Analysis
max time kernel
149s
max time network
108s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags
arch:x64 arch:x86 image:win10v2004-20240419-en locale:en-us os:windows10-2004-x64 system
submitted
01-05-2024 15:33
Static task
static1
Behavioral task
behavioral1
Sample
0c2ad584d31fe206c899182dda81e46c_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
0c2ad584d31fe206c899182dda81e46c_JaffaCakes118.exe
Resource
win10v2004-20240419-en
General
Target
0c2ad584d31fe206c899182dda81e46c_JaffaCakes118.exe
Size
512KB
MD5
0c2ad584d31fe206c899182dda81e46c
SHA1
af69f9ca058a751f340f1927c7fe3095bfc90363
SHA256
33a0bb3fa801f4c63f4c4cc849e2efd6561518dfcc50ee5feaa8cd3ef3418a8e
SHA512
005735b3cd1861c0c773f7c13c222e2b4f86fd81b3cafd20530bbf0075a4b80646ced3edc4cd0220f4cf66d2cc7e88df458d974655abd688f26f5a55d7dba299
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6P:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm58
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" dnjpeyojmm.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" dnjpeyojmm.exe
Windows security bypass 5 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" dnjpeyojmm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" dnjpeyojmm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" dnjpeyojmm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" dnjpeyojmm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" dnjpeyojmm.exe
Disables RegEdit via registry modification 1 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" dnjpeyojmm.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation 0c2ad584d31fe206c899182dda81e46c_JaffaCakes118.exe
Executes dropped EXE 5 IoCs
pid Process
1048 dnjpeyojmm.exe
4440 ldtoydbkjjfhjwh.exe
2904 wdameyzz.exe
3256 ulcyhchapatsp.exe
2044 wdameyzz.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 6 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" dnjpeyojmm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" dnjpeyojmm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" dnjpeyojmm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" dnjpeyojmm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" dnjpeyojmm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" dnjpeyojmm.exe
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kxdxgljc = "dnjpeyojmm.exe" ldtoydbkjjfhjwh.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\zukfpvhd = "ldtoydbkjjfhjwh.exe" ldtoydbkjjfhjwh.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "ulcyhchapatsp.exe" ldtoydbkjjfhjwh.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
File opened (read-only) \??\x: dnjpeyojmm.exe
File opened (read-only) \??\b: wdameyzz.exe
File opened (read-only) \??\l: wdameyzz.exe
File opened (read-only) \??\n: dnjpeyojmm.exe
File opened (read-only) \??\u: wdameyzz.exe
File opened (read-only) \??\z: wdameyzz.exe
File opened (read-only) \??\p: dnjpeyojmm.exe
File opened (read-only) \??\n: wdameyzz.exe
File opened (read-only) \??\q: wdameyzz.exe
File opened (read-only) \??\r: wdameyzz.exe
File opened (read-only) \??\x: wdameyzz.exe
File opened (read-only) \??\g: dnjpeyojmm.exe
File opened (read-only) \??\g: wdameyzz.exe
File opened (read-only) \??\t: wdameyzz.exe
File opened (read-only) \??\m: wdameyzz.exe
File opened (read-only) \??\n: wdameyzz.exe
File opened (read-only) \??\t: dnjpeyojmm.exe
File opened (read-only) \??\v: dnjpeyojmm.exe
File opened (read-only) \??\y: dnjpeyojmm.exe
File opened (read-only) \??\x: wdameyzz.exe
File opened (read-only) \??\a: wdameyzz.exe
File opened (read-only) \??\v: wdameyzz.exe
File opened (read-only) \??\y: wdameyzz.exe
File opened (read-only) \??\k: dnjpeyojmm.exe
File opened (read-only) \??\b: wdameyzz.exe
File opened (read-only) \??\j: wdameyzz.exe
File opened (read-only) \??\k: wdameyzz.exe
File opened (read-only) \??\y: wdameyzz.exe
File opened (read-only) \??\u: dnjpeyojmm.exe
File opened (read-only) \??\q: wdameyzz.exe
File opened (read-only) \??\t: wdameyzz.exe
File opened (read-only) \??\h: wdameyzz.exe
File opened (read-only) \??\b: dnjpeyojmm.exe
File opened (read-only) \??\l: dnjpeyojmm.exe
File opened (read-only) \??\o: dnjpeyojmm.exe
File opened (read-only) \??\q: dnjpeyojmm.exe
File opened (read-only) \??\r: wdameyzz.exe
File opened (read-only) \??\e: dnjpeyojmm.exe
File opened (read-only) \??\l: wdameyzz.exe
File opened (read-only) \??\e: wdameyzz.exe
File opened (read-only) \??\p: wdameyzz.exe
File opened (read-only) \??\p: wdameyzz.exe
File opened (read-only) \??\s: wdameyzz.exe
File opened (read-only) \??\j: wdameyzz.exe
File opened (read-only) \??\w: wdameyzz.exe
File opened (read-only) \??\s: dnjpeyojmm.exe
File opened (read-only) \??\e: wdameyzz.exe
File opened (read-only) \??\v: wdameyzz.exe
File opened (read-only) \??\s: wdameyzz.exe
File opened (read-only) \??\i: wdameyzz.exe
File opened (read-only) \??\k: wdameyzz.exe
File opened (read-only) \??\i: dnjpeyojmm.exe
File opened (read-only) \??\m: dnjpeyojmm.exe
File opened (read-only) \??\r: dnjpeyojmm.exe
File opened (read-only) \??\g: wdameyzz.exe
File opened (read-only) \??\m: wdameyzz.exe
File opened (read-only) \??\h: dnjpeyojmm.exe
File opened (read-only) \??\a: wdameyzz.exe
File opened (read-only) \??\h: wdameyzz.exe
File opened (read-only) \??\w: wdameyzz.exe
File opened (read-only) \??\o: wdameyzz.exe
File opened (read-only) \??\a: dnjpeyojmm.exe
File opened (read-only) \??\j: dnjpeyojmm.exe
File opened (read-only) \??\w: dnjpeyojmm.exe
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" dnjpeyojmm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" dnjpeyojmm.exe
AutoIT Executable 10 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule
behavioral2/memory/1388-0-0x0000000000400000-0x0000000000496000-memory.dmp autoit_exe
behavioral2/files/0x000a000000023b91-5.dat autoit_exe
behavioral2/files/0x000e000000023b85-18.dat autoit_exe
behavioral2/files/0x000a000000023b92-26.dat autoit_exe
behavioral2/files/0x000a000000023b93-30.dat autoit_exe
behavioral2/files/0x000a000000023b9f-63.dat autoit_exe
behavioral2/files/0x0003000000023551-68.dat autoit_exe
behavioral2/files/0x00020000000229ac-90.dat autoit_exe
behavioral2/files/0x00020000000229ac-92.dat autoit_exe
behavioral2/files/0x00020000000229ac-94.dat autoit_exe
Drops file in System32 directory 12 IoCs
description ioc Process
File opened for modification C:\Windows\SysWOW64\ldtoydbkjjfhjwh.exe 0c2ad584d31fe206c899182dda81e46c_JaffaCakes118.exe
File created C:\Windows\SysWOW64\wdameyzz.exe 0c2ad584d31fe206c899182dda81e46c_JaffaCakes118.exe
File opened for modification C:\Windows\SysWOW64\wdameyzz.exe 0c2ad584d31fe206c899182dda81e46c_JaffaCakes118.exe
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe wdameyzz.exe
File created C:\Windows\SysWOW64\dnjpeyojmm.exe 0c2ad584d31fe206c899182dda81e46c_JaffaCakes118.exe
File created C:\Windows\SysWOW64\ldtoydbkjjfhjwh.exe 0c2ad584d31fe206c899182dda81e46c_JaffaCakes118.exe
File created C:\Windows\SysWOW64\ulcyhchapatsp.exe 0c2ad584d31fe206c899182dda81e46c_JaffaCakes118.exe
File opened for modification C:\Windows\SysWOW64\ulcyhchapatsp.exe 0c2ad584d31fe206c899182dda81e46c_JaffaCakes118.exe
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll dnjpeyojmm.exe
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe wdameyzz.exe
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe wdameyzz.exe
File opened for modification C:\Windows\SysWOW64\dnjpeyojmm.exe 0c2ad584d31fe206c899182dda81e46c_JaffaCakes118.exe
Drops file in Program Files directory 14 IoCs
description ioc Process
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe wdameyzz.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe wdameyzz.exe
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe wdameyzz.exe
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe wdameyzz.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe wdameyzz.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal wdameyzz.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal wdameyzz.exe
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe wdameyzz.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe wdameyzz.exe
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe wdameyzz.exe
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe wdameyzz.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal wdameyzz.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal wdameyzz.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe wdameyzz.exe
Drops file in Windows directory 19 IoCs
description ioc Process
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe wdameyzz.exe
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe wdameyzz.exe
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe wdameyzz.exe
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe wdameyzz.exe
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe wdameyzz.exe
File created C:\Windows\~$mydoc.rtf WINWORD.EXE
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe wdameyzz.exe
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe wdameyzz.exe
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe wdameyzz.exe
File opened for modification C:\Windows\mydoc.rtf 0c2ad584d31fe206c899182dda81e46c_JaffaCakes118.exe
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe wdameyzz.exe
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe wdameyzz.exe
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe wdameyzz.exe
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe wdameyzz.exe
File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe wdameyzz.exe
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe wdameyzz.exe
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe wdameyzz.exe
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe wdameyzz.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE
Modifies registry class 20 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat dnjpeyojmm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" dnjpeyojmm.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc dnjpeyojmm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" dnjpeyojmm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" dnjpeyojmm.exe
Key created \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000_Classes\Local Settings 0c2ad584d31fe206c899182dda81e46c_JaffaCakes118.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB5B12E47EF39EF53CBB9A2339FD4CC" 0c2ad584d31fe206c899182dda81e46c_JaffaCakes118.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FF4FF8B485A82189130D75D7D9DBD97E632594666436246D6EB" 0c2ad584d31fe206c899182dda81e46c_JaffaCakes118.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E78368C4FE1B22D0D20ED0A28A089110" 0c2ad584d31fe206c899182dda81e46c_JaffaCakes118.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg dnjpeyojmm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" dnjpeyojmm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AB9FAB0FE10F19684793B45869939E1B0FC02FE43150348E1C445E708A2" 0c2ad584d31fe206c899182dda81e46c_JaffaCakes118.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33472C769C2382246A4277A070522CAD7D8364AF" 0c2ad584d31fe206c899182dda81e46c_JaffaCakes118.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh dnjpeyojmm.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf dnjpeyojmm.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs dnjpeyojmm.exe
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes 0c2ad584d31fe206c899182dda81e46c_JaffaCakes118.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" dnjpeyojmm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" dnjpeyojmm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "194AC7741596DAC4B9BB7FE2ED9634CD" 0c2ad584d31fe206c899182dda81e46c_JaffaCakes118.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process
2684 WINWORD.EXE
2684 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
1388 0c2ad584d31fe206c899182dda81e46c_JaffaCakes118.exe
1388 0c2ad584d31fe206c899182dda81e46c_JaffaCakes118.exe
1388 0c2ad584d31fe206c899182dda81e46c_JaffaCakes118.exe
1388 0c2ad584d31fe206c899182dda81e46c_JaffaCakes118.exe
1388 0c2ad584d31fe206c899182dda81e46c_JaffaCakes118.exe
1388 0c2ad584d31fe206c899182dda81e46c_JaffaCakes118.exe
1388 0c2ad584d31fe206c899182dda81e46c_JaffaCakes118.exe
1388 0c2ad584d31fe206c899182dda81e46c_JaffaCakes118.exe
1388 0c2ad584d31fe206c899182dda81e46c_JaffaCakes118.exe
1388 0c2ad584d31fe206c899182dda81e46c_JaffaCakes118.exe
1388 0c2ad584d31fe206c899182dda81e46c_JaffaCakes118.exe
1388 0c2ad584d31fe206c899182dda81e46c_JaffaCakes118.exe
1388 0c2ad584d31fe206c899182dda81e46c_JaffaCakes118.exe
1388 0c2ad584d31fe206c899182dda81e46c_JaffaCakes118.exe
1388 0c2ad584d31fe206c899182dda81e46c_JaffaCakes118.exe
1388 0c2ad584d31fe206c899182dda81e46c_JaffaCakes118.exe
1048 dnjpeyojmm.exe
1048 dnjpeyojmm.exe
1048 dnjpeyojmm.exe
1048 dnjpeyojmm.exe
1048 dnjpeyojmm.exe
1048 dnjpeyojmm.exe
1048 dnjpeyojmm.exe
1048 dnjpeyojmm.exe
1048 dnjpeyojmm.exe
1048 dnjpeyojmm.exe
4440 ldtoydbkjjfhjwh.exe
4440 ldtoydbkjjfhjwh.exe
4440 ldtoydbkjjfhjwh.exe
4440 ldtoydbkjjfhjwh.exe
4440 ldtoydbkjjfhjwh.exe
4440 ldtoydbkjjfhjwh.exe
4440 ldtoydbkjjfhjwh.exe
4440 ldtoydbkjjfhjwh.exe
4440 ldtoydbkjjfhjwh.exe
4440 ldtoydbkjjfhjwh.exe
2904 wdameyzz.exe
2904 wdameyzz.exe
2904 wdameyzz.exe
2904 wdameyzz.exe
2904 wdameyzz.exe
2904 wdameyzz.exe
2904 wdameyzz.exe
2904 wdameyzz.exe
3256 ulcyhchapatsp.exe
3256 ulcyhchapatsp.exe
3256 ulcyhchapatsp.exe
3256 ulcyhchapatsp.exe
3256 ulcyhchapatsp.exe
3256 ulcyhchapatsp.exe
3256 ulcyhchapatsp.exe
3256 ulcyhchapatsp.exe
3256 ulcyhchapatsp.exe
3256 ulcyhchapatsp.exe
3256 ulcyhchapatsp.exe
3256 ulcyhchapatsp.exe
2044 wdameyzz.exe
2044 wdameyzz.exe
2044 wdameyzz.exe
2044 wdameyzz.exe
2044 wdameyzz.exe
2044 wdameyzz.exe
2044 wdameyzz.exe
2044 wdameyzz.exe
Suspicious use of FindShellTrayWindow 18 IoCs
pid Process
1388 0c2ad584d31fe206c899182dda81e46c_JaffaCakes118.exe
1388 0c2ad584d31fe206c899182dda81e46c_JaffaCakes118.exe
1388 0c2ad584d31fe206c899182dda81e46c_JaffaCakes118.exe
4440 ldtoydbkjjfhjwh.exe
4440 ldtoydbkjjfhjwh.exe
4440 ldtoydbkjjfhjwh.exe
1048 dnjpeyojmm.exe
1048 dnjpeyojmm.exe
1048 dnjpeyojmm.exe
2904 wdameyzz.exe
2904 wdameyzz.exe
2904 wdameyzz.exe
3256 ulcyhchapatsp.exe
3256 ulcyhchapatsp.exe
3256 ulcyhchapatsp.exe
2044 wdameyzz.exe
2044 wdameyzz.exe
2044 wdameyzz.exe
Suspicious use of SendNotifyMessage 18 IoCs
pid Process
1388 0c2ad584d31fe206c899182dda81e46c_JaffaCakes118.exe
1388 0c2ad584d31fe206c899182dda81e46c_JaffaCakes118.exe
1388 0c2ad584d31fe206c899182dda81e46c_JaffaCakes118.exe
4440 ldtoydbkjjfhjwh.exe
4440 ldtoydbkjjfhjwh.exe
4440 ldtoydbkjjfhjwh.exe
1048 dnjpeyojmm.exe
1048 dnjpeyojmm.exe
1048 dnjpeyojmm.exe
2904 wdameyzz.exe
2904 wdameyzz.exe
2904 wdameyzz.exe
3256 ulcyhchapatsp.exe
3256 ulcyhchapatsp.exe
3256 ulcyhchapatsp.exe
2044 wdameyzz.exe
2044 wdameyzz.exe
2044 wdameyzz.exe
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process
2684 WINWORD.EXE
2684 WINWORD.EXE
2684 WINWORD.EXE
2684 WINWORD.EXE
2684 WINWORD.EXE
2684 WINWORD.EXE
2684 WINWORD.EXE
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target
PID 1388 wrote to memory of 1048 1388 0c2ad584d31fe206c899182dda81e46c_JaffaCakes118.exe 85
PID 1388 wrote to memory of 1048 1388 0c2ad584d31fe206c899182dda81e46c_JaffaCakes118.exe 85
PID 1388 wrote to memory of 1048 1388 0c2ad584d31fe206c899182dda81e46c_JaffaCakes118.exe 85
PID 1388 wrote to memory of 4440 1388 0c2ad584d31fe206c899182dda81e46c_JaffaCakes118.exe 86
PID 1388 wrote to memory of 4440 1388 0c2ad584d31fe206c899182dda81e46c_JaffaCakes118.exe 86
PID 1388 wrote to memory of 4440 1388 0c2ad584d31fe206c899182dda81e46c_JaffaCakes118.exe 86
PID 1388 wrote to memory of 2904 1388 0c2ad584d31fe206c899182dda81e46c_JaffaCakes118.exe 87
PID 1388 wrote to memory of 2904 1388 0c2ad584d31fe206c899182dda81e46c_JaffaCakes118.exe 87
PID 1388 wrote to memory of 2904 1388 0c2ad584d31fe206c899182dda81e46c_JaffaCakes118.exe 87
PID 1388 wrote to memory of 3256 1388 0c2ad584d31fe206c899182dda81e46c_JaffaCakes118.exe 88
PID 1388 wrote to memory of 3256 1388 0c2ad584d31fe206c899182dda81e46c_JaffaCakes118.exe 88
PID 1388 wrote to memory of 3256 1388 0c2ad584d31fe206c899182dda81e46c_JaffaCakes118.exe 88
PID 1388 wrote to memory of 2684 1388 0c2ad584d31fe206c899182dda81e46c_JaffaCakes118.exe 89
PID 1388 wrote to memory of 2684 1388 0c2ad584d31fe206c899182dda81e46c_JaffaCakes118.exe 89
PID 1048 wrote to memory of 2044 1048 dnjpeyojmm.exe 92
PID 1048 wrote to memory of 2044 1048 dnjpeyojmm.exe 92
PID 1048 wrote to memory of 2044 1048 dnjpeyojmm.exe 92
Processes
C:\Users\Admin\AppData\Local\Temp\0c2ad584d31fe206c899182dda81e46c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0c2ad584d31fe206c899182dda81e46c_JaffaCakes118.exe"
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1388
  C:\Windows\SysWOW64\dnjpeyojmm.exe
  dnjpeyojmm.exe
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1048
    C:\Windows\SysWOW64\wdameyzz.exe
    C:\Windows\system32\wdameyzz.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2044
  C:\Windows\SysWOW64\ldtoydbkjjfhjwh.exe
  ldtoydbkjjfhjwh.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4440
  C:\Windows\SysWOW64\wdameyzz.exe
  wdameyzz.exe
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2904
  C:\Windows\SysWOW64\ulcyhchapatsp.exe
  ulcyhchapatsp.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3256
  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
  - Drops file in Windows directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:2684
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
- Hidden Files and Directories (2)
- Impair Defenses (2)
- Disable or Modify Tools (2)
- Modify Registry (6)
Downloads
Filesize
512KB
MD5
2d91cfe64c21a52f96c70b84bc1c03c9
SHA1
a101c3b0b01995410534b16e44de598a8ba71626
SHA256
134196711a1d91b243411d50fb39a73d15030a2ff3cd1725068ed794452346a6
SHA512
4aad86ec6c11b8665ba171cc723ba3043fb0fe9a3c7fcbc3410ce2d848c1743fcd5a355cd42a55f8562a1e3febba90cc8ccacee3a3b7d61089acd7ac760cc300

Filesize
239B
MD5
12b138a5a40ffb88d1850866bf2959cd
SHA1
57001ba2de61329118440de3e9f8a81074cb28a2
SHA256
9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA512
9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize
3KB
MD5
ef3484d293ca109c2a9b892a3107417a
SHA1
36366ae44ab71141beb04bb39ca45cd1feff4fb4
SHA256
75ab5e277c051878320856d03c1867d213e2464dd12b5b273c26dc513b783261
SHA512
910e391410b0e287c30bfd1fab5533dd4d3267c7b5ae326431d2b6e967a884cbc3cf6963fca41abb495b36449076b92bcbe92c21365802b907fe36017ded0c7c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize
3KB
MD5
5bf9b28420faa9f04c1522f337eab1bf
SHA1
000f1c15e1cc88c8a32a7928611e7a9a45f4353e
SHA256
c7608c8bd1d3a09862820e3e2bdb3f6284940e88bfc66e8653614343f41c5218
SHA512
440f749a037942220754074fb9566aacd407526191029418a92a762e1ce6906ce7a11bccaea3f9f0feb00fe1466eca673f62ff645745be17961d5acc00f48ffc

Filesize
512KB
MD5
1f7c5d7d8fd2de044d5a62f403abf0bc
SHA1
608e0cf1b61e9a72faf02ea0050401247e39bc5d
SHA256
68c89877a0ed4e357a39448f2fe1a5b82215eb26c6ec991097f640ce9fe22dcb
SHA512
440e9c963f6cad21299374076c701179167d1e9f5a1a81bad92dd2b1ba0b2a111e168157ff7cfd2682a268d0cb5c2d017ea0f9142989c2f356690c212f1a003b

Filesize
512KB
MD5
fc5a684619e40203ece4337d5c4d7115
SHA1
3620fc1dbf1b74bacc3a21a1875d8d57a8630a6c
SHA256
3c67f007098b0ca63849859f118d479cd09bdf101bed3eae418431e7c4b244c0
SHA512
d247a4c5cec0dc75a6fc0b9f06e4cccbda2c1805deb8058ff75d595755cf6a2ddb65ffb5c6ca4c2a1dba08e97ab857cb3cf17736bc59226eda37fcac333c82ea

Filesize
512KB
MD5
b89212412a19f468c0f73a3763de37a5
SHA1
e3b326027c28fcc4d2514562af2d2e915159c469
SHA256
dabb3a6d0d8ec6036eb86415ce34838f8924589fd1e57232d8083e95d19d8f1c
SHA512
5e33a8525c3cf63dcf9e82a2e75af23c7b7ea49366f9d9151e0321ec9ac61b1b0c673c4770b9dbf162a05d5034ea2ea654e48e22ee3a03724839c3d0795dbd55

Filesize
512KB
MD5
c9125fe85443e2552a22156611be3027
SHA1
7b4c2649342ed01b3a48cdc4470e80af0c12f6cf
SHA256
bc815843e90d92fb73f587bf6745570d0cba87b7230318f95965c008926f8238
SHA512
5f942f1bbe144d5f8113d5eb8e2a252369e0a6f525cb4f51acab289dc5d306525563e2c0c03c231cdf7dce9224b46bd2d18009004af08751471b7a92a948ff5d

Filesize
512KB
MD5
f95eb0ad10c4a675b3fc45bb1ba584ea
SHA1
129a313e6eb8bc4fe9c7e27aa184f6aa2e521341
SHA256
03abcadbaddf86acba6c6e0351536841833f0b50774394716ba8621dc5686e5f
SHA512
94ba906d45fa54b351a5dcb5918bffa24f43778110597f45c16b820bdb1d459e406f0e6f6ba3d58e46b0c8ece93131a253d47cf95d42da1c11339fbfb8641914

Filesize
223B
MD5
06604e5941c126e2e7be02c5cd9f62ec
SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Filesize
512KB
MD5
af4708ef799debd0e11d0b04df928b78
SHA1
1cb0de364a8cf98c01e1da2fdabc0b95ed7e5aa5
SHA256
39fcb6398fdcd5aca428b997261f634b6dbdcef713cb702b6131b78083a3b5ad
SHA512
da4afd5e3b86c108d7b815c82302c1766789dee862b01e403b8a06ee685f2131c11bf1dda69357ddcd022a17a4eb6d77e98d8800f7610f38971bcd10e5d77e9d

Filesize
512KB
MD5
1218170addf203aa0ed1799332ca5ed6
SHA1
01174d31919734c2074176be6e47b5240e902ee6
SHA256
8074ecfd2358fbeaf8616500525c62afbd0dd78d97feb6efc642866b60f36723
SHA512
dfafa4f68a1a67d536e61986d32b3c20e0c2bdaf753c5a6f6e2e823442c4de60d31e3320bd94176377c2b2335f0b7b317b1cdf8ea0b703cd36f303f04a6cfb03

Filesize
512KB
MD5
35d79c451b194072333bb142d0e23905
SHA1
d5672dec2baa1d5166a5e76b29e68e2f6505fbd7
SHA256
b641ce814e3789e5f0d2173c59b91b2bfa6eee856d94f6efc2054f5d0e841dd6
SHA512
823f573ea39bc80c6bce219f87c534c7fefdfc72abc391377fc91cf3acd54af82c2f7b6a7e8642ae50fd277f3aadd259dafebabf0862cd0da26d615e0606686e