Analysis
max time kernel: 149s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
submitted: 09-05-2024 23:04
Static task: static1
Behavioral task: behavioral1
Sample: 2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe
Resource: win10v2004-20240508-en
General
Target: 2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe
Size: 512KB
MD5: 2c252045d6782f42939dd27ef98d5a9e
SHA1: 92d701a2a69e1bb954c33a44c0ee2260fd19552b
SHA256: 559eda8f1d3e9a742aeeda5cd024da9e6531656a00881cd4df5f28d3fdcd8809
SHA512: 12e7d20cec0c4023ce2942a322ad3ab503aad2cd0c016983a4c9b185a422dd34e446c1ea940779877a594325a5187fe674a9fc87bb8e89078bca9eaf8229f1bd
SSDEEP: 12288:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5ms:1gDhdkMRWfLTUO2Zu1um5ms
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"  uldqkrywkz.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  uldqkrywkz.exe
Windows security bypass 5 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  uldqkrywkz.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  uldqkrywkz.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  uldqkrywkz.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  uldqkrywkz.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  uldqkrywkz.exe
Disables RegEdit via registry modification 1 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"  uldqkrywkz.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description  ioc  Process
Key value queried  \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation  2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe
Executes dropped EXE 5 IoCs
pid  Process
3248  uldqkrywkz.exe
1964  fumvlpluxxcfbkd.exe
2068  rasgkqex.exe
3388  qixfjbbydhzws.exe
3616  rasgkqex.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 6 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  uldqkrywkz.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  uldqkrywkz.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  uldqkrywkz.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1"  uldqkrywkz.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  uldqkrywkz.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  uldqkrywkz.exe
Adds Run key to start application 2 TTPs 3 IoCs
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gqbdqazi = "fumvlpluxxcfbkd.exe"  fumvlpluxxcfbkd.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "qixfjbbydhzws.exe"  fumvlpluxxcfbkd.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dusfehzj = "uldqkrywkz.exe"  fumvlpluxxcfbkd.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description  ioc  Process
File opened (read-only)  \??\v:  uldqkrywkz.exe
File opened (read-only)  \??\k:  rasgkqex.exe
File opened (read-only)  \??\e:  uldqkrywkz.exe
File opened (read-only)  \??\k:  uldqkrywkz.exe
File opened (read-only)  \??\s:  uldqkrywkz.exe
File opened (read-only)  \??\b:  rasgkqex.exe
File opened (read-only)  \??\r:  rasgkqex.exe
File opened (read-only)  \??\n:  uldqkrywkz.exe
File opened (read-only)  \??\y:  rasgkqex.exe
File opened (read-only)  \??\h:  uldqkrywkz.exe
File opened (read-only)  \??\p:  uldqkrywkz.exe
File opened (read-only)  \??\j:  rasgkqex.exe
File opened (read-only)  \??\a:  rasgkqex.exe
File opened (read-only)  \??\e:  rasgkqex.exe
File opened (read-only)  \??\x:  rasgkqex.exe
File opened (read-only)  \??\q:  rasgkqex.exe
File opened (read-only)  \??\m:  uldqkrywkz.exe
File opened (read-only)  \??\o:  uldqkrywkz.exe
File opened (read-only)  \??\e:  rasgkqex.exe
File opened (read-only)  \??\j:  uldqkrywkz.exe
File opened (read-only)  \??\w:  uldqkrywkz.exe
File opened (read-only)  \??\m:  rasgkqex.exe
File opened (read-only)  \??\n:  rasgkqex.exe
File opened (read-only)  \??\u:  rasgkqex.exe
File opened (read-only)  \??\i:  uldqkrywkz.exe
File opened (read-only)  \??\z:  uldqkrywkz.exe
File opened (read-only)  \??\g:  rasgkqex.exe
File opened (read-only)  \??\t:  rasgkqex.exe
File opened (read-only)  \??\l:  rasgkqex.exe
File opened (read-only)  \??\r:  rasgkqex.exe
File opened (read-only)  \??\n:  rasgkqex.exe
File opened (read-only)  \??\b:  uldqkrywkz.exe
File opened (read-only)  \??\u:  uldqkrywkz.exe
File opened (read-only)  \??\q:  rasgkqex.exe
File opened (read-only)  \??\h:  rasgkqex.exe
File opened (read-only)  \??\i:  rasgkqex.exe
File opened (read-only)  \??\s:  rasgkqex.exe
File opened (read-only)  \??\t:  rasgkqex.exe
File opened (read-only)  \??\m:  rasgkqex.exe
File opened (read-only)  \??\o:  rasgkqex.exe
File opened (read-only)  \??\y:  uldqkrywkz.exe
File opened (read-only)  \??\a:  rasgkqex.exe
File opened (read-only)  \??\v:  rasgkqex.exe
File opened (read-only)  \??\z:  rasgkqex.exe
File opened (read-only)  \??\u:  rasgkqex.exe
File opened (read-only)  \??\g:  rasgkqex.exe
File opened (read-only)  \??\x:  rasgkqex.exe
File opened (read-only)  \??\x:  uldqkrywkz.exe
File opened (read-only)  \??\p:  rasgkqex.exe
File opened (read-only)  \??\i:  rasgkqex.exe
File opened (read-only)  \??\l:  uldqkrywkz.exe
File opened (read-only)  \??\o:  rasgkqex.exe
File opened (read-only)  \??\q:  uldqkrywkz.exe
File opened (read-only)  \??\r:  uldqkrywkz.exe
File opened (read-only)  \??\b:  rasgkqex.exe
File opened (read-only)  \??\p:  rasgkqex.exe
File opened (read-only)  \??\w:  rasgkqex.exe
File opened (read-only)  \??\z:  rasgkqex.exe
File opened (read-only)  \??\g:  uldqkrywkz.exe
File opened (read-only)  \??\a:  uldqkrywkz.exe
File opened (read-only)  \??\t:  uldqkrywkz.exe
File opened (read-only)  \??\k:  rasgkqex.exe
File opened (read-only)  \??\w:  rasgkqex.exe
File opened (read-only)  \??\j:  rasgkqex.exe
Modifies WinLogon 2 TTPs 2 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"  uldqkrywkz.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"  uldqkrywkz.exe
AutoIT Executable 12 IoCs
AutoIT scripts compiled to PE executables.
resource  yara_rule
behavioral2/memory/4880-0-0x0000000000400000-0x0000000000496000-memory.dmp  autoit_exe
behavioral2/files/0x00080000000233f7-5.dat  autoit_exe
behavioral2/files/0x000a0000000233d8-18.dat  autoit_exe
behavioral2/files/0x00070000000233f8-28.dat  autoit_exe
behavioral2/files/0x00070000000233f9-29.dat  autoit_exe
behavioral2/files/0x0007000000023405-63.dat  autoit_exe
behavioral2/files/0x0007000000023406-68.dat  autoit_exe
behavioral2/files/0x0007000000023407-74.dat  autoit_exe
behavioral2/files/0x0007000000023408-77.dat  autoit_exe
behavioral2/files/0x0009000000023333-92.dat  autoit_exe
behavioral2/files/0x0009000000023333-454.dat  autoit_exe
behavioral2/files/0x0009000000023333-456.dat  autoit_exe
Drops file in System32 directory 12 IoCs
description  ioc  Process
File opened for modification  C:\Windows\SysWOW64\uldqkrywkz.exe  2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe
File opened for modification  C:\Windows\SysWOW64\fumvlpluxxcfbkd.exe  2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe
File created  C:\Windows\SysWOW64\rasgkqex.exe  2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe
File opened for modification  C:\Windows\SysWOW64\qixfjbbydhzws.exe  2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe
File created  \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe  rasgkqex.exe
File opened for modification  \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe  rasgkqex.exe
File opened for modification  \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe  rasgkqex.exe
File created  C:\Windows\SysWOW64\uldqkrywkz.exe  2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe
File opened for modification  C:\Windows\SysWOW64\rasgkqex.exe  2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe
File created  C:\Windows\SysWOW64\qixfjbbydhzws.exe  2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe
File opened for modification  C:\Windows\SysWOW64\msvbvm60.dll  uldqkrywkz.exe
File created  C:\Windows\SysWOW64\fumvlpluxxcfbkd.exe  2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe
Drops file in Program Files directory 30 IoCs
description  ioc  Process
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe  rasgkqex.exe
File opened for modification  \??\c:\Program Files\TestDebug.doc.exe  rasgkqex.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe  rasgkqex.exe
File opened for modification  C:\Program Files\MountUnpublish.nal  rasgkqex.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe  rasgkqex.exe
File opened for modification  \??\c:\Program Files\MountUnpublish.doc.exe  rasgkqex.exe
File opened for modification  C:\Program Files\TestDebug.doc.exe  rasgkqex.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal  rasgkqex.exe
File opened for modification  C:\Program Files\TestDebug.doc.exe  rasgkqex.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe  rasgkqex.exe
File opened for modification  \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe  rasgkqex.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal  rasgkqex.exe
File created  \??\c:\Program Files\TestDebug.doc.exe  rasgkqex.exe
File created  \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe  rasgkqex.exe
File opened for modification  C:\Program Files\MountUnpublish.nal  rasgkqex.exe
File opened for modification  C:\Program Files\TestDebug.nal  rasgkqex.exe
File created  \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe  rasgkqex.exe
File opened for modification  \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe  rasgkqex.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal  rasgkqex.exe
File created  \??\c:\Program Files\MountUnpublish.doc.exe  rasgkqex.exe
File opened for modification  \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe  rasgkqex.exe
File opened for modification  \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe  rasgkqex.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal  rasgkqex.exe
File created  \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe  rasgkqex.exe
File opened for modification  \??\c:\Program Files\MountUnpublish.doc.exe  rasgkqex.exe
File opened for modification  C:\Program Files\MountUnpublish.doc.exe  rasgkqex.exe
File opened for modification  \??\c:\Program Files\TestDebug.doc.exe  rasgkqex.exe
File opened for modification  C:\Program Files\TestDebug.nal  rasgkqex.exe
File created  \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe  rasgkqex.exe
File opened for modification  C:\Program Files\MountUnpublish.doc.exe  rasgkqex.exe
Drops file in Windows directory 19 IoCs
description  ioc  Process
File created  \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe  rasgkqex.exe
File opened for modification  \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe  rasgkqex.exe
File opened for modification  \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe  rasgkqex.exe
File created  \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe  rasgkqex.exe
File created  \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe  rasgkqex.exe
File created  \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe  rasgkqex.exe
File created  \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe  rasgkqex.exe
File opened for modification  \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe  rasgkqex.exe
File opened for modification  \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe  rasgkqex.exe
File created  \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe  rasgkqex.exe
File opened for modification  \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe  rasgkqex.exe
File opened for modification  \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe  rasgkqex.exe
File opened for modification  \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe  rasgkqex.exe
File created  \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe  rasgkqex.exe
File opened for modification  \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe  rasgkqex.exe
File opened for modification  C:\Windows\mydoc.rtf  2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe
File opened for modification  C:\Windows\mydoc.rtf  WINWORD.EXE
File created  C:\Windows\~$mydoc.rtf  WINWORD.EXE
File created  \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe  rasgkqex.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description  ioc  Process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  WINWORD.EXE
Key opened  \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0  WINWORD.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description  ioc  Process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  WINWORD.EXE
Key opened  \REGISTRY\MACHINE\Hardware\Description\System\BIOS  WINWORD.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  WINWORD.EXE
Modifies registry class 20 IoCs
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32462C0F9C2D82276A3777D2772F2DD97D8565AA"  2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F89FF8E4F2885689132D75A7D97BCE4E136593066366242D6EE"  2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs  uldqkrywkz.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf  uldqkrywkz.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "183EC70915E0DABFB9BC7CE5EC9434B9"  2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.bat  uldqkrywkz.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"  uldqkrywkz.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile"  uldqkrywkz.exe
Key created  \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings  2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh  uldqkrywkz.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc  uldqkrywkz.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile"  uldqkrywkz.exe
Key created  \REGISTRY\MACHINE\Software\Classes\CLV.Classes  2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACAF9B1F960F2E4837C3A4186973E94B3FE03FC4312033FE1CC42EB08D5"  2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB2B12B4494399E53C5B9D332E9D4CE"  2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F568B0FF6721DED20CD0A68B089160"  2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"  uldqkrywkz.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile"  uldqkrywkz.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"  uldqkrywkz.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.reg  uldqkrywkz.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid  Process
3432  WINWORD.EXE
3432  WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid  Process
4880  2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe
4880  2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe
4880  2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe
4880  2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe
4880  2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe
4880  2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe
4880  2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe
4880  2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe
4880  2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe
4880  2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe
4880  2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe
4880  2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe
4880  2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe
4880  2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe
4880  2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe
4880  2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe
1964  fumvlpluxxcfbkd.exe
1964  fumvlpluxxcfbkd.exe
1964  fumvlpluxxcfbkd.exe
1964  fumvlpluxxcfbkd.exe
1964  fumvlpluxxcfbkd.exe
1964  fumvlpluxxcfbkd.exe
1964  fumvlpluxxcfbkd.exe
1964  fumvlpluxxcfbkd.exe
1964  fumvlpluxxcfbkd.exe
1964  fumvlpluxxcfbkd.exe
3248  uldqkrywkz.exe
3248  uldqkrywkz.exe
3248  uldqkrywkz.exe
3248  uldqkrywkz.exe
3248  uldqkrywkz.exe
3248  uldqkrywkz.exe
3248  uldqkrywkz.exe
3248  uldqkrywkz.exe
3248  uldqkrywkz.exe
3248  uldqkrywkz.exe
3388  qixfjbbydhzws.exe
3388  qixfjbbydhzws.exe
3388  qixfjbbydhzws.exe
3388  qixfjbbydhzws.exe
3388  qixfjbbydhzws.exe
3388  qixfjbbydhzws.exe
3388  qixfjbbydhzws.exe
3388  qixfjbbydhzws.exe
3388  qixfjbbydhzws.exe
3388  qixfjbbydhzws.exe
2068  rasgkqex.exe
2068  rasgkqex.exe
2068  rasgkqex.exe
2068  rasgkqex.exe
2068  rasgkqex.exe
2068  rasgkqex.exe
2068  rasgkqex.exe
2068  rasgkqex.exe
3388  qixfjbbydhzws.exe
3388  qixfjbbydhzws.exe
1964  fumvlpluxxcfbkd.exe
1964  fumvlpluxxcfbkd.exe
3388  qixfjbbydhzws.exe
3388  qixfjbbydhzws.exe
3388  qixfjbbydhzws.exe
3388  qixfjbbydhzws.exe
3616  rasgkqex.exe
3616  rasgkqex.exe
Suspicious use of FindShellTrayWindow 18 IoCs
pid  Process
4880  2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe
4880  2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe
4880  2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe
1964  fumvlpluxxcfbkd.exe
1964  fumvlpluxxcfbkd.exe
1964  fumvlpluxxcfbkd.exe
3248  uldqkrywkz.exe
3248  uldqkrywkz.exe
3248  uldqkrywkz.exe
3388  qixfjbbydhzws.exe
2068  rasgkqex.exe
3388  qixfjbbydhzws.exe
3388  qixfjbbydhzws.exe
2068  rasgkqex.exe
2068  rasgkqex.exe
3616  rasgkqex.exe
3616  rasgkqex.exe
3616  rasgkqex.exe
Suspicious use of SendNotifyMessage 18 IoCs
pid  Process
4880  2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe
4880  2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe
4880  2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe
1964  fumvlpluxxcfbkd.exe
1964  fumvlpluxxcfbkd.exe
1964  fumvlpluxxcfbkd.exe
3248  uldqkrywkz.exe
3248  uldqkrywkz.exe
3248  uldqkrywkz.exe
3388  qixfjbbydhzws.exe
3388  qixfjbbydhzws.exe
2068  rasgkqex.exe
3388  qixfjbbydhzws.exe
2068  rasgkqex.exe
2068  rasgkqex.exe
3616  rasgkqex.exe
3616  rasgkqex.exe
3616  rasgkqex.exe
Suspicious use of SetWindowsHookEx 7 IoCs
pid  Process
3432  WINWORD.EXE
3432  WINWORD.EXE
3432  WINWORD.EXE
3432  WINWORD.EXE
3432  WINWORD.EXE
3432  WINWORD.EXE
3432  WINWORD.EXE
Suspicious use of WriteProcessMemory 17 IoCs
description  pid  Process  procid_target
PID 4880 wrote to memory of 3248  4880  2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe  82
PID 4880 wrote to memory of 3248  4880  2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe  82
PID 4880 wrote to memory of 3248  4880  2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe  82
PID 4880 wrote to memory of 1964  4880  2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe  83
PID 4880 wrote to memory of 1964  4880  2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe  83
PID 4880 wrote to memory of 1964  4880  2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe  83
PID 4880 wrote to memory of 2068  4880  2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe  84
PID 4880 wrote to memory of 2068  4880  2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe  84
PID 4880 wrote to memory of 2068  4880  2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe  84
PID 4880 wrote to memory of 3388  4880  2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe  85
PID 4880 wrote to memory of 3388  4880  2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe  85
PID 4880 wrote to memory of 3388  4880  2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe  85
PID 4880 wrote to memory of 3432  4880  2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe  87
PID 4880 wrote to memory of 3432  4880  2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe  87
PID 3248 wrote to memory of 3616  3248  uldqkrywkz.exe  89
PID 3248 wrote to memory of 3616  3248  uldqkrywkz.exe  89
PID 3248 wrote to memory of 3616  3248  uldqkrywkz.exe  89
Processes
C:\Users\Admin\AppData\Local\Temp\2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\2c252045d6782f42939dd27ef98d5a9e_JaffaCakes118.exe"
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 4880

  C:\Windows\SysWOW64\uldqkrywkz.exe (level 2)
  Command line: uldqkrywkz.exe
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 3248

    C:\Windows\SysWOW64\rasgkqex.exe (level 3)
    Command line: C:\Windows\system32\rasgkqex.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 3616

  C:\Windows\SysWOW64\fumvlpluxxcfbkd.exe (level 2)
  Command line: fumvlpluxxcfbkd.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 1964

  C:\Windows\SysWOW64\rasgkqex.exe (level 2)
  Command line: rasgkqex.exe
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 2068

  C:\Windows\SysWOW64\qixfjbbydhzws.exe (level 2)
  Command line: qixfjbbydhzws.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 3388

  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (level 2)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
  - Drops file in Windows directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID: 3432
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads