Analysis
max time kernel: 150s
max time network: 128s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/05/2024, 03:48

Static task: static1
Behavioral task: behavioral1
  Sample: 15d837f4b7d8bf1a58ddff1ff7a130f5_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 15d837f4b7d8bf1a58ddff1ff7a130f5_JaffaCakes118.exe
  Resource: win10v2004-20240419-en

General
Target: 15d837f4b7d8bf1a58ddff1ff7a130f5_JaffaCakes118.exe
Size: 512KB
MD5: 15d837f4b7d8bf1a58ddff1ff7a130f5
SHA1: 2ace67d4ab276d5317952e8017c653ba52dba8da
SHA256: e22ec1bc29c50b22cad563e04de6c31b3e89e0db50b4226f90de5aee83e00041
SHA512: 88c63cec5be5171e7bf68919685adb61f9b1ba0ebede99307ce9d0fe0f6d549d1d99ed7a81c0d246e03b8809cc23d7d0d7d4cde076e96c683064b98055563188
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6+:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5j
Malware Config
Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | nwatittbow.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | nwatittbow.exe
Windows security bypass 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | nwatittbow.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | nwatittbow.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | nwatittbow.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | nwatittbow.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | nwatittbow.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | nwatittbow.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation | 15d837f4b7d8bf1a58ddff1ff7a130f5_JaffaCakes118.exe
Executes dropped EXE 5 IoCs
pid | Process
4496 | nwatittbow.exe
2764 | bvhfwgihsueyvfj.exe
1856 | wmmoycoc.exe
2980 | yxblkstedfwek.exe
4892 | wmmoycoc.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | nwatittbow.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | nwatittbow.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | nwatittbow.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | nwatittbow.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | nwatittbow.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | nwatittbow.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wvyzjtqh = "nwatittbow.exe" | bvhfwgihsueyvfj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\hcwantzb = "bvhfwgihsueyvfj.exe" | bvhfwgihsueyvfj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "yxblkstedfwek.exe" | bvhfwgihsueyvfj.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\h: | wmmoycoc.exe
File opened (read-only) | \??\z: | wmmoycoc.exe
File opened (read-only) | \??\a: | wmmoycoc.exe
File opened (read-only) | \??\v: | wmmoycoc.exe
File opened (read-only) | \??\y: | wmmoycoc.exe
File opened (read-only) | \??\k: | nwatittbow.exe
File opened (read-only) | \??\x: | nwatittbow.exe
File opened (read-only) | \??\y: | nwatittbow.exe
File opened (read-only) | \??\n: | wmmoycoc.exe
File opened (read-only) | \??\e: | wmmoycoc.exe
File opened (read-only) | \??\q: | wmmoycoc.exe
File opened (read-only) | \??\w: | wmmoycoc.exe
File opened (read-only) | \??\h: | nwatittbow.exe
File opened (read-only) | \??\q: | nwatittbow.exe
File opened (read-only) | \??\k: | wmmoycoc.exe
File opened (read-only) | \??\m: | wmmoycoc.exe
File opened (read-only) | \??\j: | wmmoycoc.exe
File opened (read-only) | \??\r: | wmmoycoc.exe
File opened (read-only) | \??\l: | nwatittbow.exe
File opened (read-only) | \??\r: | nwatittbow.exe
File opened (read-only) | \??\t: | nwatittbow.exe
File opened (read-only) | \??\z: | nwatittbow.exe
File opened (read-only) | \??\l: | wmmoycoc.exe
File opened (read-only) | \??\o: | wmmoycoc.exe
File opened (read-only) | \??\g: | wmmoycoc.exe
File opened (read-only) | \??\n: | wmmoycoc.exe
File opened (read-only) | \??\w: | nwatittbow.exe
File opened (read-only) | \??\p: | wmmoycoc.exe
File opened (read-only) | \??\w: | wmmoycoc.exe
File opened (read-only) | \??\x: | wmmoycoc.exe
File opened (read-only) | \??\u: | wmmoycoc.exe
File opened (read-only) | \??\b: | nwatittbow.exe
File opened (read-only) | \??\p: | nwatittbow.exe
File opened (read-only) | \??\g: | wmmoycoc.exe
File opened (read-only) | \??\s: | wmmoycoc.exe
File opened (read-only) | \??\x: | wmmoycoc.exe
File opened (read-only) | \??\l: | wmmoycoc.exe
File opened (read-only) | \??\v: | nwatittbow.exe
File opened (read-only) | \??\b: | wmmoycoc.exe
File opened (read-only) | \??\k: | wmmoycoc.exe
File opened (read-only) | \??\g: | nwatittbow.exe
File opened (read-only) | \??\j: | nwatittbow.exe
File opened (read-only) | \??\b: | wmmoycoc.exe
File opened (read-only) | \??\r: | wmmoycoc.exe
File opened (read-only) | \??\h: | wmmoycoc.exe
File opened (read-only) | \??\a: | nwatittbow.exe
File opened (read-only) | \??\m: | nwatittbow.exe
File opened (read-only) | \??\i: | wmmoycoc.exe
File opened (read-only) | \??\j: | wmmoycoc.exe
File opened (read-only) | \??\t: | wmmoycoc.exe
File opened (read-only) | \??\i: | wmmoycoc.exe
File opened (read-only) | \??\v: | wmmoycoc.exe
File opened (read-only) | \??\p: | wmmoycoc.exe
File opened (read-only) | \??\o: | nwatittbow.exe
File opened (read-only) | \??\o: | wmmoycoc.exe
File opened (read-only) | \??\e: | nwatittbow.exe
File opened (read-only) | \??\i: | nwatittbow.exe
File opened (read-only) | \??\a: | wmmoycoc.exe
File opened (read-only) | \??\m: | wmmoycoc.exe
File opened (read-only) | \??\z: | wmmoycoc.exe
File opened (read-only) | \??\t: | wmmoycoc.exe
File opened (read-only) | \??\e: | wmmoycoc.exe
File opened (read-only) | \??\u: | wmmoycoc.exe
File opened (read-only) | \??\y: | wmmoycoc.exe
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | nwatittbow.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | nwatittbow.exe
AutoIT Executable 10 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/5108-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x000c000000023b48-18.dat | autoit_exe
behavioral2/files/0x000e000000023b99-23.dat | autoit_exe
behavioral2/files/0x000a000000023ba6-29.dat | autoit_exe
behavioral2/files/0x000a000000023ba7-32.dat | autoit_exe
behavioral2/files/0x000b000000023b8f-67.dat | autoit_exe
behavioral2/files/0x0031000000023bb5-70.dat | autoit_exe
behavioral2/files/0x0003000000023553-76.dat | autoit_exe
behavioral2/files/0x000e000000023bdf-324.dat | autoit_exe
behavioral2/files/0x000e000000023bdf-565.dat | autoit_exe
Drops file in System32 directory 13 IoCs
description | ioc | Process
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | wmmoycoc.exe
File created | C:\Windows\SysWOW64\yxblkstedfwek.exe | 15d837f4b7d8bf1a58ddff1ff7a130f5_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | nwatittbow.exe
File created | C:\Windows\SysWOW64\bvhfwgihsueyvfj.exe | 15d837f4b7d8bf1a58ddff1ff7a130f5_JaffaCakes118.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | wmmoycoc.exe
File opened for modification | C:\Windows\SysWOW64\wmmoycoc.exe | 15d837f4b7d8bf1a58ddff1ff7a130f5_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\nwatittbow.exe | 15d837f4b7d8bf1a58ddff1ff7a130f5_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\wmmoycoc.exe | 15d837f4b7d8bf1a58ddff1ff7a130f5_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\yxblkstedfwek.exe | 15d837f4b7d8bf1a58ddff1ff7a130f5_JaffaCakes118.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | wmmoycoc.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | wmmoycoc.exe
File opened for modification | C:\Windows\SysWOW64\nwatittbow.exe | 15d837f4b7d8bf1a58ddff1ff7a130f5_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\bvhfwgihsueyvfj.exe | 15d837f4b7d8bf1a58ddff1ff7a130f5_JaffaCakes118.exe
Drops file in Program Files directory 14 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | wmmoycoc.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | wmmoycoc.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | wmmoycoc.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | wmmoycoc.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | wmmoycoc.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | wmmoycoc.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | wmmoycoc.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | wmmoycoc.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | wmmoycoc.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | wmmoycoc.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | wmmoycoc.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | wmmoycoc.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | wmmoycoc.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | wmmoycoc.exe
Drops file in Windows directory 19 IoCs
description | ioc | Process
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | wmmoycoc.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | wmmoycoc.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | wmmoycoc.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | wmmoycoc.exe
File opened for modification | C:\Windows\mydoc.rtf | 15d837f4b7d8bf1a58ddff1ff7a130f5_JaffaCakes118.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | wmmoycoc.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | wmmoycoc.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | wmmoycoc.exe
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | wmmoycoc.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | wmmoycoc.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | wmmoycoc.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | wmmoycoc.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | wmmoycoc.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | wmmoycoc.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | wmmoycoc.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | wmmoycoc.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | wmmoycoc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class 20 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 15d837f4b7d8bf1a58ddff1ff7a130f5_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FF8FC8F485D851D9133D65D7E91BD93E136594166406344D79F" | 15d837f4b7d8bf1a58ddff1ff7a130f5_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\Local Settings | 15d837f4b7d8bf1a58ddff1ff7a130f5_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | nwatittbow.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | nwatittbow.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | nwatittbow.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33342D7F9C5782206A3577D477222CDC7D8165DE" | 15d837f4b7d8bf1a58ddff1ff7a130f5_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1848C60B14E5DAC5B8CA7FE0EC9434CB" | 15d837f4b7d8bf1a58ddff1ff7a130f5_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | nwatittbow.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | nwatittbow.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | nwatittbow.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | nwatittbow.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F668B3FF6D22A9D27AD1D18B789162" | 15d837f4b7d8bf1a58ddff1ff7a130f5_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | nwatittbow.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | nwatittbow.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | nwatittbow.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACEF9C9F965F1E4840C3B4686EB3999B38C03F14314024BE2C842E608A0" | 15d837f4b7d8bf1a58ddff1ff7a130f5_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB5B15C47E339ED52BEBAD1329AD7C5" | 15d837f4b7d8bf1a58ddff1ff7a130f5_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | nwatittbow.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | nwatittbow.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process | occurrences
436 | WINWORD.EXE | 2
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | occurrences (in report order)
5108 | 15d837f4b7d8bf1a58ddff1ff7a130f5_JaffaCakes118.exe | 16
4496 | nwatittbow.exe | 10
2764 | bvhfwgihsueyvfj.exe | 10
1856 | wmmoycoc.exe | 8
2980 | yxblkstedfwek.exe | 12
2764 | bvhfwgihsueyvfj.exe | 2
4892 | wmmoycoc.exe | 6
Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process | occurrences (in report order)
5108 | 15d837f4b7d8bf1a58ddff1ff7a130f5_JaffaCakes118.exe | 3
4496 | nwatittbow.exe | 3
2764 | bvhfwgihsueyvfj.exe | 3
1856 | wmmoycoc.exe | 1
2980 | yxblkstedfwek.exe | 1
1856 | wmmoycoc.exe | 1
2980 | yxblkstedfwek.exe | 1
1856 | wmmoycoc.exe | 1
2980 | yxblkstedfwek.exe | 1
4892 | wmmoycoc.exe | 3
Suspicious use of SendNotifyMessage 18 IoCs
pid | Process | occurrences (in report order)
5108 | 15d837f4b7d8bf1a58ddff1ff7a130f5_JaffaCakes118.exe | 3
4496 | nwatittbow.exe | 3
2764 | bvhfwgihsueyvfj.exe | 3
1856 | wmmoycoc.exe | 1
2980 | yxblkstedfwek.exe | 1
1856 | wmmoycoc.exe | 1
2980 | yxblkstedfwek.exe | 1
1856 | wmmoycoc.exe | 1
2980 | yxblkstedfwek.exe | 1
4892 | wmmoycoc.exe | 3
Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process | occurrences
436 | WINWORD.EXE | 7
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 5108 wrote to memory of 4496 | 5108 | 15d837f4b7d8bf1a58ddff1ff7a130f5_JaffaCakes118.exe | 85
PID 5108 wrote to memory of 4496 | 5108 | 15d837f4b7d8bf1a58ddff1ff7a130f5_JaffaCakes118.exe | 85
PID 5108 wrote to memory of 4496 | 5108 | 15d837f4b7d8bf1a58ddff1ff7a130f5_JaffaCakes118.exe | 85
PID 5108 wrote to memory of 2764 | 5108 | 15d837f4b7d8bf1a58ddff1ff7a130f5_JaffaCakes118.exe | 86
PID 5108 wrote to memory of 2764 | 5108 | 15d837f4b7d8bf1a58ddff1ff7a130f5_JaffaCakes118.exe | 86
PID 5108 wrote to memory of 2764 | 5108 | 15d837f4b7d8bf1a58ddff1ff7a130f5_JaffaCakes118.exe | 86
PID 5108 wrote to memory of 1856 | 5108 | 15d837f4b7d8bf1a58ddff1ff7a130f5_JaffaCakes118.exe | 87
PID 5108 wrote to memory of 1856 | 5108 | 15d837f4b7d8bf1a58ddff1ff7a130f5_JaffaCakes118.exe | 87
PID 5108 wrote to memory of 1856 | 5108 | 15d837f4b7d8bf1a58ddff1ff7a130f5_JaffaCakes118.exe | 87
PID 5108 wrote to memory of 2980 | 5108 | 15d837f4b7d8bf1a58ddff1ff7a130f5_JaffaCakes118.exe | 88
PID 5108 wrote to memory of 2980 | 5108 | 15d837f4b7d8bf1a58ddff1ff7a130f5_JaffaCakes118.exe | 88
PID 5108 wrote to memory of 2980 | 5108 | 15d837f4b7d8bf1a58ddff1ff7a130f5_JaffaCakes118.exe | 88
PID 5108 wrote to memory of 436 | 5108 | 15d837f4b7d8bf1a58ddff1ff7a130f5_JaffaCakes118.exe | 89
PID 5108 wrote to memory of 436 | 5108 | 15d837f4b7d8bf1a58ddff1ff7a130f5_JaffaCakes118.exe | 89
PID 4496 wrote to memory of 4892 | 4496 | nwatittbow.exe | 92
PID 4496 wrote to memory of 4892 | 4496 | nwatittbow.exe | 92
PID 4496 wrote to memory of 4892 | 4496 | nwatittbow.exe | 92
Processes

C:\Users\Admin\AppData\Local\Temp\15d837f4b7d8bf1a58ddff1ff7a130f5_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\15d837f4b7d8bf1a58ddff1ff7a130f5_JaffaCakes118.exe"
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 5108

  C:\Windows\SysWOW64\nwatittbow.exe (child of PID 5108)
  Command line: nwatittbow.exe
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 4496

    C:\Windows\SysWOW64\wmmoycoc.exe (child of PID 4496)
    Command line: C:\Windows\system32\wmmoycoc.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 4892

  C:\Windows\SysWOW64\bvhfwgihsueyvfj.exe (child of PID 5108)
  Command line: bvhfwgihsueyvfj.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 2764

  C:\Windows\SysWOW64\wmmoycoc.exe (child of PID 5108)
  Command line: wmmoycoc.exe
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 1856

  C:\Windows\SysWOW64\yxblkstedfwek.exe (child of PID 5108)
  Command line: yxblkstedfwek.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 2980

  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (child of PID 5108)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
  - Drops file in Windows directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID: 436
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads