Analysis
max time kernel: 150s
max time network: 128s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-05-2024 04:19
Static task: static1
Behavioral task: behavioral1
  Sample: 1f6c3f2c2ac45defa61441cbdd33131d_JaffaCakes118.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: 1f6c3f2c2ac45defa61441cbdd33131d_JaffaCakes118.exe
  Resource: win10v2004-20240419-en
General
Target: 1f6c3f2c2ac45defa61441cbdd33131d_JaffaCakes118.exe
Size: 512KB
MD5: 1f6c3f2c2ac45defa61441cbdd33131d
SHA1: 90e29669bc51bda1e779938a97f2c5f0a269b1e8
SHA256: 3db9d382be26b7bdad6764b64a07cbab2ca86cbdaf279e715e7fd0c3f4421aa3
SHA512: 05ab38ead73d19eda22454e26068ffac04163cfcb71f7321db73d7456c90189649907fc98eaeec490bd42ad693723556775c835ab14aa803004512c378336777
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6L:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5g
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
- Set value (int): \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (qdxintlglq.exe)
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
- Set value (int): \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (qdxintlglq.exe)
Windows security bypass
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (qdxintlglq.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (qdxintlglq.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (qdxintlglq.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (qdxintlglq.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (qdxintlglq.exe)
Disables RegEdit via registry modification 1 IoCs
- Set value (int): \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (qdxintlglq.exe)
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation (1f6c3f2c2ac45defa61441cbdd33131d_JaffaCakes118.exe)
Executes dropped EXE 5 IoCs
- PID 3572: qdxintlglq.exe
- PID 4120: oasecwygtchuqjr.exe
- PID 468: ydtvxgkw.exe
- PID 3604: bdnnoxfigxkaw.exe
- PID 1768: ydtvxgkw.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (qdxintlglq.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (qdxintlglq.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (qdxintlglq.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (qdxintlglq.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" (qdxintlglq.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (qdxintlglq.exe)
Adds Run key to start application 2 TTPs 3 IoCs
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xsvixyog = "qdxintlglq.exe" (oasecwygtchuqjr.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\psmisahj = "oasecwygtchuqjr.exe" (oasecwygtchuqjr.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "bdnnoxfigxkaw.exe" (oasecwygtchuqjr.exe)
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only): \??\j: (ydtvxgkw.exe)
- File opened (read-only): \??\k: (ydtvxgkw.exe)
- File opened (read-only): \??\l: (qdxintlglq.exe)
- File opened (read-only): \??\z: (qdxintlglq.exe)
- File opened (read-only): \??\k: (ydtvxgkw.exe)
- File opened (read-only): \??\y: (ydtvxgkw.exe)
- File opened (read-only): \??\m: (ydtvxgkw.exe)
- File opened (read-only): \??\o: (ydtvxgkw.exe)
- File opened (read-only): \??\r: (qdxintlglq.exe)
- File opened (read-only): \??\o: (ydtvxgkw.exe)
- File opened (read-only): \??\s: (ydtvxgkw.exe)
- File opened (read-only): \??\z: (ydtvxgkw.exe)
- File opened (read-only): \??\w: (qdxintlglq.exe)
- File opened (read-only): \??\i: (ydtvxgkw.exe)
- File opened (read-only): \??\m: (ydtvxgkw.exe)
- File opened (read-only): \??\p: (ydtvxgkw.exe)
- File opened (read-only): \??\i: (ydtvxgkw.exe)
- File opened (read-only): \??\y: (ydtvxgkw.exe)
- File opened (read-only): \??\l: (ydtvxgkw.exe)
- File opened (read-only): \??\x: (ydtvxgkw.exe)
- File opened (read-only): \??\b: (ydtvxgkw.exe)
- File opened (read-only): \??\w: (ydtvxgkw.exe)
- File opened (read-only): \??\k: (qdxintlglq.exe)
- File opened (read-only): \??\b: (ydtvxgkw.exe)
- File opened (read-only): \??\r: (ydtvxgkw.exe)
- File opened (read-only): \??\h: (ydtvxgkw.exe)
- File opened (read-only): \??\p: (ydtvxgkw.exe)
- File opened (read-only): \??\u: (ydtvxgkw.exe)
- File opened (read-only): \??\x: (qdxintlglq.exe)
- File opened (read-only): \??\y: (qdxintlglq.exe)
- File opened (read-only): \??\h: (qdxintlglq.exe)
- File opened (read-only): \??\o: (qdxintlglq.exe)
- File opened (read-only): \??\s: (qdxintlglq.exe)
- File opened (read-only): \??\z: (ydtvxgkw.exe)
- File opened (read-only): \??\n: (ydtvxgkw.exe)
- File opened (read-only): \??\a: (qdxintlglq.exe)
- File opened (read-only): \??\a: (ydtvxgkw.exe)
- File opened (read-only): \??\q: (ydtvxgkw.exe)
- File opened (read-only): \??\w: (ydtvxgkw.exe)
- File opened (read-only): \??\g: (ydtvxgkw.exe)
- File opened (read-only): \??\e: (qdxintlglq.exe)
- File opened (read-only): \??\j: (qdxintlglq.exe)
- File opened (read-only): \??\m: (qdxintlglq.exe)
- File opened (read-only): \??\e: (ydtvxgkw.exe)
- File opened (read-only): \??\x: (ydtvxgkw.exe)
- File opened (read-only): \??\q: (ydtvxgkw.exe)
- File opened (read-only): \??\q: (qdxintlglq.exe)
- File opened (read-only): \??\g: (ydtvxgkw.exe)
- File opened (read-only): \??\h: (ydtvxgkw.exe)
- File opened (read-only): \??\b: (qdxintlglq.exe)
- File opened (read-only): \??\n: (ydtvxgkw.exe)
- File opened (read-only): \??\v: (ydtvxgkw.exe)
- File opened (read-only): \??\p: (qdxintlglq.exe)
- File opened (read-only): \??\v: (qdxintlglq.exe)
- File opened (read-only): \??\r: (ydtvxgkw.exe)
- File opened (read-only): \??\s: (ydtvxgkw.exe)
- File opened (read-only): \??\v: (ydtvxgkw.exe)
- File opened (read-only): \??\g: (qdxintlglq.exe)
- File opened (read-only): \??\i: (qdxintlglq.exe)
- File opened (read-only): \??\l: (ydtvxgkw.exe)
- File opened (read-only): \??\t: (ydtvxgkw.exe)
- File opened (read-only): \??\t: (ydtvxgkw.exe)
- File opened (read-only): \??\u: (ydtvxgkw.exe)
- File opened (read-only): \??\a: (ydtvxgkw.exe)
Modifies WinLogon 2 TTPs 2 IoCs
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" (qdxintlglq.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" (qdxintlglq.exe)
AutoIT Executable 10 IoCs
AutoIT scripts compiled to PE executables.
- behavioral2/memory/1920-0-0x0000000000400000-0x0000000000496000-memory.dmp: autoit_exe
- behavioral2/files/0x0031000000023bb4-5.dat: autoit_exe
- behavioral2/files/0x000b000000023bb3-19.dat: autoit_exe
- behavioral2/files/0x0031000000023bb5-26.dat: autoit_exe
- behavioral2/files/0x0031000000023bb6-31.dat: autoit_exe
- behavioral2/files/0x000b000000023b9c-75.dat: autoit_exe
- behavioral2/files/0x00020000000229c5-73.dat: autoit_exe
- behavioral2/files/0x0006000000022e34-81.dat: autoit_exe
- behavioral2/files/0x0014000000023bd3-520.dat: autoit_exe
- behavioral2/files/0x0014000000023bd3-588.dat: autoit_exe
Drops file in System32 directory 12 IoCs
- File created: C:\Windows\SysWOW64\qdxintlglq.exe (1f6c3f2c2ac45defa61441cbdd33131d_JaffaCakes118.exe)
- File opened for modification: C:\Windows\SysWOW64\qdxintlglq.exe (1f6c3f2c2ac45defa61441cbdd33131d_JaffaCakes118.exe)
- File opened for modification: C:\Windows\SysWOW64\ydtvxgkw.exe (1f6c3f2c2ac45defa61441cbdd33131d_JaffaCakes118.exe)
- File created: C:\Windows\SysWOW64\bdnnoxfigxkaw.exe (1f6c3f2c2ac45defa61441cbdd33131d_JaffaCakes118.exe)
- File opened for modification: C:\Windows\SysWOW64\msvbvm60.dll (qdxintlglq.exe)
- File opened for modification: \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (ydtvxgkw.exe)
- File created: C:\Windows\SysWOW64\oasecwygtchuqjr.exe (1f6c3f2c2ac45defa61441cbdd33131d_JaffaCakes118.exe)
- File opened for modification: C:\Windows\SysWOW64\oasecwygtchuqjr.exe (1f6c3f2c2ac45defa61441cbdd33131d_JaffaCakes118.exe)
- File created: C:\Windows\SysWOW64\ydtvxgkw.exe (1f6c3f2c2ac45defa61441cbdd33131d_JaffaCakes118.exe)
- File opened for modification: C:\Windows\SysWOW64\bdnnoxfigxkaw.exe (1f6c3f2c2ac45defa61441cbdd33131d_JaffaCakes118.exe)
- File created: \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (ydtvxgkw.exe)
- File opened for modification: \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (ydtvxgkw.exe)
Drops file in Program Files directory 14 IoCs
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal (ydtvxgkw.exe)
- File created: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (ydtvxgkw.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal (ydtvxgkw.exe)
- File opened for modification: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (ydtvxgkw.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (ydtvxgkw.exe)
- File opened for modification: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (ydtvxgkw.exe)
- File opened for modification: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (ydtvxgkw.exe)
- File created: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (ydtvxgkw.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (ydtvxgkw.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (ydtvxgkw.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal (ydtvxgkw.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (ydtvxgkw.exe)
- File opened for modification: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (ydtvxgkw.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal (ydtvxgkw.exe)
Drops file in Windows directory 19 IoCs
- File created: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (ydtvxgkw.exe)
- File created: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (ydtvxgkw.exe)
- File opened for modification: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (ydtvxgkw.exe)
- File opened for modification: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (ydtvxgkw.exe)
- File opened for modification: C:\Windows\mydoc.rtf (WINWORD.EXE)
- File opened for modification: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (ydtvxgkw.exe)
- File created: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (ydtvxgkw.exe)
- File opened for modification: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (ydtvxgkw.exe)
- File created: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (ydtvxgkw.exe)
- File created: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (ydtvxgkw.exe)
- File created: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (ydtvxgkw.exe)
- File opened for modification: C:\Windows\mydoc.rtf (1f6c3f2c2ac45defa61441cbdd33131d_JaffaCakes118.exe)
- File created: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (ydtvxgkw.exe)
- File created: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (ydtvxgkw.exe)
- File created: C:\Windows\~$mydoc.rtf (WINWORD.EXE)
- File opened for modification: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (ydtvxgkw.exe)
- File opened for modification: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (ydtvxgkw.exe)
- File opened for modification: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (ydtvxgkw.exe)
- File opened for modification: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (ydtvxgkw.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)
Enumerates system info in registry 2 TTPs 3 IoCs
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
Modifies registry class 20 IoCs
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" (qdxintlglq.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.reg (qdxintlglq.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" (qdxintlglq.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf (qdxintlglq.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" (qdxintlglq.exe)
- Key created: \REGISTRY\MACHINE\Software\Classes\CLV.Classes (1f6c3f2c2ac45defa61441cbdd33131d_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32422C7C9D2183566A3277D470532CD97D8265D8" (1f6c3f2c2ac45defa61441cbdd33131d_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E08668B6FF1D21D1D178D1A78A0F9114" (1f6c3f2c2ac45defa61441cbdd33131d_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193FC70B1594DAB2B9BE7CE5ED9634BC" (1f6c3f2c2ac45defa61441cbdd33131d_JaffaCakes118.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.bat (qdxintlglq.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh (qdxintlglq.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EC2B12E4495389D52BDBAD5329ED4BE" (1f6c3f2c2ac45defa61441cbdd33131d_JaffaCakes118.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings (1f6c3f2c2ac45defa61441cbdd33131d_JaffaCakes118.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc (qdxintlglq.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" (qdxintlglq.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs (qdxintlglq.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABAFACCFE11F1E583083A4681EB3996B38B028C4360023CE2CF42EA09A8" (1f6c3f2c2ac45defa61441cbdd33131d_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E88FF83482E851F9137D62F7D93BDE4E13558306735633FD6EA" (1f6c3f2c2ac45defa61441cbdd33131d_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" (qdxintlglq.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" (qdxintlglq.exe)
Suspicious behavior: AddClipboardFormatListener 2 IoCs
- PID 5032: WINWORD.EXE (×2)
Suspicious behavior: EnumeratesProcesses 64 IoCs
- PID 1920: 1f6c3f2c2ac45defa61441cbdd33131d_JaffaCakes118.exe (×16)
- PID 3604: bdnnoxfigxkaw.exe (×7)
- PID 3572: qdxintlglq.exe (×10)
- PID 3604: bdnnoxfigxkaw.exe (×5)
- PID 4120: oasecwygtchuqjr.exe (×10)
- PID 468: ydtvxgkw.exe (×8)
- PID 4120: oasecwygtchuqjr.exe (×2)
- PID 1768: ydtvxgkw.exe (×6)
Suspicious use of FindShellTrayWindow 18 IoCs
- PID 1920: 1f6c3f2c2ac45defa61441cbdd33131d_JaffaCakes118.exe (×3)
- PID 3572: qdxintlglq.exe
- PID 4120: oasecwygtchuqjr.exe
- PID 468: ydtvxgkw.exe
- PID 3572: qdxintlglq.exe
- PID 4120: oasecwygtchuqjr.exe
- PID 3604: bdnnoxfigxkaw.exe
- PID 3572: qdxintlglq.exe
- PID 468: ydtvxgkw.exe
- PID 4120: oasecwygtchuqjr.exe
- PID 3604: bdnnoxfigxkaw.exe
- PID 468: ydtvxgkw.exe
- PID 3604: bdnnoxfigxkaw.exe
- PID 1768: ydtvxgkw.exe (×3)
Suspicious use of SendNotifyMessage 18 IoCs
- PID 1920: 1f6c3f2c2ac45defa61441cbdd33131d_JaffaCakes118.exe (×3)
- PID 3572: qdxintlglq.exe
- PID 4120: oasecwygtchuqjr.exe
- PID 3572: qdxintlglq.exe
- PID 468: ydtvxgkw.exe
- PID 4120: oasecwygtchuqjr.exe
- PID 3572: qdxintlglq.exe
- PID 3604: bdnnoxfigxkaw.exe
- PID 468: ydtvxgkw.exe
- PID 4120: oasecwygtchuqjr.exe
- PID 3604: bdnnoxfigxkaw.exe
- PID 468: ydtvxgkw.exe
- PID 3604: bdnnoxfigxkaw.exe
- PID 1768: ydtvxgkw.exe (×3)
Suspicious use of SetWindowsHookEx 7 IoCs
- PID 5032: WINWORD.EXE (×7)
Suspicious use of WriteProcessMemory 17 IoCs
- PID 1920 wrote to memory of 3572 (1f6c3f2c2ac45defa61441cbdd33131d_JaffaCakes118.exe, target procid 84) (×3)
- PID 1920 wrote to memory of 4120 (1f6c3f2c2ac45defa61441cbdd33131d_JaffaCakes118.exe, target procid 85) (×3)
- PID 1920 wrote to memory of 468 (1f6c3f2c2ac45defa61441cbdd33131d_JaffaCakes118.exe, target procid 86) (×3)
- PID 1920 wrote to memory of 3604 (1f6c3f2c2ac45defa61441cbdd33131d_JaffaCakes118.exe, target procid 87) (×3)
- PID 1920 wrote to memory of 5032 (1f6c3f2c2ac45defa61441cbdd33131d_JaffaCakes118.exe, target procid 88) (×2)
- PID 3572 wrote to memory of 1768 (qdxintlglq.exe, target procid 90) (×3)
Processes
- C:\Users\Admin\AppData\Local\Temp\1f6c3f2c2ac45defa61441cbdd33131d_JaffaCakes118.exe (PID 1920)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1f6c3f2c2ac45defa61441cbdd33131d_JaffaCakes118.exe"
  Signatures:
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\qdxintlglq.exe (PID 3572)
    Command line: qdxintlglq.exe
    Signatures:
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\ydtvxgkw.exe (PID 1768)
      Command line: C:\Windows\system32\ydtvxgkw.exe
      Signatures:
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\oasecwygtchuqjr.exe (PID 4120)
    Command line: oasecwygtchuqjr.exe
    Signatures:
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\ydtvxgkw.exe (PID 468)
    Command line: ydtvxgkw.exe
    Signatures:
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\bdnnoxfigxkaw.exe (PID 3604)
    Command line: bdnnoxfigxkaw.exe
    Signatures:
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 5032)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    Signatures:
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads