Analysis
- max time kernel: 151s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-04-2024 16:49
Static task
- static1

Behavioral task
- behavioral1: sample 05a34ce4e1751bf33e0803af17082c1f_JaffaCakes118.exe, resource win7-20240221-en
- behavioral2: sample 05a34ce4e1751bf33e0803af17082c1f_JaffaCakes118.exe, resource win10v2004-20240226-en
General
- Target: 05a34ce4e1751bf33e0803af17082c1f_JaffaCakes118.exe
- Size: 512KB
- MD5: 05a34ce4e1751bf33e0803af17082c1f
- SHA1: 45b354f036de158920d8f242977aab190ede0136
- SHA256: 7e32714f0b728d757d398eb21058c77f8708122415eb052081e8e125563af9b3
- SHA512: c4c022ae828687de17029eae8c7aaa5f3f6922a04b2bd99fb3fc1b0883b34904ae35eeb77d332ea709b24cb88a8165c2e822fcc15a3b4e8ecc004dbbd530da4d
- SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj68:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5n
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | dibmlfsayy.exe
-
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | dibmlfsayy.exe
-
Windows security bypass 5 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | dibmlfsayy.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | dibmlfsayy.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | dibmlfsayy.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | dibmlfsayy.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | dibmlfsayy.exe
-
Disables RegEdit via registry modification 1 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | dibmlfsayy.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely as a geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | 05a34ce4e1751bf33e0803af17082c1f_JaffaCakes118.exe
-
Executes dropped EXE 5 IoCs
Processes:
pid | process
892 | dibmlfsayy.exe
4200 | pkhfmwhzevpadjw.exe
3884 | msqqdhmd.exe
4004 | yfpmwlgifpiiw.exe
1772 | msqqdhmd.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 6 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | dibmlfsayy.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | dibmlfsayy.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | dibmlfsayy.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | dibmlfsayy.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | dibmlfsayy.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | dibmlfsayy.exe
-
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nnwfgpos = "dibmlfsayy.exe" | pkhfmwhzevpadjw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xcyqkqio = "pkhfmwhzevpadjw.exe" | pkhfmwhzevpadjw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ (default value) = "yfpmwlgifpiiw.exe" | pkhfmwhzevpadjw.exe
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description | ioc | process
File opened (read-only) | \??\a: \??\b: \??\e: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\o: \??\p: \??\q: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z: (every letter except c:, d: and f:, each opened once; 23 IoCs) | dibmlfsayy.exe
File opened (read-only) | the same 23 drive letters; all except \??\b: \??\h: \??\i: \??\j: \??\s: opened twice (41 IoCs) | msqqdhmd.exe
-
Modifies WinLogon 2 TTPs 2 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | dibmlfsayy.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | dibmlfsayy.exe
-
AutoIT Executable 11 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource | yara_rule
behavioral2/memory/4784-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
C:\Windows\SysWOW64\pkhfmwhzevpadjw.exe | autoit_exe
C:\Windows\SysWOW64\dibmlfsayy.exe | autoit_exe
C:\Windows\SysWOW64\pkhfmwhzevpadjw.exe | autoit_exe
C:\Windows\SysWOW64\msqqdhmd.exe | autoit_exe
C:\Windows\SysWOW64\yfpmwlgifpiiw.exe | autoit_exe
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | autoit_exe
\??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | autoit_exe
C:\Users\Admin\Documents\ShowProtect.doc.exe | autoit_exe
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | autoit_exe
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | autoit_exe
-
Drops file in System32 directory 13 IoCs
Processes:
description | ioc | process
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | msqqdhmd.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | msqqdhmd.exe
File opened for modification | C:\Windows\SysWOW64\dibmlfsayy.exe | 05a34ce4e1751bf33e0803af17082c1f_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\pkhfmwhzevpadjw.exe | 05a34ce4e1751bf33e0803af17082c1f_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msqqdhmd.exe | 05a34ce4e1751bf33e0803af17082c1f_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\yfpmwlgifpiiw.exe | 05a34ce4e1751bf33e0803af17082c1f_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | dibmlfsayy.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | msqqdhmd.exe
File created | C:\Windows\SysWOW64\dibmlfsayy.exe | 05a34ce4e1751bf33e0803af17082c1f_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\pkhfmwhzevpadjw.exe | 05a34ce4e1751bf33e0803af17082c1f_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\msqqdhmd.exe | 05a34ce4e1751bf33e0803af17082c1f_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\yfpmwlgifpiiw.exe | 05a34ce4e1751bf33e0803af17082c1f_JaffaCakes118.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | msqqdhmd.exe
-
Drops file in Program Files directory 14 IoCs
Processes:
description | ioc | process
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | msqqdhmd.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | msqqdhmd.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | msqqdhmd.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | msqqdhmd.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | msqqdhmd.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | msqqdhmd.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | msqqdhmd.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | msqqdhmd.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | msqqdhmd.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | msqqdhmd.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | msqqdhmd.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | msqqdhmd.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | msqqdhmd.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | msqqdhmd.exe
-
Drops file in Windows directory 3 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | C:\Windows\mydoc.rtf | 05a34ce4e1751bf33e0803af17082c1f_JaffaCakes118.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
-
Modifies registry class 20 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BB5FABFF965F1E4837D3A4686EC3EE2B08A038B42680338E1CA42EA09D4" | 05a34ce4e1751bf33e0803af17082c1f_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC6B02944EF38E353CABAA13298D7BB" | 05a34ce4e1751bf33e0803af17082c1f_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | dibmlfsayy.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33472C089C5283526A3076D677252CDF7C8765AB" | 05a34ce4e1751bf33e0803af17082c1f_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FF8FFF84F5B851C9046D72B7D92BDE4E1345847674E6337D6EA" | 05a34ce4e1751bf33e0803af17082c1f_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7846BC2FF1A21DED20ED1D58A0F9010" | 05a34ce4e1751bf33e0803af17082c1f_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | dibmlfsayy.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | dibmlfsayy.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | dibmlfsayy.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | dibmlfsayy.exe
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings | 05a34ce4e1751bf33e0803af17082c1f_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | dibmlfsayy.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | dibmlfsayy.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | dibmlfsayy.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | dibmlfsayy.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 05a34ce4e1751bf33e0803af17082c1f_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1948C60B1490DBC5B8CF7FE5ED9734C6" | 05a34ce4e1751bf33e0803af17082c1f_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | dibmlfsayy.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | dibmlfsayy.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | dibmlfsayy.exe
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
pid | process | hits
1480 | WINWORD.EXE | 2
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process | hits
4784 | 05a34ce4e1751bf33e0803af17082c1f_JaffaCakes118.exe | 16
892 | dibmlfsayy.exe | 10
4200 | pkhfmwhzevpadjw.exe | 14
3884 | msqqdhmd.exe | 8
4004 | yfpmwlgifpiiw.exe | 16
-
Suspicious use of FindShellTrayWindow 18 IoCs
Processes:
pid | process | hits
4784 | 05a34ce4e1751bf33e0803af17082c1f_JaffaCakes118.exe | 3
892 | dibmlfsayy.exe | 3
4200 | pkhfmwhzevpadjw.exe | 3
3884 | msqqdhmd.exe | 3
4004 | yfpmwlgifpiiw.exe | 3
1772 | msqqdhmd.exe | 3
-
Suspicious use of SendNotifyMessage 18 IoCs
Processes:
pid | process | hits
4784 | 05a34ce4e1751bf33e0803af17082c1f_JaffaCakes118.exe | 3
892 | dibmlfsayy.exe | 3
4200 | pkhfmwhzevpadjw.exe | 3
3884 | msqqdhmd.exe | 3
4004 | yfpmwlgifpiiw.exe | 3
1772 | msqqdhmd.exe | 3
-
Suspicious use of SetWindowsHookEx 7 IoCs
Processes:
pid | process | hits
1480 | WINWORD.EXE | 7
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
description | pid | process | target process | hits
PID 4784 wrote to memory of 892 | 4784 | 05a34ce4e1751bf33e0803af17082c1f_JaffaCakes118.exe | dibmlfsayy.exe | 3
PID 4784 wrote to memory of 4200 | 4784 | 05a34ce4e1751bf33e0803af17082c1f_JaffaCakes118.exe | pkhfmwhzevpadjw.exe | 3
PID 4784 wrote to memory of 3884 | 4784 | 05a34ce4e1751bf33e0803af17082c1f_JaffaCakes118.exe | msqqdhmd.exe | 3
PID 4784 wrote to memory of 4004 | 4784 | 05a34ce4e1751bf33e0803af17082c1f_JaffaCakes118.exe | yfpmwlgifpiiw.exe | 3
PID 892 wrote to memory of 1772 | 892 | dibmlfsayy.exe | msqqdhmd.exe | 3
PID 4784 wrote to memory of 1480 | 4784 | 05a34ce4e1751bf33e0803af17082c1f_JaffaCakes118.exe | WINWORD.EXE | 2
Processes
Process tree from the behavioral2 run. [n] is the depth in the tree; PIDs are taken from the WriteProcessMemory IoCs above.

[1] C:\Users\Admin\AppData\Local\Temp\05a34ce4e1751bf33e0803af17082c1f_JaffaCakes118.exe (PID 4784)
    Command line: "C:\Users\Admin\AppData\Local\Temp\05a34ce4e1751bf33e0803af17082c1f_JaffaCakes118.exe"
    - Checks computer location settings
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\dibmlfsayy.exe (PID 892)
        Command line: dibmlfsayy.exe
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - Windows security bypass
        - Disables RegEdit via registry modification
        - Executes dropped EXE
        - Windows security modification
        - Enumerates connected drives
        - Modifies WinLogon
        - Drops file in System32 directory
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\msqqdhmd.exe (PID 1772)
            Command line: C:\Windows\system32\msqqdhmd.exe
            - Executes dropped EXE
            - Enumerates connected drives
            - Drops file in System32 directory
            - Drops file in Program Files directory
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage

    [2] C:\Windows\SysWOW64\pkhfmwhzevpadjw.exe (PID 4200)
        Command line: pkhfmwhzevpadjw.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage

    [2] C:\Windows\SysWOW64\msqqdhmd.exe (PID 3884)
        Command line: msqqdhmd.exe
        - Executes dropped EXE
        - Enumerates connected drives
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage

    [2] C:\Windows\SysWOW64\yfpmwlgifpiiw.exe (PID 4004)
        Command line: yfpmwlgifpiiw.exe
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage

    [2] C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 1480)
        Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
        - Drops file in Windows directory
        - Checks processor information in registry
        - Enumerates system info in registry
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious use of SetWindowsHookEx

[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID not recorded in the signatures; no signatures triggered)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3776 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Modify Registry (6)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
Downloads

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- Filesize: 512KB
- MD5: 04fb1b4cf10c2dbb05bf30b37a5c0e5f
- SHA1: 392db12678d98c8b8f73d40fec2a4e8f0828db3b
- SHA256: be813896e5287a541b81695e6688915531551c8c897a0a689d69cebcf1e6ad56
- SHA512: 28a6a317c3e2bca8723be0ec565800f382d79876261a10826831a4578b28f0efb6b27c9378e280689997b0dfb41500fc90726a8ece8eec5dc219e9476574f733

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
- Filesize: 239B
- MD5: 12b138a5a40ffb88d1850866bf2959cd
- SHA1: 57001ba2de61329118440de3e9f8a81074cb28a2
- SHA256: 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
- SHA512: 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
- Filesize: 3KB
- MD5: 4f13dbb84b1c3a3121aa7ac7b85f1ccc
- SHA1: 54fc970cd992f1a6de614ca3104da358a6df41c4
- SHA256: 9822115feece83bde58a5fe3fd185e05aac1927ec05eed439d3fd61801403a2f
- SHA512: 1b5d5e07914cd35d8b608abbc6fd43ad91acc30dcba9886b94255d33735cc8da63f27cfca5cc0d410918ff02bc64ad30ebe953e6ae04074e628b02d0c8d4a0cd

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
- Filesize: 3KB
- MD5: 7bf8377fc38e26815073a786cfd8fc56
- SHA1: 679074d90c1d58c76f6b6c294a827dd586cc7cb9
- SHA256: a9baf47dfeb065600927a35fb3ae371ab9be5b1d8437b754addfa8df53d9c5ed
- SHA512: 78c2151e73429cb81de4ef19e9493d92cdab20ba9bb814d4712d3f11c8f0bb44fc2ae0aefdf9546d76642b36df48370162c939126e28b705f158b6713330519a

C:\Users\Admin\Documents\ShowProtect.doc.exe
- Filesize: 512KB
- MD5: c5c071e27118a187a0034c78a10d61db
- SHA1: 44292f98f0a71ae19116d76d958039acd3104d8b
- SHA256: 047154253d0611623c364bb2b89d2681cd4d964277d3441399cb26fa5029fff3
- SHA512: bc64c74b2d25c085da34868320b254017e050169f960dad5dfea284c39598f2fcdf4bcf4814efeb9219fab8985565a16e02514583fe952e0d8755957cfe60db0

C:\Windows\SysWOW64\dibmlfsayy.exe
- Filesize: 512KB
- MD5: 43270aae80cba39e6bc3fcd5493e1f2f
- SHA1: 280d70b4c4195bd629b1f8916158e829cd78eea1
- SHA256: 8544a5b9454b5339a85008dfa2c0ea5b440eeae21cd88a0693a25882900e8225
- SHA512: 2100d9e2aaf0844ac30b1b9c14b04ee2c70cb4f31dbd8807dedf187080f228c8fb2f5c6d95d4654541e0d309a71b5fe1b91a3fa366006b7c5c26dfa19ad50ee2

C:\Windows\SysWOW64\msqqdhmd.exe
- Filesize: 512KB
- MD5: c70c3ec67c213a29832585f5a97293ba
- SHA1: 5dc44b44fc07021f14eb5eaa171274d6acd03a60
- SHA256: 9324e0ffab2591208f28b68737be6b39d65a42fc88c07c79b77332928b5a21cd
- SHA512: d73fbbed32176a572ddd48170b25b275a38d890f4f08557f73bd2fbd2241973435290d83518ce68f70b15cbf70daad4e474abcd8b90dfd30c8a036c1509479db

C:\Windows\SysWOW64\pkhfmwhzevpadjw.exe
- Filesize: 512KB
- MD5: c40c280e8b36c5a9bf17ae7c038539f1
- SHA1: 10104f1d235a497f89776389929b3f40f452cc53
- SHA256: 7a4c2a941fbb3501ef1cb50a3ca1ea35259b203652c2547c8fc0009401d9eb65
- SHA512: 768e93eef9f749e07caad7cdaa8b8b1f816eb629d7be91d9f5b478fd7bfc9a7473e3a7e34ce9f1a82acfc4a46b70973b77cbc322991dac58f83a5f42dd7e1425

C:\Windows\SysWOW64\pkhfmwhzevpadjw.exe (same hashes as the submitted sample, i.e. a copy of the original dropper)
- Filesize: 512KB
- MD5: 05a34ce4e1751bf33e0803af17082c1f
- SHA1: 45b354f036de158920d8f242977aab190ede0136
- SHA256: 7e32714f0b728d757d398eb21058c77f8708122415eb052081e8e125563af9b3
- SHA512: c4c022ae828687de17029eae8c7aaa5f3f6922a04b2bd99fb3fc1b0883b34904ae35eeb77d332ea709b24cb88a8165c2e822fcc15a3b4e8ecc004dbbd530da4d

C:\Windows\SysWOW64\yfpmwlgifpiiw.exe
- Filesize: 512KB
- MD5: dea45a4976925aabb81f58c870fd1926
- SHA1: 451b47b80ecf2977e7ab907f16702ebe785e6ce2
- SHA256: 933a442acd93e37921e647ea7a067c3a251cca7bd29c8b008fa1cdbfed86f3b1
- SHA512: 5f49b56c91b6fd9c7304fae3509dbcb342b5ea93b3fe146e6815d3e8ad9fd4c5abd46713ea9e20c5bf1bada8498a464c20238d412f5955371e3dd989a1d6fe67

C:\Windows\mydoc.rtf
- Filesize: 223B
- MD5: 06604e5941c126e2e7be02c5cd9f62ec
- SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
- SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
- SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

\??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- Filesize: 512KB
- MD5: b5870746118032724147db4867b3f110
- SHA1: aad38c7e3e90aada2f15eeeaffb5b879031f48ea
- SHA256: a2633b38ae72725b686f693c91fa9d638cf970fd60c62a4e5da8562e465f1a78
- SHA512: 27381211cd3d8f03bf11d11f51a14f4282345f437679002cd1703e7a3eb0300dbe5f93a14958952740b7c51c6a62eaff6845b9812c6b6b68d1e5f1efc31a03b7

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
- Filesize: 512KB
- MD5: 5ec250256443475fbfca15cb2dc4f03d
- SHA1: 677d21c088dedbeaaf72528faf67558e563c3fb7
- SHA256: 93307c2f29147bf16bdfc0bbf453cdda62422cbeadb7f145b6cca0ae00742370
- SHA512: 2c8bbc02cc01c5cdd654c0998239e88427262678a4eee4bc166c49a5efb5d5398d7f5a7a40d99965e2f8de432bb2943c865e45a557f202dd47b56e5c8df2bdd6

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
- Filesize: 512KB
- MD5: 58a1083f165b9f3de03bccd5540e97f2
- SHA1: 885c65d56d035e4c85fa0ae1e5ea109ebc047825
- SHA256: 11d6cfd40467650ec7aa69a574300271528f7393114b5021c963b1ce879c3b51
- SHA512: 308b8be42010858ba27f201a12da1229cd2dcba9d41299ad52a3b8713cfff39139a934516875d48464597652444a0c4ae95664b3e0cdc439f6df62f715780de4

Memory dumps (no hashes recorded):
memory/1480-39-0x00007FF881A90000-0x00007FF881AA0000-memory.dmp | Filesize: 64KB
memory/1480-43-0x00007FF87F9A0000-0x00007FF87F9B0000-memory.dmp | Filesize: 64KB
memory/1480-42-0x00007FF87F9A0000-0x00007FF87F9B0000-memory.dmp | Filesize: 64KB
memory/1480-37-0x00007FF881A90000-0x00007FF881AA0000-memory.dmp | Filesize: 64KB
memory/1480-38-0x00007FF881A90000-0x00007FF881AA0000-memory.dmp | Filesize: 64KB
memory/1480-41-0x00007FF881A90000-0x00007FF881AA0000-memory.dmp | Filesize: 64KB
memory/1480-40-0x00007FF881A90000-0x00007FF881AA0000-memory.dmp | Filesize: 64KB
memory/1480-126-0x00007FF881A90000-0x00007FF881AA0000-memory.dmp | Filesize: 64KB
memory/1480-129-0x00007FF881A90000-0x00007FF881AA0000-memory.dmp | Filesize: 64KB
memory/1480-128-0x00007FF881A90000-0x00007FF881AA0000-memory.dmp | Filesize: 64KB
memory/1480-127-0x00007FF881A90000-0x00007FF881AA0000-memory.dmp | Filesize: 64KB
memory/4784-0-0x0000000000400000-0x0000000000496000-memory.dmp | Filesize: 600KB