Analysis
-
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
submitted: 13-05-2024 23:36
Static task: static1
Behavioral task: behavioral1
Sample: 3d0a8983d1c76b9ac2c80e058138b16b_JaffaCakes118.exe
Resource: win7-20240215-en
Behavioral task: behavioral2
Sample: 3d0a8983d1c76b9ac2c80e058138b16b_JaffaCakes118.exe
Resource: win10v2004-20240508-en
General
-
Target: 3d0a8983d1c76b9ac2c80e058138b16b_JaffaCakes118.exe
Size: 512KB
MD5: 3d0a8983d1c76b9ac2c80e058138b16b
SHA1: a4a38c96475bd49cb078c041011ccec3296915f6
SHA256: e6bd8ad2ab36739fd045c556548d7af136e419669c8a2a9872a6c286ed30ac82
SHA512: 63330948e15c5c33c3761551515eb291aa709939b777fd531bfd6ff530832c2402d1270ab509b8a45a20878ef7646db55ed0fdc28a4bdba6d8d911d7987df65f
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6e:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5N
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | qwtwrbrrud.exe
-
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | qwtwrbrrud.exe
-
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | qwtwrbrrud.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | qwtwrbrrud.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | qwtwrbrrud.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | qwtwrbrrud.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | qwtwrbrrud.exe
-
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | qwtwrbrrud.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | 3d0a8983d1c76b9ac2c80e058138b16b_JaffaCakes118.exe
-
Executes dropped EXE 5 IoCs
pid | Process
4820 | qwtwrbrrud.exe
4312 | euyacrrhuzufljb.exe
2616 | cnynvzvu.exe
4372 | ixeimxnewumia.exe
1156 | cnynvzvu.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | qwtwrbrrud.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | qwtwrbrrud.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | qwtwrbrrud.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | qwtwrbrrud.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | qwtwrbrrud.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | qwtwrbrrud.exe
-
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\bsqkdqyn = "qwtwrbrrud.exe" | euyacrrhuzufljb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vlseztro = "euyacrrhuzufljb.exe" | euyacrrhuzufljb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "ixeimxnewumia.exe" | euyacrrhuzufljb.exe
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\k: | qwtwrbrrud.exe
File opened (read-only) | \??\m: | qwtwrbrrud.exe
File opened (read-only) | \??\g: | cnynvzvu.exe
File opened (read-only) | \??\z: | qwtwrbrrud.exe
File opened (read-only) | \??\b: | cnynvzvu.exe
File opened (read-only) | \??\a: | cnynvzvu.exe
File opened (read-only) | \??\l: | cnynvzvu.exe
File opened (read-only) | \??\n: | cnynvzvu.exe
File opened (read-only) | \??\x: | cnynvzvu.exe
File opened (read-only) | \??\v: | qwtwrbrrud.exe
File opened (read-only) | \??\h: | cnynvzvu.exe
File opened (read-only) | \??\a: | qwtwrbrrud.exe
File opened (read-only) | \??\a: | cnynvzvu.exe
File opened (read-only) | \??\x: | cnynvzvu.exe
File opened (read-only) | \??\s: | cnynvzvu.exe
File opened (read-only) | \??\r: | cnynvzvu.exe
File opened (read-only) | \??\n: | qwtwrbrrud.exe
File opened (read-only) | \??\o: | qwtwrbrrud.exe
File opened (read-only) | \??\w: | qwtwrbrrud.exe
File opened (read-only) | \??\h: | cnynvzvu.exe
File opened (read-only) | \??\g: | cnynvzvu.exe
File opened (read-only) | \??\o: | cnynvzvu.exe
File opened (read-only) | \??\z: | cnynvzvu.exe
File opened (read-only) | \??\w: | cnynvzvu.exe
File opened (read-only) | \??\t: | qwtwrbrrud.exe
File opened (read-only) | \??\n: | cnynvzvu.exe
File opened (read-only) | \??\q: | cnynvzvu.exe
File opened (read-only) | \??\b: | qwtwrbrrud.exe
File opened (read-only) | \??\g: | qwtwrbrrud.exe
File opened (read-only) | \??\h: | qwtwrbrrud.exe
File opened (read-only) | \??\j: | qwtwrbrrud.exe
File opened (read-only) | \??\p: | qwtwrbrrud.exe
File opened (read-only) | \??\v: | cnynvzvu.exe
File opened (read-only) | \??\e: | cnynvzvu.exe
File opened (read-only) | \??\i: | cnynvzvu.exe
File opened (read-only) | \??\u: | cnynvzvu.exe
File opened (read-only) | \??\q: | qwtwrbrrud.exe
File opened (read-only) | \??\r: | qwtwrbrrud.exe
File opened (read-only) | \??\e: | qwtwrbrrud.exe
File opened (read-only) | \??\l: | qwtwrbrrud.exe
File opened (read-only) | \??\w: | cnynvzvu.exe
File opened (read-only) | \??\i: | cnynvzvu.exe
File opened (read-only) | \??\m: | cnynvzvu.exe
File opened (read-only) | \??\k: | cnynvzvu.exe
File opened (read-only) | \??\e: | cnynvzvu.exe
File opened (read-only) | \??\q: | cnynvzvu.exe
File opened (read-only) | \??\s: | qwtwrbrrud.exe
File opened (read-only) | \??\j: | cnynvzvu.exe
File opened (read-only) | \??\y: | cnynvzvu.exe
File opened (read-only) | \??\j: | cnynvzvu.exe
File opened (read-only) | \??\z: | cnynvzvu.exe
File opened (read-only) | \??\m: | cnynvzvu.exe
File opened (read-only) | \??\p: | cnynvzvu.exe
File opened (read-only) | \??\r: | cnynvzvu.exe
File opened (read-only) | \??\b: | cnynvzvu.exe
File opened (read-only) | \??\k: | cnynvzvu.exe
File opened (read-only) | \??\o: | cnynvzvu.exe
File opened (read-only) | \??\t: | cnynvzvu.exe
File opened (read-only) | \??\i: | qwtwrbrrud.exe
File opened (read-only) | \??\p: | cnynvzvu.exe
File opened (read-only) | \??\x: | qwtwrbrrud.exe
File opened (read-only) | \??\y: | qwtwrbrrud.exe
File opened (read-only) | \??\t: | cnynvzvu.exe
File opened (read-only) | \??\v: | cnynvzvu.exe
-
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | qwtwrbrrud.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | qwtwrbrrud.exe
-
AutoIT Executable 9 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/1580-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x000800000002340f-5.dat | autoit_exe
behavioral2/files/0x000600000002328f-18.dat | autoit_exe
behavioral2/files/0x0007000000023413-29.dat | autoit_exe
behavioral2/files/0x0007000000023414-32.dat | autoit_exe
behavioral2/files/0x00020000000229c8-66.dat | autoit_exe
behavioral2/files/0x0008000000023405-72.dat | autoit_exe
behavioral2/files/0x0016000000023439-513.dat | autoit_exe
behavioral2/files/0x0016000000023439-572.dat | autoit_exe
-
Drops file in System32 directory 13 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\euyacrrhuzufljb.exe | 3d0a8983d1c76b9ac2c80e058138b16b_JaffaCakes118.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | cnynvzvu.exe
File opened for modification | C:\Windows\SysWOW64\ixeimxnewumia.exe | 3d0a8983d1c76b9ac2c80e058138b16b_JaffaCakes118.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | cnynvzvu.exe
File created | C:\Windows\SysWOW64\qwtwrbrrud.exe | 3d0a8983d1c76b9ac2c80e058138b16b_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\cnynvzvu.exe | 3d0a8983d1c76b9ac2c80e058138b16b_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\ixeimxnewumia.exe | 3d0a8983d1c76b9ac2c80e058138b16b_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | qwtwrbrrud.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | cnynvzvu.exe
File opened for modification | C:\Windows\SysWOW64\qwtwrbrrud.exe | 3d0a8983d1c76b9ac2c80e058138b16b_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\euyacrrhuzufljb.exe | 3d0a8983d1c76b9ac2c80e058138b16b_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\cnynvzvu.exe | 3d0a8983d1c76b9ac2c80e058138b16b_JaffaCakes118.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | cnynvzvu.exe
-
Drops file in Program Files directory 14 IoCs
description | ioc | Process
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | cnynvzvu.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | cnynvzvu.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | cnynvzvu.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | cnynvzvu.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | cnynvzvu.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | cnynvzvu.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | cnynvzvu.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | cnynvzvu.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | cnynvzvu.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | cnynvzvu.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | cnynvzvu.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | cnynvzvu.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | cnynvzvu.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | cnynvzvu.exe
-
Drops file in Windows directory 19 IoCs
description | ioc | Process
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | cnynvzvu.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | cnynvzvu.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | cnynvzvu.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | cnynvzvu.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | cnynvzvu.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | cnynvzvu.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | cnynvzvu.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | cnynvzvu.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | cnynvzvu.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | cnynvzvu.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | cnynvzvu.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | cnynvzvu.exe
File opened for modification | C:\Windows\mydoc.rtf | 3d0a8983d1c76b9ac2c80e058138b16b_JaffaCakes118.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | cnynvzvu.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | cnynvzvu.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | cnynvzvu.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | cnynvzvu.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
-
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
-
Modifies registry class 20 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACFF9B1FE64F19883083A4381993999B38A03FE4214033FE1B942EA08A8" | 3d0a8983d1c76b9ac2c80e058138b16b_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | 3d0a8983d1c76b9ac2c80e058138b16b_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | qwtwrbrrud.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | qwtwrbrrud.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32422D7F9D2D82586D3E76D277242DDC7CF464DD" | 3d0a8983d1c76b9ac2c80e058138b16b_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB1B15D44E739EC52C8B9A73393D4B8" | 3d0a8983d1c76b9ac2c80e058138b16b_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F368B6FF1C21AAD20FD1D68B099164" | 3d0a8983d1c76b9ac2c80e058138b16b_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | qwtwrbrrud.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | qwtwrbrrud.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | qwtwrbrrud.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 3d0a8983d1c76b9ac2c80e058138b16b_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193DC67D14E1DABEB9CE7FE0ECE734C6" | 3d0a8983d1c76b9ac2c80e058138b16b_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | qwtwrbrrud.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | qwtwrbrrud.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | qwtwrbrrud.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | qwtwrbrrud.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | qwtwrbrrud.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF8FC8F485C85189135D62F7DE2BD93E635584267336337D7EC" | 3d0a8983d1c76b9ac2c80e058138b16b_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | qwtwrbrrud.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | qwtwrbrrud.exe
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
372 | WINWORD.EXE
372 | WINWORD.EXE
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
1580 | 3d0a8983d1c76b9ac2c80e058138b16b_JaffaCakes118.exe
1580 | 3d0a8983d1c76b9ac2c80e058138b16b_JaffaCakes118.exe
1580 | 3d0a8983d1c76b9ac2c80e058138b16b_JaffaCakes118.exe
1580 | 3d0a8983d1c76b9ac2c80e058138b16b_JaffaCakes118.exe
1580 | 3d0a8983d1c76b9ac2c80e058138b16b_JaffaCakes118.exe
1580 | 3d0a8983d1c76b9ac2c80e058138b16b_JaffaCakes118.exe
1580 | 3d0a8983d1c76b9ac2c80e058138b16b_JaffaCakes118.exe
1580 | 3d0a8983d1c76b9ac2c80e058138b16b_JaffaCakes118.exe
1580 | 3d0a8983d1c76b9ac2c80e058138b16b_JaffaCakes118.exe
1580 | 3d0a8983d1c76b9ac2c80e058138b16b_JaffaCakes118.exe
1580 | 3d0a8983d1c76b9ac2c80e058138b16b_JaffaCakes118.exe
1580 | 3d0a8983d1c76b9ac2c80e058138b16b_JaffaCakes118.exe
1580 | 3d0a8983d1c76b9ac2c80e058138b16b_JaffaCakes118.exe
1580 | 3d0a8983d1c76b9ac2c80e058138b16b_JaffaCakes118.exe
1580 | 3d0a8983d1c76b9ac2c80e058138b16b_JaffaCakes118.exe
1580 | 3d0a8983d1c76b9ac2c80e058138b16b_JaffaCakes118.exe
4820 | qwtwrbrrud.exe
4820 | qwtwrbrrud.exe
4820 | qwtwrbrrud.exe
4820 | qwtwrbrrud.exe
4820 | qwtwrbrrud.exe
4820 | qwtwrbrrud.exe
4820 | qwtwrbrrud.exe
4820 | qwtwrbrrud.exe
4820 | qwtwrbrrud.exe
4820 | qwtwrbrrud.exe
4312 | euyacrrhuzufljb.exe
4312 | euyacrrhuzufljb.exe
4312 | euyacrrhuzufljb.exe
4312 | euyacrrhuzufljb.exe
4312 | euyacrrhuzufljb.exe
4312 | euyacrrhuzufljb.exe
4312 | euyacrrhuzufljb.exe
4312 | euyacrrhuzufljb.exe
4372 | ixeimxnewumia.exe
4372 | ixeimxnewumia.exe
4372 | ixeimxnewumia.exe
4372 | ixeimxnewumia.exe
4372 | ixeimxnewumia.exe
4372 | ixeimxnewumia.exe
4372 | ixeimxnewumia.exe
4372 | ixeimxnewumia.exe
2616 | cnynvzvu.exe
4372 | ixeimxnewumia.exe
4372 | ixeimxnewumia.exe
2616 | cnynvzvu.exe
4372 | ixeimxnewumia.exe
4372 | ixeimxnewumia.exe
2616 | cnynvzvu.exe
2616 | cnynvzvu.exe
2616 | cnynvzvu.exe
2616 | cnynvzvu.exe
2616 | cnynvzvu.exe
2616 | cnynvzvu.exe
4312 | euyacrrhuzufljb.exe
4312 | euyacrrhuzufljb.exe
1156 | cnynvzvu.exe
1156 | cnynvzvu.exe
1156 | cnynvzvu.exe
1156 | cnynvzvu.exe
1156 | cnynvzvu.exe
1156 | cnynvzvu.exe
1156 | cnynvzvu.exe
1156 | cnynvzvu.exe
-
Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process
1580 | 3d0a8983d1c76b9ac2c80e058138b16b_JaffaCakes118.exe
1580 | 3d0a8983d1c76b9ac2c80e058138b16b_JaffaCakes118.exe
1580 | 3d0a8983d1c76b9ac2c80e058138b16b_JaffaCakes118.exe
4820 | qwtwrbrrud.exe
4820 | qwtwrbrrud.exe
4820 | qwtwrbrrud.exe
4312 | euyacrrhuzufljb.exe
2616 | cnynvzvu.exe
4372 | ixeimxnewumia.exe
4312 | euyacrrhuzufljb.exe
2616 | cnynvzvu.exe
4372 | ixeimxnewumia.exe
4312 | euyacrrhuzufljb.exe
2616 | cnynvzvu.exe
4372 | ixeimxnewumia.exe
1156 | cnynvzvu.exe
1156 | cnynvzvu.exe
1156 | cnynvzvu.exe
-
Suspicious use of SendNotifyMessage 18 IoCs
pid | Process
1580 | 3d0a8983d1c76b9ac2c80e058138b16b_JaffaCakes118.exe
1580 | 3d0a8983d1c76b9ac2c80e058138b16b_JaffaCakes118.exe
1580 | 3d0a8983d1c76b9ac2c80e058138b16b_JaffaCakes118.exe
4820 | qwtwrbrrud.exe
4820 | qwtwrbrrud.exe
4820 | qwtwrbrrud.exe
4312 | euyacrrhuzufljb.exe
2616 | cnynvzvu.exe
4372 | ixeimxnewumia.exe
4312 | euyacrrhuzufljb.exe
2616 | cnynvzvu.exe
4372 | ixeimxnewumia.exe
4312 | euyacrrhuzufljb.exe
2616 | cnynvzvu.exe
4372 | ixeimxnewumia.exe
1156 | cnynvzvu.exe
1156 | cnynvzvu.exe
1156 | cnynvzvu.exe
-
Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process
372 | WINWORD.EXE
372 | WINWORD.EXE
372 | WINWORD.EXE
372 | WINWORD.EXE
372 | WINWORD.EXE
372 | WINWORD.EXE
372 | WINWORD.EXE
-
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 1580 wrote to memory of 4820 | 1580 | 3d0a8983d1c76b9ac2c80e058138b16b_JaffaCakes118.exe | 84
PID 1580 wrote to memory of 4820 | 1580 | 3d0a8983d1c76b9ac2c80e058138b16b_JaffaCakes118.exe | 84
PID 1580 wrote to memory of 4820 | 1580 | 3d0a8983d1c76b9ac2c80e058138b16b_JaffaCakes118.exe | 84
PID 1580 wrote to memory of 4312 | 1580 | 3d0a8983d1c76b9ac2c80e058138b16b_JaffaCakes118.exe | 85
PID 1580 wrote to memory of 4312 | 1580 | 3d0a8983d1c76b9ac2c80e058138b16b_JaffaCakes118.exe | 85
PID 1580 wrote to memory of 4312 | 1580 | 3d0a8983d1c76b9ac2c80e058138b16b_JaffaCakes118.exe | 85
PID 1580 wrote to memory of 2616 | 1580 | 3d0a8983d1c76b9ac2c80e058138b16b_JaffaCakes118.exe | 86
PID 1580 wrote to memory of 2616 | 1580 | 3d0a8983d1c76b9ac2c80e058138b16b_JaffaCakes118.exe | 86
PID 1580 wrote to memory of 2616 | 1580 | 3d0a8983d1c76b9ac2c80e058138b16b_JaffaCakes118.exe | 86
PID 1580 wrote to memory of 4372 | 1580 | 3d0a8983d1c76b9ac2c80e058138b16b_JaffaCakes118.exe | 87
PID 1580 wrote to memory of 4372 | 1580 | 3d0a8983d1c76b9ac2c80e058138b16b_JaffaCakes118.exe | 87
PID 1580 wrote to memory of 4372 | 1580 | 3d0a8983d1c76b9ac2c80e058138b16b_JaffaCakes118.exe | 87
PID 1580 wrote to memory of 372 | 1580 | 3d0a8983d1c76b9ac2c80e058138b16b_JaffaCakes118.exe | 88
PID 1580 wrote to memory of 372 | 1580 | 3d0a8983d1c76b9ac2c80e058138b16b_JaffaCakes118.exe | 88
PID 4820 wrote to memory of 1156 | 4820 | qwtwrbrrud.exe | 90
PID 4820 wrote to memory of 1156 | 4820 | qwtwrbrrud.exe | 90
PID 4820 wrote to memory of 1156 | 4820 | qwtwrbrrud.exe | 90
Processes
-
C:\Users\Admin\AppData\Local\Temp\3d0a8983d1c76b9ac2c80e058138b16b_JaffaCakes118.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\3d0a8983d1c76b9ac2c80e058138b16b_JaffaCakes118.exe"
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1580
-
C:\Windows\SysWOW64\qwtwrbrrud.exe (depth 2)
Command line: qwtwrbrrud.exe
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4820
-
C:\Windows\SysWOW64\cnynvzvu.exe (depth 3)
Command line: C:\Windows\system32\cnynvzvu.exe
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1156
-
C:\Windows\SysWOW64\euyacrrhuzufljb.exe (depth 2)
Command line: euyacrrhuzufljb.exe
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4312
-
C:\Windows\SysWOW64\cnynvzvu.exe (depth 2)
Command line: cnynvzvu.exe
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2616
-
C:\Windows\SysWOW64\ixeimxnewumia.exe (depth 2)
Command line: ixeimxnewumia.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4372
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (depth 2)
Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:372
-
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads
-
Filesize: 512KB
MD5: 3fa82850a647ebac0e679d5a3e6e9264
SHA1: 7c5e87c43e7a26252dbedb4a43fae2a98faf6b0c
SHA256: ebb7adc7b1c784b48e3ba49e352df3510f75340e353b401b72aabd9d7e7a366f
SHA512: d26232d2d5444f37d5c959b5206a05563f205e84979c402129f836db37913df29df5270aac4cd2cc874d49dcf4ad3c17eeb3eaadc59bcf65572046d3c2b0f25a
-
Filesize: 512KB
MD5: 7a226cf6a8fa0264abcc0deacb0f9d28
SHA1: 2f7b85f9adcf135879ba7cefdcd7cd2d1a40f051
SHA256: b7472bb5c2c6546172489155bdd7a8029c5f91c3f4138bf090f2b3c977d9bc2a
SHA512: 2ad9ddfd3a4ca60273a23baadafeb7e09d7a5c86b499d70d6f375a494b7d655c7cfa15eb05371fd4223e9292b6b0a816758f6b8b90097ea863cf61d88a5c09a5
-
Filesize: 245KB
MD5: f883b260a8d67082ea895c14bf56dd56
SHA1: 7954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256: ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512: d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e
-
Filesize: 239B
MD5: 12b138a5a40ffb88d1850866bf2959cd
SHA1: 57001ba2de61329118440de3e9f8a81074cb28a2
SHA256: 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA512: 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: b33f6e45deec50a9483df28e49d60813
SHA1: f53d1441016c9090e0506b6d6dedee76a821ec8c
SHA256: 9661fb3bb69f79e61f2151d4d078344d4cc6fca8cdd341056728f246a39e3a9c
SHA512: 7eb697e2fc41d8238e4ed41cfb6b015b02ffc2b50b1b330fc829b06af4c7afd89da6b64a6e37d45a7b9582cd5926d28fbd94e5149374a5dc5b6f43a6ee58c254
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: 0041cc0df394bb0b39cbfc2f07d81a44
SHA1: b6fffb15e3346b927f9bcfc17e681574dc8bf911
SHA256: eb03801d361d5d4b4aedd3e1ebf0932edc2637f72bb59669b99662fcd30497e9
SHA512: 9de7cfd04486dc8ffac2fdfb25d533d27ee1dc1b4b46706d2d8039bc1b154a9d63ccf5ab4529cb6c491489e24f16828468e109b4088834a2ea1bce80180a2cf2
-
Filesize: 512KB
MD5: a395d786dd2e9e2efde82ce6cac25698
SHA1: a1242d5e044080afbafafd206a145d01772a1cef
SHA256: 002165eec3b8a760eb171aaafc05ccb820528b60683733cc2ade40b49e27ddb9
SHA512: 0aa10480056b8a7c4695bcf8a564f675faf4d7a69ef944c86835bfe8fe945adccb43a8ee6b704218d9687a5c05d96c61acf65d5c125f1502d557d4c03f39c85d
-
Filesize: 512KB
MD5: 8ff7c3142cabdc7ee6d92fe19931a4fc
SHA1: c02a5ffb100cd61d54e084e24b06af588cb39ef7
SHA256: 2282054338290f0c43df697fc7f67e7cdea0cc70454adb8740bb7618a1d52c11
SHA512: 185731294be35811c734df5616669f46602e58e0e42d75951808cd061b6064bf6b9764e830941ec35d8f39eefbd3e9929d0a609786a14221a744b99f84c5e55a
-
Filesize: 512KB
MD5: f850aa6b3f7c66a87536ad0171275aa0
SHA1: d96cf5e0d969f6b28ca8fac54d84d1f683cf6a22
SHA256: d3e668772649cf90ada2ca9b852d352cb4d83dee14f1e76bc7cd6cfc9f2c61af
SHA512: 3a5fe55fe16a8cee2507d602cf9690d3695302e2d96df48aaff8381249c57d3fb465f4f3abf6bad6831720f44b70ce4bca9557322c4e6b1e0094c9fedbbb80a1
-
Filesize: 512KB
MD5: b2275d36d3d86ee4d92d9bb626f8fb1b
SHA1: 7b78c4c7c5d16c1170e820a5c05f0b937531416e
SHA256: 89061796a25f69515fceb9565da9880fc2545e33da7a7a8f60869863bc93605f
SHA512: 70ec1f3d85f1d8c2bab84ecc5279fb1b789bf81042d4f1a0bdc29ed0f44315aeabd342828a08be7a14db982c356632085f2344d92e442fa77de164c044357d25
-
Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
Filesize: 512KB
MD5: 13862c671d42e2b1ad74055f9c75aa90
SHA1: bdbd8be0b2d6411afc4a30f53388dda8af7a4262
SHA256: 8f9d6d118cb000a1097191dd933496ac54c6388b4ecd447bbded11feabbdca7b
SHA512: a902b70cf4130fa2d84a65464eba9633c31d8b329aa0a3ea8970c42f7f49a2a2018f1ab328d49386f9d7e4df940abdece53955dac0f591c0bb3a30d83f91d1c7
-
Filesize: 512KB
MD5: 73ca0e334f89d683f68c682ff1cb4938
SHA1: d9f30c17df68a8a2dd8161718441e08aa879f544
SHA256: c788647fe7436fab0bf692d13e4880296ea275254da1f931c350b14434f3e81f
SHA512: a2eeb568e384f6de1395553201a61c4062637daf255c4aaeabcb60f5e06aa5a31803c46fafb66df842644f060b76772375789a7a4f381f489e36f33ce7568de6