Analysis
max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/05/2024, 22:17
Static task: static1
Behavioral task: behavioral1
  Sample: 3ccb241fe344b7f7ecc2fd25e07db918_JaffaCakes118.exe
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: 3ccb241fe344b7f7ecc2fd25e07db918_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 3ccb241fe344b7f7ecc2fd25e07db918_JaffaCakes118.exe
Size: 512KB
MD5: 3ccb241fe344b7f7ecc2fd25e07db918
SHA1: 4c87c77bfac097e4ee10036fd265591540bfd426
SHA256: 296584ae480347959f258282a6ab5f81f7e9e90d5e29caa59f58f405b488f3db
SHA512: 7eb6243f9a2e0b09b16b16c124ab43ef8f551e8a5721eb346c4380d46a4ea9c6382fbe53e2567691b72de42dfc1e996245218d7a6519a4a2111031661c946664
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6s:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm53
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | xxlrrhjzgw.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | xxlrrhjzgw.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | xxlrrhjzgw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | xxlrrhjzgw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | xxlrrhjzgw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | xxlrrhjzgw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | xxlrrhjzgw.exe
Disables RegEdit via registry modification (1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | xxlrrhjzgw.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | 3ccb241fe344b7f7ecc2fd25e07db918_JaffaCakes118.exe
Executes dropped EXE (5 IoCs)
pid | Process
1208 | xxlrrhjzgw.exe
216 | liidfwrtscnopap.exe
4512 | bvzctluq.exe
656 | njblmlexslbev.exe
5040 | bvzctluq.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | xxlrrhjzgw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | xxlrrhjzgw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | xxlrrhjzgw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | xxlrrhjzgw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | xxlrrhjzgw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | xxlrrhjzgw.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uulxccjq = "xxlrrhjzgw.exe" | liidfwrtscnopap.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mebyfmfu = "liidfwrtscnopap.exe" | liidfwrtscnopap.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "njblmlexslbev.exe" | liidfwrtscnopap.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\q: | xxlrrhjzgw.exe
File opened (read-only) | \??\z: | bvzctluq.exe
File opened (read-only) | \??\h: | bvzctluq.exe
File opened (read-only) | \??\p: | bvzctluq.exe
File opened (read-only) | \??\v: | bvzctluq.exe
File opened (read-only) | \??\h: | xxlrrhjzgw.exe
File opened (read-only) | \??\o: | bvzctluq.exe
File opened (read-only) | \??\p: | xxlrrhjzgw.exe
File opened (read-only) | \??\x: | xxlrrhjzgw.exe
File opened (read-only) | \??\m: | bvzctluq.exe
File opened (read-only) | \??\k: | bvzctluq.exe
File opened (read-only) | \??\b: | xxlrrhjzgw.exe
File opened (read-only) | \??\k: | xxlrrhjzgw.exe
File opened (read-only) | \??\m: | xxlrrhjzgw.exe
File opened (read-only) | \??\l: | bvzctluq.exe
File opened (read-only) | \??\z: | xxlrrhjzgw.exe
File opened (read-only) | \??\y: | bvzctluq.exe
File opened (read-only) | \??\i: | xxlrrhjzgw.exe
File opened (read-only) | \??\q: | bvzctluq.exe
File opened (read-only) | \??\w: | bvzctluq.exe
File opened (read-only) | \??\a: | xxlrrhjzgw.exe
File opened (read-only) | \??\n: | xxlrrhjzgw.exe
File opened (read-only) | \??\l: | bvzctluq.exe
File opened (read-only) | \??\g: | bvzctluq.exe
File opened (read-only) | \??\s: | bvzctluq.exe
File opened (read-only) | \??\w: | xxlrrhjzgw.exe
File opened (read-only) | \??\n: | bvzctluq.exe
File opened (read-only) | \??\o: | xxlrrhjzgw.exe
File opened (read-only) | \??\r: | xxlrrhjzgw.exe
File opened (read-only) | \??\s: | xxlrrhjzgw.exe
File opened (read-only) | \??\t: | xxlrrhjzgw.exe
File opened (read-only) | \??\h: | bvzctluq.exe
File opened (read-only) | \??\u: | bvzctluq.exe
File opened (read-only) | \??\e: | xxlrrhjzgw.exe
File opened (read-only) | \??\j: | xxlrrhjzgw.exe
File opened (read-only) | \??\b: | bvzctluq.exe
File opened (read-only) | \??\n: | bvzctluq.exe
File opened (read-only) | \??\z: | bvzctluq.exe
File opened (read-only) | \??\p: | bvzctluq.exe
File opened (read-only) | \??\s: | bvzctluq.exe
File opened (read-only) | \??\j: | bvzctluq.exe
File opened (read-only) | \??\m: | bvzctluq.exe
File opened (read-only) | \??\u: | xxlrrhjzgw.exe
File opened (read-only) | \??\v: | xxlrrhjzgw.exe
File opened (read-only) | \??\j: | bvzctluq.exe
File opened (read-only) | \??\k: | bvzctluq.exe
File opened (read-only) | \??\v: | bvzctluq.exe
File opened (read-only) | \??\a: | bvzctluq.exe
File opened (read-only) | \??\q: | bvzctluq.exe
File opened (read-only) | \??\x: | bvzctluq.exe
File opened (read-only) | \??\a: | bvzctluq.exe
File opened (read-only) | \??\x: | bvzctluq.exe
File opened (read-only) | \??\y: | bvzctluq.exe
File opened (read-only) | \??\i: | bvzctluq.exe
File opened (read-only) | \??\r: | bvzctluq.exe
File opened (read-only) | \??\e: | bvzctluq.exe
File opened (read-only) | \??\w: | bvzctluq.exe
File opened (read-only) | \??\e: | bvzctluq.exe
File opened (read-only) | \??\g: | bvzctluq.exe
File opened (read-only) | \??\o: | bvzctluq.exe
File opened (read-only) | \??\t: | bvzctluq.exe
File opened (read-only) | \??\b: | bvzctluq.exe
File opened (read-only) | \??\g: | xxlrrhjzgw.exe
File opened (read-only) | \??\y: | xxlrrhjzgw.exe
Modifies WinLogon (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | xxlrrhjzgw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | xxlrrhjzgw.exe
AutoIT Executable (11 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/2992-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x0008000000023404-5.dat | autoit_exe
behavioral2/files/0x000700000002328e-18.dat | autoit_exe
behavioral2/files/0x0007000000023405-26.dat | autoit_exe
behavioral2/files/0x0007000000023406-32.dat | autoit_exe
behavioral2/files/0x0003000000022954-66.dat | autoit_exe
behavioral2/files/0x00020000000229c8-69.dat | autoit_exe
behavioral2/files/0x0004000000023285-79.dat | autoit_exe
behavioral2/files/0x0008000000023390-97.dat | autoit_exe
behavioral2/files/0x0008000000023390-513.dat | autoit_exe
behavioral2/files/0x0008000000023390-518.dat | autoit_exe
Drops file in System32 directory (12 IoCs)
description | ioc | Process
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | bvzctluq.exe
File opened for modification | C:\Windows\SysWOW64\liidfwrtscnopap.exe | 3ccb241fe344b7f7ecc2fd25e07db918_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\bvzctluq.exe | 3ccb241fe344b7f7ecc2fd25e07db918_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\njblmlexslbev.exe | 3ccb241fe344b7f7ecc2fd25e07db918_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\njblmlexslbev.exe | 3ccb241fe344b7f7ecc2fd25e07db918_JaffaCakes118.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | bvzctluq.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | bvzctluq.exe
File created | C:\Windows\SysWOW64\xxlrrhjzgw.exe | 3ccb241fe344b7f7ecc2fd25e07db918_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\xxlrrhjzgw.exe | 3ccb241fe344b7f7ecc2fd25e07db918_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\liidfwrtscnopap.exe | 3ccb241fe344b7f7ecc2fd25e07db918_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\bvzctluq.exe | 3ccb241fe344b7f7ecc2fd25e07db918_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | xxlrrhjzgw.exe
Drops file in Program Files directory (14 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | bvzctluq.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | bvzctluq.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | bvzctluq.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | bvzctluq.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | bvzctluq.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | bvzctluq.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | bvzctluq.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | bvzctluq.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | bvzctluq.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | bvzctluq.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | bvzctluq.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | bvzctluq.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | bvzctluq.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | bvzctluq.exe
Drops file in Windows directory (19 IoCs)
description | ioc | Process
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | bvzctluq.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | bvzctluq.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | bvzctluq.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | bvzctluq.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | bvzctluq.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | bvzctluq.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | bvzctluq.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | bvzctluq.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | bvzctluq.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | bvzctluq.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | bvzctluq.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | bvzctluq.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | bvzctluq.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | bvzctluq.exe
File opened for modification | C:\Windows\mydoc.rtf | 3ccb241fe344b7f7ecc2fd25e07db918_JaffaCakes118.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | bvzctluq.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | bvzctluq.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class (20 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AB9FABDF964F1E2830F3A4681993E95B38C028C43660349E2CE429A09D1" | 3ccb241fe344b7f7ecc2fd25e07db918_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB2B02C44E4399A52CABAA533E9D4BC" | 3ccb241fe344b7f7ecc2fd25e07db918_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | xxlrrhjzgw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | xxlrrhjzgw.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | xxlrrhjzgw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | xxlrrhjzgw.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | xxlrrhjzgw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | xxlrrhjzgw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32322D0B9C2582226D3E76A770552DAD7DF265DE" | 3ccb241fe344b7f7ecc2fd25e07db918_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFFFF8D485D851D9135D72B7D90BCE5E631594B67456344D6E9" | 3ccb241fe344b7f7ecc2fd25e07db918_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184DC67415E0DBB2B8B97CE9EDE337CC" | 3ccb241fe344b7f7ecc2fd25e07db918_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | xxlrrhjzgw.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | xxlrrhjzgw.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | xxlrrhjzgw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | xxlrrhjzgw.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 3ccb241fe344b7f7ecc2fd25e07db918_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F468B0FE6822D0D273D0D48A08906B" | 3ccb241fe344b7f7ecc2fd25e07db918_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | 3ccb241fe344b7f7ecc2fd25e07db918_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | xxlrrhjzgw.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | xxlrrhjzgw.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid | Process
4912 | WINWORD.EXE
4912 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
2992 | 3ccb241fe344b7f7ecc2fd25e07db918_JaffaCakes118.exe
2992 | 3ccb241fe344b7f7ecc2fd25e07db918_JaffaCakes118.exe
2992 | 3ccb241fe344b7f7ecc2fd25e07db918_JaffaCakes118.exe
2992 | 3ccb241fe344b7f7ecc2fd25e07db918_JaffaCakes118.exe
2992 | 3ccb241fe344b7f7ecc2fd25e07db918_JaffaCakes118.exe
2992 | 3ccb241fe344b7f7ecc2fd25e07db918_JaffaCakes118.exe
2992 | 3ccb241fe344b7f7ecc2fd25e07db918_JaffaCakes118.exe
2992 | 3ccb241fe344b7f7ecc2fd25e07db918_JaffaCakes118.exe
2992 | 3ccb241fe344b7f7ecc2fd25e07db918_JaffaCakes118.exe
2992 | 3ccb241fe344b7f7ecc2fd25e07db918_JaffaCakes118.exe
2992 | 3ccb241fe344b7f7ecc2fd25e07db918_JaffaCakes118.exe
2992 | 3ccb241fe344b7f7ecc2fd25e07db918_JaffaCakes118.exe
2992 | 3ccb241fe344b7f7ecc2fd25e07db918_JaffaCakes118.exe
2992 | 3ccb241fe344b7f7ecc2fd25e07db918_JaffaCakes118.exe
2992 | 3ccb241fe344b7f7ecc2fd25e07db918_JaffaCakes118.exe
2992 | 3ccb241fe344b7f7ecc2fd25e07db918_JaffaCakes118.exe
1208 | xxlrrhjzgw.exe
1208 | xxlrrhjzgw.exe
1208 | xxlrrhjzgw.exe
1208 | xxlrrhjzgw.exe
1208 | xxlrrhjzgw.exe
1208 | xxlrrhjzgw.exe
1208 | xxlrrhjzgw.exe
1208 | xxlrrhjzgw.exe
1208 | xxlrrhjzgw.exe
1208 | xxlrrhjzgw.exe
216 | liidfwrtscnopap.exe
216 | liidfwrtscnopap.exe
216 | liidfwrtscnopap.exe
216 | liidfwrtscnopap.exe
216 | liidfwrtscnopap.exe
216 | liidfwrtscnopap.exe
216 | liidfwrtscnopap.exe
216 | liidfwrtscnopap.exe
216 | liidfwrtscnopap.exe
216 | liidfwrtscnopap.exe
4512 | bvzctluq.exe
4512 | bvzctluq.exe
4512 | bvzctluq.exe
4512 | bvzctluq.exe
4512 | bvzctluq.exe
4512 | bvzctluq.exe
4512 | bvzctluq.exe
4512 | bvzctluq.exe
656 | njblmlexslbev.exe
656 | njblmlexslbev.exe
656 | njblmlexslbev.exe
656 | njblmlexslbev.exe
656 | njblmlexslbev.exe
656 | njblmlexslbev.exe
656 | njblmlexslbev.exe
656 | njblmlexslbev.exe
656 | njblmlexslbev.exe
656 | njblmlexslbev.exe
656 | njblmlexslbev.exe
656 | njblmlexslbev.exe
216 | liidfwrtscnopap.exe
216 | liidfwrtscnopap.exe
656 | njblmlexslbev.exe
656 | njblmlexslbev.exe
656 | njblmlexslbev.exe
656 | njblmlexslbev.exe
5040 | bvzctluq.exe
5040 | bvzctluq.exe
Suspicious use of FindShellTrayWindow (18 IoCs)
pid | Process
2992 | 3ccb241fe344b7f7ecc2fd25e07db918_JaffaCakes118.exe
2992 | 3ccb241fe344b7f7ecc2fd25e07db918_JaffaCakes118.exe
2992 | 3ccb241fe344b7f7ecc2fd25e07db918_JaffaCakes118.exe
1208 | xxlrrhjzgw.exe
1208 | xxlrrhjzgw.exe
1208 | xxlrrhjzgw.exe
216 | liidfwrtscnopap.exe
216 | liidfwrtscnopap.exe
216 | liidfwrtscnopap.exe
4512 | bvzctluq.exe
4512 | bvzctluq.exe
4512 | bvzctluq.exe
656 | njblmlexslbev.exe
656 | njblmlexslbev.exe
656 | njblmlexslbev.exe
5040 | bvzctluq.exe
5040 | bvzctluq.exe
5040 | bvzctluq.exe
Suspicious use of SendNotifyMessage (18 IoCs)
pid | Process
2992 | 3ccb241fe344b7f7ecc2fd25e07db918_JaffaCakes118.exe
2992 | 3ccb241fe344b7f7ecc2fd25e07db918_JaffaCakes118.exe
2992 | 3ccb241fe344b7f7ecc2fd25e07db918_JaffaCakes118.exe
1208 | xxlrrhjzgw.exe
1208 | xxlrrhjzgw.exe
1208 | xxlrrhjzgw.exe
216 | liidfwrtscnopap.exe
216 | liidfwrtscnopap.exe
216 | liidfwrtscnopap.exe
4512 | bvzctluq.exe
4512 | bvzctluq.exe
4512 | bvzctluq.exe
656 | njblmlexslbev.exe
656 | njblmlexslbev.exe
656 | njblmlexslbev.exe
5040 | bvzctluq.exe
5040 | bvzctluq.exe
5040 | bvzctluq.exe
Suspicious use of SetWindowsHookEx (7 IoCs)
pid | Process
4912 | WINWORD.EXE
4912 | WINWORD.EXE
4912 | WINWORD.EXE
4912 | WINWORD.EXE
4912 | WINWORD.EXE
4912 | WINWORD.EXE
4912 | WINWORD.EXE
Suspicious use of WriteProcessMemory (17 IoCs)
description | pid | Process | procid_target
PID 2992 wrote to memory of 1208 | 2992 | 3ccb241fe344b7f7ecc2fd25e07db918_JaffaCakes118.exe | 82
PID 2992 wrote to memory of 1208 | 2992 | 3ccb241fe344b7f7ecc2fd25e07db918_JaffaCakes118.exe | 82
PID 2992 wrote to memory of 1208 | 2992 | 3ccb241fe344b7f7ecc2fd25e07db918_JaffaCakes118.exe | 82
PID 2992 wrote to memory of 216 | 2992 | 3ccb241fe344b7f7ecc2fd25e07db918_JaffaCakes118.exe | 83
PID 2992 wrote to memory of 216 | 2992 | 3ccb241fe344b7f7ecc2fd25e07db918_JaffaCakes118.exe | 83
PID 2992 wrote to memory of 216 | 2992 | 3ccb241fe344b7f7ecc2fd25e07db918_JaffaCakes118.exe | 83
PID 2992 wrote to memory of 4512 | 2992 | 3ccb241fe344b7f7ecc2fd25e07db918_JaffaCakes118.exe | 84
PID 2992 wrote to memory of 4512 | 2992 | 3ccb241fe344b7f7ecc2fd25e07db918_JaffaCakes118.exe | 84
PID 2992 wrote to memory of 4512 | 2992 | 3ccb241fe344b7f7ecc2fd25e07db918_JaffaCakes118.exe | 84
PID 2992 wrote to memory of 656 | 2992 | 3ccb241fe344b7f7ecc2fd25e07db918_JaffaCakes118.exe | 85
PID 2992 wrote to memory of 656 | 2992 | 3ccb241fe344b7f7ecc2fd25e07db918_JaffaCakes118.exe | 85
PID 2992 wrote to memory of 656 | 2992 | 3ccb241fe344b7f7ecc2fd25e07db918_JaffaCakes118.exe | 85
PID 2992 wrote to memory of 4912 | 2992 | 3ccb241fe344b7f7ecc2fd25e07db918_JaffaCakes118.exe | 86
PID 2992 wrote to memory of 4912 | 2992 | 3ccb241fe344b7f7ecc2fd25e07db918_JaffaCakes118.exe | 86
PID 1208 wrote to memory of 5040 | 1208 | xxlrrhjzgw.exe | 88
PID 1208 wrote to memory of 5040 | 1208 | xxlrrhjzgw.exe | 88
PID 1208 wrote to memory of 5040 | 1208 | xxlrrhjzgw.exe | 88
Processes
- C:\Users\Admin\AppData\Local\Temp\3ccb241fe344b7f7ecc2fd25e07db918_JaffaCakes118.exe (PID 2992, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3ccb241fe344b7f7ecc2fd25e07db918_JaffaCakes118.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\xxlrrhjzgw.exe (PID 1208, depth 2)
    Command line: xxlrrhjzgw.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\bvzctluq.exe (PID 5040, depth 3)
      Command line: C:\Windows\system32\bvzctluq.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\liidfwrtscnopap.exe (PID 216, depth 2)
    Command line: liidfwrtscnopap.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\bvzctluq.exe (PID 4512, depth 2)
    Command line: bvzctluq.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\njblmlexslbev.exe (PID 656, depth 2)
    Command line: njblmlexslbev.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 4912, depth 2)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads