Analysis
-
max time kernel
150s -
max time network
128s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system -
submitted
05/05/2024, 05:17
Static task
static1
2 signatures
Behavioral task
behavioral1
Sample
1624dc9535d5a83f542323e1d0a34e3a_JaffaCakes118.exe
Resource
win7-20231129-en
windows7-x64
25 signatures
150 seconds
Behavioral task
behavioral2
Sample
1624dc9535d5a83f542323e1d0a34e3a_JaffaCakes118.exe
Resource
win10v2004-20240419-en
windows10-2004-x64
25 signatures
150 seconds
General
-
Target
1624dc9535d5a83f542323e1d0a34e3a_JaffaCakes118.exe
-
Size
512KB
-
MD5
1624dc9535d5a83f542323e1d0a34e3a
-
SHA1
08426e094d6c34ad38d9fd39d83b02e23b6c53c1
-
SHA256
a025cb33d356a0395c4e098f8f66800ac4bb02eddbd049a26c8957b5bd6a4705
-
SHA512
9ce3c6f26cedcc4c51aabf7315d734374eb5928349927652389aa836510141a70c6b71461b19fd57d5840c63bbaf37200d57d91b97c2e61666829a4b823d4167
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj60:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5d
Score
10/10
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" mtzeurdnlq.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" mtzeurdnlq.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" mtzeurdnlq.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" mtzeurdnlq.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" mtzeurdnlq.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" mtzeurdnlq.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" mtzeurdnlq.exe -
Disables RegEdit via registry modification 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" mtzeurdnlq.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation 1624dc9535d5a83f542323e1d0a34e3a_JaffaCakes118.exe -
Executes dropped EXE 5 IoCs
pid Process 2108 mtzeurdnlq.exe 2276 stjbhjdzchvpygn.exe 4256 bpoivyok.exe 2156 vkxkowgehmtjq.exe 3696 bpoivyok.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" mtzeurdnlq.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" mtzeurdnlq.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" mtzeurdnlq.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" mtzeurdnlq.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" mtzeurdnlq.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" mtzeurdnlq.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "vkxkowgehmtjq.exe" stjbhjdzchvpygn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gtowqcyw = "mtzeurdnlq.exe" stjbhjdzchvpygn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\bgywggwn = "stjbhjdzchvpygn.exe" stjbhjdzchvpygn.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\t: bpoivyok.exe File opened (read-only) \??\x: bpoivyok.exe File opened (read-only) \??\w: mtzeurdnlq.exe File opened (read-only) \??\h: bpoivyok.exe File opened (read-only) \??\k: bpoivyok.exe File opened (read-only) \??\y: mtzeurdnlq.exe File opened (read-only) \??\i: bpoivyok.exe File opened (read-only) \??\x: mtzeurdnlq.exe File opened (read-only) \??\n: bpoivyok.exe File opened (read-only) \??\a: bpoivyok.exe File opened (read-only) \??\u: bpoivyok.exe File opened (read-only) \??\v: bpoivyok.exe File opened (read-only) \??\y: bpoivyok.exe File opened (read-only) \??\b: bpoivyok.exe File opened (read-only) \??\e: mtzeurdnlq.exe File opened (read-only) \??\u: bpoivyok.exe File opened (read-only) \??\e: bpoivyok.exe File opened (read-only) \??\a: mtzeurdnlq.exe File opened (read-only) \??\i: mtzeurdnlq.exe File opened (read-only) \??\j: bpoivyok.exe File opened (read-only) \??\h: bpoivyok.exe File opened (read-only) \??\q: mtzeurdnlq.exe File opened (read-only) \??\m: bpoivyok.exe File opened (read-only) \??\q: bpoivyok.exe File opened (read-only) \??\l: bpoivyok.exe File opened (read-only) \??\s: bpoivyok.exe File opened (read-only) \??\w: bpoivyok.exe File opened (read-only) \??\q: bpoivyok.exe File opened (read-only) \??\r: bpoivyok.exe File opened (read-only) \??\m: mtzeurdnlq.exe File opened (read-only) \??\o: bpoivyok.exe File opened (read-only) \??\p: bpoivyok.exe File opened (read-only) \??\l: mtzeurdnlq.exe File opened (read-only) \??\o: mtzeurdnlq.exe File opened (read-only) \??\v: mtzeurdnlq.exe File opened (read-only) \??\e: bpoivyok.exe File opened (read-only) \??\a: bpoivyok.exe File opened (read-only) \??\j: bpoivyok.exe File opened (read-only) \??\b: mtzeurdnlq.exe File opened (read-only) \??\s: mtzeurdnlq.exe File opened (read-only) \??\z: mtzeurdnlq.exe File opened (read-only) \??\t: bpoivyok.exe File opened (read-only) \??\z: bpoivyok.exe File opened (read-only) \??\k: mtzeurdnlq.exe File opened (read-only) \??\b: bpoivyok.exe File opened (read-only) \??\g: bpoivyok.exe File opened (read-only) \??\k: bpoivyok.exe File opened (read-only) \??\n: bpoivyok.exe File opened (read-only) \??\o: bpoivyok.exe File opened (read-only) \??\y: bpoivyok.exe File opened (read-only) \??\u: mtzeurdnlq.exe File opened (read-only) \??\r: bpoivyok.exe File opened (read-only) \??\s: bpoivyok.exe File opened (read-only) \??\j: mtzeurdnlq.exe File opened (read-only) \??\t: mtzeurdnlq.exe File opened (read-only) \??\v: bpoivyok.exe File opened (read-only) \??\z: bpoivyok.exe File opened (read-only) \??\m: bpoivyok.exe File opened (read-only) \??\p: bpoivyok.exe File opened (read-only) \??\n: mtzeurdnlq.exe File opened (read-only) \??\r: mtzeurdnlq.exe File opened (read-only) \??\h: mtzeurdnlq.exe File opened (read-only) \??\p: mtzeurdnlq.exe File opened (read-only) \??\g: bpoivyok.exe -
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" mtzeurdnlq.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" mtzeurdnlq.exe -
AutoIT Executable 9 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral2/memory/1840-0-0x0000000000400000-0x0000000000496000-memory.dmp autoit_exe behavioral2/files/0x000a000000023b82-5.dat autoit_exe behavioral2/files/0x000c000000023b7d-18.dat autoit_exe behavioral2/files/0x000a000000023b84-31.dat autoit_exe behavioral2/files/0x000a000000023b83-25.dat autoit_exe behavioral2/files/0x000a000000023b92-75.dat autoit_exe behavioral2/files/0x000b000000023b5e-69.dat autoit_exe behavioral2/files/0x000e000000023c06-546.dat autoit_exe behavioral2/files/0x000e000000023c06-578.dat autoit_exe -
Drops file in System32 directory 12 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\msvbvm60.dll mtzeurdnlq.exe File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe bpoivyok.exe File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe bpoivyok.exe File opened for modification C:\Windows\SysWOW64\mtzeurdnlq.exe 1624dc9535d5a83f542323e1d0a34e3a_JaffaCakes118.exe File created C:\Windows\SysWOW64\stjbhjdzchvpygn.exe 1624dc9535d5a83f542323e1d0a34e3a_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\stjbhjdzchvpygn.exe 1624dc9535d5a83f542323e1d0a34e3a_JaffaCakes118.exe File created C:\Windows\SysWOW64\bpoivyok.exe 1624dc9535d5a83f542323e1d0a34e3a_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\bpoivyok.exe 1624dc9535d5a83f542323e1d0a34e3a_JaffaCakes118.exe File created C:\Windows\SysWOW64\mtzeurdnlq.exe 1624dc9535d5a83f542323e1d0a34e3a_JaffaCakes118.exe File created C:\Windows\SysWOW64\vkxkowgehmtjq.exe 1624dc9535d5a83f542323e1d0a34e3a_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\vkxkowgehmtjq.exe 1624dc9535d5a83f542323e1d0a34e3a_JaffaCakes118.exe File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe bpoivyok.exe -
Drops file in Program Files directory 14 IoCs
description ioc Process File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe bpoivyok.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe bpoivyok.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe bpoivyok.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal bpoivyok.exe File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe bpoivyok.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe bpoivyok.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal bpoivyok.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal bpoivyok.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal bpoivyok.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe bpoivyok.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe bpoivyok.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe bpoivyok.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe bpoivyok.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe bpoivyok.exe -
Drops file in Windows directory 19 IoCs
description ioc Process File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe bpoivyok.exe File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe bpoivyok.exe File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe bpoivyok.exe File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe bpoivyok.exe File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe bpoivyok.exe File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe bpoivyok.exe File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe bpoivyok.exe File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe bpoivyok.exe File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe bpoivyok.exe File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe bpoivyok.exe File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe bpoivyok.exe File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe bpoivyok.exe File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe bpoivyok.exe File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe bpoivyok.exe File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe bpoivyok.exe File opened for modification C:\Windows\mydoc.rtf 1624dc9535d5a83f542323e1d0a34e3a_JaffaCakes118.exe File created C:\Windows\~$mydoc.rtf WINWORD.EXE File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe bpoivyok.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Modifies registry class 20 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh mtzeurdnlq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" mtzeurdnlq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf mtzeurdnlq.exe Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes 1624dc9535d5a83f542323e1d0a34e3a_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "334E2D7C9D2383236D4277D270222CA97D8265D8" 1624dc9535d5a83f542323e1d0a34e3a_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB2B02A47E139EB52C8B9A2329AD7CD" 1624dc9535d5a83f542323e1d0a34e3a_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" mtzeurdnlq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1839C60F1490DBC7B8BA7CE3ECE034C7" 1624dc9535d5a83f542323e1d0a34e3a_JaffaCakes118.exe Key created \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\Local Settings 1624dc9535d5a83f542323e1d0a34e3a_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc mtzeurdnlq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg mtzeurdnlq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" mtzeurdnlq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" mtzeurdnlq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs mtzeurdnlq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" mtzeurdnlq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCDF9B0F967F1E083783B4B869F3EE2B08C02FC42150239E2BE42E708A4" 1624dc9535d5a83f542323e1d0a34e3a_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8CFF8C4F28851A9137D6207D92BD93E143594A66436334D6EC" 1624dc9535d5a83f542323e1d0a34e3a_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F668B1FE6B22DFD108D0D48B099014" 1624dc9535d5a83f542323e1d0a34e3a_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat mtzeurdnlq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" mtzeurdnlq.exe -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 1776 WINWORD.EXE 1776 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1840 1624dc9535d5a83f542323e1d0a34e3a_JaffaCakes118.exe 1840 1624dc9535d5a83f542323e1d0a34e3a_JaffaCakes118.exe 1840 1624dc9535d5a83f542323e1d0a34e3a_JaffaCakes118.exe 1840 1624dc9535d5a83f542323e1d0a34e3a_JaffaCakes118.exe 1840 1624dc9535d5a83f542323e1d0a34e3a_JaffaCakes118.exe 1840 1624dc9535d5a83f542323e1d0a34e3a_JaffaCakes118.exe 1840 1624dc9535d5a83f542323e1d0a34e3a_JaffaCakes118.exe 1840 1624dc9535d5a83f542323e1d0a34e3a_JaffaCakes118.exe 1840 1624dc9535d5a83f542323e1d0a34e3a_JaffaCakes118.exe 1840 1624dc9535d5a83f542323e1d0a34e3a_JaffaCakes118.exe 1840 1624dc9535d5a83f542323e1d0a34e3a_JaffaCakes118.exe 1840 1624dc9535d5a83f542323e1d0a34e3a_JaffaCakes118.exe 1840 1624dc9535d5a83f542323e1d0a34e3a_JaffaCakes118.exe 1840 1624dc9535d5a83f542323e1d0a34e3a_JaffaCakes118.exe 1840 1624dc9535d5a83f542323e1d0a34e3a_JaffaCakes118.exe 1840 1624dc9535d5a83f542323e1d0a34e3a_JaffaCakes118.exe 4256 bpoivyok.exe 4256 bpoivyok.exe 4256 bpoivyok.exe 4256 bpoivyok.exe 4256 bpoivyok.exe 4256 bpoivyok.exe 4256 bpoivyok.exe 4256 bpoivyok.exe 2276 stjbhjdzchvpygn.exe 2276 stjbhjdzchvpygn.exe 2276 stjbhjdzchvpygn.exe 2276 stjbhjdzchvpygn.exe 2276 stjbhjdzchvpygn.exe 2276 stjbhjdzchvpygn.exe 2276 stjbhjdzchvpygn.exe 2276 stjbhjdzchvpygn.exe 2276 stjbhjdzchvpygn.exe 2276 stjbhjdzchvpygn.exe 2108 mtzeurdnlq.exe 2108 mtzeurdnlq.exe 2108 mtzeurdnlq.exe 2108 mtzeurdnlq.exe 2108 mtzeurdnlq.exe 2108 mtzeurdnlq.exe 2108 mtzeurdnlq.exe 2108 mtzeurdnlq.exe 2108 mtzeurdnlq.exe 2108 mtzeurdnlq.exe 2156 vkxkowgehmtjq.exe 2156 vkxkowgehmtjq.exe 2156 vkxkowgehmtjq.exe 2156 vkxkowgehmtjq.exe 2156 vkxkowgehmtjq.exe 2156 vkxkowgehmtjq.exe 2156 vkxkowgehmtjq.exe 2156 vkxkowgehmtjq.exe 2156 vkxkowgehmtjq.exe 2156 vkxkowgehmtjq.exe 2156 vkxkowgehmtjq.exe 2156 vkxkowgehmtjq.exe 2276 stjbhjdzchvpygn.exe 2276 stjbhjdzchvpygn.exe 2276 stjbhjdzchvpygn.exe 2276 stjbhjdzchvpygn.exe 2156 vkxkowgehmtjq.exe 2156 vkxkowgehmtjq.exe 2156 vkxkowgehmtjq.exe 2156 vkxkowgehmtjq.exe -
Suspicious use of FindShellTrayWindow 18 IoCs
pid Process 1840 1624dc9535d5a83f542323e1d0a34e3a_JaffaCakes118.exe 1840 1624dc9535d5a83f542323e1d0a34e3a_JaffaCakes118.exe 1840 1624dc9535d5a83f542323e1d0a34e3a_JaffaCakes118.exe 4256 bpoivyok.exe 4256 bpoivyok.exe 4256 bpoivyok.exe 2276 stjbhjdzchvpygn.exe 2276 stjbhjdzchvpygn.exe 2276 stjbhjdzchvpygn.exe 2108 mtzeurdnlq.exe 2108 mtzeurdnlq.exe 2108 mtzeurdnlq.exe 2156 vkxkowgehmtjq.exe 2156 vkxkowgehmtjq.exe 2156 vkxkowgehmtjq.exe 3696 bpoivyok.exe 3696 bpoivyok.exe 3696 bpoivyok.exe -
Suspicious use of SendNotifyMessage 18 IoCs
pid Process 1840 1624dc9535d5a83f542323e1d0a34e3a_JaffaCakes118.exe 1840 1624dc9535d5a83f542323e1d0a34e3a_JaffaCakes118.exe 1840 1624dc9535d5a83f542323e1d0a34e3a_JaffaCakes118.exe 4256 bpoivyok.exe 4256 bpoivyok.exe 4256 bpoivyok.exe 2276 stjbhjdzchvpygn.exe 2276 stjbhjdzchvpygn.exe 2276 stjbhjdzchvpygn.exe 2108 mtzeurdnlq.exe 2108 mtzeurdnlq.exe 2108 mtzeurdnlq.exe 2156 vkxkowgehmtjq.exe 2156 vkxkowgehmtjq.exe 2156 vkxkowgehmtjq.exe 3696 bpoivyok.exe 3696 bpoivyok.exe 3696 bpoivyok.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process 1776 WINWORD.EXE 1776 WINWORD.EXE 1776 WINWORD.EXE 1776 WINWORD.EXE 1776 WINWORD.EXE 1776 WINWORD.EXE 1776 WINWORD.EXE -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target PID 1840 wrote to memory of 2108 1840 1624dc9535d5a83f542323e1d0a34e3a_JaffaCakes118.exe 85 PID 1840 wrote to memory of 2108 1840 1624dc9535d5a83f542323e1d0a34e3a_JaffaCakes118.exe 85 PID 1840 wrote to memory of 2108 1840 1624dc9535d5a83f542323e1d0a34e3a_JaffaCakes118.exe 85 PID 1840 wrote to memory of 2276 1840 1624dc9535d5a83f542323e1d0a34e3a_JaffaCakes118.exe 86 PID 1840 wrote to memory of 2276 1840 1624dc9535d5a83f542323e1d0a34e3a_JaffaCakes118.exe 86 PID 1840 wrote to memory of 2276 1840 1624dc9535d5a83f542323e1d0a34e3a_JaffaCakes118.exe 86 PID 1840 wrote to memory of 4256 1840 1624dc9535d5a83f542323e1d0a34e3a_JaffaCakes118.exe 87 PID 1840 wrote to memory of 4256 1840 1624dc9535d5a83f542323e1d0a34e3a_JaffaCakes118.exe 87 PID 1840 wrote to memory of 4256 1840 1624dc9535d5a83f542323e1d0a34e3a_JaffaCakes118.exe 87 PID 1840 wrote to memory of 2156 1840 1624dc9535d5a83f542323e1d0a34e3a_JaffaCakes118.exe 88 PID 1840 wrote to memory of 2156 1840 1624dc9535d5a83f542323e1d0a34e3a_JaffaCakes118.exe 88 PID 1840 wrote to memory of 2156 1840 1624dc9535d5a83f542323e1d0a34e3a_JaffaCakes118.exe 88 PID 1840 wrote to memory of 1776 1840 1624dc9535d5a83f542323e1d0a34e3a_JaffaCakes118.exe 89 PID 1840 wrote to memory of 1776 1840 1624dc9535d5a83f542323e1d0a34e3a_JaffaCakes118.exe 89 PID 2108 wrote to memory of 3696 2108 mtzeurdnlq.exe 92 PID 2108 wrote to memory of 3696 2108 mtzeurdnlq.exe 92 PID 2108 wrote to memory of 3696 2108 mtzeurdnlq.exe 92
Processes
-
C:\Users\Admin\AppData\Local\Temp\1624dc9535d5a83f542323e1d0a34e3a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\1624dc9535d5a83f542323e1d0a34e3a_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1840 -
C:\Windows\SysWOW64\mtzeurdnlq.exemtzeurdnlq.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2108 -
C:\Windows\SysWOW64\bpoivyok.exeC:\Windows\system32\bpoivyok.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3696
-
-
-
C:\Windows\SysWOW64\stjbhjdzchvpygn.exestjbhjdzchvpygn.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2276
-
-
C:\Windows\SysWOW64\bpoivyok.exebpoivyok.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4256
-
-
C:\Windows\SysWOW64\vkxkowgehmtjq.exevkxkowgehmtjq.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2156
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""2⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1776
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
2Disable or Modify Tools
2Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
512KB
MD5c67e5f3ccfc5b8e6412ce0e22fcd2ec4
SHA1239a1b7a0126c3278eb333fbb87391082239efef
SHA256554fa8b4e21cde94d8d861f67e4f73c073a11b5f30adf90b96c26ef9a6a4a715
SHA512e40199648a217577f1c6fb61d6fd1607c24179b4c3205ffffce347b2e38717cdeb2b51a9de55861f885fc0759d6a834b102d1d175a4d1529e5fb4ab4180b7a4b
-
Filesize
245KB
MD5f883b260a8d67082ea895c14bf56dd56
SHA17954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e
-
Filesize
237B
MD5649bc605ae9708b085f88482b636a352
SHA1085761071b21290e8f8458f8ae88f60d78addeec
SHA25681e2206047094c149eeaabe9815da4a2fdbaeb5bc8bc53692190fa7e8fdcc55b
SHA51274bfc4b137266b314a40d36f72a39fed9f1659558eb8695cbd0543b6dbf9146b0523bf8f49c03b3bb8bff614e3c02b159187f1b55093caaff9b1ce3b366f44c7
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize3KB
MD500dc1514989583bb7235e98681e1aa1c
SHA1a450d7d214693d76cd95c9449f536c8d060fd1d5
SHA2560274b24dd07e3629de6606a52ffc731aa2ddbb076e5c544f94dddd30a2a284fa
SHA5128f80a633811c6dffeff208e535c984fd5135f3464bf0b75d7a2475afa8afd993172a6f9450b5ae0134d61b96492f31ff46f3105f417e49c64b4622a70843021a
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize3KB
MD54c59b44c86a13d1b9e43680d8fad46ec
SHA1ba7eb6afcd82006941ef3512e03d1a6e71a6546f
SHA2569e638d036a4870614bc4470fcfdc6dff4feddc5c41f301b144089ac8652c075c
SHA512dfe427fe411e9cb78e47242360a6182838f52e40fa247a3df7ca9e57e763e26072c9ebd1836cf0358aa2cb8cbabcd9d09de0394cb73103be0920891d0567a16c
-
Filesize
512KB
MD5b120904b16b92e0e64f5ba8ea344aada
SHA10c31d9aa1856290029aeb45586bdb5607cfdc020
SHA25603e14177735fc0bd9331d8de47e0acd85853bf760c2c1135c6246668a224c942
SHA5125365536c3aa8ee64b5689486a7a06265f9d0ca8cf09b6c6286996b98ec37855bfef303b808932c8858c5585ad7d3093e32ed94d9fecd23934224f33158440248
-
Filesize
512KB
MD544a4f8f19d64c251be57d8350a29fcf2
SHA1bebb5e43494577cb15429bb00449247c7021cc62
SHA256e30d8ab3944db46e984ed7012f0481e14d2e128a506a90b8bc0175babc6fde99
SHA512283aee3c5b995e70eeb28ea6c524b61af60110811b7e2c6be6a97c6bc8807205525ae62d9909a3db209153847c571a44d331a54ec6558e6be5f34740d1a22963
-
Filesize
512KB
MD5232d51d7ec12caca8c6e2c0db835cad9
SHA18a6a19a0205f7d5f97abd8f2b2b5b9a4a5a8606e
SHA2569799a4abfaeb34656849284e024f96f78aed9a5fcd25f2c9a72403234043a1f6
SHA512cd37f5687f71113ec9002d59518507bce85543c392f403b1f1ebf8d52fb53ef9991108e8f6dbda563910a5be1d32a7424ffd1805fd24688af2e91857d6576e90
-
Filesize
512KB
MD51115d0a96264e01bf6eb8466e6244ec7
SHA177b3033db7f3f204d93f5dab5d9930ea88d56eae
SHA256f922a2702dfc8ecefa23c8b9db972a31d808701b648bedc402fc43fdc40803c1
SHA512553c44514baf2d40578e118411831178802de23163e6fb1c4e9174e34208d477c918dea34bc9de71c91764b45991b620843a75f064e49567a1b382beb351a44c
-
Filesize
223B
MD506604e5941c126e2e7be02c5cd9f62ec
SHA14eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA25685f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
Filesize
512KB
MD56414465dad18a85a3c7f97a19c9a35e4
SHA11b8309ee65c9c153465694805613d7c9640ceec9
SHA25698b60ec968516f06e98e7dc7c32eb53bb4ac814250286381ce90d66ca0b8731b
SHA5127ab3b99ae9f90fcf544e780429e8d0f6ae938806d65423f2df9884051f8caa84631162ec8b70fe8247b54b8a08e253b86fd5fa532c665ab8bdadd03a0080a741
-
Filesize
512KB
MD537098889f2c3d62b0e178962e6b408da
SHA1cacb8f5ca891a3bd08421ff84f36c4a94a1855d5
SHA256d32a43b6496c43ddd268eb25ea2f2458db0073320bb6bbf99032d9c3d4b19e72
SHA5122173cefab2bed26a82fa69d9e4513438a776cf75db5ae9ee9d7674b2a7d80f3e3d5956fc9129489c21b8026506af2a11a706ee42fa7ce263bfe36dc263b62ef2
-
Filesize
512KB
MD54481141fc1c74f4a11e3a9ec6e5d8524
SHA1be860f04765a784ea4d5a5c94f7894c11ccf9d86
SHA2567e6f4b0943a1c1b00178ba2f0c44f4ba3f4411a4ae7f647f7726db80047feaeb
SHA512f921ef8109970814338481775652fd2b18e8e13b0274ae3b1dead56278f46e9f736ea423117673e489c55168b2386033654075e9d0b2a1db9a84c3f7c1d18bcd