Analysis
-
max time kernel: 150s
max time network: 115s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-04-2024 20:34
Static task: static1
Behavioral task: behavioral1
  Sample: 06043d9cecb95590ad4c3cde040dc9b9_JaffaCakes118.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 06043d9cecb95590ad4c3cde040dc9b9_JaffaCakes118.exe
  Resource: win10v2004-20240419-en
General
-
Target: 06043d9cecb95590ad4c3cde040dc9b9_JaffaCakes118.exe
Size: 512KB
MD5: 06043d9cecb95590ad4c3cde040dc9b9
SHA1: 5c894c3a31042b62ad0c3d4c8590cc04dbcfc8cd
SHA256: 1d10cb0c77fe79fd027b65194b09c2a3eebeaf9577f80141ee834014de8144b6
SHA512: e30b7b82cc113faa91d65b0fea4a5d4e4f1620e0f8b16cdd11e5a84efd27aeacab1950dac3289c2d4dd34abef2875a85b2b75d797704970c86eba5ee3ab6a742
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6w:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5z
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | kjdxoqvsir.exe
-
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | kjdxoqvsir.exe
-
Windows security bypass 5 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | kjdxoqvsir.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | kjdxoqvsir.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | kjdxoqvsir.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | kjdxoqvsir.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | kjdxoqvsir.exe
-
Disables RegEdit via registry modification 1 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | kjdxoqvsir.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation | 06043d9cecb95590ad4c3cde040dc9b9_JaffaCakes118.exe
-
Executes dropped EXE 5 IoCs
Processes:
pid | process
4928 | kjdxoqvsir.exe
4464 | yzvevpapmyxjmck.exe
3600 | gvsvjsfa.exe
392 | pagfeskczjysj.exe
1412 | gvsvjsfa.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 6 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | kjdxoqvsir.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | kjdxoqvsir.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | kjdxoqvsir.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | kjdxoqvsir.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | kjdxoqvsir.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | kjdxoqvsir.exe
-
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\omamucjo = "kjdxoqvsir.exe" | yzvevpapmyxjmck.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\redufdgn = "yzvevpapmyxjmck.exe" | yzvevpapmyxjmck.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "pagfeskczjysj.exe" | yzvevpapmyxjmck.exe
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description | ioc (drive roots opened) | process
File opened (read-only) | \??\a: \??\b: \??\e: \??\h: \??\i: \??\j: \??\k: \??\m: \??\n: \??\o: \??\p: \??\q: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\z: | kjdxoqvsir.exe (20 entries)
File opened (read-only) | \??\a: \??\b: \??\e: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\o: \??\p: \??\q: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z: | gvsvjsfa.exe (two instances, 44 entries)
-
Modifies WinLogon 2 TTPs 2 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | kjdxoqvsir.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | kjdxoqvsir.exe
-
AutoIT Executable 9 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource | yara_rule
behavioral2/memory/4640-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
C:\Windows\SysWOW64\yzvevpapmyxjmck.exe | autoit_exe
C:\Windows\SysWOW64\kjdxoqvsir.exe | autoit_exe
C:\Windows\SysWOW64\pagfeskczjysj.exe | autoit_exe
C:\Windows\SysWOW64\gvsvjsfa.exe | autoit_exe
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | autoit_exe
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | autoit_exe
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | autoit_exe
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | autoit_exe
-
Drops file in System32 directory 12 IoCs
Processes:
description | ioc | process
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | gvsvjsfa.exe
File opened for modification | C:\Windows\SysWOW64\kjdxoqvsir.exe | 06043d9cecb95590ad4c3cde040dc9b9_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\yzvevpapmyxjmck.exe | 06043d9cecb95590ad4c3cde040dc9b9_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\gvsvjsfa.exe | 06043d9cecb95590ad4c3cde040dc9b9_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\pagfeskczjysj.exe | 06043d9cecb95590ad4c3cde040dc9b9_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | kjdxoqvsir.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | gvsvjsfa.exe
File created | C:\Windows\SysWOW64\kjdxoqvsir.exe | 06043d9cecb95590ad4c3cde040dc9b9_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\yzvevpapmyxjmck.exe | 06043d9cecb95590ad4c3cde040dc9b9_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\gvsvjsfa.exe | 06043d9cecb95590ad4c3cde040dc9b9_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\pagfeskczjysj.exe | 06043d9cecb95590ad4c3cde040dc9b9_JaffaCakes118.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | gvsvjsfa.exe
-
Drops file in Program Files directory 15 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | gvsvjsfa.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | gvsvjsfa.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | gvsvjsfa.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | gvsvjsfa.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | gvsvjsfa.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | gvsvjsfa.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | gvsvjsfa.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | gvsvjsfa.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | gvsvjsfa.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | gvsvjsfa.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | gvsvjsfa.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | gvsvjsfa.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | gvsvjsfa.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | gvsvjsfa.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | gvsvjsfa.exe
-
Drops file in Windows directory 19 IoCs
Processes:
description | ioc | process
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | gvsvjsfa.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | gvsvjsfa.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | gvsvjsfa.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | gvsvjsfa.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | gvsvjsfa.exe
File opened for modification | C:\Windows\mydoc.rtf | 06043d9cecb95590ad4c3cde040dc9b9_JaffaCakes118.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | gvsvjsfa.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | gvsvjsfa.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | gvsvjsfa.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | gvsvjsfa.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | gvsvjsfa.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | gvsvjsfa.exe
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | gvsvjsfa.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | gvsvjsfa.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | gvsvjsfa.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | gvsvjsfa.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | gvsvjsfa.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
-
Modifies registry class 20 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB5B02C4494389D53C4B9D13293D7BC" | 06043d9cecb95590ad4c3cde040dc9b9_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7876BB8FE1C21ACD10CD0D48A089165" | 06043d9cecb95590ad4c3cde040dc9b9_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | kjdxoqvsir.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | kjdxoqvsir.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | kjdxoqvsir.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | kjdxoqvsir.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 06043d9cecb95590ad4c3cde040dc9b9_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33332C0D9C2D82576A3377D177202DDD7D8765DB" | 06043d9cecb95590ad4c3cde040dc9b9_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | kjdxoqvsir.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | kjdxoqvsir.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | kjdxoqvsir.exe
Key created | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings | 06043d9cecb95590ad4c3cde040dc9b9_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8EFFF948278568913DD65D7DE5BDEEE6415936664E6246D79E" | 06043d9cecb95590ad4c3cde040dc9b9_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1939C67415E6DBBEB8B97CE0EDE034C7" | 06043d9cecb95590ad4c3cde040dc9b9_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | kjdxoqvsir.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | kjdxoqvsir.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BBCF9BEFE6BF1E5840F3A41869A3E91B0F903FD42600333E1BA429C08A1" | 06043d9cecb95590ad4c3cde040dc9b9_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | kjdxoqvsir.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | kjdxoqvsir.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | kjdxoqvsir.exe
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
pid | process
2792 | WINWORD.EXE (2 entries)
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process (unique pairs; the report repeats each pair once per hit)
4640 | 06043d9cecb95590ad4c3cde040dc9b9_JaffaCakes118.exe
4928 | kjdxoqvsir.exe
4464 | yzvevpapmyxjmck.exe
392 | pagfeskczjysj.exe
3600 | gvsvjsfa.exe
1412 | gvsvjsfa.exe
-
Suspicious use of FindShellTrayWindow 18 IoCs
Processes:
pid | process
4640 | 06043d9cecb95590ad4c3cde040dc9b9_JaffaCakes118.exe (3 entries)
4928 | kjdxoqvsir.exe (3 entries)
4464 | yzvevpapmyxjmck.exe (3 entries)
392 | pagfeskczjysj.exe (3 entries)
3600 | gvsvjsfa.exe (3 entries)
1412 | gvsvjsfa.exe (3 entries)
-
Suspicious use of SendNotifyMessage 18 IoCs
Processes:
pid | process
4640 | 06043d9cecb95590ad4c3cde040dc9b9_JaffaCakes118.exe (3 entries)
4928 | kjdxoqvsir.exe (3 entries)
4464 | yzvevpapmyxjmck.exe (3 entries)
392 | pagfeskczjysj.exe (3 entries)
3600 | gvsvjsfa.exe (3 entries)
1412 | gvsvjsfa.exe (3 entries)
-
Suspicious use of SetWindowsHookEx 7 IoCs
Processes:
pid | process
2792 | WINWORD.EXE (7 entries)
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
description | pid | process | target process
PID 4640 wrote to memory of 4928 | 4640 | 06043d9cecb95590ad4c3cde040dc9b9_JaffaCakes118.exe | kjdxoqvsir.exe (3 entries)
PID 4640 wrote to memory of 4464 | 4640 | 06043d9cecb95590ad4c3cde040dc9b9_JaffaCakes118.exe | yzvevpapmyxjmck.exe (3 entries)
PID 4640 wrote to memory of 3600 | 4640 | 06043d9cecb95590ad4c3cde040dc9b9_JaffaCakes118.exe | gvsvjsfa.exe (3 entries)
PID 4640 wrote to memory of 392 | 4640 | 06043d9cecb95590ad4c3cde040dc9b9_JaffaCakes118.exe | pagfeskczjysj.exe (3 entries)
PID 4640 wrote to memory of 2792 | 4640 | 06043d9cecb95590ad4c3cde040dc9b9_JaffaCakes118.exe | WINWORD.EXE (2 entries)
PID 4928 wrote to memory of 1412 | 4928 | kjdxoqvsir.exe | gvsvjsfa.exe (3 entries)
Processes
-
[level 1] C:\Users\Admin\AppData\Local\Temp\06043d9cecb95590ad4c3cde040dc9b9_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\06043d9cecb95590ad4c3cde040dc9b9_JaffaCakes118.exe"
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
[level 2] C:\Windows\SysWOW64\kjdxoqvsir.exe
Command line: kjdxoqvsir.exe
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
[level 3] C:\Windows\SysWOW64\gvsvjsfa.exe
Command line: C:\Windows\system32\gvsvjsfa.exe
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
[level 2] C:\Windows\SysWOW64\yzvevpapmyxjmck.exe
Command line: yzvevpapmyxjmck.exe
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
[level 2] C:\Windows\SysWOW64\gvsvjsfa.exe
Command line: gvsvjsfa.exe
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
[level 2] C:\Windows\SysWOW64\pagfeskczjysj.exe
Command line: pagfeskczjysj.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
[level 2] C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Modify Registry (6)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
Downloads