Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-05-2024 19:04
Static task: static1
Behavioral task: behavioral1
  Sample: 3616476105cd41328bd246c25e3aa9c0_JaffaCakes118.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: 3616476105cd41328bd246c25e3aa9c0_JaffaCakes118.exe
  Resource: win10v2004-20240426-en
General
Target: 3616476105cd41328bd246c25e3aa9c0_JaffaCakes118.exe
Size: 512KB
MD5: 3616476105cd41328bd246c25e3aa9c0
SHA1: 6fb054a4b054ac735e27e198c6dab8fd4ed9f0c3
SHA256: 9eb732967143f34e60ffe5186f5efa4c02c3bcd933b68bc44a6664cf5bab420c
SHA512: 6e23c9601e29fcf3bf46da3aa6f7920947b1c3aa3888638f1637b828e72a41b9940ac184dc7d319c2c076a2b1d7fddf3216f8ebbc2d807c4700c2f0cf50650d6
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6+:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm59
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | rjitrsmljk.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | rjitrsmljk.exe
Windows security bypass 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | rjitrsmljk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | rjitrsmljk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | rjitrsmljk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | rjitrsmljk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | rjitrsmljk.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | rjitrsmljk.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | 3616476105cd41328bd246c25e3aa9c0_JaffaCakes118.exe
Executes dropped EXE 5 IoCs
pid | Process
3944 | rjitrsmljk.exe
2400 | omrgajybvdlgxfh.exe
2036 | wncvucri.exe
3576 | tzoaussmwwrhj.exe
3896 | wncvucri.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | rjitrsmljk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | rjitrsmljk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | rjitrsmljk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | rjitrsmljk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | rjitrsmljk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | rjitrsmljk.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oomciwtv = "omrgajybvdlgxfh.exe" | omrgajybvdlgxfh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "tzoaussmwwrhj.exe" | omrgajybvdlgxfh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oetdnxjg = "rjitrsmljk.exe" | omrgajybvdlgxfh.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\l: | wncvucri.exe
File opened (read-only) | \??\p: | wncvucri.exe
File opened (read-only) | \??\t: | wncvucri.exe
File opened (read-only) | \??\q: | wncvucri.exe
File opened (read-only) | \??\w: | wncvucri.exe
File opened (read-only) | \??\k: | wncvucri.exe
File opened (read-only) | \??\n: | wncvucri.exe
File opened (read-only) | \??\o: | wncvucri.exe
File opened (read-only) | \??\p: | rjitrsmljk.exe
File opened (read-only) | \??\r: | rjitrsmljk.exe
File opened (read-only) | \??\v: | rjitrsmljk.exe
File opened (read-only) | \??\v: | wncvucri.exe
File opened (read-only) | \??\j: | wncvucri.exe
File opened (read-only) | \??\k: | wncvucri.exe
File opened (read-only) | \??\t: | wncvucri.exe
File opened (read-only) | \??\h: | wncvucri.exe
File opened (read-only) | \??\w: | wncvucri.exe
File opened (read-only) | \??\a: | wncvucri.exe
File opened (read-only) | \??\k: | rjitrsmljk.exe
File opened (read-only) | \??\l: | rjitrsmljk.exe
File opened (read-only) | \??\v: | wncvucri.exe
File opened (read-only) | \??\i: | wncvucri.exe
File opened (read-only) | \??\r: | wncvucri.exe
File opened (read-only) | \??\j: | wncvucri.exe
File opened (read-only) | \??\u: | rjitrsmljk.exe
File opened (read-only) | \??\y: | rjitrsmljk.exe
File opened (read-only) | \??\b: | wncvucri.exe
File opened (read-only) | \??\z: | wncvucri.exe
File opened (read-only) | \??\e: | wncvucri.exe
File opened (read-only) | \??\j: | rjitrsmljk.exe
File opened (read-only) | \??\s: | rjitrsmljk.exe
File opened (read-only) | \??\a: | rjitrsmljk.exe
File opened (read-only) | \??\q: | wncvucri.exe
File opened (read-only) | \??\t: | rjitrsmljk.exe
File opened (read-only) | \??\e: | wncvucri.exe
File opened (read-only) | \??\x: | wncvucri.exe
File opened (read-only) | \??\y: | wncvucri.exe
File opened (read-only) | \??\l: | wncvucri.exe
File opened (read-only) | \??\o: | wncvucri.exe
File opened (read-only) | \??\b: | rjitrsmljk.exe
File opened (read-only) | \??\n: | rjitrsmljk.exe
File opened (read-only) | \??\w: | rjitrsmljk.exe
File opened (read-only) | \??\g: | wncvucri.exe
File opened (read-only) | \??\s: | wncvucri.exe
File opened (read-only) | \??\x: | wncvucri.exe
File opened (read-only) | \??\m: | rjitrsmljk.exe
File opened (read-only) | \??\q: | rjitrsmljk.exe
File opened (read-only) | \??\m: | wncvucri.exe
File opened (read-only) | \??\p: | wncvucri.exe
File opened (read-only) | \??\b: | wncvucri.exe
File opened (read-only) | \??\n: | wncvucri.exe
File opened (read-only) | \??\u: | wncvucri.exe
File opened (read-only) | \??\o: | rjitrsmljk.exe
File opened (read-only) | \??\a: | wncvucri.exe
File opened (read-only) | \??\e: | rjitrsmljk.exe
File opened (read-only) | \??\g: | rjitrsmljk.exe
File opened (read-only) | \??\i: | rjitrsmljk.exe
File opened (read-only) | \??\g: | wncvucri.exe
File opened (read-only) | \??\m: | wncvucri.exe
File opened (read-only) | \??\r: | wncvucri.exe
File opened (read-only) | \??\s: | wncvucri.exe
File opened (read-only) | \??\y: | wncvucri.exe
File opened (read-only) | \??\h: | rjitrsmljk.exe
File opened (read-only) | \??\z: | rjitrsmljk.exe
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | rjitrsmljk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | rjitrsmljk.exe
AutoIT Executable 9 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/2868-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x0007000000023433-5.dat | autoit_exe
behavioral2/files/0x000800000002342f-18.dat | autoit_exe
behavioral2/files/0x0007000000023434-27.dat | autoit_exe
behavioral2/files/0x0007000000023435-32.dat | autoit_exe
behavioral2/files/0x0008000000023411-73.dat | autoit_exe
behavioral2/files/0x0007000000023443-75.dat | autoit_exe
behavioral2/files/0x000700000002344e-96.dat | autoit_exe
behavioral2/files/0x000700000002344e-551.dat | autoit_exe
Drops file in System32 directory 13 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\rjitrsmljk.exe | 3616476105cd41328bd246c25e3aa9c0_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\wncvucri.exe | 3616476105cd41328bd246c25e3aa9c0_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\tzoaussmwwrhj.exe | 3616476105cd41328bd246c25e3aa9c0_JaffaCakes118.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | wncvucri.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | wncvucri.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | rjitrsmljk.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | wncvucri.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | wncvucri.exe
File opened for modification | C:\Windows\SysWOW64\omrgajybvdlgxfh.exe | 3616476105cd41328bd246c25e3aa9c0_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\tzoaussmwwrhj.exe | 3616476105cd41328bd246c25e3aa9c0_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\rjitrsmljk.exe | 3616476105cd41328bd246c25e3aa9c0_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\omrgajybvdlgxfh.exe | 3616476105cd41328bd246c25e3aa9c0_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\wncvucri.exe | 3616476105cd41328bd246c25e3aa9c0_JaffaCakes118.exe
Drops file in Program Files directory 14 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | wncvucri.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | wncvucri.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | wncvucri.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | wncvucri.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | wncvucri.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | wncvucri.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | wncvucri.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | wncvucri.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | wncvucri.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | wncvucri.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | wncvucri.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | wncvucri.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | wncvucri.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | wncvucri.exe
Drops file in Windows directory 19 IoCs
description | ioc | Process
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | wncvucri.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | wncvucri.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | wncvucri.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | wncvucri.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | wncvucri.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | wncvucri.exe
File opened for modification | C:\Windows\mydoc.rtf | 3616476105cd41328bd246c25e3aa9c0_JaffaCakes118.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | wncvucri.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | wncvucri.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | wncvucri.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | wncvucri.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | wncvucri.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | wncvucri.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | wncvucri.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | wncvucri.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | wncvucri.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | wncvucri.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class 20 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | rjitrsmljk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB5B15D4794389D52CBBAD133E8D7CF" | 3616476105cd41328bd246c25e3aa9c0_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7876BB0FF1B21DCD27ED1A68A089114" | 3616476105cd41328bd246c25e3aa9c0_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | rjitrsmljk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | rjitrsmljk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | rjitrsmljk.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 3616476105cd41328bd246c25e3aa9c0_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings | 3616476105cd41328bd246c25e3aa9c0_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | rjitrsmljk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | rjitrsmljk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | rjitrsmljk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184FC67E1594DAC3B8CD7FE3ECE537CF" | 3616476105cd41328bd246c25e3aa9c0_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | rjitrsmljk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | rjitrsmljk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | rjitrsmljk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32412C0D9C2082206D3E77D370542CAB7D8464AD" | 3616476105cd41328bd246c25e3aa9c0_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABAFAB9FE16F1E7830E3B4B81EB3993B38902F04364033EE2BD42E608A2" | 3616476105cd41328bd246c25e3aa9c0_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FF5FC8D482F8569903DD65D7E96BDE0E635584066456336D79E" | 3616476105cd41328bd246c25e3aa9c0_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | rjitrsmljk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | rjitrsmljk.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
732 | WINWORD.EXE (2 entries)
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2868 | 3616476105cd41328bd246c25e3aa9c0_JaffaCakes118.exe (16 entries)
3944 | rjitrsmljk.exe (10 entries)
2400 | omrgajybvdlgxfh.exe (10 entries)
2036 | wncvucri.exe (8 entries)
3576 | tzoaussmwwrhj.exe (12 entries)
3896 | wncvucri.exe (8 entries)
Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process
2868 | 3616476105cd41328bd246c25e3aa9c0_JaffaCakes118.exe (3 entries)
3944 | rjitrsmljk.exe (3 entries)
2400 | omrgajybvdlgxfh.exe (3 entries)
2036 | wncvucri.exe (3 entries)
3576 | tzoaussmwwrhj.exe (3 entries)
3896 | wncvucri.exe (3 entries)
Suspicious use of SendNotifyMessage 18 IoCs
pid | Process
2868 | 3616476105cd41328bd246c25e3aa9c0_JaffaCakes118.exe (3 entries)
3944 | rjitrsmljk.exe (3 entries)
2400 | omrgajybvdlgxfh.exe (3 entries)
2036 | wncvucri.exe (3 entries)
3576 | tzoaussmwwrhj.exe (3 entries)
3896 | wncvucri.exe (3 entries)
Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process
732 | WINWORD.EXE (7 entries)
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 2868 wrote to memory of 3944 | 2868 | 3616476105cd41328bd246c25e3aa9c0_JaffaCakes118.exe | 83 (3 entries)
PID 2868 wrote to memory of 2400 | 2868 | 3616476105cd41328bd246c25e3aa9c0_JaffaCakes118.exe | 84 (3 entries)
PID 2868 wrote to memory of 2036 | 2868 | 3616476105cd41328bd246c25e3aa9c0_JaffaCakes118.exe | 85 (3 entries)
PID 2868 wrote to memory of 3576 | 2868 | 3616476105cd41328bd246c25e3aa9c0_JaffaCakes118.exe | 86 (3 entries)
PID 2868 wrote to memory of 732 | 2868 | 3616476105cd41328bd246c25e3aa9c0_JaffaCakes118.exe | 87 (2 entries)
PID 3944 wrote to memory of 3896 | 3944 | rjitrsmljk.exe | 89 (3 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\3616476105cd41328bd246c25e3aa9c0_JaffaCakes118.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3616476105cd41328bd246c25e3aa9c0_JaffaCakes118.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 2868

  C:\Windows\SysWOW64\rjitrsmljk.exe (depth 2)
    Command line: rjitrsmljk.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID: 3944

    C:\Windows\SysWOW64\wncvucri.exe (depth 3)
      Command line: C:\Windows\system32\wncvucri.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      PID: 3896

  C:\Windows\SysWOW64\omrgajybvdlgxfh.exe (depth 2)
    Command line: omrgajybvdlgxfh.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 2400

  C:\Windows\SysWOW64\wncvucri.exe (depth 2)
    Command line: wncvucri.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 2036

  C:\Windows\SysWOW64\tzoaussmwwrhj.exe (depth 2)
    Command line: tzoaussmwwrhj.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 3576

  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (depth 2)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID: 732
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (6)
Downloads

Filesize: 512KB
MD5: f09b6df3a4d68b2bc3883b7d629c9fa3
SHA1: a4cd058f7c62143e3bdb8fee42d2145586de297b
SHA256: 4550954178e9142a2cfc500dc2e1c1dc5e7bf5222066c36bdb0b0f43838965c1
SHA512: be1750e96a19ccb68f6a37052501abf711db4f83b8f4fe96af5a53568ccb4e4e5c0ebbf468707820f83d1cac771cba65d116d4e45626518ac3eb5debcaf3247a

Filesize: 512KB
MD5: 59a3cd0cc928d6159f252ebd927b07f6
SHA1: c82d02e1db25e8ce2a3ff9c4125b85fde4d7aebb
SHA256: 6e67ec5b1a042c060d5083c19fd51711c3e7f4a16d0b78c4e06293da67865754
SHA512: 5acc93f7662702ad1cbc15494de142019ad22103aa5a97a4c7559486e75c77fa6f0982f2169b46c385f98fb8aca7075750d4b793eb094069b347a3decba972ff

Filesize: 245KB
MD5: f883b260a8d67082ea895c14bf56dd56
SHA1: 7954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256: ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512: d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Filesize: 239B
MD5: 12b138a5a40ffb88d1850866bf2959cd
SHA1: 57001ba2de61329118440de3e9f8a81074cb28a2
SHA256: 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA512: 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: 65ea77d30998c2bac5001736e9c47b5c
SHA1: 0a1bb3164b16760e4e3a92065e284b1847f414c1
SHA256: 61b069c4af3695cad2dec9d20d00b1e141a653ac603ae2f21a0ea36ba07cd889
SHA512: 5db6caa8d202cd68332e6ba4e2e42f82dfd16ebf4b0bc3891598034b6dce95901dba7afda25dbc7c42f3ae58e81a6ec1cae372addb562c798c196dcc53443b57

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: 81c25b41389961c09ec9cb072fa4aa7a
SHA1: 5e3997c71c7db45c5ef32b507daa121ef8d23102
SHA256: 7c1080d18fbf74a4aecc5f9b573df55b4f90af08ddc94a5a630533226da28dd9
SHA512: c48dcdbffa03c79ed76cffff1712d8f544a9b7f62c529cbdf8b0c1ef46a6440aed53f9e1a08e81490632070bd1c13a20edaea25df39b9cd2df1756d54e40f6f8

Filesize: 512KB
MD5: 49595e0a0993b65a227d3e0b6fef4b95
SHA1: 5a1ca745d2b0a9b733171999bf7f1b8c50da5973
SHA256: e967684d6349306637c9f33d3e4ec96f3d01b2a7ed277c5f6166151ebf33df14
SHA512: 21680bf2b3057a7f2006947c4517058d9dde740d9978fe8cb5f276a96f1202f0ea8e9fdc41fdf86c09358d72505a34c2eacc849251dde28a978ca935ab067e1c

Filesize: 512KB
MD5: 485c6ffb50471e1e0ded27ec3807b202
SHA1: 1c10f37a1fcadaf94399ddda1cef8a975788bb78
SHA256: f815629fe5d8462d502f5e5872a1cb5f6eccb2d77684ad94280807513f5db75a
SHA512: 12a1177ad115d3aa982c5eed1eaa96942031d8973d5fc161728b48c7e8754a18e2e06b023a37e573a93c225b5c95a468d6aa8f0e508bff2c443ef9c1c0a01762

Filesize: 512KB
MD5: 847f3a52e1d053e96f736ef9be826237
SHA1: a5c843cb791b46150804ab2014683c1d2ebe4ea5
SHA256: 75113f13bf59e2c037770f86084347c76c2927410d4e788e0d409a88e3e47c21
SHA512: 5d2ce43c55bcce608ded64738bbffde62fbbe89473e5c35949bb6822b6070a8a3e6f7029e8bd0b7a0dd88d6672bedcc7472669b01fb67112cdb77ced39fa3155

Filesize: 512KB
MD5: 136c3e893fc4eca0a6e42d1337d4f893
SHA1: 435d07fa7e9d4cb1610269020139792010a7e91b
SHA256: 118407e57cbcfe8a22770031633bacaeb704aa69faf3ca6b6aecb20f7f1159c4
SHA512: 4d37a35c4c0e401dc2a1aff7dac3328550ab2e3deef8bf312cd51a80496e9238fcef96ee3a2723e2795893b777fb27edcdc9900218a2cde734850a23fc703ddd

Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Filesize: 512KB
MD5: 3f4685a76f9caf2a2a26fdbb1eec820a
SHA1: f0283a6250cb7e06e8ddc6c41a5028e33c164f26
SHA256: 684337018b5d30778a0f0a348a2aaf3a429ff1ca2b1518b46d8d6f558f045dac
SHA512: c93c98be630a5139980061428bf1b9e387678cd3173abe6299a4e53d83cdab6e5b9409e6c00cfbcfcbd848333ffd9665d71d7a8782e8f99001bb45cb42f86b30

Filesize: 512KB
MD5: 429ca88ac796c1aef55022e06b9a9299
SHA1: 524f43626a21d94fa0f376f44e81fd981e376f96
SHA256: 6163045a15be3b9f17d52f1c9ff26612b76f893b8fb0b3a61d14e0b95714e899
SHA512: d3e20b1237c3d7e9086235c1ad4c68c4dad3aca2262347797b525fb49d8aa4876f40629c225735e68be13e3222a16c403fa723506ee3b14c685d2fdc527b5956