Analysis
-
max time kernel
149s -
max time network
106s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
12/05/2024, 18:00
Static task
static1
2 signatures
Behavioral task
behavioral1
Sample
3b631ec129c29e414d3b969d08989048_JaffaCakes118.exe
Resource
win7-20240221-en
windows7-x64
25 signatures
150 seconds
Behavioral task
behavioral2
Sample
3b631ec129c29e414d3b969d08989048_JaffaCakes118.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
25 signatures
150 seconds
General
-
Target
3b631ec129c29e414d3b969d08989048_JaffaCakes118.exe
-
Size
512KB
-
MD5
3b631ec129c29e414d3b969d08989048
-
SHA1
a884bce28d47cb3c8a463d24eb0b6eca0e185bc2
-
SHA256
40ccf34b3a7cd45322fddfea08497cb1046e38fba16a8b3f5f235556b1ea4c67
-
SHA512
d33c39b6b5e64432b0e2837ac71439e38dace602f68854ccd64aaa55d57145c2a4ad48f2bbc6cf8a9237b7c7cd5a6b91031f88145dfa299074a3267768084a2e
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6V:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm56
Score
10/10
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" gxoqbmyevv.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" gxoqbmyevv.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" gxoqbmyevv.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" gxoqbmyevv.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" gxoqbmyevv.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" gxoqbmyevv.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" gxoqbmyevv.exe -
Disables RegEdit via registry modification 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" gxoqbmyevv.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation 3b631ec129c29e414d3b969d08989048_JaffaCakes118.exe -
Executes dropped EXE 5 IoCs
pid Process 3864 gxoqbmyevv.exe 4736 iluvrpgj.exe 2832 hrxqmkflfbilbeo.exe 3760 wpfmmevmeqcdd.exe 804 iluvrpgj.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" gxoqbmyevv.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" gxoqbmyevv.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" gxoqbmyevv.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" gxoqbmyevv.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" gxoqbmyevv.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" gxoqbmyevv.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pnqxctgs = "gxoqbmyevv.exe" hrxqmkflfbilbeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lrayyzoz = "hrxqmkflfbilbeo.exe" hrxqmkflfbilbeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "wpfmmevmeqcdd.exe" hrxqmkflfbilbeo.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\u: gxoqbmyevv.exe File opened (read-only) \??\z: gxoqbmyevv.exe File opened (read-only) \??\b: iluvrpgj.exe File opened (read-only) \??\l: iluvrpgj.exe File opened (read-only) \??\x: iluvrpgj.exe File opened (read-only) \??\y: gxoqbmyevv.exe File opened (read-only) \??\y: iluvrpgj.exe File opened (read-only) \??\y: iluvrpgj.exe File opened (read-only) \??\g: gxoqbmyevv.exe File opened (read-only) \??\l: gxoqbmyevv.exe File opened (read-only) \??\j: iluvrpgj.exe File opened (read-only) \??\p: iluvrpgj.exe File opened (read-only) \??\n: iluvrpgj.exe File opened (read-only) \??\v: iluvrpgj.exe File opened (read-only) \??\w: iluvrpgj.exe File opened (read-only) \??\k: iluvrpgj.exe File opened (read-only) \??\e: gxoqbmyevv.exe File opened (read-only) \??\h: gxoqbmyevv.exe File opened (read-only) \??\h: iluvrpgj.exe File opened (read-only) \??\l: iluvrpgj.exe File opened (read-only) \??\r: iluvrpgj.exe File opened (read-only) \??\t: iluvrpgj.exe File opened (read-only) \??\i: iluvrpgj.exe File opened (read-only) \??\b: gxoqbmyevv.exe File opened (read-only) \??\p: gxoqbmyevv.exe File opened (read-only) \??\u: iluvrpgj.exe File opened (read-only) \??\p: iluvrpgj.exe File opened (read-only) \??\t: iluvrpgj.exe File opened (read-only) \??\j: gxoqbmyevv.exe File opened (read-only) \??\s: iluvrpgj.exe File opened (read-only) \??\x: gxoqbmyevv.exe File opened (read-only) \??\m: iluvrpgj.exe File opened (read-only) \??\x: iluvrpgj.exe File opened (read-only) \??\h: iluvrpgj.exe File opened (read-only) \??\o: iluvrpgj.exe File opened (read-only) \??\i: gxoqbmyevv.exe File opened (read-only) \??\g: iluvrpgj.exe File opened (read-only) \??\n: iluvrpgj.exe File opened (read-only) \??\u: iluvrpgj.exe File opened (read-only) \??\o: iluvrpgj.exe File opened (read-only) \??\o: gxoqbmyevv.exe File opened (read-only) \??\r: gxoqbmyevv.exe File opened (read-only) \??\e: iluvrpgj.exe File opened (read-only) \??\s: iluvrpgj.exe File opened (read-only) \??\q: iluvrpgj.exe File opened (read-only) \??\w: iluvrpgj.exe File opened (read-only) \??\m: iluvrpgj.exe File opened (read-only) \??\v: gxoqbmyevv.exe File opened (read-only) \??\b: iluvrpgj.exe File opened (read-only) \??\k: gxoqbmyevv.exe File opened (read-only) \??\q: gxoqbmyevv.exe File opened (read-only) \??\i: iluvrpgj.exe File opened (read-only) \??\k: iluvrpgj.exe File opened (read-only) \??\v: iluvrpgj.exe File opened (read-only) \??\z: iluvrpgj.exe File opened (read-only) \??\z: iluvrpgj.exe File opened (read-only) \??\a: gxoqbmyevv.exe File opened (read-only) \??\m: gxoqbmyevv.exe File opened (read-only) \??\t: gxoqbmyevv.exe File opened (read-only) \??\g: iluvrpgj.exe File opened (read-only) \??\q: iluvrpgj.exe File opened (read-only) \??\n: gxoqbmyevv.exe File opened (read-only) \??\w: gxoqbmyevv.exe File opened (read-only) \??\e: iluvrpgj.exe -
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" gxoqbmyevv.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" gxoqbmyevv.exe -
AutoIT Executable 11 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral2/memory/796-0-0x0000000000400000-0x0000000000496000-memory.dmp autoit_exe behavioral2/files/0x00080000000233e4-5.dat autoit_exe behavioral2/files/0x000600000002326f-18.dat autoit_exe behavioral2/files/0x00070000000233e5-23.dat autoit_exe behavioral2/files/0x00070000000233e6-30.dat autoit_exe behavioral2/files/0x00020000000229c9-63.dat autoit_exe behavioral2/files/0x00080000000233c8-69.dat autoit_exe behavioral2/files/0x000800000002331f-75.dat autoit_exe behavioral2/files/0x00080000000233f6-81.dat autoit_exe behavioral2/files/0x001600000002340a-574.dat autoit_exe behavioral2/files/0x001600000002340a-578.dat autoit_exe -
Drops file in System32 directory 13 IoCs
description ioc Process File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe iluvrpgj.exe File created C:\Windows\SysWOW64\gxoqbmyevv.exe 3b631ec129c29e414d3b969d08989048_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\gxoqbmyevv.exe 3b631ec129c29e414d3b969d08989048_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\hrxqmkflfbilbeo.exe 3b631ec129c29e414d3b969d08989048_JaffaCakes118.exe File created C:\Windows\SysWOW64\wpfmmevmeqcdd.exe 3b631ec129c29e414d3b969d08989048_JaffaCakes118.exe File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe iluvrpgj.exe File created C:\Windows\SysWOW64\iluvrpgj.exe 3b631ec129c29e414d3b969d08989048_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\iluvrpgj.exe 3b631ec129c29e414d3b969d08989048_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll gxoqbmyevv.exe File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe iluvrpgj.exe File created C:\Windows\SysWOW64\hrxqmkflfbilbeo.exe 3b631ec129c29e414d3b969d08989048_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\wpfmmevmeqcdd.exe 3b631ec129c29e414d3b969d08989048_JaffaCakes118.exe File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe iluvrpgj.exe -
Drops file in Program Files directory 15 IoCs
description ioc Process File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe iluvrpgj.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe iluvrpgj.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal iluvrpgj.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe iluvrpgj.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe iluvrpgj.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe iluvrpgj.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal iluvrpgj.exe File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe iluvrpgj.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe iluvrpgj.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal iluvrpgj.exe File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe iluvrpgj.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe iluvrpgj.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe iluvrpgj.exe File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe iluvrpgj.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal iluvrpgj.exe -
Drops file in Windows directory 19 IoCs
description ioc Process File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe iluvrpgj.exe File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe iluvrpgj.exe File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe iluvrpgj.exe File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe iluvrpgj.exe File opened for modification C:\Windows\mydoc.rtf 3b631ec129c29e414d3b969d08989048_JaffaCakes118.exe File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe iluvrpgj.exe File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe iluvrpgj.exe File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe iluvrpgj.exe File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe iluvrpgj.exe File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe iluvrpgj.exe File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe iluvrpgj.exe File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe iluvrpgj.exe File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe iluvrpgj.exe File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe iluvrpgj.exe File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe iluvrpgj.exe File created C:\Windows\~$mydoc.rtf WINWORD.EXE File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe iluvrpgj.exe File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe iluvrpgj.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Modifies registry class 20 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC2B15F4492389D52CCB9D23292D7CC" 3b631ec129c29e414d3b969d08989048_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8FFCFE4826851C9135D75B7E93BDE0E137584667446343D790" 3b631ec129c29e414d3b969d08989048_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc gxoqbmyevv.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F16BC2FF1C22D0D273D1D18A7E9010" 3b631ec129c29e414d3b969d08989048_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184CC70815E3DBB2B9CD7F97ED9137BC" 3b631ec129c29e414d3b969d08989048_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" gxoqbmyevv.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" gxoqbmyevv.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" gxoqbmyevv.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" gxoqbmyevv.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33442D0B9C2682276A3E76DD772F2CDB7CF165DF" 3b631ec129c29e414d3b969d08989048_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" gxoqbmyevv.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs gxoqbmyevv.exe Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings 3b631ec129c29e414d3b969d08989048_JaffaCakes118.exe Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes 3b631ec129c29e414d3b969d08989048_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABDF9CDFE65F298837D3B4A869D39E4B089028F4361034CE1CC429E08A5" 3b631ec129c29e414d3b969d08989048_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat gxoqbmyevv.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh gxoqbmyevv.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" gxoqbmyevv.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf gxoqbmyevv.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg gxoqbmyevv.exe -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 2776 WINWORD.EXE 2776 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 796 3b631ec129c29e414d3b969d08989048_JaffaCakes118.exe 796 3b631ec129c29e414d3b969d08989048_JaffaCakes118.exe 796 3b631ec129c29e414d3b969d08989048_JaffaCakes118.exe 796 3b631ec129c29e414d3b969d08989048_JaffaCakes118.exe 796 3b631ec129c29e414d3b969d08989048_JaffaCakes118.exe 796 3b631ec129c29e414d3b969d08989048_JaffaCakes118.exe 796 3b631ec129c29e414d3b969d08989048_JaffaCakes118.exe 796 3b631ec129c29e414d3b969d08989048_JaffaCakes118.exe 796 3b631ec129c29e414d3b969d08989048_JaffaCakes118.exe 796 3b631ec129c29e414d3b969d08989048_JaffaCakes118.exe 796 3b631ec129c29e414d3b969d08989048_JaffaCakes118.exe 796 3b631ec129c29e414d3b969d08989048_JaffaCakes118.exe 796 3b631ec129c29e414d3b969d08989048_JaffaCakes118.exe 796 3b631ec129c29e414d3b969d08989048_JaffaCakes118.exe 796 3b631ec129c29e414d3b969d08989048_JaffaCakes118.exe 796 3b631ec129c29e414d3b969d08989048_JaffaCakes118.exe 3864 gxoqbmyevv.exe 3864 gxoqbmyevv.exe 3864 gxoqbmyevv.exe 3864 gxoqbmyevv.exe 3864 gxoqbmyevv.exe 3864 gxoqbmyevv.exe 3864 gxoqbmyevv.exe 3864 gxoqbmyevv.exe 3864 gxoqbmyevv.exe 3864 gxoqbmyevv.exe 2832 hrxqmkflfbilbeo.exe 2832 hrxqmkflfbilbeo.exe 2832 hrxqmkflfbilbeo.exe 2832 hrxqmkflfbilbeo.exe 2832 hrxqmkflfbilbeo.exe 2832 hrxqmkflfbilbeo.exe 2832 hrxqmkflfbilbeo.exe 2832 hrxqmkflfbilbeo.exe 2832 hrxqmkflfbilbeo.exe 2832 hrxqmkflfbilbeo.exe 4736 iluvrpgj.exe 4736 iluvrpgj.exe 4736 iluvrpgj.exe 4736 iluvrpgj.exe 4736 iluvrpgj.exe 4736 iluvrpgj.exe 4736 iluvrpgj.exe 4736 iluvrpgj.exe 3760 wpfmmevmeqcdd.exe 3760 wpfmmevmeqcdd.exe 3760 wpfmmevmeqcdd.exe 3760 wpfmmevmeqcdd.exe 3760 wpfmmevmeqcdd.exe 3760 wpfmmevmeqcdd.exe 3760 wpfmmevmeqcdd.exe 3760 wpfmmevmeqcdd.exe 3760 wpfmmevmeqcdd.exe 3760 wpfmmevmeqcdd.exe 3760 wpfmmevmeqcdd.exe 3760 wpfmmevmeqcdd.exe 804 iluvrpgj.exe 804 iluvrpgj.exe 804 iluvrpgj.exe 804 iluvrpgj.exe 804 iluvrpgj.exe 804 iluvrpgj.exe 804 iluvrpgj.exe 804 iluvrpgj.exe -
Suspicious use of FindShellTrayWindow 18 IoCs
pid Process 796 3b631ec129c29e414d3b969d08989048_JaffaCakes118.exe 796 3b631ec129c29e414d3b969d08989048_JaffaCakes118.exe 796 3b631ec129c29e414d3b969d08989048_JaffaCakes118.exe 3864 gxoqbmyevv.exe 3864 gxoqbmyevv.exe 3864 gxoqbmyevv.exe 2832 hrxqmkflfbilbeo.exe 2832 hrxqmkflfbilbeo.exe 2832 hrxqmkflfbilbeo.exe 4736 iluvrpgj.exe 4736 iluvrpgj.exe 4736 iluvrpgj.exe 3760 wpfmmevmeqcdd.exe 3760 wpfmmevmeqcdd.exe 3760 wpfmmevmeqcdd.exe 804 iluvrpgj.exe 804 iluvrpgj.exe 804 iluvrpgj.exe -
Suspicious use of SendNotifyMessage 18 IoCs
pid Process 796 3b631ec129c29e414d3b969d08989048_JaffaCakes118.exe 796 3b631ec129c29e414d3b969d08989048_JaffaCakes118.exe 796 3b631ec129c29e414d3b969d08989048_JaffaCakes118.exe 3864 gxoqbmyevv.exe 3864 gxoqbmyevv.exe 3864 gxoqbmyevv.exe 2832 hrxqmkflfbilbeo.exe 2832 hrxqmkflfbilbeo.exe 2832 hrxqmkflfbilbeo.exe 4736 iluvrpgj.exe 4736 iluvrpgj.exe 4736 iluvrpgj.exe 3760 wpfmmevmeqcdd.exe 3760 wpfmmevmeqcdd.exe 3760 wpfmmevmeqcdd.exe 804 iluvrpgj.exe 804 iluvrpgj.exe 804 iluvrpgj.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process 2776 WINWORD.EXE 2776 WINWORD.EXE 2776 WINWORD.EXE 2776 WINWORD.EXE 2776 WINWORD.EXE 2776 WINWORD.EXE 2776 WINWORD.EXE -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target PID 796 wrote to memory of 3864 796 3b631ec129c29e414d3b969d08989048_JaffaCakes118.exe 81 PID 796 wrote to memory of 3864 796 3b631ec129c29e414d3b969d08989048_JaffaCakes118.exe 81 PID 796 wrote to memory of 3864 796 3b631ec129c29e414d3b969d08989048_JaffaCakes118.exe 81 PID 796 wrote to memory of 2832 796 3b631ec129c29e414d3b969d08989048_JaffaCakes118.exe 82 PID 796 wrote to memory of 2832 796 3b631ec129c29e414d3b969d08989048_JaffaCakes118.exe 82 PID 796 wrote to memory of 2832 796 3b631ec129c29e414d3b969d08989048_JaffaCakes118.exe 82 PID 796 wrote to memory of 4736 796 3b631ec129c29e414d3b969d08989048_JaffaCakes118.exe 83 PID 796 wrote to memory of 4736 796 3b631ec129c29e414d3b969d08989048_JaffaCakes118.exe 83 PID 796 wrote to memory of 4736 796 3b631ec129c29e414d3b969d08989048_JaffaCakes118.exe 83 PID 796 wrote to memory of 3760 796 3b631ec129c29e414d3b969d08989048_JaffaCakes118.exe 84 PID 796 wrote to memory of 3760 796 3b631ec129c29e414d3b969d08989048_JaffaCakes118.exe 84 PID 796 wrote to memory of 3760 796 3b631ec129c29e414d3b969d08989048_JaffaCakes118.exe 84 PID 796 wrote to memory of 2776 796 3b631ec129c29e414d3b969d08989048_JaffaCakes118.exe 85 PID 796 wrote to memory of 2776 796 3b631ec129c29e414d3b969d08989048_JaffaCakes118.exe 85 PID 3864 wrote to memory of 804 3864 gxoqbmyevv.exe 86 PID 3864 wrote to memory of 804 3864 gxoqbmyevv.exe 86 PID 3864 wrote to memory of 804 3864 gxoqbmyevv.exe 86
Processes
-
C:\Users\Admin\AppData\Local\Temp\3b631ec129c29e414d3b969d08989048_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\3b631ec129c29e414d3b969d08989048_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:796 -
C:\Windows\SysWOW64\gxoqbmyevv.exegxoqbmyevv.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3864 -
C:\Windows\SysWOW64\iluvrpgj.exeC:\Windows\system32\iluvrpgj.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:804
-
-
-
C:\Windows\SysWOW64\hrxqmkflfbilbeo.exehrxqmkflfbilbeo.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2832
-
-
C:\Windows\SysWOW64\iluvrpgj.exeiluvrpgj.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4736
-
-
C:\Windows\SysWOW64\wpfmmevmeqcdd.exewpfmmevmeqcdd.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3760
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""2⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2776
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
2Disable or Modify Tools
2Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
512KB
MD5f64d03b3a6bdc6f7d8b1590f343f49b0
SHA10a84ec915faf2e1a6c48148a09b7808bf02d038c
SHA25604bc818eb86f370b2c6d007167d5774fab3a7f08ef04dcf651820fd5cd496aa6
SHA5129659fc4dacef88ee035ee04bd3a9b47d3636b2ea6a060edb2adb03577520055972f2c9c62c175515ff90af0051eefc3bc9251ce3dbc1da34d749c853b6c947ea
-
Filesize
263KB
MD5ff0e07eff1333cdf9fc2523d323dd654
SHA177a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA2563f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d
-
Filesize
512KB
MD5f70726d3804cd4156ed577fe3511fc7f
SHA19399acf9fa1de151f9ea5536eb23eb4057cf3df6
SHA2562f9db3107fa48b62a086f546630ee318efdfbb7c0e525e9d33c2cb58aba67cb4
SHA512f10cdf04004a9aa5b04389fc2d98224f999b50cd1045ed80e04be429b084dd27d23bf5582cc5d1c042fcbdb79ba2c7783ba235c5f7fcee6474ac711c981ae5e2
-
Filesize
239B
MD512b138a5a40ffb88d1850866bf2959cd
SHA157001ba2de61329118440de3e9f8a81074cb28a2
SHA2569def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA5129f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize3KB
MD5aa5f24ccad0e7700674bf614eb6431c7
SHA10bbef83c69419a6d724cbefc6b0cd95b4caab947
SHA2560d1f7a05fe093faac8acaf96d9b9e4bdc9a415316f5f0d9a888fd7e5dbce3dc6
SHA5127da6f6be2c2f3303e6f34e7bbc84bb1f29da867029b3855992eb7c0d576817a465fe273e5f90e281d15d0dc67472ca61f75af495f165f366d8180ce36f476e91
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize3KB
MD57a2da2c332e8f930827e87892850a1a7
SHA1571c170fdf1edd8fe2a9d5de83a498c339d67e2f
SHA2562b3e992022b1e51af7951653f5347ae2f9c8a2d924fce242f07e58769cfa570b
SHA51226096fe01c95779e35bcb992e0176ebb2f58aa085f19498ab2f6cf58ea0428aa37b2cd34f9da15b728d8226e99732b572b60c6baab847ed7c26e23257b5ee0ed
-
Filesize
512KB
MD5503a50b54e17255932243ed9688d90a9
SHA1aa9d71ff2fc84e2ba8750e98aeec8e0c57064242
SHA25693ae46edebc2a7d95018e2ccaae0e1dd6bbabdc0350b4382fe3f9d588c44ca1b
SHA5124d17ece90ca3b0b418d77d105a4347b179a5472fd4097a10b5c9812d3be9baf9a14f22276fdeda473755fe8f27c75ea0716b7c704d8bc8b9f7c712a24cecdc17
-
Filesize
512KB
MD5c7120339eeec0cf7f1f4674aabf496c3
SHA1be62f806cb8c50c0b46670082a8020e74e34bfb6
SHA2560988956d1547ba851c4e402cb23c6ccc9debb3ca1ec05dca5b86f34d332e6d08
SHA5128d37513d4f6e143012ac81d8e0ce54840b9a9cc542927e2b31e8369bfe15f155faf40c14b6bd16de9ba89cef1963050803b5f4e2a3e060d46b9f4c2a5ccdeaf6
-
Filesize
512KB
MD527a7e56d43265e4442ddd81ebf453d99
SHA13a06e3d18fd114f60f47ed4e1e85379b5a79a294
SHA2563f5598e8e2308f27e378723ff7407e5893c2308b5929752a8c48ea35fa71ef8f
SHA512ef14a2404815f345a66f1a27ffc5fccfb5daf709c1d74fac5cb4249e25926e76fbd27a3b1dd08f5f3be74768fe8beb66521562aa7bd418b08eaf1967f98e0a8a
-
Filesize
512KB
MD59d9a179be7859a64a78de9e7c73a15c5
SHA1c2fa5e5ddfaaddbbdd9b58d21d82502a8dd3caf8
SHA2563c650a69b61990b875dcfbb554b04d0d516558ce0bd9b1cc54e6837aa3772fa3
SHA5128ce2cd30db77d4892371d9723dd767b367618cc2b7340722d9887458d15e2e0f5e4a781baf877f7a8370bccb06106bc152f18e257124f561921dd1367a92a691
-
Filesize
512KB
MD5fa5e3c182c4e7812c43bddcc3a0de84b
SHA1c66ef6360495eeccef81a60b9c56a1df441e6771
SHA2569cb8c55bc3fe568f5b9207802448871c820481f845607deab57e61dd6fc4ccb4
SHA512a899ccdeffcb53a4fcdd66c29e6db9f473f94e5c948db19259bf44ccbdb5b3b559323db04f2c27f91e83d24d22d1f80ab0963149993c70d6100bf90fd84419e2
-
Filesize
223B
MD506604e5941c126e2e7be02c5cd9f62ec
SHA14eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA25685f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
Filesize
512KB
MD59f6f7a0760f1d7055eb95d1436066042
SHA13056ceba46b1b4272d65b6b7166ad3c07a079341
SHA256168b152faf27d14d60b21c85c254d3c852a3de23119bbc2b6db6cc8f33425cae
SHA5127a34461989d7b4e00498eee900aa2fcc968ed47b18380f194bb7af3eacf2ff7592eb909f6a0b917e5f53443d1f4ed856e810e6224b4b8592e1665d1eb8ba31e8
-
Filesize
512KB
MD5fa58a9003d6278e60962b30cec4b4a7d
SHA1537b6fdb91e5e9bf40cbe53c7a2debe05c6706a3
SHA2563ad894b98da53b89468845b0bec6711f69d4ff0b7c19b030c7858199baf72de0
SHA51259008a3779f4d035df6c88cd31cffab3722d5f3c6e459a874aabbe802dd6dcc85c2fd637d5dc608e51cfbde3212a3e5b08e781c4417236eab8885d8dba477838
-
Filesize
512KB
MD5cc517307144df5a4cd3c5c6905b69b45
SHA10f1255d7c34ec9fa67b91d768de3f3034541def6
SHA2566d65ff7a2aecb92c9090804d3dfd0de3b6819e9fe0f104bd69321f12aa3d23d3
SHA512ec3bbdf9a9aa9eb3b36e9c25db0f6a4009a6c07b61024fd04f9eff311f5b30793ef4e959fd254a042272b190081bf33d3e99e9790cf281f01aad94e26f904456