Analysis
max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system
submitted: 12-05-2024 05:04

Static task: static1
Behavioral task: behavioral1
    Sample: 3865ee53d5be03444adc267720e140d1_JaffaCakes118.exe
    Resource: win7-20240220-en
Behavioral task: behavioral2
    Sample: 3865ee53d5be03444adc267720e140d1_JaffaCakes118.exe
    Resource: win10v2004-20240426-en

General
Target: 3865ee53d5be03444adc267720e140d1_JaffaCakes118.exe
Size: 512KB
MD5: 3865ee53d5be03444adc267720e140d1
SHA1: 8baaf3c6c13d62b7b3f6cfdec7053ea4ea741c83
SHA256: e82845f903efb82a94f83e33257f0a9f69ebdb3a0e561dd1f99144a53ba1a4e5
SHA512: 91863da3907708b7b76076161fb46b688d87797cee264dc7ff7f1294a7abafc1e84413a0a6614fa4be1db236bf4089922557bce88eb6ab5292be813eb10ba43a
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6u:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm53
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | qlpmztksmq.exe

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | qlpmztksmq.exe

Windows security bypass (5 IoCs; the signature heading is missing from the extracted page and is taken from the process-tree listing for qlpmztksmq.exe)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | qlpmztksmq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | qlpmztksmq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | qlpmztksmq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | qlpmztksmq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | qlpmztksmq.exe

Disables RegEdit via registry modification (1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | qlpmztksmq.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | 3865ee53d5be03444adc267720e140d1_JaffaCakes118.exe

Executes dropped EXE (5 IoCs)
pid | Process
928 | qlpmztksmq.exe
312 | ryknghfxxtodjmz.exe
1868 | zouzodgi.exe
3476 | wvlwgxpnowrro.exe
4984 | zouzodgi.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification (6 IoCs; the signature heading is missing from the extracted page and is taken from the process-tree listing for qlpmztksmq.exe)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | qlpmztksmq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | qlpmztksmq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | qlpmztksmq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | qlpmztksmq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | qlpmztksmq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | qlpmztksmq.exe

Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qtnwyaab = "qlpmztksmq.exe" | ryknghfxxtodjmz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vvwpixwm = "ryknghfxxtodjmz.exe" | ryknghfxxtodjmz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "wvlwgxpnowrro.exe" | ryknghfxxtodjmz.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
All 64 rows are "File opened (read-only)"; the drive letters are listed per process in the order they appear in the report, duplicates included.
File opened (read-only) | by qlpmztksmq.exe (22 rows): \??\i: \??\l: \??\r: \??\q: \??\e: \??\j: \??\p: \??\a: \??\g: \??\x: \??\z: \??\k: \??\o: \??\s: \??\v: \??\b: \??\t: \??\y: \??\h: \??\u: \??\w: \??\m:
File opened (read-only) | by zouzodgi.exe (42 rows): \??\h: \??\i: \??\n: \??\v: \??\x: \??\i: \??\k: \??\t: \??\l: \??\j: \??\z: \??\q: \??\r: \??\z: \??\k: \??\o: \??\p: \??\g: \??\u: \??\v: \??\m: \??\g: \??\o: \??\x: \??\u: \??\e: \??\b: \??\q: \??\t: \??\h: \??\w: \??\j: \??\s: \??\m: \??\y: \??\n: \??\p: \??\e: \??\y: \??\a: \??\a: \??\r:

Modifies WinLogon (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | qlpmztksmq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | qlpmztksmq.exe

AutoIT Executable (11 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/2608-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x000700000002348c-5.dat | autoit_exe
behavioral2/files/0x0008000000023488-19.dat | autoit_exe
behavioral2/files/0x000700000002348d-26.dat | autoit_exe
behavioral2/files/0x000700000002348e-32.dat | autoit_exe
behavioral2/files/0x0008000000023479-66.dat | autoit_exe
behavioral2/files/0x000700000002349c-69.dat | autoit_exe
behavioral2/files/0x00040000000232f8-73.dat | autoit_exe
behavioral2/files/0x00080000000233a2-81.dat | autoit_exe
behavioral2/files/0x001a000000023405-577.dat | autoit_exe
behavioral2/files/0x001a000000023405-582.dat | autoit_exe
Drops file in System32 directory (13 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\qlpmztksmq.exe | 3865ee53d5be03444adc267720e140d1_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\ryknghfxxtodjmz.exe | 3865ee53d5be03444adc267720e140d1_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\zouzodgi.exe | 3865ee53d5be03444adc267720e140d1_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\qlpmztksmq.exe | 3865ee53d5be03444adc267720e140d1_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\ryknghfxxtodjmz.exe | 3865ee53d5be03444adc267720e140d1_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\wvlwgxpnowrro.exe | 3865ee53d5be03444adc267720e140d1_JaffaCakes118.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | zouzodgi.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | qlpmztksmq.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | zouzodgi.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | zouzodgi.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | zouzodgi.exe
File opened for modification | C:\Windows\SysWOW64\zouzodgi.exe | 3865ee53d5be03444adc267720e140d1_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\wvlwgxpnowrro.exe | 3865ee53d5be03444adc267720e140d1_JaffaCakes118.exe

Drops file in Program Files directory (14 IoCs)
description | ioc | Process
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | zouzodgi.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | zouzodgi.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | zouzodgi.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | zouzodgi.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | zouzodgi.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | zouzodgi.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | zouzodgi.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | zouzodgi.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | zouzodgi.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | zouzodgi.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | zouzodgi.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | zouzodgi.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | zouzodgi.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | zouzodgi.exe

Drops file in Windows directory (19 IoCs)
description | ioc | Process
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | zouzodgi.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | zouzodgi.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | zouzodgi.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | zouzodgi.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | zouzodgi.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | zouzodgi.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | zouzodgi.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | zouzodgi.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | zouzodgi.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | zouzodgi.exe
File opened for modification | C:\Windows\mydoc.rtf | 3865ee53d5be03444adc267720e140d1_JaffaCakes118.exe
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | zouzodgi.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | zouzodgi.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | zouzodgi.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | zouzodgi.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | zouzodgi.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | zouzodgi.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE

Modifies registry class (20 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | qlpmztksmq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | qlpmztksmq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | qlpmztksmq.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 3865ee53d5be03444adc267720e140d1_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EC1B15A449238E853B8BAD63292D7CF" | 3865ee53d5be03444adc267720e140d1_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8FFCF8482C826F9146D62F7E95BDE3E13D584066456245D79B" | 3865ee53d5be03444adc267720e140d1_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | qlpmztksmq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | qlpmztksmq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | qlpmztksmq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | qlpmztksmq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F068B1FE6A22DFD179D0D68A789113" | 3865ee53d5be03444adc267720e140d1_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings | 3865ee53d5be03444adc267720e140d1_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | qlpmztksmq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | qlpmztksmq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCEF9BDF966F197830C3B32869D3E99B3FE03F04367033DE1C442ED09A0" | 3865ee53d5be03444adc267720e140d1_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | qlpmztksmq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | qlpmztksmq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32422C0F9D5083526D3677D470562DDD7D8365D8" | 3865ee53d5be03444adc267720e140d1_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193DC70C14E5DBC2B8CD7F95ECE034BD" | 3865ee53d5be03444adc267720e140d1_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | qlpmztksmq.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid | Process
3524 | WINWORD.EXE (2 rows)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process (repeated rows are collapsed with their row count, in report order)
2608 | 3865ee53d5be03444adc267720e140d1_JaffaCakes118.exe (16 rows)
928 | qlpmztksmq.exe (10 rows)
312 | ryknghfxxtodjmz.exe (8 rows)
1868 | zouzodgi.exe (8 rows)
312 | ryknghfxxtodjmz.exe (2 rows)
3476 | wvlwgxpnowrro.exe (12 rows)
312 | ryknghfxxtodjmz.exe (2 rows)
3476 | wvlwgxpnowrro.exe (4 rows)
4984 | zouzodgi.exe (2 rows)

Suspicious use of FindShellTrayWindow (18 IoCs)
pid | Process
2608 | 3865ee53d5be03444adc267720e140d1_JaffaCakes118.exe (3 rows)
928 | qlpmztksmq.exe (3 rows)
312 | ryknghfxxtodjmz.exe (3 rows)
1868 | zouzodgi.exe (3 rows)
3476 | wvlwgxpnowrro.exe (3 rows)
4984 | zouzodgi.exe (3 rows)

Suspicious use of SendNotifyMessage (18 IoCs)
pid | Process
2608 | 3865ee53d5be03444adc267720e140d1_JaffaCakes118.exe (3 rows)
928 | qlpmztksmq.exe (3 rows)
312 | ryknghfxxtodjmz.exe (3 rows)
1868 | zouzodgi.exe (3 rows)
3476 | wvlwgxpnowrro.exe (3 rows)
4984 | zouzodgi.exe (3 rows)

Suspicious use of SetWindowsHookEx (7 IoCs)
pid | Process
3524 | WINWORD.EXE (7 rows)

Suspicious use of WriteProcessMemory (17 IoCs)
description | pid | Process | procid_target
PID 2608 wrote to memory of 928 | 2608 | 3865ee53d5be03444adc267720e140d1_JaffaCakes118.exe | 83 (3 rows)
PID 2608 wrote to memory of 312 | 2608 | 3865ee53d5be03444adc267720e140d1_JaffaCakes118.exe | 84 (3 rows)
PID 2608 wrote to memory of 1868 | 2608 | 3865ee53d5be03444adc267720e140d1_JaffaCakes118.exe | 85 (3 rows)
PID 2608 wrote to memory of 3476 | 2608 | 3865ee53d5be03444adc267720e140d1_JaffaCakes118.exe | 86 (3 rows)
PID 2608 wrote to memory of 3524 | 2608 | 3865ee53d5be03444adc267720e140d1_JaffaCakes118.exe | 87 (2 rows)
PID 928 wrote to memory of 4984 | 928 | qlpmztksmq.exe | 89 (3 rows)
Processes

C:\Users\Admin\AppData\Local\Temp\3865ee53d5be03444adc267720e140d1_JaffaCakes118.exe (level 1, PID 2608)
Command line: "C:\Users\Admin\AppData\Local\Temp\3865ee53d5be03444adc267720e140d1_JaffaCakes118.exe"
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\qlpmztksmq.exe (level 2, PID 928)
    Command line: qlpmztksmq.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\zouzodgi.exe (level 3, PID 4984)
        Command line: C:\Windows\system32\zouzodgi.exe
        - Executes dropped EXE
        - Enumerates connected drives
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage

    C:\Windows\SysWOW64\ryknghfxxtodjmz.exe (level 2, PID 312)
    Command line: ryknghfxxtodjmz.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

    C:\Windows\SysWOW64\zouzodgi.exe (level 2, PID 1868)
    Command line: zouzodgi.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

    C:\Windows\SysWOW64\wvlwgxpnowrro.exe (level 2, PID 3476)
    Command line: wvlwgxpnowrro.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

    C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (level 2, PID 3524)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
    - Hidden Files and Directories (2)
- Impair Defenses (2)
    - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads

Filesize: 512KB
MD5: 4aed92bc71d83429564ddd3dd24e1798
SHA1: e379a9ca430378b9945f50bf66fbe75f1acbc16e
SHA256: c9f1166094a1548239f3bb746617223e804b52dc7d98fca590f220199c73e8f3
SHA512: b97a9c80eae9d490c3a6596b65b0331d5a8e3d9641dcef3480b19bb79c9f679091f2fb1769fe68c1f1e1f0db2951b5eb36ef2232fd3c09f54f26db9f680e922d

Filesize: 512KB
MD5: d2439902614052e7d166b5ea8fd7dfd7
SHA1: 8bc131b97cc05afe07e8d28b23d48b002c2c5ce5
SHA256: 1e9c41495de2ef4caf9e04fd85776e3877c6ce884ffcc142db16d12b0222baac
SHA512: c7b8685347ed3081773fe0f30bfff5e3db3a674e0e35c3aca53deeb59c931a9f0fe58d8478d832a20f6575a6eef9fd8d3b0781ff394f1da1967b8ef562e4be7c

Filesize: 263KB
MD5: ff0e07eff1333cdf9fc2523d323dd654
SHA1: 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA256: 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512: b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Filesize: 239B
MD5: 506d7890424e69489a5be1afef5580c5
SHA1: cba816211e3120c37d2714d61354265337eae683
SHA256: d66db9598aaad84b8312523932d2c802eab42979172e4e1c84262688fed362e1
SHA512: 68f6ca745d8e50478c4ff4d2072e021187b40e94c3be42f17142f22b79d5150cdd6992cfe12a6119b3ad4ce7d43ea193a303fcffeed35ec7b765bb8f9348515c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: 03936c45fea6908caaa02ce65f7443d0
SHA1: efdef8905079df601bf656d2117289209e7bab5d
SHA256: 5f2fc208507b5d4640230716a58ef22cd2c11ee77a58ab6e7f68d9f3c79a1b61
SHA512: d7ed09c8adaaf02b045f0c97450a2e769f161634d05a5ad66e3d2e2dd4dff81c416842d61e9496bf2d60072e6f37df2340f5404c0b85155c0ede4e1583b1f4fb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: c0558129d5bf356c90f8e52106df68e5
SHA1: 8626ab06a5617b4761be35f236701e7661a8b17d
SHA256: 7dd9c9c1f83ce273bf68d0168ba3b398cdf5348eafa428ce486bff4a257bf10b
SHA512: 9cdcb48c88619d3ac01eeb48f8f80a3ec9cc04c3c217a96f7605206f0884ae8d4941177d7e4c2e4f6779d4f8029ed72c52d10e57916be55f6092ebf1e6828e66

Filesize: 512KB
MD5: 182663e0d176aa3f3ea1a0f9a905834c
SHA1: 725e92fe07157be4ce4a7410652414cc8a4fcd63
SHA256: ea315bb4230a9a8fe75361b332c1646e819aec9b106703e5c98830b1e8d6d8c5
SHA512: 213fc30555d06eddf0c65e69fde2c2cd877388f72ea21a4df1fc2b8c1e4cf73ca7bb0e917e023df57a512b44052c58bd2d135eb29efb68d2c640151ae46bf2ff

Filesize: 512KB
MD5: caabb005e6a0854133ec18320d455935
SHA1: 16df1b625870f2df32bd808d85bd7a101bbbd249
SHA256: bee5bd87e905b7e6320ee55a75100f19a37216a0664b29a3d204c9120eaee5b4
SHA512: 1a4e2e79057a181608e6fb33fcb420481d1114d139f560a28332d283c9fbd58e0cef99df04bd2c9af547076ab7fa1b793ba6040f20ac70b087563ef825dd0045

Filesize: 512KB
MD5: 914df608dceac4900474fb524f136c2e
SHA1: 8eedb05bd1174cd89794baa2592c54108355aaa8
SHA256: ce4e2cbca3d93bc8329aa404ab8dcb7adeb38af1af687b94d26c5749357408e5
SHA512: 88d320ca8a039dcf83177f264f406bf9cb1000fb5591e6afacd9d46a32734d84d2c7dc1d2b8d64726fa27dc3cb3b7695959ba28874d36731877e4bedb033d551

Filesize: 512KB
MD5: afc742358bb20afe3df50791a1ae597f
SHA1: ba22de161ecc6856c16abe92480492aae2c79016
SHA256: e10a47527c5868834c2fd24a3a3bd4520924112193b6909162b0e3ef4e5f1f3c
SHA512: 4fef82ceed7b5ebcdfc10912f85b9eac3143dcc3e80422c5c24ba5c9b06cb3705c9199e3b92756a5bd21bf117b039036750d0db155f883cbf512d4d85c2a472f

Filesize: 512KB
MD5: 0cf0471f10f0e5a3a770741595c80498
SHA1: cae3922b381686dfd47f9ba3803572c94c9e5a60
SHA256: 0de0ab510b656890bba1c15e01b6f4ae81e1d34b8c5c4db53d93c5bf9c2671cf
SHA512: 75afcc844520d60552d941d3dd1944da01a167a961f5f14c439768b64a1a09aad2d994bdf30ea10c3af0085a9657ae797cba2e7807907fec6638160629bd50f8

Filesize: 512KB
MD5: 9e8d8265bae2585cc0b468c15044ec30
SHA1: c8e3bcd9a1eacc1fbfcc993886a6ca258790ec35
SHA256: 987eb9ea3e865f23ca6fb97a937bd2b3985ae07d6428e686b08b42cc975e2825
SHA512: 6673fae8fdf61259d2128d8c48cb23e9b3ec33ee50780f25023b67faeda62a4f3cce79ab400a99319adc581dd51b71adecd084d220d74f108dc5ec4cd65ae63a

Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Filesize: 512KB
MD5: f13ea07edef26074738bac9971275e73
SHA1: 7ffccf31610a195af1f9f233ffedf8527882c18b
SHA256: 7e8d2276c3f462ceca6ec7da799593217bad3d6fdc3f657fd778f07367961920
SHA512: b6f7cdcc8935e4fb7c97575c23a22f578d215be0180d1c9710287b184397f17fdcb6f407312b32a54511d3460999ced3b2c429db622182fa4a9534f81ccc11ad

Filesize: 512KB
MD5: a021c3e8e37676394aafa51258cc81ea
SHA1: 4e94e63b4175e55e3adf3d29c900207c7dfd0a0f
SHA256: e341c4f99e2ec0428fd8c43bd0ef7c92c9d29d9747bd7189a73ecec75ef7a26b
SHA512: 0a3e802284e288a23552ab268cbc2b59f84ce2173524cbf70d226fe8b8d92a41f82646cd962b984510e93914c4f68d8c20b99708994ed9c8683efe64feb6abe8