559eda8f1d3e9a742aeeda5cd024da9e6531656a00881cd4df5f28d3fdcd8809

General

Target

2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe
Size

512KB
MD5

2c252045d6782f42939dd27ef98d5a9e
SHA1

92d701a2a69e1bb954c33a44c0ee2260fd19552b
SHA256

559eda8f1d3e9a742aeeda5cd024da9e6531656a00881cd4df5f28d3fdcd8809
SHA512

12e7d20cec0c4023ce2942a322ad3ab503aad2cd0c016983a4c9b185a422dd34e446c1ea940779877a594325a5187fe674a9fc87bb8e89078bca9eaf8229f1bd
SSDEEP

12288:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5ms:1gDhdkMRWfLTUO2Zu1um5ms

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	fqwwrddspy.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	fqwwrddspy.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	fqwwrddspy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	fqwwrddspy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	fqwwrddspy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	fqwwrddspy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	fqwwrddspy.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	fqwwrddspy.exe

Executes dropped EXE 4 IoCs

pid	Process
2632	fqwwrddspy.exe
2748	owdbndloftqkgye.exe
2596	lvncopxq.exe
2528	eziypofpqsxus.exe

Loads dropped DLL 4 IoCs

pid	Process
2176	2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe
2176	2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe
2176	2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe
2176	2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	fqwwrddspy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	fqwwrddspy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	fqwwrddspy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	fqwwrddspy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	fqwwrddspy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"	fqwwrddspy.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"	fqwwrddspy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	fqwwrddspy.exe

AutoIT Executable 6 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2176-0-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe
behavioral1/files/0x000d0000000144e9-20.dat	autoit_exe
behavioral1/files/0x0007000000014e5a-29.dat	autoit_exe
behavioral1/files/0x0007000000015023-39.dat	autoit_exe
behavioral1/files/0x0036000000014817-28.dat	autoit_exe
behavioral1/files/0x0006000000016056-72.dat	autoit_exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\fqwwrddspy.exe	2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\fqwwrddspy.exe	2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\owdbndloftqkgye.exe	2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\owdbndloftqkgye.exe	2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\lvncopxq.exe	2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\lvncopxq.exe	2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\eziypofpqsxus.exe	2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\eziypofpqsxus.exe	2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\mydoc.rtf	2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 19 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\CLV.Classes	2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABAF9CAF910F1E0837E3B45869739E5B08903F042690332E1C945E908D6"	2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7846BB1FF6E21D1D27CD0A98A789161"	2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"	fqwwrddspy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"	fqwwrddspy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsc	fqwwrddspy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile"	fqwwrddspy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsf	fqwwrddspy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33452D799D5582586D3E76D470222DDD7C8E65AB"	2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF4FC8D482982189047D7287D93BC94E6335844664F6244D6EE"	2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1845C67514E5DBBFB9B97CE2ED9F34CF"	2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsh	fqwwrddspy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile"	fqwwrddspy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs	fqwwrddspy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"	fqwwrddspy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg	fqwwrddspy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC7B02C47E0399A53B8B9D2339DD4BC"	2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat	fqwwrddspy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile"	fqwwrddspy.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2176	2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe
2176	2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe
2176	2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe
2176	2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe
2176	2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe
2176	2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe
2176	2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe
2176	2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe
2632	fqwwrddspy.exe
2632	fqwwrddspy.exe
2632	fqwwrddspy.exe
2632	fqwwrddspy.exe
2632	fqwwrddspy.exe

Suspicious use of FindShellTrayWindow 15 IoCs

pid	Process
2176	2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe
2176	2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe
2176	2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe
2632	fqwwrddspy.exe
2632	fqwwrddspy.exe
2632	fqwwrddspy.exe
2748	owdbndloftqkgye.exe
2748	owdbndloftqkgye.exe
2748	owdbndloftqkgye.exe
2596	lvncopxq.exe
2596	lvncopxq.exe
2596	lvncopxq.exe
2528	eziypofpqsxus.exe
2528	eziypofpqsxus.exe
2528	eziypofpqsxus.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
2176	2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe
2176	2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe
2176	2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe
2632	fqwwrddspy.exe
2632	fqwwrddspy.exe
2632	fqwwrddspy.exe
2748	owdbndloftqkgye.exe
2748	owdbndloftqkgye.exe
2748	owdbndloftqkgye.exe
2596	lvncopxq.exe
2596	lvncopxq.exe
2596	lvncopxq.exe
2528	eziypofpqsxus.exe
2528	eziypofpqsxus.exe
2528	eziypofpqsxus.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 2632	2176	2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe	28
PID 2176 wrote to memory of 2632	2176	2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe	28
PID 2176 wrote to memory of 2632	2176	2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe	28
PID 2176 wrote to memory of 2632	2176	2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe	28
PID 2176 wrote to memory of 2748	2176	2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe	29
PID 2176 wrote to memory of 2748	2176	2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe	29
PID 2176 wrote to memory of 2748	2176	2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe	29
PID 2176 wrote to memory of 2748	2176	2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe	29
PID 2176 wrote to memory of 2596	2176	2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe	30
PID 2176 wrote to memory of 2596	2176	2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe	30
PID 2176 wrote to memory of 2596	2176	2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe	30
PID 2176 wrote to memory of 2596	2176	2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe	30
PID 2176 wrote to memory of 2528	2176	2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe	31
PID 2176 wrote to memory of 2528	2176	2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe	31
PID 2176 wrote to memory of 2528	2176	2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe	31
PID 2176 wrote to memory of 2528	2176	2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Windows\SysWOW64\fqwwrddspy.exe
  fqwwrddspy.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Windows security modification
  - Modifies WinLogon
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2632
- - C:\Windows\SysWOW64\lvncopxq.exe
    C:\Windows\system32\lvncopxq.exe
    3⤵
    PID:2296
- C:\Windows\SysWOW64\owdbndloftqkgye.exe
  owdbndloftqkgye.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2748
- C:\Windows\SysWOW64\lvncopxq.exe
  lvncopxq.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2596
- C:\Windows\SysWOW64\eziypofpqsxus.exe
  eziypofpqsxus.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2528
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
  2⤵
  PID:2272

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Hide Artifacts

2

T1564

Hidden Files and Directories

2

T1564.001

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\CompressConvertFrom.doc.exe

Filesize
512KB

MD5
5c3967c030b70994939bb010b3408083

SHA1
b498a34f976c4cd2bc858e5d4ebd06cfbc07d399

SHA256
989d5cc4813c65978d4c7658c2f013f389effbcdd88d17e38b55322ca6173415

SHA512
a2930634896b813a423b41b522a1bfc06528bafd4dd4a8c6da3a7a96c16fef0edb263d3453fdb97e488e281656bc4467dd1fd94d114f4641a2347c7041155174

Download Submit
C:\Windows\SysWOW64\eziypofpqsxus.exe

Filesize
512KB

MD5
ec304cd53b89b918de833f10841fd9af

SHA1
2ab598753be28eba196ebd9c61ffccbfd635a8ef

SHA256
0be7ae6113b63342a6c29a1a5b076c859e0825aeb81f5421cc45416c0af6e7c8

SHA512
279b608d526719f8cd867459652b53f2d912c58e334ffa24175f8b2f0c05b14782624e6ccf955d79d3bea7a139729169782a0d87465859841ba18a292f6874fd

Download Submit
C:\Windows\SysWOW64\fqwwrddspy.exe

Filesize
512KB

MD5
9283912934a574118c38678fc446a63c

SHA1
b1c3dc98040e27c078c5f5f44695f49722bd2201

SHA256
2b7b912c8de5b9e8e13dc70edee9765bcb4b251250e1e19e425652a92f0bad2b

SHA512
640cdbc8487d13b8df3a61f74e414abfb820b5c736e987e61efcc6677feeaece6c006dfb497318e9843bc9c20f923b25e7bb0c16fa2b539e5f5be066ec094eab

Download Submit
C:\Windows\SysWOW64\owdbndloftqkgye.exe

Filesize
512KB

MD5
cd4ca9fde1ec229bb6f5ee7727d87ab7

SHA1
de5474a73e552a587e211d1a0d3a131435e11d96

SHA256
30d1ea607311249a1dedeff01bd10cdb850b3fc7c434c8b2370b83f76436300e

SHA512
110c58d8ac458b6210ba5f1161726dd22667f4f629a227421b3799a3e7fc34e4e53e778e090f487f2d9f2cdaacbf263fafe883020d8ba186c08d0e345646e2c8

Download Submit
C:\Windows\mydoc.rtf

Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\Windows\SysWOW64\lvncopxq.exe

Filesize
512KB

MD5
23935f0a3a95e41d2d5358f156b909d7

SHA1
60378b9dfab281671a9b2aa8a70c6229a526541b

SHA256
35c7aa6ce7d2065bcbf50f9b784210afd0aa1ae6617f46771e9b5e194ce11c7d

SHA512
33f606804e13ca8784d5e5089997f44f43ca6dbda7feacaa7d4b40e397c7a114744a3d9f90eaa35cfe6519ce6ade7fbfb082ab8eefd5ae4f92809ffa3b2bca50

Download Submit
memory/1856-79-0x0000000002A90000-0x0000000002AA0000-memory.dmp

Filesize
64KB

Download
memory/2176-0-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2272-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads