinkkst.exe
- C:\Windows\SysWOW64\bffwodjelawvk.exe
- C:\Windows\SysWOW64\qaqxdwvzbq.exe
- C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
- \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
The parent's in-memory image and every dropped copy match the same rule: the dropped files are compiled AutoIt binaries like the parent, not unrelated payloads.
Drops file in System32 directory 13 IoCs
Processes: 05a37a23d825f72a3f83a031a21d928f_JaffaCakes118.exe, qaqxdwvzbq.exe, ctinkkst.exe, ctinkkst.exe
Parent (05a37a23d825f72a3f83a031a21d928f_JaffaCakes118.exe), one "File created" and one "File opened for modification" row each (8 rows):
- C:\Windows\SysWOW64\qaqxdwvzbq.exe
- C:\Windows\SysWOW64\ctinkkst.exe
- C:\Windows\SysWOW64\lekxzpggdbikmjv.exe
- C:\Windows\SysWOW64\bffwodjelawvk.exe
qaqxdwvzbq.exe (1 row):
- File opened for modification C:\Windows\SysWOW64\msvbvm60.dll
ctinkkst.exe, both instances (2 "File created" and 2 "File opened for modification" rows):
- \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
msvbvm60.dll is the VB6 runtime; the row only records that it was opened for write, so on a live host compare its hash with a known-good copy before assuming it was altered.
Drops file in Program Files directory 14 IoCs
Processes: ctinkkst.exe, ctinkkst.exe
For each of PROTTPLN and PROTTPLV under C:\Program Files\Microsoft Office\root\Office16\1033\ (7 rows each):
- File created \??\c:\...\PROTTPLx.DOC.exe (1 row)
- File opened for modification PROTTPLx.DOC.exe (4 rows, 2 via the \??\c: form and 2 via C:)
- File opened for modification C:\...\PROTTPLx.nal (2 rows)
The names match documents Office installs in that directory; the sample writes a PE named <document>.DOC.exe beside them and touches a .nal file with the same base name. With HideFileExt set (see above) the .DOC.exe copy displays as PROTTPLV.DOC.
Drops file in Windows directory 19 IoCs
Processes: ctinkkst.exe, WINWORD.EXE, ctinkkst.exe, 05a37a23d825f72a3f83a031a21d928f_JaffaCakes118.exe
ctinkkst.exe (both instances) writes MsoIrmProtector.doc.exe into four WinSxS component directories, 2 "File created" and 2 "File opened for modification" rows each (16 rows; the directory names are truncated in the report and kept as shown):
- \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe
- \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe
- \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe
- \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe
Decoy document (3 rows):
- File opened for modification C:\Windows\mydoc.rtf (05a37a23d825f72a3f83a031a21d928f_JaffaCakes118.exe)
- File opened for modification C:\Windows\mydoc.rtf (WINWORD.EXE)
- File created C:\Windows\~$mydoc.rtf (WINWORD.EXE)
The file name borrows from the Windows rights-management component (MsoIrmProtector) that owns those directories; a .doc.exe next to it is the sample's copy. mydoc.rtf is the 223-byte decoy the parent writes and then opens in Word (see the WINWORD.EXE command line in the process tree).
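The three "Drops file" signatures describe one pattern: 512KB PE copies written with a document-style double extension (PROTTPLV.DOC.exe, MsoIrmProtector.doc.exe) next to real Office and Windows files, plus random-named copies in SysWOW64, every copy with its own hash. The following is an added example, not code from the sandbox vendor or from the sample, showing how to hunt for that pattern on a volume: flag any executable whose name hides behind a document suffix, confirm it really is a PE, and match digests against the SHA-256 values from this page's Downloads section. The directory tree it scans in demo() is constructed in a temporary directory from made-up bytes; no real sample is involved.

```python
"""Filesystem hunt for the dropped-file pattern in this report: PE copies with a
document-style double extension beside Office/WinSxS files, and random-named
copies in SysWOW64. Added example for this page, not the sandbox vendor's code.
KNOWN_SHA256 holds the SHA-256 values from the Downloads section; the tree that
demo() scans is built in a temp dir from constructed bytes (no real sample)."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

KNOWN_SHA256: Dict[str, str] = {  # from the report's Downloads section
    "6ee1815fb67ed5f8f91e26937332f4388fb37e6b8c5cc51b54b89ba607362216": "05a37a23d825f72a3f83a031a21d928f_JaffaCakes118.exe",
    "e17d526f479edf7117812f9c6405b4bab984b903bd684393ef5c1d9bccc5cd8b": "PROTTPLV.DOC.exe",
    "81ed9beb68be28aa564c64d845f56d039b7b3f989f9b289e0e43a998c66511df": "bffwodjelawvk.exe",
    "d5d53534c7b9c9cdf28aac5fe72d435c1128bb1825e6675ebc729d0cbbe60bc5": "ctinkkst.exe",
    "8e73ed298da22e648b8486bc81664a1ddf5fbba072fc605e9df356c6d358c4ab": "lekxzpggdbikmjv.exe",
    "267fe73757e97c9123e2507724cdea6ffe57e99e91d9d39c55ed0f9f4079a620": "qaqxdwvzbq.exe",
    "bc0a5e1cf67d36ae706331a5c2370f52303b6d3799eca482fc550cbd7d32b020": "MsoIrmProtector.doc.exe",
    "de925b86dea5950a552ce8cd56bbe928ab22c44164bfb32d5f4a95f6beb3fd07": "MsoIrmProtector.doc.exe",
}
DOC_EXTS = {".doc", ".docx", ".rtf", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif"}


def has_document_double_extension(name: str) -> bool:
    """True for names like PROTTPLV.DOC.exe: an executable suffix behind a document
    suffix. With Explorer's HideFileExt=1 (which this sample sets) it shows as PROTTPLV.DOC."""
    parts = name.lower().rsplit(".", 2)
    return len(parts) == 3 and "." + parts[2] in EXEC_EXTS and "." + parts[1] in DOC_EXTS


def is_pe(path: Path) -> bool:
    """Cheap header check: 'MZ' stub and a 'PE\\0\\0' signature at e_lfanew (offset 0x3C)."""
    with path.open("rb") as f:
        head = f.read(0x40)
        if len(head) < 0x40 or head[:2] != b"MZ":
            return False
        f.seek(int.from_bytes(head[0x3C:0x40], "little"))
        return f.read(4) == b"PE\0\0"


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt(root: str, known_sha256: Optional[Dict[str, str]] = None) -> List[dict]:
    """Walk root; hash only executable-suffixed files (keeps a full-volume sweep cheap) and
    flag a file when its name has a document double extension or its digest is a known copy."""
    known = KNOWN_SHA256 if known_sha256 is None else known_sha256
    findings: List[dict] = []
    for p in Path(root).rglob("*"):
        try:
            if not p.is_file() or p.suffix.lower() not in EXEC_EXTS:
                continue
            double = has_document_double_extension(p.name)
            digest = sha256_of(p)
            label = known.get(digest)
            if double or label:
                findings.append({"name": p.name, "path": str(p), "double_extension": double,
                                 "pe": is_pe(p), "sha256": digest, "known_as": label})
        except OSError:
            # WinSxS hard links and ACL-protected system files raise on a live host: skip, don't abort
            continue
    return findings


def fake_pe(tag: bytes, size: int = 0x400) -> bytes:
    """Bytes that satisfy is_pe() without being a loadable image: MZ stub whose e_lfanew
    points at a PE\\0\\0 signature at 0x80, a distinguishing tag, then zero padding."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)
    hdr[0x3C:0x40] = (0x80).to_bytes(4, "little")
    body = bytes(hdr) + b"\0" * (0x80 - len(hdr)) + b"PE\0\0" + tag
    return body + b"\0" * max(0, size - len(body))


def build_sample_tree(root: str) -> Dict[str, Path]:
    """Constructed look-alike tree using the report's paths: two double-extension PEs, one
    random-named PE in SysWOW64, one double-extension file that is NOT a PE, two benign files."""
    r = Path(root)
    files = {
        "office_copy": r / "Program Files/Microsoft Office/root/Office16/1033/PROTTPLV.DOC.exe",
        "msdrm_copy": r / "Windows/SysWOW64/MSDRM/MsoIrmProtector.doc.exe",
        "syswow_copy": r / "Windows/SysWOW64/qaqxdwvzbq.exe",
        "not_pe": r / "Users/Admin/Downloads/invoice.pdf.exe",
        "decoy_rtf": r / "Windows/mydoc.rtf",
        "benign_txt": r / "Users/Admin/Downloads/notes.doc.txt",
    }
    for key, p in files.items():
        p.parent.mkdir(parents=True, exist_ok=True)
        if key.endswith("_copy"):
            p.write_bytes(fake_pe(key.encode()))  # distinct tag -> distinct digest per copy
        else:
            p.write_text("plain text, not a PE")
    return files


def demo() -> List[dict]:
    """Build the tree, register the stand-in SysWOW64 copy's digest (constructed bytes cannot
    match the real hashes), hunt, and return the findings sorted by file name."""
    with tempfile.TemporaryDirectory() as tmp:
        files = build_sample_tree(tmp)
        known = dict(KNOWN_SHA256)
        known[sha256_of(files["syswow_copy"])] = "qaqxdwvzbq.exe (constructed stand-in)"
        return sorted(hunt(tmp, known), key=lambda f: f["name"])


if __name__ == "__main__":
    for f in demo():
        flag = "double-ext" if f["double_extension"] else "hash-match"
        print(f'{flag:10} pe={f["pe"]!s:5} {f["name"]:26} known_as={f["known_as"]}')
```

On a real host point hunt() at C:\ (or at the Office, SysWOW64 and WinSxS paths named in the signatures) and expect the name rule to find this sample's copies even though their hashes will not match the ones from this run. The non-PE invoice.pdf.exe in the demo tree is there to show why the header check is reported separately: a double extension alone is suspicious, a double extension on a valid PE is the sample's signature.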
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
(No IoC rows are recorded for this signature.)
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)

Enumerates system info in registry 2 TTPs 3 IoCs
Processes: WINWORD.EXE
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)

Both signatures are attributed to WINWORD.EXE, the legitimate Office binary the sample launched to display C:\Windows\mydoc.rtf, not to the sample or its drops. Treat these as Word's normal startup reads; the sample's own environment check on this page is the Geo\Nation query above.
Modifies registry class 20 IoCs
Processes: 05a37a23d825f72a3f83a031a21d928f_JaffaCakes118.exe, qaqxdwvzbq.exe
Parent (8 rows): creates its own class key and fills it with opaque hex strings (the report does not show what they encode).
- Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32422C799D5782576A4177D777202DAD7DF565D8"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AB9FAB1F966F291847A3A41869C3996B08B028F43610332E1BA42EA09D3"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB1B02E47E739EC53C5BAA033EFD4BB"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E88FFF84826826F9137D7587DE6BD93E147594666406241D79F"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F268B7FF6621D0D10FD1D38A7D9165"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1948C77414E2DAB4B9BB7CE8EDE234C7"
- Key created \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings
qaqxdwvzbq.exe (12 rows): for each of .bat, .wsh, .wsf, .reg, .wsc and .vbs, one "Key created \REGISTRY\MACHINE\SOFTWARE\Classes\<ext>" row and one "Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\<ext>\ = "txtfile"" row (the trailing backslash is the key's default value, i.e. the ProgID).
- .bat -> txtfile
- .WSH -> txtfile
- .WSF -> txtfile
- .reg -> txtfile
- .wsc -> txtfile
- .vbs -> txtfile

Remapping those ProgIDs to txtfile makes a double-clicked batch file, script or .reg fix open in Notepad instead of executing, which blocks the usual script-based cleanup. Restoring the original ProgIDs (batfile, VBSFile, WSFFile, WSHFile, scriptletfile, regfile) is part of remediation, and the six writes are a clean detection on their own.
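Every registry signature above (Explorer HideFileExt/ShowSuperHidden, the Security Center overrides, DisableRegistryTools, the Winlogon SFC values, the path-less Run values and the script-extension remap) is a SetValue that Sysmon records as Event ID 13. The following is an added example, not part of the report and not the sandbox vendor's code, that turns those IoCs into rules and runs them over Sysmon-shaped records. SAMPLE_EVENTS is constructed from the IoC rows on this page (the SID is the report's); the last four records are invented benign or non-SetValue rows that must not fire. The normalize() step folds the kernel-style \REGISTRY\MACHINE paths the sandbox prints and the WOW6432Node view the 32-bit droppers write through into one form, so a single rule matches both the report and a live Sysmon feed.

```python
r"""Registry-tamper detection built from the IoCs in this report.
Input: Sysmon Event ID 13 (RegistryEvent: SetValue) records in the dict shape
EVTX-to-JSON converters emit. Added example for this page, not the sandbox
vendor's code. SAMPLE_EVENTS is constructed from the report's IoC rows (SID is
the report's); the last four rows are invented and must not fire."""
import re
from typing import Any, Dict, List

SID = "S-1-5-21-3726321484-1950364574-433157660-1000"
HKCU = "HKU\\" + SID
# The droppers run from SysWOW64, so their HKLM\SOFTWARE writes go through the
# WOW6432Node view; Sysmon logs the redirected path.
SEC = r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Security Center"
WINLOGON = r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUN = r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run"
QAQ = r"C:\Windows\SysWOW64\qaqxdwvzbq.exe"
LEKX = r"C:\Windows\SysWOW64\lekxzpggdbikmjv.exe"


def _ev(image: str, target: str, details: str, event_id: int = 13) -> Dict[str, Any]:
    return {"EventID": event_id, "Image": image, "TargetObject": target, "Details": details}


SAMPLE_EVENTS: List[Dict[str, Any]] = [
    _ev(QAQ, HKCU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt", "DWORD (0x00000001)"),
    _ev(QAQ, HKCU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden", "DWORD (0x00000000)"),
    _ev(QAQ, SEC + r"\AntiVirusOverride", "DWORD (0x00000001)"),
    _ev(QAQ, SEC + r"\FirewallDisableNotify", "DWORD (0x00000001)"),
    _ev(QAQ, HKCU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools", "DWORD (0x00000001)"),
    _ev(QAQ, WINLOGON + r"\SFCDisable", "DWORD (0xFFFFFF9D)"),  # 4294967197 in the report
    _ev(QAQ, WINLOGON + r"\SFCScan", "DWORD (0x00000000)"),
    _ev(LEKX, RUN + r"\crrhtrdo", "qaqxdwvzbq.exe"),
    _ev(LEKX, RUN + r"\(Default)", "bffwodjelawvk.exe"),  # the unnamed Run value
    _ev(QAQ, r"HKLM\SOFTWARE\Classes\.bat\(Default)", "txtfile"),
    _ev(QAQ, r"HKLM\SOFTWARE\Classes\.vbs\(Default)", "txtfile"),
    # invented rows that must not fire
    _ev(r"C:\Windows\explorer.exe", HKCU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt", "DWORD (0x00000000)"),
    _ev(r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe", HKCU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
        r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    _ev(r"C:\Windows\System32\notepad.exe", r"HKLM\SOFTWARE\Classes\.txt\(Default)", "txtfile"),
    _ev(QAQ, r"HKLM\SOFTWARE\Classes\.reg", "", event_id=12),  # CreateKey, not SetValue
]

_DWORD_RE = re.compile(r"^(?:DWORD|QWORD) \((0x[0-9A-Fa-f]+)\)$")


def parse_details(details: str) -> Any:
    """Sysmon renders REG_DWORD/REG_QWORD as 'DWORD (0x00000001)'; REG_SZ is verbatim."""
    m = _DWORD_RE.match(details or "")
    return int(m.group(1), 16) if m else details


def normalize(target: str) -> str:
    r"""Fold sandbox-style \REGISTRY\MACHINE / \REGISTRY\USER into Sysmon's HKLM / HKU and
    drop the WOW6432Node hop so one rule covers the 32-bit and 64-bit views."""
    t = re.sub(r"^\\REGISTRY\\MACHINE", "HKLM", target, flags=re.I)
    t = re.sub(r"^\\REGISTRY\\USER", "HKU", t, flags=re.I)
    return re.sub(r"\\WOW6432Node(?=\\)", "", t, flags=re.I)


def _is(v: Any, n: int) -> bool:
    return isinstance(v, int) and v == n


# (rule name, ATT&CK technique, regex over the normalized TargetObject, predicate(match, value))
RULES = [
    ("Explorer hides file extensions (HideFileExt=1)", "T1564.001",
     re.compile(r"\\Explorer\\Advanced\\HideFileExt$", re.I), lambda m, v: _is(v, 1)),
    ("Explorer hides protected OS files (ShowSuperHidden=0)", "T1564.001",
     re.compile(r"\\Explorer\\Advanced\\ShowSuperHidden$", re.I), lambda m, v: _is(v, 0)),
    ("Security Center override / notification suppression", "T1562.001",
     re.compile(r"\\Microsoft\\Security Center\\(AntiVirusOverride|FirewallOverride|AntiVirusDisableNotify|"
                r"FirewallDisableNotify|UpdatesDisableNotify|FirstRunDisabled)$", re.I), lambda m, v: _is(v, 1)),
    ("Registry editor disabled by policy", "T1562.001",
     re.compile(r"\\Policies\\System\\DisableRegistryTools$", re.I), lambda m, v: _is(v, 1)),
    ("Winlogon SFC disabled or scan suppressed", "T1562.001",  # the sandbox files this key under T1547.004
     re.compile(r"\\Winlogon\\SFC(Disable|Scan)$", re.I),
     lambda m, v: isinstance(v, int) and (v != 0 if m.group(1).lower() == "disable" else v == 0)),
    ("Run value is a bare executable name (no path)", "T1547.001",
     re.compile(r"\\CurrentVersion\\Run\\[^\\]*$", re.I),
     lambda m, v: isinstance(v, str) and re.fullmatch(r"[\w.-]+\.exe", v, re.I) is not None),
    ("Script extension remapped to the txtfile handler", "T1112",
     re.compile(r"\\Classes\\\.(bat|cmd|vbs|vbe|js|jse|wsf|wsh|wsc|reg)\\\(Default\)$", re.I),
     lambda m, v: isinstance(v, str) and v.lower() == "txtfile"),
]


def detect(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return one hit per (SetValue record, matching rule)."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        target = normalize(ev["TargetObject"])
        value = parse_details(ev.get("Details", ""))
        for name, technique, pattern, pred in RULES:
            m = pattern.search(target)
            if m and pred(m, value):
                hits.append({"rule": name, "technique": technique, "image": ev["Image"],
                             "target": target, "value": value})
    return hits


def summarize(hits: List[Dict[str, Any]]) -> Dict[str, List[str]]:
    """Image -> sorted list of techniques it triggered (the triage view)."""
    by_image: Dict[str, set] = {}
    for h in hits:
        by_image.setdefault(h["image"], set()).add(h["technique"])
    return {img: sorted(t) for img, t in by_image.items()}


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for h in hits:
        image = h["image"].rsplit("\\", 1)[-1]
        print(f'{h["technique"]:10} {image:22} {h["rule"]:54} {h["target"]}')
    print(summarize(hits))
```

The Run rule deliberately keys on the data shape (a bare file name) rather than on the random value names, since the names change per infection while the path-less data is the constant. The SFC rule is tagged T1562.001 here; the sandbox's matrix counts the same write under Winlogon Helper DLL (T1547.004) because of the key it lives in.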
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes: WINWORD.EXE
- PID 3792 WINWORD.EXE (2 rows)

Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 05a37a23d825f72a3f83a031a21d928f_JaffaCakes118.exe, lekxzpggdbikmjv.exe, bffwodjelawvk.exe, qaqxdwvzbq.exe, ctinkkst.exe, ctinkkst.exe
Rows per PID:
- 2964 05a37a23d825f72a3f83a031a21d928f_JaffaCakes118.exe: 16
- 3652 lekxzpggdbikmjv.exe: 10
- 1088 bffwodjelawvk.exe: 12
- 3412 qaqxdwvzbq.exe: 10
- 1032 ctinkkst.exe: 8
- 4080 ctinkkst.exe: 8

Suspicious use of FindShellTrayWindow 18 IoCs
Processes: 05a37a23d825f72a3f83a031a21d928f_JaffaCakes118.exe, lekxzpggdbikmjv.exe, bffwodjelawvk.exe, qaqxdwvzbq.exe, ctinkkst.exe, ctinkkst.exe
- 3 rows each for PIDs 2964, 3652, 1088, 3412, 1032 and 4080

Suspicious use of SendNotifyMessage 18 IoCs
Processes: 05a37a23d825f72a3f83a031a21d928f_JaffaCakes118.exe, lekxzpggdbikmjv.exe, bffwodjelawvk.exe, qaqxdwvzbq.exe, ctinkkst.exe, ctinkkst.exe
- 3 rows each for PIDs 2964, 3652, 1088, 3412, 1032 and 4080

Suspicious use of SetWindowsHookEx 7 IoCs
Processes: WINWORD.EXE
- PID 3792 WINWORD.EXE (7 rows)

Suspicious use of WriteProcessMemory 17 IoCs
Processes: 05a37a23d825f72a3f83a031a21d928f_JaffaCakes118.exe, qaqxdwvzbq.exe
- PID 2964 (05a37a23d825f72a3f83a031a21d928f_JaffaCakes118.exe) wrote to memory of 3412 qaqxdwvzbq.exe (3 rows)
- PID 2964 wrote to memory of 3652 lekxzpggdbikmjv.exe (3 rows)
- PID 2964 wrote to memory of 1032 ctinkkst.exe (3 rows)
- PID 2964 wrote to memory of 1088 bffwodjelawvk.exe (3 rows)
- PID 2964 wrote to memory of 3792 WINWORD.EXE (2 rows)
- PID 3412 (qaqxdwvzbq.exe) wrote to memory of 4080 ctinkkst.exe (3 rows)
Every target is a direct child of the writer (compare the process tree below), the pattern process creation itself produces; no write into an unrelated process appears in the report. The FindShellTrayWindow/SendNotifyMessage rows are likewise the shell-notification traffic of ordinary AutoIt GUI startup, not an injection indicator on their own.
Processes
(PIDs are taken from the WriteProcessMemory rows above; the depth number is the tree level the report shows.)

- C:\Users\Admin\AppData\Local\Temp\05a37a23d825f72a3f83a031a21d928f_JaffaCakes118.exe (PID 2964, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\05a37a23d825f72a3f83a031a21d928f_JaffaCakes118.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\qaqxdwvzbq.exe (PID 3412, depth 2)
    Command line: qaqxdwvzbq.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\ctinkkst.exe (PID 4080, depth 3)
      Command line: C:\Windows\system32\ctinkkst.exe (the 32-bit parent's "system32" is redirected to SysWOW64 by WOW64, hence the image path)
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  - C:\Windows\SysWOW64\lekxzpggdbikmjv.exe (PID 3652, depth 2)
    Command line: lekxzpggdbikmjv.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  - C:\Windows\SysWOW64\ctinkkst.exe (PID 1032, depth 2)
    Command line: ctinkkst.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behav ior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  - C:\Windows\SysWOW64\bffwodjelawvk.exe (PID 1088, depth 2)
    Command line: bffwodjelawvk.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 3792, depth 2)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx

The division of labour is visible in the tree: the parent drops the four SysWOW64 copies and opens the decoy document in Word; qaqxdwvzbq.exe does the defence-evasion registry work and the drive sweep; lekxzpggdbikmjv.exe writes the Run keys; the two ctinkkst.exe instances plant the .DOC.exe / .doc.exe copies under Program Files, SysWOW64\MSDRM and WinSxS; bffwodjelawvk.exe shows no file or registry activity in this run.
Network
MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
- Boot or Logon Autostart Execution (T1547): 2
  - Registry Run Keys / Startup Folder (T1547.001): 1
  - Winlogon Helper DLL (T1547.004): 1

Privilege Escalation
- Boot or Logon Autostart Execution (T1547): 2
  - Registry Run Keys / Startup Folder (T1547.001): 1
  - Winlogon Helper DLL (T1547.004): 1

Defense Evasion
- Hide Artifacts (T1564): 2
  - Hidden Files and Directories (T1564.001): 2
- Modify Registry (T1112): 6
- Impair Defenses (T1562): 2
  - Disable or Modify Tools (T1562.001): 2
Downloads

Files written during the run. The parent and every dropped PE are 512KB, yet each carries a different hash, so the digests below identify only this run's artifacts; hunt on the paths, the double-extension names and the registry changes above rather than on hashes alone.

- C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
  Filesize: 512KB
  MD5: 3ccbc29b72542ae297e1db58a7ff365f
  SHA1: ec8dae76237258b59dcfa7b30a0b5189d737978c
  SHA256: e17d526f479edf7117812f9c6405b4bab984b903bd684393ef5c1d9bccc5cd8b
  SHA512: b17d9f07341f761dffb661ff4f8551db4ff51bf14db50a0cff9a5e07ab73553f748e7d443f902d058767c1de6b0e7c5c6461971c17cde04d7015be4947d0a3a9

- C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
  Filesize: 247B
  MD5: 1b529425a37b1334b8b33ebd890269a4
  SHA1: 84768e6475b45e3431d5dd62968dde9b92bcb799
  SHA256: 774609fb895e024729e533b8420e732453a0f7ad9cc4599a871157b4f2ca0440
  SHA512: 8d82cb100fb6e979061a2a86aedf2f77de9bb5abf4431ed7add5c75d04988a3cd747119ade26856e8c2fdf7fe75e6aedf0025f2015e525b6835c80cfa2eff295

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 3KB
  MD5: 334b9f2ac4e7dbded97cfc6a0491d309
  SHA1: bde2c1f66e62f831ced12b4b55a47c7076381462
  SHA256: c98201e4a79c07f42b02537599aa52ba816ce21bdac1fa9946ac035e7015307d
  SHA512: edb859647f97385f47e9e943ce22e212043d6e9fe3f2492e374ea3bc0e7ab3950dbfb972becbf4f5e61b38b9b9e3f0086e0000c29329181cdb1e639f9a0e954d

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms (second version)
  Filesize: 3KB
  MD5: 6eddc6f7e3d97f5865ca68a9ab90d2a9
  SHA1: c143687a44dbfa01e9c1d3defdc5a83cba485f05
  SHA256: 96c5b0688f7ae088810851bf97d5b695f0dcc55113d393f1adfc23e0542aa9fb
  SHA512: 1d4b3d068709ecb1c13ae22f9356306b3c6d3d859e5a901d92baadf1d4d25f09b824fe3acff0b0a244ea176898ee45d6122060630f6c580884b8ccf1f41563f4

- C:\Windows\SysWOW64\bffwodjelawvk.exe
  Filesize: 512KB
  MD5: 495349aeb25095417e2e5ffac48eb3c4
  SHA1: 43925dc8ac43cade186d6fa75face8e0b8457218
  SHA256: 81ed9beb68be28aa564c64d845f56d039b7b3f989f9b289e0e43a998c66511df
  SHA512: 8a8122c35bad01db42b52c3e9fc2d41c0a1e5db394b8eb9b566e2a8151ec2bdc13564484bc3bc800b21f3ad9cc895933ac4f3bd7b4d8ab07f9e5e631a437ee62

- C:\Windows\SysWOW64\ctinkkst.exe
  Filesize: 512KB
  MD5: 443d5a5bdd8b09277438eb7d725e165e
  SHA1: 7a4d5a94553ec3f957b11e0c9821471f7fa97a1f
  SHA256: d5d53534c7b9c9cdf28aac5fe72d435c1128bb1825e6675ebc729d0cbbe60bc5
  SHA512: 6a0782d67080311fa395c5cabf8aacf2333a8dd288b2586ee81d17763182863ff1da5822c93080c497fc801d806359d2db2865aaa576283857c5fe16563aa665

- C:\Windows\SysWOW64\lekxzpggdbikmjv.exe
  Filesize: 512KB
  MD5: 065072af8397bccf6eb472ba9e1fba71
  SHA1: c7ca294817d54ebdaa2cd35283ed24f5c4d54f79
  SHA256: 8e73ed298da22e648b8486bc81664a1ddf5fbba072fc605e9df356c6d358c4ab
  SHA512: 9283facf825157af0633e1c569945f0cd4a7a35bf099f560b10c0d1df8e5659efa0f3378c2ffe3a275d9c89971777b5131d5bed583a96f4a260368652e7f5a79

- C:\Windows\SysWOW64\qaqxdwvzbq.exe
  Filesize: 512KB
  MD5: bc43383fdf11c886a45eb3f1e3bf9e9e
  SHA1: 5d446d9708350eab07ec2bc745ccd5247b247b38
  SHA256: 267fe73757e97c9123e2507724cdea6ffe57e99e91d9d39c55ed0f9f4079a620
  SHA512: 5c3dd98d73036f66f0303c82bb630a37a743d3a07711c5a93d1dd0f9530f8706c6e250378d58557595780908ffbeadf85b6aeb789a6c28fdeb00836a0555cdd0

- C:\Windows\mydoc.rtf (decoy document opened in Word)
  Filesize: 223B
  MD5: 06604e5941c126e2e7be02c5cd9f62ec
  SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
  SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
  SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

- \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
  Filesize: 512KB
  MD5: 93782972f831335dfbdec53f109b3cb6
  SHA1: a175cd7bbf7f639a63f64adbb14ea07a0cc648df
  SHA256: bc0a5e1cf67d36ae706331a5c2370f52303b6d3799eca482fc550cbd7d32b020
  SHA512: a352e7edf53a649e71ecb743c763f232793e8b53ac11d06b365c1e611da4fd4680babf2c8e081350130f5e25fbc812994740213b581bf5c204ea99f81dcc9175

- \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (second version, written by the other ctinkkst.exe instance)
  Filesize: 512KB
  MD5: 188e1c3ae1f3b4b319b3654093204620
  SHA1: 17f6253db3dc8695dc0809b0fdba107462821007
  SHA256: de925b86dea5950a552ce8cd56bbe928ab22c44164bfb32d5f4a95f6beb3fd07
  SHA512: 9f39f12d12941d606083d50cf0a36d78873114102c705960a92d49d8d40cc056df8c5f378b856f730ba835e703c50f62b9541e48e8d5f01b0f69e3364fd6a507

Memory dumps:
- memory/2964-0-0x0000000000400000-0x0000000000496000-memory.dmp: 600KB (the parent's image region; this is the dump that matched the autoit_exe YARA rule)
- memory/3792-35-0x00007FFDD3070000-0x00007FFDD3080000-memory.dmp: 64KB
- memory/3792-36-0x00007FFDD3070000-0x00007FFDD3080000-memory.dmp: 64KB
- memory/3792-37-0x00007FFDD3070000-0x00007FFDD3080000-memory.dmp: 64KB
- memory/3792-38-0x00007FFDD3070000-0x00007FFDD3080000-memory.dmp: 64KB
- memory/3792-39-0x00007FFDD3070000-0x00007FFDD3080000-memory.dmp: 64KB
- memory/3792-40-0x00007FFDD0AF0000-0x00007FFDD0B00000-memory.dmp: 64KB
- memory/3792-41-0x00007FFDD0AF0000-0x00007FFDD0B00000-memory.dmp: 64KB
- memory/3792-112-0x00007FFDD3070000-0x00007FFDD3080000-memory.dmp: 64KB
- memory/3792-113-0x00007FFDD3070000-0x00007FFDD3080000-memory.dmp: 64KB
- memory/3792-114-0x00007FFDD3070000-0x00007FFDD3080000-memory.dmp: 64KB
- memory/3792-115-0x00007FFDD3070000-0x00007FFDD3080000-memory.dmp: 64KB
The 3792 dumps are 64KB pages of WINWORD.EXE (PID 3792); the parent's dump is the one worth pulling for AutoIt script extraction.