Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-04-2024 19:36

Static task: static1

Behavioral task: behavioral1
Sample: 05ebbd956c5c919e011aa103cae3ccf6_JaffaCakes118.exe
Resource: win7-20231129-en

Behavioral task: behavioral2
Sample: 05ebbd956c5c919e011aa103cae3ccf6_JaffaCakes118.exe
Resource: win10v2004-20240426-en
General
Target: 05ebbd956c5c919e011aa103cae3ccf6_JaffaCakes118.exe
Size: 512KB
MD5: 05ebbd956c5c919e011aa103cae3ccf6
SHA1: b4f19cadc024e6add58b0994a0f0bccc9a68327f
SHA256: fb2ef2d480da85296a27c8d7f9f6d6f62245a6525b152c9310a478f0a027cfcd
SHA512: a87bf49bd2781009fc7c1b01460b493dc0102371fa66ffd90298884c010f15a85fac608234feba913c18f8190d3a13da50738577710ddb8f07be18eac4eb6c79
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6q:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5f
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | rcuytqczbp.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | rcuytqczbp.exe
Windows security bypass
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | rcuytqczbp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | rcuytqczbp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | rcuytqczbp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | rcuytqczbp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | rcuytqczbp.exe
Disables RegEdit via registry modification 1 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | rcuytqczbp.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | 05ebbd956c5c919e011aa103cae3ccf6_JaffaCakes118.exe
Executes dropped EXE 5 IoCs
Processes:
pid | process
4596 | rcuytqczbp.exe
3080 | zkniynvisqomlhb.exe
3868 | bscapwno.exe
4468 | cizrmnalnkeko.exe
4264 | bscapwno.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | rcuytqczbp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | rcuytqczbp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | rcuytqczbp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | rcuytqczbp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | rcuytqczbp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | rcuytqczbp.exe
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rqmljxyv = "rcuytqczbp.exe" | zkniynvisqomlhb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\zacljarm = "zkniynvisqomlhb.exe" | zkniynvisqomlhb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "cizrmnalnkeko.exe" | zkniynvisqomlhb.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description | ioc | process
File opened (read-only), 43 entries in report order | \??\y: \??\l: \??\r: \??\u: \??\x: \??\e: \??\e: \??\i: \??\q: \??\r: \??\p: \??\a: \??\g: \??\s: \??\x: \??\h: \??\q: \??\j: \??\j: \??\m: \??\b: \??\h: \??\w: \??\z: \??\i: \??\n: \??\n: \??\b: \??\l: \??\u: \??\y: \??\z: \??\a: \??\m: \??\t: \??\k: \??\p: \??\t: \??\k: \??\o: \??\v: \??\s: \??\g: | bscapwno.exe
File opened (read-only), 21 entries in report order | \??\h: \??\t: \??\v: \??\i: \??\q: \??\r: \??\l: \??\s: \??\y: \??\n: \??\b: \??\o: \??\j: \??\p: \??\z: \??\e: \??\x: \??\k: \??\u: \??\a: \??\g: | rcuytqczbp.exe
Modifies WinLogon 2 TTPs 2 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | rcuytqczbp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | rcuytqczbp.exe
AutoIT Executable 9 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource | yara_rule
behavioral2/memory/2320-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
C:\Windows\SysWOW64\zkniynvisqomlhb.exe | autoit_exe
C:\Windows\SysWOW64\rcuytqczbp.exe | autoit_exe
C:\Windows\SysWOW64\bscapwno.exe | autoit_exe
C:\Windows\SysWOW64\cizrmnalnkeko.exe | autoit_exe
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | autoit_exe
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | autoit_exe
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | autoit_exe
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | autoit_exe
Drops file in System32 directory 12 IoCs
Processes:
description | ioc | process
File created | C:\Windows\SysWOW64\rcuytqczbp.exe | 05ebbd956c5c919e011aa103cae3ccf6_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\zkniynvisqomlhb.exe | 05ebbd956c5c919e011aa103cae3ccf6_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\zkniynvisqomlhb.exe | 05ebbd956c5c919e011aa103cae3ccf6_JaffaCakes118.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | bscapwno.exe
File opened for modification | C:\Windows\SysWOW64\rcuytqczbp.exe | 05ebbd956c5c919e011aa103cae3ccf6_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\bscapwno.exe | 05ebbd956c5c919e011aa103cae3ccf6_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\bscapwno.exe | 05ebbd956c5c919e011aa103cae3ccf6_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\cizrmnalnkeko.exe | 05ebbd956c5c919e011aa103cae3ccf6_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\cizrmnalnkeko.exe | 05ebbd956c5c919e011aa103cae3ccf6_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | rcuytqczbp.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | bscapwno.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | bscapwno.exe
Drops file in Program Files directory 18 IoCs
Processes:
description | ioc | process
File created | \??\c:\Program Files\DebugSuspend.doc.exe | bscapwno.exe
File opened for modification | C:\Program Files\DebugSuspend.nal | bscapwno.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | bscapwno.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | bscapwno.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | bscapwno.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | bscapwno.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | bscapwno.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | bscapwno.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | bscapwno.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | bscapwno.exe
File opened for modification | \??\c:\Program Files\DebugSuspend.doc.exe | bscapwno.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | bscapwno.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | bscapwno.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | bscapwno.exe
File opened for modification | C:\Program Files\DebugSuspend.doc.exe | bscapwno.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | bscapwno.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | bscapwno.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | bscapwno.exe
Drops file in Windows directory 19 IoCs
Processes:
description | ioc | process
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | bscapwno.exe
File opened for modification | C:\Windows\mydoc.rtf | 05ebbd956c5c919e011aa103cae3ccf6_JaffaCakes118.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | bscapwno.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | bscapwno.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | bscapwno.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | bscapwno.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | bscapwno.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | bscapwno.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | bscapwno.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | bscapwno.exe
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | bscapwno.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | bscapwno.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | bscapwno.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | bscapwno.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | bscapwno.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | bscapwno.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | bscapwno.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class 20 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | rcuytqczbp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | rcuytqczbp.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 05ebbd956c5c919e011aa103cae3ccf6_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F368B4FE6921ABD27AD1A68B099017" | 05ebbd956c5c919e011aa103cae3ccf6_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "194AC60915E1DAB7B8CE7CE5ECE734BD" | 05ebbd956c5c919e011aa103cae3ccf6_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | rcuytqczbp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | rcuytqczbp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | rcuytqczbp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | rcuytqczbp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | rcuytqczbp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32412C7B9D2C82566D4177D170252DAD7DF565D9" | 05ebbd956c5c919e011aa103cae3ccf6_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BBFFABFF963F19084793B30819D3998B38C038A4367034FE1B942E808A8" | 05ebbd956c5c919e011aa103cae3ccf6_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E8BFF8E4F2A82139135D7297D94BDE1E13C593567426335D79B" | 05ebbd956c5c919e011aa103cae3ccf6_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings | 05ebbd956c5c919e011aa103cae3ccf6_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | rcuytqczbp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB2B029479439E352CEB9D5329BD7C9" | 05ebbd956c5c919e011aa103cae3ccf6_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | rcuytqczbp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | rcuytqczbp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | rcuytqczbp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | rcuytqczbp.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
pid | process | entries
2988 | WINWORD.EXE | 2
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process | entries
2320 | 05ebbd956c5c919e011aa103cae3ccf6_JaffaCakes118.exe | 16
4596 | rcuytqczbp.exe | 10
3868 | bscapwno.exe | 8
3080 | zkniynvisqomlhb.exe | 10
4468 | cizrmnalnkeko.exe | 12
4264 | bscapwno.exe | 8
Suspicious use of FindShellTrayWindow 18 IoCs
Processes:
pid | process | entries
2320 | 05ebbd956c5c919e011aa103cae3ccf6_JaffaCakes118.exe | 3
4596 | rcuytqczbp.exe | 3
3868 | bscapwno.exe | 3
4468 | cizrmnalnkeko.exe | 3
3080 | zkniynvisqomlhb.exe | 3
4264 | bscapwno.exe | 3
Suspicious use of SendNotifyMessage 18 IoCs
Processes:
pid | process | entries
2320 | 05ebbd956c5c919e011aa103cae3ccf6_JaffaCakes118.exe | 3
4596 | rcuytqczbp.exe | 3
3868 | bscapwno.exe | 3
4468 | cizrmnalnkeko.exe | 3
3080 | zkniynvisqomlhb.exe | 3
4264 | bscapwno.exe | 3
Suspicious use of SetWindowsHookEx 7 IoCs
Processes:
pid | process | entries
2988 | WINWORD.EXE | 7
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
description | pid | process | target process | entries
PID 2320 wrote to memory of 4596 | 2320 | 05ebbd956c5c919e011aa103cae3ccf6_JaffaCakes118.exe | rcuytqczbp.exe | 3
PID 2320 wrote to memory of 3080 | 2320 | 05ebbd956c5c919e011aa103cae3ccf6_JaffaCakes118.exe | zkniynvisqomlhb.exe | 3
PID 2320 wrote to memory of 3868 | 2320 | 05ebbd956c5c919e011aa103cae3ccf6_JaffaCakes118.exe | bscapwno.exe | 3
PID 2320 wrote to memory of 4468 | 2320 | 05ebbd956c5c919e011aa103cae3ccf6_JaffaCakes118.exe | cizrmnalnkeko.exe | 3
PID 2320 wrote to memory of 2988 | 2320 | 05ebbd956c5c919e011aa103cae3ccf6_JaffaCakes118.exe | WINWORD.EXE | 2
PID 4596 wrote to memory of 4264 | 4596 | rcuytqczbp.exe | bscapwno.exe | 3
Processes
C:\Users\Admin\AppData\Local\Temp\05ebbd956c5c919e011aa103cae3ccf6_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\05ebbd956c5c919e011aa103cae3ccf6_JaffaCakes118.exe"
  PID: 2320
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Child processes:
    C:\Windows\SysWOW64\rcuytqczbp.exe
      Command line: rcuytqczbp.exe
      PID: 4596
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Windows security bypass
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Windows security modification
      - Enumerates connected drives
      - Modifies WinLogon
      - Drops file in System32 directory
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      Child processes:
        C:\Windows\SysWOW64\bscapwno.exe
          Command line: C:\Windows\system32\bscapwno.exe
          PID: 4264
          - Executes dropped EXE
          - Enumerates connected drives
          - Drops file in System32 directory
          - Drops file in Program Files directory
          - Drops file in Windows directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
    C:\Windows\SysWOW64\zkniynvisqomlhb.exe
      Command line: zkniynvisqomlhb.exe
      PID: 3080
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
    C:\Windows\SysWOW64\bscapwno.exe
      Command line: bscapwno.exe
      PID: 3868
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
    C:\Windows\SysWOW64\cizrmnalnkeko.exe
      Command line: cizrmnalnkeko.exe
      PID: 4468
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
    C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      PID: 2988
      - Drops file in Windows directory
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (6)
Downloads