Analysis
-
max time kernel: 151s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-04-2024 21:00
Static task: static1
Behavioral task: behavioral1
  Sample: 060f6dc3ccb4b63a8e37f4934fc4c619_JaffaCakes118.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: 060f6dc3ccb4b63a8e37f4934fc4c619_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
-
Target: 060f6dc3ccb4b63a8e37f4934fc4c619_JaffaCakes118.exe
Size: 512KB
MD5: 060f6dc3ccb4b63a8e37f4934fc4c619
SHA1: 57356c0023ca344f1b5e1228d0b1a361b8543da7
SHA256: 37688dc58ae1d75c0b6eb82a9a1463409ec6a2b07366164276f64dc257ea41e9
SHA512: 74672fc754e525c695d9d5e3da4bd20be1672a32c7f9cdd72f2e683f972e4a0fa9cd46db4aa1b7d59a5d61a60dcdf14eb951380c0015f60102d98c04e318b0be
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6J:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5i
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
Processes: iuohfbomsz.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | iuohfbomsz.exe
-
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes: iuohfbomsz.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | iuohfbomsz.exe
-
Windows security bypass
Processes: iuohfbomsz.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | iuohfbomsz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | iuohfbomsz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | iuohfbomsz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | iuohfbomsz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | iuohfbomsz.exe
-
Disables RegEdit via registry modification 1 IoCs
Processes: iuohfbomsz.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | iuohfbomsz.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 060f6dc3ccb4b63a8e37f4934fc4c619_JaffaCakes118.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | 060f6dc3ccb4b63a8e37f4934fc4c619_JaffaCakes118.exe
-
Executes dropped EXE 5 IoCs
Processes: iuohfbomsz.exe, vgsxbmvpgtufxdn.exe, jaougiwr.exe, szdrjkuljsgsb.exe, jaougiwr.exe
pid | process
4084 | iuohfbomsz.exe
620 | vgsxbmvpgtufxdn.exe
4988 | jaougiwr.exe
3620 | szdrjkuljsgsb.exe
1820 | jaougiwr.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification
Processes: iuohfbomsz.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | iuohfbomsz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | iuohfbomsz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | iuohfbomsz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | iuohfbomsz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | iuohfbomsz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | iuohfbomsz.exe
-
Adds Run key to start application 2 TTPs 3 IoCs
Processes: vgsxbmvpgtufxdn.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "szdrjkuljsgsb.exe" | vgsxbmvpgtufxdn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rafsbyht = "iuohfbomsz.exe" | vgsxbmvpgtufxdn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msyxyitd = "vgsxbmvpgtufxdn.exe" | vgsxbmvpgtufxdn.exe
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: jaougiwr.exe, jaougiwr.exe, iuohfbomsz.exe
description | ioc | process
File opened (read-only) | \??\b: | jaougiwr.exe
File opened (read-only) | \??\p: | jaougiwr.exe
File opened (read-only) | \??\j: | jaougiwr.exe
File opened (read-only) | \??\x: | jaougiwr.exe
File opened (read-only) | \??\l: | iuohfbomsz.exe
File opened (read-only) | \??\g: | jaougiwr.exe
File opened (read-only) | \??\i: | jaougiwr.exe
File opened (read-only) | \??\n: | jaougiwr.exe
File opened (read-only) | \??\q: | jaougiwr.exe
File opened (read-only) | \??\w: | jaougiwr.exe
File opened (read-only) | \??\z: | jaougiwr.exe
File opened (read-only) | \??\g: | iuohfbomsz.exe
File opened (read-only) | \??\v: | iuohfbomsz.exe
File opened (read-only) | \??\z: | iuohfbomsz.exe
File opened (read-only) | \??\i: | iuohfbomsz.exe
File opened (read-only) | \??\l: | jaougiwr.exe
File opened (read-only) | \??\s: | jaougiwr.exe
File opened (read-only) | \??\v: | jaougiwr.exe
File opened (read-only) | \??\t: | jaougiwr.exe
File opened (read-only) | \??\x: | jaougiwr.exe
File opened (read-only) | \??\h: | iuohfbomsz.exe
File opened (read-only) | \??\j: | iuohfbomsz.exe
File opened (read-only) | \??\q: | iuohfbomsz.exe
File opened (read-only) | \??\h: | jaougiwr.exe
File opened (read-only) | \??\o: | jaougiwr.exe
File opened (read-only) | \??\h: | jaougiwr.exe
File opened (read-only) | \??\o: | jaougiwr.exe
File opened (read-only) | \??\s: | iuohfbomsz.exe
File opened (read-only) | \??\u: | iuohfbomsz.exe
File opened (read-only) | \??\g: | jaougiwr.exe
File opened (read-only) | \??\t: | jaougiwr.exe
File opened (read-only) | \??\e: | iuohfbomsz.exe
File opened (read-only) | \??\p: | jaougiwr.exe
File opened (read-only) | \??\y: | iuohfbomsz.exe
File opened (read-only) | \??\a: | jaougiwr.exe
File opened (read-only) | \??\a: | jaougiwr.exe
File opened (read-only) | \??\l: | jaougiwr.exe
File opened (read-only) | \??\u: | jaougiwr.exe
File opened (read-only) | \??\p: | iuohfbomsz.exe
File opened (read-only) | \??\s: | jaougiwr.exe
File opened (read-only) | \??\a: | iuohfbomsz.exe
File opened (read-only) | \??\w: | iuohfbomsz.exe
File opened (read-only) | \??\b: | jaougiwr.exe
File opened (read-only) | \??\e: | jaougiwr.exe
File opened (read-only) | \??\z: | jaougiwr.exe
File opened (read-only) | \??\k: | jaougiwr.exe
File opened (read-only) | \??\m: | iuohfbomsz.exe
File opened (read-only) | \??\r: | iuohfbomsz.exe
File opened (read-only) | \??\t: | iuohfbomsz.exe
File opened (read-only) | \??\j: | jaougiwr.exe
File opened (read-only) | \??\m: | jaougiwr.exe
File opened (read-only) | \??\b: | iuohfbomsz.exe
File opened (read-only) | \??\m: | jaougiwr.exe
File opened (read-only) | \??\e: | jaougiwr.exe
File opened (read-only) | \??\n: | jaougiwr.exe
File opened (read-only) | \??\x: | iuohfbomsz.exe
File opened (read-only) | \??\y: | jaougiwr.exe
File opened (read-only) | \??\r: | jaougiwr.exe
File opened (read-only) | \??\k: | iuohfbomsz.exe
File opened (read-only) | \??\k: | jaougiwr.exe
File opened (read-only) | \??\o: | iuohfbomsz.exe
File opened (read-only) | \??\i: | jaougiwr.exe
File opened (read-only) | \??\q: | jaougiwr.exe
File opened (read-only) | \??\v: | jaougiwr.exe
-
Modifies WinLogon 2 TTPs 2 IoCs
Processes: iuohfbomsz.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | iuohfbomsz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | iuohfbomsz.exe
-
AutoIT Executable 10 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource | yara_rule
behavioral2/memory/1480-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
C:\Windows\SysWOW64\vgsxbmvpgtufxdn.exe | autoit_exe
C:\Windows\SysWOW64\iuohfbomsz.exe | autoit_exe
C:\Windows\SysWOW64\jaougiwr.exe | autoit_exe
C:\Windows\SysWOW64\szdrjkuljsgsb.exe | autoit_exe
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | autoit_exe
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | autoit_exe
C:\Users\Admin\AppData\Roaming\DenyReceive.doc.exe | autoit_exe
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | autoit_exe
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | autoit_exe
-
Drops file in System32 directory 13 IoCs
Processes: 060f6dc3ccb4b63a8e37f4934fc4c619_JaffaCakes118.exe, jaougiwr.exe, jaougiwr.exe, iuohfbomsz.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\vgsxbmvpgtufxdn.exe | 060f6dc3ccb4b63a8e37f4934fc4c619_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\jaougiwr.exe | 060f6dc3ccb4b63a8e37f4934fc4c619_JaffaCakes118.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | jaougiwr.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | jaougiwr.exe
File created | C:\Windows\SysWOW64\vgsxbmvpgtufxdn.exe | 060f6dc3ccb4b63a8e37f4934fc4c619_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\szdrjkuljsgsb.exe | 060f6dc3ccb4b63a8e37f4934fc4c619_JaffaCakes118.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | jaougiwr.exe
File created | C:\Windows\SysWOW64\iuohfbomsz.exe | 060f6dc3ccb4b63a8e37f4934fc4c619_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\jaougiwr.exe | 060f6dc3ccb4b63a8e37f4934fc4c619_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\szdrjkuljsgsb.exe | 060f6dc3ccb4b63a8e37f4934fc4c619_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | iuohfbomsz.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | jaougiwr.exe
File opened for modification | C:\Windows\SysWOW64\iuohfbomsz.exe | 060f6dc3ccb4b63a8e37f4934fc4c619_JaffaCakes118.exe
-
Drops file in Program Files directory 15 IoCs
Processes: jaougiwr.exe, jaougiwr.exe
description | ioc | process
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | jaougiwr.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | jaougiwr.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | jaougiwr.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | jaougiwr.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | jaougiwr.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | jaougiwr.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | jaougiwr.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | jaougiwr.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | jaougiwr.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | jaougiwr.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | jaougiwr.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | jaougiwr.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | jaougiwr.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | jaougiwr.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | jaougiwr.exe
-
Drops file in Windows directory 3 IoCs
Processes: WINWORD.EXE, 060f6dc3ccb4b63a8e37f4934fc4c619_JaffaCakes118.exe
description | ioc | process
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | C:\Windows\mydoc.rtf | 060f6dc3ccb4b63a8e37f4934fc4c619_JaffaCakes118.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: WINWORD.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
-
Modifies registry class 20 IoCs
Processes: 060f6dc3ccb4b63a8e37f4934fc4c619_JaffaCakes118.exe, iuohfbomsz.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC1B12B47E1389853C9BAA23392D4C4" | 060f6dc3ccb4b63a8e37f4934fc4c619_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings | 060f6dc3ccb4b63a8e37f4934fc4c619_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 060f6dc3ccb4b63a8e37f4934fc4c619_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | iuohfbomsz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | iuohfbomsz.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | iuohfbomsz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | iuohfbomsz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | iuohfbomsz.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | iuohfbomsz.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | iuohfbomsz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | iuohfbomsz.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | iuohfbomsz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33352D7D9C2683576A4376D270522CAC7CF665AA" | 060f6dc3ccb4b63a8e37f4934fc4c619_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCAFACAFE11F291830B3B35819D3E91B08803F04214033FE2BD429D08A4" | 060f6dc3ccb4b63a8e37f4934fc4c619_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8BFC8D485F82139132D72C7E90BDE1E141584467406246D7ED" | 060f6dc3ccb4b63a8e37f4934fc4c619_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F36BB4FE1D22DBD272D1A78A0E9011" | 060f6dc3ccb4b63a8e37f4934fc4c619_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184DC70B1490DBB3B9CD7C92ECE534CD" | 060f6dc3ccb4b63a8e37f4934fc4c619_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | iuohfbomsz.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | iuohfbomsz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | iuohfbomsz.exe
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes: WINWORD.EXE
pid | process | consecutive entries
4588 | WINWORD.EXE | x2
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 060f6dc3ccb4b63a8e37f4934fc4c619_JaffaCakes118.exe, iuohfbomsz.exe, vgsxbmvpgtufxdn.exe, jaougiwr.exe, szdrjkuljsgsb.exe, jaougiwr.exe
pid | process | consecutive entries
1480 | 060f6dc3ccb4b63a8e37f4934fc4c619_JaffaCakes118.exe | x16
4084 | iuohfbomsz.exe | x10
620 | vgsxbmvpgtufxdn.exe | x8
4988 | jaougiwr.exe | x8
620 | vgsxbmvpgtufxdn.exe | x2
3620 | szdrjkuljsgsb.exe | x12
620 | vgsxbmvpgtufxdn.exe | x2
3620 | szdrjkuljsgsb.exe | x4
1820 | jaougiwr.exe | x2
-
Suspicious use of FindShellTrayWindow 18 IoCs
Processes: 060f6dc3ccb4b63a8e37f4934fc4c619_JaffaCakes118.exe, iuohfbomsz.exe, vgsxbmvpgtufxdn.exe, jaougiwr.exe, szdrjkuljsgsb.exe, jaougiwr.exe
pid | process | consecutive entries
1480 | 060f6dc3ccb4b63a8e37f4934fc4c619_JaffaCakes118.exe | x3
4084 | iuohfbomsz.exe | x3
620 | vgsxbmvpgtufxdn.exe | x1
4988 | jaougiwr.exe | x1
620 | vgsxbmvpgtufxdn.exe | x1
4988 | jaougiwr.exe | x1
620 | vgsxbmvpgtufxdn.exe | x1
3620 | szdrjkuljsgsb.exe | x1
4988 | jaougiwr.exe | x1
3620 | szdrjkuljsgsb.exe | x2
1820 | jaougiwr.exe | x3
-
Suspicious use of SendNotifyMessage 18 IoCs
Processes: 060f6dc3ccb4b63a8e37f4934fc4c619_JaffaCakes118.exe, iuohfbomsz.exe, vgsxbmvpgtufxdn.exe, jaougiwr.exe, szdrjkuljsgsb.exe, jaougiwr.exe
pid | process | consecutive entries
1480 | 060f6dc3ccb4b63a8e37f4934fc4c619_JaffaCakes118.exe | x3
4084 | iuohfbomsz.exe | x3
620 | vgsxbmvpgtufxdn.exe | x1
4988 | jaougiwr.exe | x1
620 | vgsxbmvpgtufxdn.exe | x1
4988 | jaougiwr.exe | x1
620 | vgsxbmvpgtufxdn.exe | x1
3620 | szdrjkuljsgsb.exe | x1
4988 | jaougiwr.exe | x1
3620 | szdrjkuljsgsb.exe | x2
1820 | jaougiwr.exe | x3
-
Suspicious use of SetWindowsHookEx 7 IoCs
Processes: WINWORD.EXE
pid | process | consecutive entries
4588 | WINWORD.EXE | x7
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes: 060f6dc3ccb4b63a8e37f4934fc4c619_JaffaCakes118.exe, iuohfbomsz.exe
description | pid | process | target process | consecutive entries
PID 1480 wrote to memory of 4084 | 1480 | 060f6dc3ccb4b63a8e37f4934fc4c619_JaffaCakes118.exe | iuohfbomsz.exe | x3
PID 1480 wrote to memory of 620 | 1480 | 060f6dc3ccb4b63a8e37f4934fc4c619_JaffaCakes118.exe | vgsxbmvpgtufxdn.exe | x3
PID 1480 wrote to memory of 4988 | 1480 | 060f6dc3ccb4b63a8e37f4934fc4c619_JaffaCakes118.exe | jaougiwr.exe | x3
PID 1480 wrote to memory of 3620 | 1480 | 060f6dc3ccb4b63a8e37f4934fc4c619_JaffaCakes118.exe | szdrjkuljsgsb.exe | x3
PID 4084 wrote to memory of 1820 | 4084 | iuohfbomsz.exe | jaougiwr.exe | x3
PID 1480 wrote to memory of 4588 | 1480 | 060f6dc3ccb4b63a8e37f4934fc4c619_JaffaCakes118.exe | WINWORD.EXE | x2
Processes
-
C:\Users\Admin\AppData\Local\Temp\060f6dc3ccb4b63a8e37f4934fc4c619_JaffaCakes118.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\060f6dc3ccb4b63a8e37f4934fc4c619_JaffaCakes118.exe"
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\iuohfbomsz.exe (depth 2)
Command line: iuohfbomsz.exe
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\jaougiwr.exe (depth 3)
Command line: C:\Windows\system32\jaougiwr.exe
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\vgsxbmvpgtufxdn.exe (depth 2)
Command line: vgsxbmvpgtufxdn.exe
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\jaougiwr.exe (depth 2)
Command line: jaougiwr.exe
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\szdrjkuljsgsb.exe (depth 2)
Command line: szdrjkuljsgsb.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (depth 2)
Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4040 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Modify Registry (6)
  Impair Defenses (2)
    Disable or Modify Tools (2)
Downloads
-
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
Filesize: 512KB
MD5: 1565ead331af309d71f88ba6afe69b88
SHA1: 14252a9353707fdd205298ec615c7ec83d12d245
SHA256: 430ab00f8ba8fde94c2023e07449782a11e038eb1486e5d6446e9463c6613ed7
SHA512: cf6bc65888d5ee375afe909993c2f7a393e587d1f45d3cf0b4ee7c0540659969eca5972aae4ae2e94c27ef91a9b3134d5d988170be6a14cc130b55a1a446d3ca
-
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
Filesize: 512KB
MD5: 4d2a965de891a6f991985a768886e345
SHA1: f8c5975332df0a8c413dd32d2b124631c364e4d3
SHA256: 9027714273ef02687de1b43192fb286b4b32a15c97ea7059df20e07990e13d73
SHA512: 2a7737f935d5eec86133dd5bdaf1b623e3b50c7aafab82e6bca3a87110989351f3e7eee0461f2e33cbce48c61df25bc7211f85a305b1d7e3448760aa6eb43b52
-
C:\Users\Admin\AppData\Roaming\DenyReceive.doc.exe
Filesize: 512KB
MD5: e6d8fda369fb34c9edf5d2262fedb47e
SHA1: b2fde7e1c113d7e2cd03cd824ac06d6a965a7b72
SHA256: 80fbc73a6157741a11f82097420534116b1c773cb6e5f7d114b888996e549d5f
SHA512: 74e9c5dc4b3a459d81a90ee62f276f34e7390122f2eacf4ed976a5d752b189217da88f8a8076f4b86b528a22fd22c6ccc69cf3f5d5bcedb00b30cdc955728800
-
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Filesize: 239B
MD5: 361ba5cdfe246f4303b0a1638e0daf43
SHA1: eced7199b1af3c8e92209a68cb9a925ff3f369a3
SHA256: 507143acb38e64408d03a0dd98e16bd34ca557294c466ae8ec9c7c763eb3a2a5
SHA512: 81b9d124396d138717aea4dc71cec59426a3b65b47eaa0d13523adf030c5e3df9fa670ed48f7634d0301812d4b546dd43bc5bf863b58112570a2ab049bc7ab54
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: 49a98dea2d3aaf6866b7d5130b71c187
SHA1: 3cca8d79d99ba3c645cb05fb55176f5160e5d7b3
SHA256: 74fe01a9373e05cf3eeb449fbdc275405b1afb5c1bec5455daa520749673cef3
SHA512: ac711ef77e8e2d7c66c342f2b83eacd0309586f8a4784fb33ae200a81e5af8dc370810228fe90c962b00d47b2363dce654933156b3b366a2808e404fc49b6d2e
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: facddbe14079e63fe424170e02bd85da
SHA1: 4bdfdb9abcf9fd4d9aad54c8265a0dde57160e9c
SHA256: a4ffd0cfb5fb8d5f7e8427f0c20bb575d08db6d129a2407ddb38327ccd698f37
SHA512: 558e21200c5b4fee49367889dcbb6074541ef0fd1986a68f7efd807d9a3f02847b984fd72aad79565a1267c761262a772bb4f0ef3e3f7b0c919392fc3a5b662a
-
C:\Windows\SysWOW64\iuohfbomsz.exe
Filesize: 512KB
MD5: cc586e5d47fcab6999e2a252bcba928c
SHA1: 3fcafac514340449718d5c3280246124cda6d195
SHA256: fca56aef00d3111e49c658652cd907c7b0842a806dd57be63ce2128708819435
SHA512: 70e35b4d1ef5882842711f5f6dcdc97eba107507998fdbe3d09f9eb4a3c59daf3194f0d01eff9ce94d2cb60c8400434b41b3a565d0d615143f67e0fd6cc2fe41
-
C:\Windows\SysWOW64\jaougiwr.exe
Filesize: 512KB
MD5: a8896b6d3d66373d3caadf9ca2b07813
SHA1: ae6beed798c08ba9bbb918b78dfa8f474da0dd5f
SHA256: 946bffc2d0c73b3c3cf13e2349759a7235522b3f91bb63da6f8c451129b4e5db
SHA512: 8d32c4b547676b65b00d00a3048d1317a1de0b6fb6507e6ad006fcfe545f70f7358fe9abd8efba3727224b64ea5d35b56cbdecfac6f3e80bdef4b79225ea7dde
-
C:\Windows\SysWOW64\szdrjkuljsgsb.exe
Filesize: 512KB
MD5: 7fa6db8093f16c14bf26d1a1225ef7c1
SHA1: bcfb76d55820de0244481ebc49745dd27ce83a6e
SHA256: 36c76b30518c6a43ec98e31289bbb946c5d7facb1ed25aee34e6ad2c204d575a
SHA512: b6b3f7c0e18cf68f5b6128c90f2154a1015c24264bd63fbf20067c2fe4346d42c88a6f171bfbf0f6c32643be6ce792b7f2f3f8943b3cee7a93070a6910e12325
-
C:\Windows\SysWOW64\vgsxbmvpgtufxdn.exe
Filesize: 512KB
MD5: 8c0453d1025ae05a19a14b6bca2e58c9
SHA1: 650757aa6e7fc2bc2562f64f7cbeccea9f917dc0
SHA256: 60a33f7c1a06215a45a5fce80325bb967670acb8fd58694a012611bdfb808474
SHA512: 7876bc471c80d8f7fbb76b39d71b7ccf3fe9a9ccd1b5e0ec3a3de0104eeee517f766867d5a2eb8194b786904a3aa3e55c227e2ae6767943fa101e32dc620ee8e
-
C:\Windows\mydoc.rtf
Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
Filesize: 512KB
MD5: c6d054a19f0869ca0f74ffd649586103
SHA1: 8ab55efb5d8c15c54e414bf1bd3f633422005fa3
SHA256: 3c1670283a61b3fca22a7543a2d0fbb969821bf3098aa8cd9b20f9417b926887
SHA512: c3575d45fcf56ee43906f63cc50f2aab832cba10224658a2fc94387162abe90ad111702512bdb13fabf6f4c5cc12ea2d0cdb93ad418f08195508675507f7d5be
-
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
Filesize: 512KB
MD5: d075d2ec5860efc5129e701b5f5ee92d
SHA1: 2f50443d4ba1292a5ce9fd89483ac8a0274c085b
SHA256: 0aa6d2c77a2b404c8640179d136f438cf2853e06e27f08551f1cccf5e85fe78b
SHA512: 9e9928fa7d4da724ad1972e43a76b5e6459ae5c70177eb51565d6a6605dcbb98be9863d6b084afd57473ea30a9df9183c5028a5377895dc21b65b8eeb4b1587b
-
memory/1480-0-0x0000000000400000-0x0000000000496000-memory.dmp
Filesize: 600KB
-
memory/4588-41-0x00007FF9667B0000-0x00007FF9667C0000-memory.dmp
Filesize: 64KB
-
memory/4588-40-0x00007FF9667B0000-0x00007FF9667C0000-memory.dmp
Filesize: 64KB
-
memory/4588-38-0x00007FF9667B0000-0x00007FF9667C0000-memory.dmp
Filesize: 64KB
-
memory/4588-39-0x00007FF9667B0000-0x00007FF9667C0000-memory.dmp
Filesize: 64KB
-
memory/4588-37-0x00007FF9667B0000-0x00007FF9667C0000-memory.dmp
Filesize: 64KB
-
memory/4588-43-0x00007FF964470000-0x00007FF964480000-memory.dmp
Filesize: 64KB
-
memory/4588-42-0x00007FF964470000-0x00007FF964480000-memory.dmp
Filesize: 64KB
-
memory/4588-120-0x00007FF9667B0000-0x00007FF9667C0000-memory.dmp
Filesize: 64KB
-
memory/4588-122-0x00007FF9667B0000-0x00007FF9667C0000-memory.dmp
Filesize: 64KB
-
memory/4588-123-0x00007FF9667B0000-0x00007FF9667C0000-memory.dmp
Filesize: 64KB
-
memory/4588-121-0x00007FF9667B0000-0x00007FF9667C0000-memory.dmp
Filesize: 64KB