Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/05/2024, 02:31
Static task: static1
Behavioral task: behavioral1
  Sample: 37c9021b5c604c13ddcb215e45522baf_JaffaCakes118.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 37c9021b5c604c13ddcb215e45522baf_JaffaCakes118.exe
  Resource: win10v2004-20240426-en
General
Target: 37c9021b5c604c13ddcb215e45522baf_JaffaCakes118.exe
Size: 512KB
MD5: 37c9021b5c604c13ddcb215e45522baf
SHA1: 2a3b8dd39e99d64af92f43627b988194eea5181e
SHA256: 6336e604f1684cf483355dae37979b9ae66f039c0caaf616f64c4df715b8d12f
SHA512: 59fe6b199a15ac0013aac62f6698e584d3b0bc7107e38571bf34e2b4bd6bc5a221a6afcf3fb59912f37fb9530037ce7afeb4e420dd9f9ebb247264bd513c5811
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6j:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5O
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
- Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (wrcetegoyo.exe)
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
- Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (wrcetegoyo.exe)
Both values equal the Windows defaults (known extensions hidden, protected operating-system files hidden), so by themselves they are weak evidence on a host. Their effect is that double-extension names such as the PROTTPLN.DOC.exe files this sample drops under Program Files are shown in Explorer without the trailing .exe.
Windows security bypass 5 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (wrcetegoyo.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (wrcetegoyo.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (wrcetegoyo.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (wrcetegoyo.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (wrcetegoyo.exe)
These are the Security Center values introduced with Windows XP SP2: the *DisableNotify values suppress the missing-antivirus, firewall and updates warnings, and the *Override values tell Security Center that another product covers that function. The report does not show whether they still have any effect on this Windows 10 build, so treat the write as an indicator of the sample's intent rather than as confirmation that protection was disabled.
Disables RegEdit via registry modification 1 IoCs
- Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (wrcetegoyo.exe)
With this policy set, regedit.exe refuses to start for that user, which hampers manual cleanup of the other keys listed on this page; reg.exe and editing the hive offline are not blocked by it.
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
- Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation (37c9021b5c604c13ddcb215e45522baf_JaffaCakes118.exe)
Executes dropped EXE 5 IoCs
- PID 4028 wrcetegoyo.exe
- PID 4284 llenkqobymangxt.exe
- PID 2216 aljzzmrt.exe
- PID 2872 vbgfxaovnozgb.exe
- PID 3104 aljzzmrt.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 6 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (wrcetegoyo.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (wrcetegoyo.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" (wrcetegoyo.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (wrcetegoyo.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (wrcetegoyo.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (wrcetegoyo.exe)
Adds Run key to start application 2 TTPs 3 IoCs
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jxcmafvi = "wrcetegoyo.exe" (llenkqobymangxt.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kyexzxjo = "llenkqobymangxt.exe" (llenkqobymangxt.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "vbgfxaovnozgb.exe" (llenkqobymangxt.exe); the value name is empty, i.e. this is the key's default value
All three entries are bare file names with no path; the binaries themselves were dropped into C:\Windows\SysWOW64 (see "Drops file in System32 directory").
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
- wrcetegoyo.exe opened (read-only) \??\a: b: e: g: h: i: j: k: l: m: n: o: p: q: r: s: v: w: x: y: z: (21 opens)
- aljzzmrt.exe opened (read-only) \??\a: b: e: g: h: i: j: k: l: m: n: o: p: q: r: s: t: u: v: w: x: y: z: (43 opens; every letter except g, i and w appears twice, consistent with the two aljzzmrt.exe instances, PIDs 2216 and 3104)
Neither process opens c:, d: or f:.
Modifies WinLogon 2 TTPs 2 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" (wrcetegoyo.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" (wrcetegoyo.exe)
4294967197 is 0xFFFFFF9D, the SFCDisable value old file infectors wrote to switch off Windows File Protection on Windows 2000/XP. Windows 10 protects system files through Windows Resource Protection, which this key does not control, so the write is a leftover of older malware code rather than an effective bypass; it is still a useful host indicator.
AutoIT Executable 11 IoCs
AutoIT scripts compiled to PE executables.
YARA rule autoit_exe matched:
- behavioral2/memory/3552-0-0x0000000000400000-0x0000000000496000-memory.dmp
- behavioral2/files/0x0007000000023405-5.dat
- behavioral2/files/0x00090000000233ee-19.dat
- behavioral2/files/0x0007000000023406-27.dat
- behavioral2/files/0x0007000000023407-31.dat
- behavioral2/files/0x000800000002293a-68.dat
- behavioral2/files/0x000200000002293b-71.dat
- behavioral2/files/0x0008000000023418-77.dat
- behavioral2/files/0x0008000000023421-92.dat
- behavioral2/files/0x0008000000023421-485.dat
- behavioral2/files/0x0008000000023421-487.dat
Drops file in System32 directory 13 IoCs
- C:\Windows\SysWOW64\wrcetegoyo.exe: File created, File opened for modification (37c9021b5c604c13ddcb215e45522baf_JaffaCakes118.exe)
- C:\Windows\SysWOW64\llenkqobymangxt.exe: File created, File opened for modification (37c9021b5c604c13ddcb215e45522baf_JaffaCakes118.exe)
- C:\Windows\SysWOW64\aljzzmrt.exe: File created, File opened for modification (37c9021b5c604c13ddcb215e45522baf_JaffaCakes118.exe)
- C:\Windows\SysWOW64\vbgfxaovnozgb.exe: File created, File opened for modification (37c9021b5c604c13ddcb215e45522baf_JaffaCakes118.exe)
- C:\Windows\SysWOW64\msvbvm60.dll: File opened for modification (wrcetegoyo.exe)
- \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe: File created ×2, File opened for modification ×2 (aljzzmrt.exe)
Drops file in Program Files directory 15 IoCs
All by aljzzmrt.exe, under C:\Program Files\Microsoft Office\root\Office16\1033\ (some events logged with the \??\c:\ device form of the same path):
- PROTTPLN.nal: File opened for modification ×2
- PROTTPLV.nal: File opened for modification ×2
- PROTTPLN.DOC.exe: File created ×2, File opened for modification ×4
- PROTTPLV.DOC.exe: File created ×1, File opened for modification ×4
Drops file in Windows directory 19 IoCs
- \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe: File created ×2, File opened for modification ×2 (aljzzmrt.exe)
- \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe: File created ×2, File opened for modification ×2 (aljzzmrt.exe)
- \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe: File created ×2, File opened for modification ×2 (aljzzmrt.exe)
- \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe: File created ×2, File opened for modification ×2 (aljzzmrt.exe)
- C:\Windows\mydoc.rtf: File opened for modification (37c9021b5c604c13ddcb215e45522baf_JaffaCakes118.exe), File opened for modification (WINWORD.EXE)
- C:\Windows\~$mydoc.rtf: File created (WINWORD.EXE)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
Enumerates system info in registry 2 TTPs 3 IoCs
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
Note that all six of these reads come from WINWORD.EXE, which the sample launches on C:\Windows\mydoc.rtf, not from the sample's own processes.
Modifies registry class 20 IoCs
By 37c9021b5c604c13ddcb215e45522baf_JaffaCakes118.exe:
- Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E78068C4FE6721ACD208D0A88B7F9163"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184BC77815E7DBB3B9CE7F95ED9434C6"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32442D7A9C5183236D4176D570212CAA7C8764D6"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AB9FAB8F913F197837B3A4086ED3993B3FD02F94369034EE1C945E809D5"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FCAB15F47E438E852C4BAA633E8D4BB"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8CFFFC482785689030D75F7DE1BC92E13C593166366342D7ED"
- Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings
By wrcetegoyo.exe:
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf, .reg, .vbs, .wsc, .bat, .wsh (6 keys)
- Set value (str) default value of \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF, .reg, .WSH, .bat, .wsc, .vbs = "txtfile" (6 values)
Pointing those six extensions at the txtfile ProgID makes a double-clicked .bat, .vbs, .wsf, .wsh or .wsc script open in Notepad instead of running, and a .reg file open in Notepad instead of being imported, so cleanup scripts and registry fixes delivered that way stop working until the associations are restored. The CLV.Classes values are opaque hex strings whose meaning the report does not establish; they are useful as host indicators regardless.
Suspicious behavior: AddClipboardFormatListener 2 IoCs
- PID 3668 WINWORD.EXE (×2)
Suspicious behavior: EnumeratesProcesses 64 IoCs
- PID 3552 37c9021b5c604c13ddcb215e45522baf_JaffaCakes118.exe (×16)
- PID 4028 wrcetegoyo.exe (×10)
- PID 4284 llenkqobymangxt.exe (×10)
- PID 2216 aljzzmrt.exe (×8)
- PID 2872 vbgfxaovnozgb.exe (×12)
- PID 3104 aljzzmrt.exe (×8)
Suspicious use of FindShellTrayWindow 18 IoCs
- PIDs 3552, 4028, 4284, 2216, 2872 and 3104 (×3 each)
Suspicious use of SendNotifyMessage 18 IoCs
- PIDs 3552, 4028, 4284, 2216, 2872 and 3104 (×3 each)
Suspicious use of SetWindowsHookEx 7 IoCs
- PID 3668 WINWORD.EXE (×7)
Suspicious use of WriteProcessMemory 17 IoCs
- PID 3552 37c9021b5c604c13ddcb215e45522baf_JaffaCakes118.exe wrote to memory of 4028 wrcetegoyo.exe (×3, procid_target 84)
- PID 3552 37c9021b5c604c13ddcb215e45522baf_JaffaCakes118.exe wrote to memory of 4284 llenkqobymangxt.exe (×3, procid_target 85)
- PID 3552 37c9021b5c604c13ddcb215e45522baf_JaffaCakes118.exe wrote to memory of 2216 aljzzmrt.exe (×3, procid_target 86)
- PID 3552 37c9021b5c604c13ddcb215e45522baf_JaffaCakes118.exe wrote to memory of 2872 vbgfxaovnozgb.exe (×3, procid_target 87)
- PID 3552 37c9021b5c604c13ddcb215e45522baf_JaffaCakes118.exe wrote to memory of 3668 WINWORD.EXE (×2, procid_target 88)
- PID 4028 wrcetegoyo.exe wrote to memory of 3104 aljzzmrt.exe (×3, procid_target 90)
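The registry signatures above (Explorer settings, Security Center, DisableRegistryTools, the Winlogon SFC values, the Run keys and the script-extension classes) arrive flattened into single lines, and not all of them carry the same weight. The following Python is an added example, not part of the Triage report: it re-splits that flattened text into records, ranks each record (persistence, strong, weak because it equals a Windows default, or informational) and emits the reg.exe query that shows the key's current state on a host. The sample lines are copied from this report; the ranking rules and the hive mapping are the author's assumptions, and an HKU\<SID> path only resolves while that user's hive is loaded.

```python
"""Re-split Triage's flattened registry IoC tables, rank the records and emit
reg.exe queries that show the same keys on a host under investigation."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input: three tables from this report pasted as the single-line
# text the page shows, with the trailing "-" separator dropped.
SECURITY_CENTER_LINE = (
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" wrcetegoyo.exe '
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" wrcetegoyo.exe '
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" wrcetegoyo.exe '
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" wrcetegoyo.exe '
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" wrcetegoyo.exe'
)
RUN_KEY_LINE = (
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jxcmafvi = "wrcetegoyo.exe" llenkqobymangxt.exe '
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kyexzxjo = "llenkqobymangxt.exe" llenkqobymangxt.exe '
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "vbgfxaovnozgb.exe" llenkqobymangxt.exe'
)
MIXED_LINE = (  # one record each from the Explorer, Winlogon and registry-class tables
    r'Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" wrcetegoyo.exe '
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" wrcetegoyo.exe '
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" wrcetegoyo.exe'
)

OPS = ("Set value (int)", "Set value (str)", "Key created", "Key opened", "Key value queried")
_RECORD_START = re.compile("(?=" + "|".join(map(re.escape, OPS)) + ")")


@dataclass(frozen=True)
class RegIoc:
    op: str
    path: str          # full \REGISTRY\... path; for Set value the last component is the value name
    data: str | None   # quoted data for Set value records, else None
    process: str


def parse_reg_iocs(line: str) -> list[RegIoc]:
    """Split one flattened table into records. Paths may contain spaces
    ("Security Center", "Windows NT"), so split on the operation keywords and
    peel the quoted data and the trailing process name off each chunk."""
    records = []
    for chunk in _RECORD_START.split(line.strip()):
        chunk = chunk.strip()
        if not chunk:
            continue
        op = next(o for o in OPS if chunk.startswith(o))
        body = chunk[len(op):].strip()
        if ' = "' in body:
            path, rest = body.split(' = "', 1)
            data, _, process = rest.rpartition('" ')
        else:
            path, _, process = body.rpartition(" ")
            data = None
        records.append(RegIoc(op, path, data, process))
    return records


# Ranking rules (author's assumption, not Triage's). HideFileExt=1 and
# ShowSuperHidden=0 are the Windows defaults, so writing them is weak evidence.
WINDOWS_DEFAULTS = {r"Explorer\Advanced\HideFileExt": "1", r"Explorer\Advanced\ShowSuperHidden": "0"}
STRONG_MARKERS = ("\\Security Center\\", "\\Policies\\System\\DisableRegistryTools", "\\Winlogon\\SFC")


def severity(ioc: RegIoc) -> str:
    if not ioc.op.startswith("Set value"):
        return "info"
    if "\\CurrentVersion\\Run\\" in ioc.path:
        return "persistence"
    for suffix, default in WINDOWS_DEFAULTS.items():
        if ioc.path.endswith(suffix):
            return "weak" if ioc.data == default else "strong"
    if any(marker in ioc.path for marker in STRONG_MARKERS):
        return "strong"
    if "\\Classes\\." in ioc.path and ioc.data == "txtfile":  # script/.reg handler demoted to Notepad
        return "strong"
    return "info"


HIVES = {"\\REGISTRY\\MACHINE\\": "HKLM\\", "\\REGISTRY\\USER\\": "HKU\\"}


def to_reg_query(ioc: RegIoc) -> str:
    """reg.exe command showing the current state of the key or value on a host."""
    path = ioc.path
    for prefix, hive in HIVES.items():
        if path.startswith(prefix):
            path = hive + path[len(prefix):]
            break
    if not ioc.op.startswith("Set value"):
        return f'reg query "{path}"'
    key, _, name = path.rpartition("\\")            # empty name means the key's default value
    return f'reg query "{key}" /ve' if name == "" else f'reg query "{key}" /v {name}'


if __name__ == "__main__":
    for line in (SECURITY_CENTER_LINE, RUN_KEY_LINE, MIXED_LINE):
        for ioc in parse_reg_iocs(line):
            print(f"{severity(ioc):<12} {ioc.process:<22} {to_reg_query(ioc)}")
```

The split is keyed on the operation words rather than on whitespace because several of the paths on this page contain spaces; the process name is always the last whitespace-free token, and the data, when present, is the quoted text before it. The emitted queries are meant for a 64-bit reg.exe, so the WOW6432Node paths are passed through unchanged.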
Processes
C:\Users\Admin\AppData\Local\Temp\37c9021b5c604c13ddcb215e45522baf_JaffaCakes118.exe (depth 1, PID 3552)
  Command line: "C:\Users\Admin\AppData\Local\Temp\37c9021b5c604c13ddcb215e45522baf_JaffaCakes118.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Children of PID 3552:
  C:\Windows\SysWOW64\wrcetegoyo.exe (depth 2, PID 4028)
    Command line: wrcetegoyo.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    Child of PID 4028:
    C:\Windows\SysWOW64\aljzzmrt.exe (depth 3, PID 3104)
      Command line: C:\Windows\system32\aljzzmrt.exe
      (the command line names system32, but the image runs from SysWOW64 because the 32-bit parent is subject to WOW64 file-system redirection)
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\llenkqobymangxt.exe (depth 2, PID 4284)
    Command line: llenkqobymangxt.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\aljzzmrt.exe (depth 2, PID 2216)
    Command line: aljzzmrt.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\vbgfxaovnozgb.exe (depth 2, PID 2872)
    Command line: vbgfxaovnozgb.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (depth 2, PID 3668)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    (the initial sample writes C:\Windows\mydoc.rtf and then opens it in Word; the registry reads attributed to WINWORD.EXE above come from this instance)
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads
Dropped files available from the sandbox; paths are only recorded for the two Word jump-list artifacts.

Filesize: 512KB
MD5: 91b7fb6cd0da31e0a3b87e0f902e6c12
SHA1: 3d2d4ceed0908dca7716eec3a167be56abb8578c
SHA256: 664be05144d739d44ef1820de095c718157333543a3efdbc00cdf7d44773c9fb
SHA512: 5d3173ec50cff083a22bcd2e5e87bf3e0ec8801b34f8005a7d471be8829c153f6f2a7b261f2478058534df4118b09486746ddcb4bdd2e44582272d7d028f4a1f

Filesize: 512KB
MD5: 71c0d5ae5614898764a89df8ca2868b8
SHA1: cf78377c3e4c193d71edf10762cbb8fd6102ebbf
SHA256: 4bddd2e61ddc41167f02fe0971ab37d9f845e7b899ee9bb61749fb68edb707cb
SHA512: 51fd14d0ce6ad4317048adf76d6be2c65255e34ccaf712a47b70ae208cf9218a933724bd8307336f0677ac4d99b005eaeea5057cdc4d84b1495448b874c4d24f

Filesize: 263KB
MD5: ff0e07eff1333cdf9fc2523d323dd654
SHA1: 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA256: 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512: b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Filesize: 239B
MD5: 12b138a5a40ffb88d1850866bf2959cd
SHA1: 57001ba2de61329118440de3e9f8a81074cb28a2
SHA256: 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA512: 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: ff03e448e7484bb289387c7a71165cbf
SHA1: d9ba05cce720a1374ddd854f733dce817b76ac35
SHA256: 0dc3ca74480913ae59a8e94c973a866fa00eb2dc2d37cebc6a3d1f8293f94bb3
SHA512: d5caf5ae8a52f90c479f8eb5cea75291a018215d53400f5a79a9b1ce9a6d8a1c76f39a722b6d8f12411b23649b9a9f20d6f58cedc8c4e15b621ca14183f20b85

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: 687ce4d2b0d6b71050f954e53e1041c9
SHA1: 87431751f666ef2f7184caab864561ae72e2cfdd
SHA256: 034e898afe0bf6bc4a023a7f3cbc71b59ac8c3bf88546524f837139e453f65f6
SHA512: 61aa3cb39bd2cf8cbcebb7e3cd76e878fe63d4c3eba3fabfd336704278455870bce425fbf5a0465ac0e06fa0f9c65dfdac706e6533af27dd8f36dc009bdcb68b

Filesize: 512KB
MD5: b99aeb97414a0a6f581606f4d515d017
SHA1: 3dc218d724b98f3f947dcb581b56fe3641aaaceb
SHA256: f2394b889ee9a8186d59cbe892b7bc664c840b489740ed89464e38d19e377103
SHA512: 76d87df7be602856dd278131e1f16d5e544b6a0c0295b07be9337bf58cf1d7df6f94b0455ccd0a85eeab9adcca98259149a04394e5ee301aec235d4e91fb1066

Filesize: 512KB
MD5: ab139eab60a182c16051efe79846c921
SHA1: f8168dda295e2585099ee040e2f1329677be3f53
SHA256: 65ae13ca38ef44bb13a48f2a6764f8004949cb50507c52ec4d81941efae6a164
SHA512: be210b06516c8c6adec50186563a4d6b70c40b9c4a336837ebbcbae82e0e48f21998d955598fc41cb43398166f6dee0d25eb0c157903467661cb7713fc8d16fc

Filesize: 512KB
MD5: 033feaf34115554896f68bc6cecaf0ea
SHA1: 3dcc64cc3bafe2aa3cac79d533ebcfe27d0e8270
SHA256: 4444d22135d75d5c072714b59aa19419b62945f53c2f6ad418b22383a32a9ecc
SHA512: ae1f68b2a5f38d156e7a0b4f44eed896d0dda2e9da962dedda04f6b5501522bb6825bb434c3b2162b99694eaed026178d8ab2ea83dc16870aec233800c3f311a

Filesize: 512KB
MD5: 24d567b4e49f609a1ab2641d1d52316b
SHA1: e58c57d6272c6889c2a9f17f64b233bbdce0b2f6
SHA256: be9ff497f015b9bec6916bc183a48d20acd408801b9eb115d543958d25c903a4
SHA512: a940d6685dfa3bb407172829d8d8cd6dfb559b25be75a5a7995215a63f9f3ee2ba83372703b11cb43ee6431c6dda41f0ec304a0891e385578f16f696796d2cb9

Filesize: 512KB
MD5: 66c11e91bb51280c6ab4d33b4dafe56d
SHA1: 7a01f84be17b187a6c4987b768933b03eaedc694
SHA256: 1b024c26408e7aa08bf6ee4ebbca9a6a1b50da1400520532b729c0c9318a8e85
SHA512: 509ba6282cde1a3ed21705a44ba3e1bca4d1a69f67a9ac1ed1f22dff4b4fa41f60c6e253435d17871189b5044e0e9a703c00aec75ea161c5102f68e044fc07a1

Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Filesize: 512KB
MD5: 434fd65ce4ff922354a7143c9cd8ae24
SHA1: 753b8c4f33c648658a7c97e09cf71fdc4fc82da6
SHA256: 1d38413f82b2a25f03c6c6b8f6cc405cfc7a77be034ebc6b805485c82ed49c22
SHA512: 052ffec96363074f9dd516c680030828c28188daa97dc51c7bd2f176955dacd58e4e6155d543ac95065f0501fe96f5f49bfd07570713923d8949e9dc6591b5e3

Filesize: 512KB
MD5: 58a9c9679ac1d04d035004256b4026eb
SHA1: dbc7fced6935209ec3e9e3e51c5956b87fbc77c2
SHA256: 6133acabefca91159d4ea48962407300b4ad245680efe4422aad20765a7cf637
SHA512: 85e1bc780af8ddc609d90ff6d38468830c50c49412ec471ab45c0810fde3e7be0b2a17f9417636567eea4b5a5e41f2c9c725d3409f7e2cacca890846f3a98ac8

Filesize: 512KB
MD5: 8a773050b19cf6abe3383e7105bb819c
SHA1: e01240fd6866d67d7d27de843b37ee142641eae6
SHA256: deb2267377cd10535be19dc86d8e01d5e3511162ce952a007d332e18cf1a75dc
SHA512: 61fad56c29153a36e3ab02c2796e832087373a6c134e76d8ad059e04c2f4005e1f72873168413bbe8bfbba2cf785aa6781db3e326e81f2ebc5b380903137430a