Analysis
-
max time kernel: 150s
max time network: 108s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-04-2024 19:47
Static task: static1
Behavioral task: behavioral1
  Sample: 05f0258937d4d1a23c98d5dc52515bf1_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 05f0258937d4d1a23c98d5dc52515bf1_JaffaCakes118.exe
  Resource: win10v2004-20240419-en
General
-
Target: 05f0258937d4d1a23c98d5dc52515bf1_JaffaCakes118.exe
Size: 512KB
MD5: 05f0258937d4d1a23c98d5dc52515bf1
SHA1: e39d7c6eb6e89f6b2505eeaf26afb4c5697fc22f
SHA256: bfe4c94cc551e3c6daaccee31f3803ea069e40c0e96fcaf944ed8b91b3d08503
SHA512: 618907fda7d7a1fb72193a7b6f36b142593a4fe44292b220f9d19afc1f3ab57595549b6ff1c19eb82ed7815039322cba39184db5b935c664df12bdea541a1487
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj64:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5/
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | ligbocdkoc.exe
-
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | ligbocdkoc.exe
-
Windows security bypass
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | ligbocdkoc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | ligbocdkoc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | ligbocdkoc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | ligbocdkoc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | ligbocdkoc.exe
-
Disables RegEdit via registry modification 1 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | ligbocdkoc.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation | 05f0258937d4d1a23c98d5dc52515bf1_JaffaCakes118.exe
-
Executes dropped EXE 5 IoCs
Processes:
pid | process
3616 | ligbocdkoc.exe
3144 | kfwnafzcwkgybeq.exe
780 | vespwjuy.exe
4736 | onubnxeyiznfp.exe
3984 | vespwjuy.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | ligbocdkoc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | ligbocdkoc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | ligbocdkoc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | ligbocdkoc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | ligbocdkoc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | ligbocdkoc.exe
-
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\edumadgb = "ligbocdkoc.exe" | kfwnafzcwkgybeq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oxjdnjaz = "kfwnafzcwkgybeq.exe" | kfwnafzcwkgybeq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "onubnxeyiznfp.exe" | kfwnafzcwkgybeq.exe
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description | ioc | process (64 entries, grouped by process in the order they appear)
File opened (read-only) | \??\p:, \??\s:, \??\t:, \??\h:, \??\z:, \??\b:, \??\g:, \??\l:, \??\m:, \??\u:, \??\j:, \??\x:, \??\w:, \??\e:, \??\i:, \??\n:, \??\a:, \??\r:, \??\y:, \??\k:, \??\q:, \??\o:, \??\v: | ligbocdkoc.exe (23 entries)
File opened (read-only) | \??\k:, \??\j:, \??\s:, \??\v:, \??\b:, \??\e:, \??\x:, \??\g:, \??\z:, \??\t:, \??\w:, \??\i:, \??\z:, \??\m:, \??\s:, \??\b:, \??\u:, \??\p:, \??\q:, \??\u:, \??\q:, \??\h:, \??\h:, \??\l:, \??\a:, \??\y:, \??\k:, \??\x:, \??\i:, \??\o:, \??\j:, \??\v:, \??\n:, \??\g:, \??\m:, \??\n:, \??\t:, \??\l:, \??\o:, \??\e:, \??\r: | vespwjuy.exe (41 entries across both instances)
-
Modifies WinLogon 2 TTPs 2 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | ligbocdkoc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | ligbocdkoc.exe
-
AutoIT Executable 10 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource | yara_rule
behavioral2/memory/4624-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
C:\Windows\SysWOW64\kfwnafzcwkgybeq.exe | autoit_exe
C:\Windows\SysWOW64\ligbocdkoc.exe | autoit_exe
C:\Windows\SysWOW64\vespwjuy.exe | autoit_exe
C:\Windows\SysWOW64\onubnxeyiznfp.exe | autoit_exe
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | autoit_exe
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | autoit_exe
C:\Users\Admin\Documents\UnprotectLimit.doc.exe | autoit_exe
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | autoit_exe
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | autoit_exe
-
Drops file in System32 directory 13 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\ligbocdkoc.exe | 05f0258937d4d1a23c98d5dc52515bf1_JaffaCakes118.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | vespwjuy.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | vespwjuy.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | vespwjuy.exe
File created | C:\Windows\SysWOW64\ligbocdkoc.exe | 05f0258937d4d1a23c98d5dc52515bf1_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\kfwnafzcwkgybeq.exe | 05f0258937d4d1a23c98d5dc52515bf1_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\onubnxeyiznfp.exe | 05f0258937d4d1a23c98d5dc52515bf1_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\vespwjuy.exe | 05f0258937d4d1a23c98d5dc52515bf1_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\kfwnafzcwkgybeq.exe | 05f0258937d4d1a23c98d5dc52515bf1_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\vespwjuy.exe | 05f0258937d4d1a23c98d5dc52515bf1_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\onubnxeyiznfp.exe | 05f0258937d4d1a23c98d5dc52515bf1_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | ligbocdkoc.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | vespwjuy.exe
-
Drops file in Program Files directory 14 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | vespwjuy.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | vespwjuy.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | vespwjuy.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | vespwjuy.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | vespwjuy.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | vespwjuy.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | vespwjuy.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | vespwjuy.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | vespwjuy.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | vespwjuy.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | vespwjuy.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | vespwjuy.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | vespwjuy.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | vespwjuy.exe
-
Drops file in Windows directory 19 IoCs
Processes:
description | ioc | process
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | vespwjuy.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | vespwjuy.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | vespwjuy.exe
File opened for modification | C:\Windows\mydoc.rtf | 05f0258937d4d1a23c98d5dc52515bf1_JaffaCakes118.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | vespwjuy.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | vespwjuy.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | vespwjuy.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | vespwjuy.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | vespwjuy.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | vespwjuy.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | vespwjuy.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | vespwjuy.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | vespwjuy.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | vespwjuy.exe
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | vespwjuy.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | vespwjuy.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | vespwjuy.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
-
Modifies registry class 20 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "334F2C089C5583226A3376D370222CAE7D8164DA" | 05f0258937d4d1a23c98d5dc52515bf1_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABEFAC9FE6AF197830E3B4781EA3992B38802FF4316024BE1CC429E09D2" | 05f0258937d4d1a23c98d5dc52515bf1_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\Local Settings | 05f0258937d4d1a23c98d5dc52515bf1_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | ligbocdkoc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | ligbocdkoc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | ligbocdkoc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB6B12F449438E252C9BAA733E9D4CF" | 05f0258937d4d1a23c98d5dc52515bf1_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFEFF894F5C85139136D62F7D90BCE4E140583667326341D6EB" | 05f0258937d4d1a23c98d5dc52515bf1_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | ligbocdkoc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | ligbocdkoc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | ligbocdkoc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | ligbocdkoc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | ligbocdkoc.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 05f0258937d4d1a23c98d5dc52515bf1_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F46BB1FF1821ACD208D0D18A7E9113" | 05f0258937d4d1a23c98d5dc52515bf1_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184FC7791591DABFB8CA7C97ED9F37BC" | 05f0258937d4d1a23c98d5dc52515bf1_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | ligbocdkoc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | ligbocdkoc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | ligbocdkoc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | ligbocdkoc.exe
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
pid | process
4988 | WINWORD.EXE
4988 | WINWORD.EXE
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process (64 entries, repeated rows collapsed with their counts, in the order they appear)
4624 | 05f0258937d4d1a23c98d5dc52515bf1_JaffaCakes118.exe (16 entries)
3616 | ligbocdkoc.exe (10 entries)
780 | vespwjuy.exe (8 entries)
3144 | kfwnafzcwkgybeq.exe (10 entries)
4736 | onubnxeyiznfp.exe (12 entries)
3144 | kfwnafzcwkgybeq.exe (2 entries)
3984 | vespwjuy.exe (6 entries)
-
Suspicious use of FindShellTrayWindow 18 IoCs
Processes:
pid | process (18 entries, 3 per process)
4624 | 05f0258937d4d1a23c98d5dc52515bf1_JaffaCakes118.exe (3 entries)
3616 | ligbocdkoc.exe (3 entries)
3144 | kfwnafzcwkgybeq.exe (3 entries)
780 | vespwjuy.exe (3 entries)
4736 | onubnxeyiznfp.exe (3 entries)
3984 | vespwjuy.exe (3 entries)
-
Suspicious use of SendNotifyMessage 18 IoCs
Processes:
pid | process (18 entries, 3 per process)
4624 | 05f0258937d4d1a23c98d5dc52515bf1_JaffaCakes118.exe (3 entries)
3616 | ligbocdkoc.exe (3 entries)
3144 | kfwnafzcwkgybeq.exe (3 entries)
780 | vespwjuy.exe (3 entries)
4736 | onubnxeyiznfp.exe (3 entries)
3984 | vespwjuy.exe (3 entries)
-
Suspicious use of SetWindowsHookEx 7 IoCs
Processes:
pid | process
4988 | WINWORD.EXE (7 entries)
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
description | pid | process | target process
PID 4624 wrote to memory of 3616 | 4624 | 05f0258937d4d1a23c98d5dc52515bf1_JaffaCakes118.exe | ligbocdkoc.exe (3 entries)
PID 4624 wrote to memory of 3144 | 4624 | 05f0258937d4d1a23c98d5dc52515bf1_JaffaCakes118.exe | kfwnafzcwkgybeq.exe (3 entries)
PID 4624 wrote to memory of 780 | 4624 | 05f0258937d4d1a23c98d5dc52515bf1_JaffaCakes118.exe | vespwjuy.exe (3 entries)
PID 4624 wrote to memory of 4736 | 4624 | 05f0258937d4d1a23c98d5dc52515bf1_JaffaCakes118.exe | onubnxeyiznfp.exe (3 entries)
PID 4624 wrote to memory of 4988 | 4624 | 05f0258937d4d1a23c98d5dc52515bf1_JaffaCakes118.exe | WINWORD.EXE (2 entries)
PID 3616 wrote to memory of 3984 | 3616 | ligbocdkoc.exe | vespwjuy.exe (3 entries)
Processes
-
C:\Users\Admin\AppData\Local\Temp\05f0258937d4d1a23c98d5dc52515bf1_JaffaCakes118.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\05f0258937d4d1a23c98d5dc52515bf1_JaffaCakes118.exe"
PID: 4624
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\ligbocdkoc.exe (depth 2, parent PID 4624)
  Command line: ligbocdkoc.exe
  PID: 3616
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\vespwjuy.exe (depth 3, parent PID 3616)
    Command line: C:\Windows\system32\vespwjuy.exe
    PID: 3984
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\kfwnafzcwkgybeq.exe (depth 2, parent PID 4624)
  Command line: kfwnafzcwkgybeq.exe
  PID: 3144
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\vespwjuy.exe (depth 2, parent PID 4624)
  Command line: vespwjuy.exe
  PID: 780
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\onubnxeyiznfp.exe (depth 2, parent PID 4624)
  Command line: onubnxeyiznfp.exe
  PID: 4736
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (depth 2, parent PID 4624)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
  PID: 4988
  - Drops file in Windows directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads
-
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
  Filesize: 512KB
  MD5: d3c6f2620418922d43d37ef09de90385
  SHA1: d08adce0c2938dc21bfbb7e11967fca9c9dea23d
  SHA256: f6be871eb6d996a90832bd8d1f9fce2a921c140b8000758045a18a75c3ba049a
  SHA512: 6396b73598eba847362ed64117575db0fe9cae42ce238055ec178560a67fda6046bfefdd183917d2c669a1296a88b36d11ae0d37654361f79a4572bf3aa17be3
-
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
  Filesize: 512KB
  MD5: 14484f7e7dd6cfab60b5076bb4b0615a
  SHA1: 5cee943eeb54aef779094bfea7a470b6c2987806
  SHA256: 11ac1b7045199450cac1d9f4387c94b08b0b82ef78fde9e3929f9cdf93fe37c3
  SHA512: adb83df1dfc7b8a57e011feec1e9a96e88794ba03500e86eb2fbbb623cc863c617e80bf23cf02356d92820a4ac22441de285bb3708794f4e6a32b3c44f9f300b
-
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
  Filesize: 239B
  MD5: 12b138a5a40ffb88d1850866bf2959cd
  SHA1: 57001ba2de61329118440de3e9f8a81074cb28a2
  SHA256: 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
  SHA512: 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 3KB
  MD5: b17bae5dab7e66d9f45e525073e33759
  SHA1: be161c4f081031f9eec2d9c73bb0346b10c773b6
  SHA256: 72e9b9cf603e7f93189ef425098cc6fc61f57faf09d1b6e73ad748dd7c372c5b
  SHA512: 407c522d49673f28d2c7ddb45cc3b94800137b36d5b815c891f7016306e6f067e14a365ca7fdb99a1e6a47523e2e2c1d6befeef17b71510515c799cef933958c
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 3KB
  MD5: bf602d10c2ea3ea9eb34cf0dbc787e0f
  SHA1: 83cae600df297312743671618b66b2c59eab5cc7
  SHA256: 62989830bad4057cb720594ca4c2da5c3876f4e26785ebfb2955711b00ac6cc6
  SHA512: e024dadbc24ffde090974b8d0f3b26b2ef0871fcbd7ba6f894e2a26798c45fca8805c830db2f972d7b33e784e067a71be8a5d7cb54281e45ee543b72108dfb31
-
C:\Users\Admin\Documents\UnprotectLimit.doc.exe
  Filesize: 512KB
  MD5: f2f3dd6ffdd728c33b0db46713d6e577
  SHA1: f025a5f67579c7b198f22d27d1f27c09efc85878
  SHA256: a6d5ff626b61e49007ab2718f5054276c7c3daeac8196dccdd5cf27c01694606
  SHA512: 615202a9fb60d6126675400327fa3fa115e2902052cccfc0355911bdf31127cb11a08a9375b9470ec6fbf2e3444423e7ee259c734fa0cc2fcf32d563240f417a
-
C:\Windows\SysWOW64\kfwnafzcwkgybeq.exe
  Filesize: 512KB
  MD5: 02368a30c1c7d1ada4b71f5872ac8491
  SHA1: d28b6570787715fa261597789000e6051b79dbcd
  SHA256: dda7b4bef73be1882036e601a193bb92215ed22bd3a0977ebf7f4c616ac4963d
  SHA512: 981b2466e169afbc5f8d45af1fdb824115d28b9ec5a7df53167556b75980c6f411ea40299398d82012b06148342ab0adeb3d59970f5a1e6483ab5920e3719c54
-
C:\Windows\SysWOW64\ligbocdkoc.exe
  Filesize: 512KB
  MD5: 943566a199cce258347a6d23b0048745
  SHA1: bc22c2bb576e3c664a6872d5ed130649f372e7e6
  SHA256: 9346d59c8c515eccd119422230137bd3c9c3af772b91781e7a59c7ca873d89c3
  SHA512: 107eb50036a0773c6c4e0c02014f0160481b94997adb2070429931e503e1239b66b274006220a1c856ef62bebb45c10fbe48cf779c9356361074c0b01381522a
-
C:\Windows\SysWOW64\onubnxeyiznfp.exe
  Filesize: 512KB
  MD5: 480d0039ec7c01004c18cfc856eed301
  SHA1: cd26f789cd451fc8a3cae08f6501cebe8a760035
  SHA256: fbfb1773318cc37017d25926167af9d8f2fcec6bd0734ac4ddad8194cf4d3a35
  SHA512: 6e6bf87094c6c9108bdb2b8443487a323b4617b66ed4f14869a571ede3638b2d4e8743b2245957c877c260fd90239e94f0aafd662b5d368b61fccbc3d063043a
-
C:\Windows\SysWOW64\vespwjuy.exe
  Filesize: 512KB
  MD5: 9f795a54bc07931cae66cebb6c976e6b
  SHA1: 2d9095f106f18612ddab3b92a7d5dd17c33ad3a0
  SHA256: afb3b83773063ffaf807cd1ed4f279825b3ea548fbaa8e28567db304e01bc7ce
  SHA512: ca4894c261ed5dd4fe20ae21beec89618a1e64526c9ca7bd069f32919eacc1d543bd4a3795e7d1ca6ae3a0e5d6d727591b0c6448c905efbc4504147de5a25c48
-
C:\Windows\mydoc.rtf
  Filesize: 223B
  MD5: 06604e5941c126e2e7be02c5cd9f62ec
  SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
  SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
  SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
  Filesize: 512KB
  MD5: 2d3611536707bad06df07b6f1886459e
  SHA1: 9e42332e87741c04bfdad3b1d96d12887af6ab42
  SHA256: 68e26edadc48e236b296e8e1dcb9890b39afb01609423425d201a51f4f80e1d9
  SHA512: b528d49364ad8b23fbdd330fecd62b63d434fb93f6c98ebecb71bf4c0bc7a3656650507ff91517cbde593a8046265fb11800b4c93c7697133e0b8f4cf6014c60
-
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
  Filesize: 512KB
  MD5: 1f02e6924ba865a446c4e644e2248334
  SHA1: d4b5bf568c032f079e0dcac7827706e57423f07e
  SHA256: 2f9929750a8fc6f60353028963ea1171976283a650b93d5775dab16cf81e8b5e
  SHA512: b1df94c348b04acf4479075f9989ceb46e1b7eabaf9ef08a3a6c39938e945d1d04d68bf87cba3991bab7f08f0a54678a5916a15aae08a63903cfc3775d5ed324
-
memory/4624-0-0x0000000000400000-0x0000000000496000-memory.dmp
  Filesize: 600KB
-
memory/4988-39-0x00007FFD60C30000-0x00007FFD60C40000-memory.dmp
  Filesize: 64KB
-
memory/4988-38-0x00007FFD60C30000-0x00007FFD60C40000-memory.dmp
  Filesize: 64KB
-
memory/4988-37-0x00007FFD60C30000-0x00007FFD60C40000-memory.dmp
  Filesize: 64KB
-
memory/4988-35-0x00007FFD60C30000-0x00007FFD60C40000-memory.dmp
  Filesize: 64KB
-
memory/4988-36-0x00007FFD60C30000-0x00007FFD60C40000-memory.dmp
  Filesize: 64KB
-
memory/4988-41-0x00007FFD5E810000-0x00007FFD5E820000-memory.dmp
  Filesize: 64KB
-
memory/4988-40-0x00007FFD5E810000-0x00007FFD5E820000-memory.dmp
  Filesize: 64KB
-
memory/4988-111-0x00007FFD60C30000-0x00007FFD60C40000-memory.dmp
  Filesize: 64KB
-
memory/4988-112-0x00007FFD60C30000-0x00007FFD60C40000-memory.dmp
  Filesize: 64KB
-
memory/4988-114-0x00007FFD60C30000-0x00007FFD60C40000-memory.dmp
  Filesize: 64KB
-
memory/4988-113-0x00007FFD60C30000-0x00007FFD60C40000-memory.dmp
  Filesize: 64KB