Analysis
max time kernel: 149s
max time network: 102s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/05/2024, 11:05
Static task: static1
Behavioral task: behavioral1
  Sample: 29a88bef5f71d7334a03d3ad621aa69b_JaffaCakes118.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 29a88bef5f71d7334a03d3ad621aa69b_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 29a88bef5f71d7334a03d3ad621aa69b_JaffaCakes118.exe
Size: 512KB
MD5: 29a88bef5f71d7334a03d3ad621aa69b
SHA1: 0a3a85168d6ce806095636efd89fb12fdb494168
SHA256: 67350e15e0e4076fb295e8996a23d0b43c41808042bdba7ea1c9dcf42666397a
SHA512: ad853738a93bb19222f6261bdcdea0d555e43192c1c57801714d10af8b139c9bd9bac660c55eaefb09fe48a134abca8d21bae92c09e8653aca4249457effca74
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6x:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5u
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | hlvwnqfett.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | hlvwnqfett.exe
Windows security bypass 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | hlvwnqfett.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | hlvwnqfett.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | hlvwnqfett.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | hlvwnqfett.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | hlvwnqfett.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | hlvwnqfett.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | 29a88bef5f71d7334a03d3ad621aa69b_JaffaCakes118.exe
Executes dropped EXE 5 IoCs
pid | Process
3312 | hlvwnqfett.exe
4784 | uqtkxeppdzniuyy.exe
3376 | hokwfzmb.exe
1740 | jgciavfaqpsmw.exe
3668 | hokwfzmb.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | hlvwnqfett.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | hlvwnqfett.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | hlvwnqfett.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | hlvwnqfett.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | hlvwnqfett.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | hlvwnqfett.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haqnxctp = "hlvwnqfett.exe" | uqtkxeppdzniuyy.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ahuvarwv = "uqtkxeppdzniuyy.exe" | uqtkxeppdzniuyy.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "jgciavfaqpsmw.exe" | uqtkxeppdzniuyy.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\i: | hokwfzmb.exe
File opened (read-only) | \??\v: | hokwfzmb.exe
File opened (read-only) | \??\i: | hlvwnqfett.exe
File opened (read-only) | \??\j: | hlvwnqfett.exe
File opened (read-only) | \??\m: | hlvwnqfett.exe
File opened (read-only) | \??\a: | hokwfzmb.exe
File opened (read-only) | \??\b: | hokwfzmb.exe
File opened (read-only) | \??\r: | hokwfzmb.exe
File opened (read-only) | \??\a: | hlvwnqfett.exe
File opened (read-only) | \??\t: | hokwfzmb.exe
File opened (read-only) | \??\k: | hokwfzmb.exe
File opened (read-only) | \??\l: | hokwfzmb.exe
File opened (read-only) | \??\h: | hokwfzmb.exe
File opened (read-only) | \??\l: | hokwfzmb.exe
File opened (read-only) | \??\w: | hokwfzmb.exe
File opened (read-only) | \??\q: | hlvwnqfett.exe
File opened (read-only) | \??\g: | hokwfzmb.exe
File opened (read-only) | \??\n: | hokwfzmb.exe
File opened (read-only) | \??\j: | hokwfzmb.exe
File opened (read-only) | \??\q: | hokwfzmb.exe
File opened (read-only) | \??\h: | hlvwnqfett.exe
File opened (read-only) | \??\k: | hlvwnqfett.exe
File opened (read-only) | \??\r: | hokwfzmb.exe
File opened (read-only) | \??\w: | hokwfzmb.exe
File opened (read-only) | \??\z: | hokwfzmb.exe
File opened (read-only) | \??\s: | hokwfzmb.exe
File opened (read-only) | \??\n: | hlvwnqfett.exe
File opened (read-only) | \??\o: | hokwfzmb.exe
File opened (read-only) | \??\s: | hlvwnqfett.exe
File opened (read-only) | \??\e: | hokwfzmb.exe
File opened (read-only) | \??\u: | hokwfzmb.exe
File opened (read-only) | \??\v: | hlvwnqfett.exe
File opened (read-only) | \??\x: | hlvwnqfett.exe
File opened (read-only) | \??\o: | hokwfzmb.exe
File opened (read-only) | \??\z: | hlvwnqfett.exe
File opened (read-only) | \??\m: | hokwfzmb.exe
File opened (read-only) | \??\w: | hlvwnqfett.exe
File opened (read-only) | \??\u: | hokwfzmb.exe
File opened (read-only) | \??\g: | hokwfzmb.exe
File opened (read-only) | \??\n: | hokwfzmb.exe
File opened (read-only) | \??\u: | hlvwnqfett.exe
File opened (read-only) | \??\k: | hokwfzmb.exe
File opened (read-only) | \??\p: | hokwfzmb.exe
File opened (read-only) | \??\q: | hokwfzmb.exe
File opened (read-only) | \??\z: | hokwfzmb.exe
File opened (read-only) | \??\b: | hlvwnqfett.exe
File opened (read-only) | \??\l: | hlvwnqfett.exe
File opened (read-only) | \??\b: | hokwfzmb.exe
File opened (read-only) | \??\i: | hokwfzmb.exe
File opened (read-only) | \??\x: | hokwfzmb.exe
File opened (read-only) | \??\m: | hokwfzmb.exe
File opened (read-only) | \??\o: | hlvwnqfett.exe
File opened (read-only) | \??\p: | hlvwnqfett.exe
File opened (read-only) | \??\y: | hlvwnqfett.exe
File opened (read-only) | \??\e: | hokwfzmb.exe
File opened (read-only) | \??\p: | hokwfzmb.exe
File opened (read-only) | \??\x: | hokwfzmb.exe
File opened (read-only) | \??\e: | hlvwnqfett.exe
File opened (read-only) | \??\h: | hokwfzmb.exe
File opened (read-only) | \??\y: | hokwfzmb.exe
File opened (read-only) | \??\a: | hokwfzmb.exe
File opened (read-only) | \??\j: | hokwfzmb.exe
File opened (read-only) | \??\s: | hokwfzmb.exe
File opened (read-only) | \??\v: | hokwfzmb.exe
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | hlvwnqfett.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | hlvwnqfett.exe
AutoIT Executable 10 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/4612-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x000900000002340a-5.dat | autoit_exe
behavioral2/files/0x0008000000022f51-18.dat | autoit_exe
behavioral2/files/0x0008000000023412-26.dat | autoit_exe
behavioral2/files/0x0007000000023413-31.dat | autoit_exe
behavioral2/files/0x00030000000229c3-65.dat | autoit_exe
behavioral2/files/0x0004000000022ac4-71.dat | autoit_exe
behavioral2/files/0x0005000000022ac3-77.dat | autoit_exe
behavioral2/files/0x001000000002337d-92.dat | autoit_exe
behavioral2/files/0x001000000002337d-97.dat | autoit_exe
Drops file in System32 directory 13 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\hlvwnqfett.exe | 29a88bef5f71d7334a03d3ad621aa69b_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\jgciavfaqpsmw.exe | 29a88bef5f71d7334a03d3ad621aa69b_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\jgciavfaqpsmw.exe | 29a88bef5f71d7334a03d3ad621aa69b_JaffaCakes118.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | hokwfzmb.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | hokwfzmb.exe
File created | C:\Windows\SysWOW64\uqtkxeppdzniuyy.exe | 29a88bef5f71d7334a03d3ad621aa69b_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\hokwfzmb.exe | 29a88bef5f71d7334a03d3ad621aa69b_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\hokwfzmb.exe | 29a88bef5f71d7334a03d3ad621aa69b_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | hlvwnqfett.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | hokwfzmb.exe
File created | C:\Windows\SysWOW64\hlvwnqfett.exe | 29a88bef5f71d7334a03d3ad621aa69b_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\uqtkxeppdzniuyy.exe | 29a88bef5f71d7334a03d3ad621aa69b_JaffaCakes118.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | hokwfzmb.exe
Drops file in Program Files directory 14 IoCs
description | ioc | Process
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | hokwfzmb.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | hokwfzmb.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | hokwfzmb.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | hokwfzmb.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | hokwfzmb.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | hokwfzmb.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | hokwfzmb.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | hokwfzmb.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | hokwfzmb.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | hokwfzmb.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | hokwfzmb.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | hokwfzmb.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | hokwfzmb.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | hokwfzmb.exe
Drops file in Windows directory 19 IoCs
description | ioc | Process
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | hokwfzmb.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | hokwfzmb.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | hokwfzmb.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | hokwfzmb.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | hokwfzmb.exe
File opened for modification | C:\Windows\mydoc.rtf | 29a88bef5f71d7334a03d3ad621aa69b_JaffaCakes118.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | hokwfzmb.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | hokwfzmb.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | hokwfzmb.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | hokwfzmb.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | hokwfzmb.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | hokwfzmb.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | hokwfzmb.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | hokwfzmb.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | hokwfzmb.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | hokwfzmb.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | hokwfzmb.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class 20 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | hlvwnqfett.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1838C67914E7DBC4B8BC7FE6ECE037CF" | 29a88bef5f71d7334a03d3ad621aa69b_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | hlvwnqfett.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | 29a88bef5f71d7334a03d3ad621aa69b_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | hlvwnqfett.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | hlvwnqfett.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | hlvwnqfett.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCFF9CCFE10F19284783B44819B3E91B08B03FE4366034BE2CB45E909A3" | 29a88bef5f71d7334a03d3ad621aa69b_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC3B15A47E5389E53C8B9A73298D7C4" | 29a88bef5f71d7334a03d3ad621aa69b_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | hlvwnqfett.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | hlvwnqfett.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | hlvwnqfett.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | hlvwnqfett.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFBFFFB485A85189140D6217D93BD97E633584766446333D6EA" | 29a88bef5f71d7334a03d3ad621aa69b_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | hlvwnqfett.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7866BB4FF1C21ADD178D0D48B7D906A" | 29a88bef5f71d7334a03d3ad621aa69b_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | hlvwnqfett.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | hlvwnqfett.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 29a88bef5f71d7334a03d3ad621aa69b_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33322C0F9D5682586A3277D170202CDB7CF365DD" | 29a88bef5f71d7334a03d3ad621aa69b_JaffaCakes118.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process | count
5056 | WINWORD.EXE | x2
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | count
4612 | 29a88bef5f71d7334a03d3ad621aa69b_JaffaCakes118.exe | x16
3312 | hlvwnqfett.exe | x10
4784 | uqtkxeppdzniuyy.exe | x8
3376 | hokwfzmb.exe | x8
4784 | uqtkxeppdzniuyy.exe | x2
1740 | jgciavfaqpsmw.exe | x12
4784 | uqtkxeppdzniuyy.exe | x2
3668 | hokwfzmb.exe | x6
Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process | count
4612 | 29a88bef5f71d7334a03d3ad621aa69b_JaffaCakes118.exe | x3
3312 | hlvwnqfett.exe | x3
4784 | uqtkxeppdzniuyy.exe | x3
3376 | hokwfzmb.exe | x3
1740 | jgciavfaqpsmw.exe | x3
3668 | hokwfzmb.exe | x3
Suspicious use of SendNotifyMessage 18 IoCs
pid | Process | count
4612 | 29a88bef5f71d7334a03d3ad621aa69b_JaffaCakes118.exe | x3
3312 | hlvwnqfett.exe | x3
4784 | uqtkxeppdzniuyy.exe | x3
3376 | hokwfzmb.exe | x3
1740 | jgciavfaqpsmw.exe | x3
3668 | hokwfzmb.exe | x3
Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process | count
5056 | WINWORD.EXE | x7
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target | count
PID 4612 wrote to memory of 3312 | 4612 | 29a88bef5f71d7334a03d3ad621aa69b_JaffaCakes118.exe | 83 | x3
PID 4612 wrote to memory of 4784 | 4612 | 29a88bef5f71d7334a03d3ad621aa69b_JaffaCakes118.exe | 84 | x3
PID 4612 wrote to memory of 3376 | 4612 | 29a88bef5f71d7334a03d3ad621aa69b_JaffaCakes118.exe | 86 | x3
PID 4612 wrote to memory of 1740 | 4612 | 29a88bef5f71d7334a03d3ad621aa69b_JaffaCakes118.exe | 87 | x3
PID 4612 wrote to memory of 5056 | 4612 | 29a88bef5f71d7334a03d3ad621aa69b_JaffaCakes118.exe | 88 | x2
PID 3312 wrote to memory of 3668 | 3312 | hlvwnqfett.exe | 91 | x3
Processes
[1] C:\Users\Admin\AppData\Local\Temp\29a88bef5f71d7334a03d3ad621aa69b_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\29a88bef5f71d7334a03d3ad621aa69b_JaffaCakes118.exe"
    PID: 4612
    - Checks computer location settings
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\hlvwnqfett.exe
      Command line: hlvwnqfett.exe
      PID: 3312
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Windows security bypass
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Windows security modification
      - Enumerates connected drives
      - Modifies WinLogon
      - Drops file in System32 directory
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\hokwfzmb.exe
        Command line: C:\Windows\system32\hokwfzmb.exe
        PID: 3668
        - Executes dropped EXE
        - Enumerates connected drives
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
  [2] C:\Windows\SysWOW64\uqtkxeppdzniuyy.exe
      Command line: uqtkxeppdzniuyy.exe
      PID: 4784
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  [2] C:\Windows\SysWOW64\hokwfzmb.exe
      Command line: hokwfzmb.exe
      PID: 3376
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  [2] C:\Windows\SysWOW64\jgciavfaqpsmw.exe
      Command line: jgciavfaqpsmw.exe
      PID: 1740
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  [2] C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      PID: 5056
      - Drops file in Windows directory
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (6)
Downloads

Filesize: 512KB
MD5: c185a20669cd014d1db18db492dc4d99
SHA1: ac0d935b996d25f4f3e98aa76c4b714a05268005
SHA256: 69272c640a8c33ef0a278fc6873e3f53f1c1323bfe14aeb494b62c871970045a
SHA512: 0112d48b8c4709093812dde3faa1bfcbc126861f814ea7ead83f3b1b6044714d0e5ca22d46a1fe84be2c922eaa12d02f236ad62d84e698c07a6d6abe305381f8

Filesize: 512KB
MD5: d2148123d84b018fa7664db228f85afe
SHA1: cd5b56c955cbf0701d0ce07c066cb88919056452
SHA256: be9fbef12ae13f0f0d4df6c4567975e14d726996e1ac2d11b137383e5806a254
SHA512: 26022bcd1ca0eecd53bf73648ecccb30b2a7ce3a2b427f5ed020cd6a7d0aaf033a0dbb67fb54d7047d58bbdba8a2163c3e49661f61f7d69ac9dcf28b18fd6070

Filesize: 262KB
MD5: 51d32ee5bc7ab811041f799652d26e04
SHA1: 412193006aa3ef19e0a57e16acf86b830993024a
SHA256: 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA512: 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Filesize: 239B
MD5: 12b138a5a40ffb88d1850866bf2959cd
SHA1: 57001ba2de61329118440de3e9f8a81074cb28a2
SHA256: 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA512: 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: 121e79d0f4e4d38e0825e866565c8571
SHA1: 5bab692c89926a9f59e23e0c30ab746390fe34d7
SHA256: 70a57511ab04b08b855a338ad63de39779525ce4c9eb55c288ba89b293f6a714
SHA512: fe0ff64119a7f1949e539501f0502f18a7a12bfabed650715253cb59c351190d9c60bae11b4bd811afc6e207b56612241e69668d320a6d009441aa9698690337

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: 11624bc4f18201eab432cd3b18ff00e1
SHA1: 76a1d7d3751e8e1486ff0e1ceeca8b2c0723441a
SHA256: dde8ed63f79e5eac097e99db0afb1cce14c8cba2d6ddaeed95eefe2b43b82a87
SHA512: 6a6592aaf15fc30f8be6afc66939ba3c53ad00e314ca12dd52ec86a10aebf8e91a3d0e4c058dd01fad14cce10f49658981f10fa5c9b5e59d7b0b54448c8f1448

Filesize: 512KB
MD5: 2bd918f9c1821e50b8767fa97e9d44d5
SHA1: f855ca1502ab6e34602dd72c6f8a283fcd796e83
SHA256: 89dc032dcaaceaa88c685e20d9b25be7cd4d4c478f3b6aa40636ee8d926022f9
SHA512: abe5cb4f485b1d5285872f2001760a1840f4c5e645922a6efafdd9f4f5b760b924fdb55e1c7f06f968f27e6f1457296d8a2849091a1247ff00015fccf7830977

Filesize: 512KB
MD5: e11dd1f4fb9fe0aa62d6b5c8cb9933e0
SHA1: ad508a29a148f6c483b1b72791829e96cddc1835
SHA256: 88fc4bfc3b70d50110954bc582cdcaa7ab8a3cf4b81ef259ae33478d447d109d
SHA512: 48c83882e9e35e5a02e95bea1b66a7817752ed3cf6cb8a8595dd0d5a815173dab7d7baa1e00265f8c4badde4dda90fb081ff99574420e88ff82e1ad1c23013b6

Filesize: 512KB
MD5: 4b0d6ea93a37058b23608af84fa3fee6
SHA1: e535bef3dc337e36c121138f273acb49d8084602
SHA256: dc44a5027fe65da03f4ba78c58b389893569a86086cc81b6de5935c387bad4b1
SHA512: 7106472f9ddc10bc829d1b2219ab3f389622363bcf89a6fd29a945de470915104e3cc4ff15ce57d7a55417c529770b4f3adf476edcf81d93df0258a7cd28abc9

Filesize: 512KB
MD5: 4c88a161f753b58339c5d86e88655fbf
SHA1: 986b96487726f3757f23f48ca7a4db714ad4c06e
SHA256: 0e7198cf93744376734d378f813e6daff27ce034f5b6903caff717b1a9e5f412
SHA512: feeb76f9c7f1449bd56394534ff01eb4e7fb32ac3c1f34fcbe4d4666ef282a46e2c2bd9de3da9dd7494b6effd11d58c1fa4a0f88bf1f4a259c822ae865feaf67

Filesize: 512KB
MD5: 48003c5006e3ed9d63b688189a1f911f
SHA1: c28e6e04f30142e2b6e396a0c8994ebac415bd57
SHA256: 56c0a4dfa2df03e1690c3027fbbf403dacb8ad875da1b45683377f1d75e05a90
SHA512: eafc87a84ad873a91d183027ee88eeebd510fc8af61d06838a0eca1fef186c9fdce6602b03fc7e2d44fbd9379c1ac52a765ca0a9f6b77010ac32acdb5e6883cf

Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Filesize: 512KB
MD5: 7277cd126e2dcca8b3bf1ac6699129e3
SHA1: 1b88e30f931683909fee318e45adf615aaf5de15
SHA256: bd005f6e9c0a04691cc06703a65275568ae7bda40d542622740b6c11cb58d061
SHA512: 13a80e497027964a31f0902c0b3cb44c00170e24e81ef4998ae652e3356280acd94dea926e231e86c0db01ffcca59a7e680412e7e0b035589c95df6a788ccf34

Filesize: 512KB
MD5: 2a643292557952fc4cb0d1ac23d4b9cd
SHA1: 5b273ee48ad9feff29a196e62c39ebbc59d4d77f
SHA256: 2a6693d195bca583e1810f174ea7b38de9be1a7cc9bf95983a5903979519824d
SHA512: bb473d203f7c3b0fd31682a518b122a60afea2f34a86f4369392c2050dfd08df9799c3bad5d61275d84f65e14474432de8710c76aba5da0416891319c28e2ce9