Analysis
max time kernel: 150s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/05/2024, 01:40
Static task: static1
Behavioral task: behavioral1
  Sample: 3d6a2ef0df4cb9a9a085942bd58b8622_JaffaCakes118.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: 3d6a2ef0df4cb9a9a085942bd58b8622_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 3d6a2ef0df4cb9a9a085942bd58b8622_JaffaCakes118.exe
Size: 512KB
MD5: 3d6a2ef0df4cb9a9a085942bd58b8622
SHA1: 9249a03a64c4ba4d8ca1b72c86f3c1716b3c1e10
SHA256: 5b3211ed5c341c42ae0e97ca9a1e38073d3b0bd94c37b8c997a5aece5439082b
SHA512: 7201e34a6433d8a4b740d6c30b92c012eb5fe60dbf3731b40b917051d21ae77872685f0f278f07f6c96c1d27bd469dc7fe8c25bb2e4b681b081c8ddb8dc2e5d3
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6i:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm51
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
  - Set value (int) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" [kvjjdmcwtm.exe]
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  - Set value (int) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" [kvjjdmcwtm.exe]
Windows security bypass (5 IoCs)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" [kvjjdmcwtm.exe]
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" [kvjjdmcwtm.exe]
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" [kvjjdmcwtm.exe]
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" [kvjjdmcwtm.exe]
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" [kvjjdmcwtm.exe]
Disables RegEdit via registry modification (1 IoC)
  - Set value (int) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" [kvjjdmcwtm.exe]
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  - Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation [3d6a2ef0df4cb9a9a085942bd58b8622_JaffaCakes118.exe]
Executes dropped EXE (5 IoCs)
  - PID 1588  kvjjdmcwtm.exe
  - PID 628   smjrtrazlrshyma.exe
  - PID 4460  ppszkwvi.exe
  - PID 3140  mbxetsjjjgyua.exe
  - PID 3740  ppszkwvi.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.
Windows security modification (6 IoCs)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" [kvjjdmcwtm.exe]
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" [kvjjdmcwtm.exe]
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" [kvjjdmcwtm.exe]
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" [kvjjdmcwtm.exe]
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" [kvjjdmcwtm.exe]
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" [kvjjdmcwtm.exe]
Adds Run key to start application (2 TTPs, 3 IoCs)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rlrudftx = "kvjjdmcwtm.exe" [smjrtrazlrshyma.exe]
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uhwasjpx = "smjrtrazlrshyma.exe" [smjrtrazlrshyma.exe]
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ (default value) = "mbxetsjjjgyua.exe" [smjrtrazlrshyma.exe]
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
All 64 events are "File opened (read-only)" on a drive root, grouped here by process:
  - kvjjdmcwtm.exe (22 events, one per drive): \??\a: \??\b: \??\e: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\o: \??\p: \??\q: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z:
  - ppszkwvi.exe (42 events across the two ppszkwvi.exe instances): \??\a: \??\b: \??\e: \??\g: \??\h: \??\j: \??\k: \??\l: \??\m: \??\n: \??\o: \??\p: \??\q: \??\s: \??\t: \??\v: \??\w: \??\x: \??\y: (each opened twice) and \??\i: \??\r: \??\u: \??\z: (each opened once)
Modifies WinLogon (2 TTPs, 2 IoCs)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" [kvjjdmcwtm.exe]
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" [kvjjdmcwtm.exe]
AutoIT Executable (10 IoCs)
AutoIT scripts compiled to PE executables.
YARA rule autoit_exe matched the following resources:
  - behavioral2/memory/1924-0-0x0000000000400000-0x0000000000496000-memory.dmp
  - behavioral2/files/0x00080000000233c9-5.dat
  - behavioral2/files/0x0006000000023276-18.dat
  - behavioral2/files/0x00070000000233cd-26.dat
  - behavioral2/files/0x00070000000233ce-32.dat
  - behavioral2/files/0x0002000000022999-63.dat
  - behavioral2/files/0x000800000002338d-66.dat
  - behavioral2/files/0x00070000000233e2-69.dat
  - behavioral2/files/0x001b0000000233f8-559.dat
  - behavioral2/files/0x001b0000000233f8-576.dat
Drops file in System32 directory (13 IoCs)
  - File opened for modification C:\Windows\SysWOW64\ppszkwvi.exe [3d6a2ef0df4cb9a9a085942bd58b8622_JaffaCakes118.exe]
  - File created C:\Windows\SysWOW64\mbxetsjjjgyua.exe [3d6a2ef0df4cb9a9a085942bd58b8622_JaffaCakes118.exe]
  - File created C:\Windows\SysWOW64\kvjjdmcwtm.exe [3d6a2ef0df4cb9a9a085942bd58b8622_JaffaCakes118.exe]
  - File created C:\Windows\SysWOW64\ppszkwvi.exe [3d6a2ef0df4cb9a9a085942bd58b8622_JaffaCakes118.exe]
  - File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe [ppszkwvi.exe]
  - File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe [ppszkwvi.exe]
  - File opened for modification C:\Windows\SysWOW64\kvjjdmcwtm.exe [3d6a2ef0df4cb9a9a085942bd58b8622_JaffaCakes118.exe]
  - File opened for modification C:\Windows\SysWOW64\smjrtrazlrshyma.exe [3d6a2ef0df4cb9a9a085942bd58b8622_JaffaCakes118.exe]
  - File opened for modification C:\Windows\SysWOW64\msvbvm60.dll [kvjjdmcwtm.exe]
  - File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe [ppszkwvi.exe]
  - File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe [ppszkwvi.exe]
  - File created C:\Windows\SysWOW64\smjrtrazlrshyma.exe [3d6a2ef0df4cb9a9a085942bd58b8622_JaffaCakes118.exe]
  - File opened for modification C:\Windows\SysWOW64\mbxetsjjjgyua.exe [3d6a2ef0df4cb9a9a085942bd58b8622_JaffaCakes118.exe]
Drops file in Program Files directory (15 IoCs, all by ppszkwvi.exe)
  - File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
  - File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal
  - File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
  - File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
  - File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
  - File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
  - File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal
  - File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal
  - File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
  - File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
  - File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
  - File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal
  - File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
  - File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
  - File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
Drops file in Windows directory (19 IoCs)
  - File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe [ppszkwvi.exe]
  - File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe [ppszkwvi.exe]
  - File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe [ppszkwvi.exe]
  - File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe [ppszkwvi.exe]
  - File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe [ppszkwvi.exe]
  - File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe [ppszkwvi.exe]
  - File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe [ppszkwvi.exe]
  - File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe [ppszkwvi.exe]
  - File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe [ppszkwvi.exe]
  - File opened for modification C:\Windows\mydoc.rtf [WINWORD.EXE]
  - File created C:\Windows\~$mydoc.rtf [WINWORD.EXE]
  - File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe [ppszkwvi.exe]
  - File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe [ppszkwvi.exe]
  - File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe [ppszkwvi.exe]
  - File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe [ppszkwvi.exe]
  - File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe [ppszkwvi.exe]
  - File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe [ppszkwvi.exe]
  - File opened for modification C:\Windows\mydoc.rtf [3d6a2ef0df4cb9a9a085942bd58b8622_JaffaCakes118.exe]
  - File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe [ppszkwvi.exe]
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
  - Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 [WINWORD.EXE]
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz [WINWORD.EXE]
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString [WINWORD.EXE]
Enumerates system info in registry (2 TTPs, 3 IoCs)
  - Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS [WINWORD.EXE]
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily [WINWORD.EXE]
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU [WINWORD.EXE]
Modifies registry class (20 IoCs)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFCFFFC4F28856D903CD65D7DE6BDE7E1415940664E6244D7EC" [3d6a2ef0df4cb9a9a085942bd58b8622_JaffaCakes118.exe]
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" [kvjjdmcwtm.exe]
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc [kvjjdmcwtm.exe]
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" [kvjjdmcwtm.exe]
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf [kvjjdmcwtm.exe]
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" [kvjjdmcwtm.exe]
  - Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings [3d6a2ef0df4cb9a9a085942bd58b8622_JaffaCakes118.exe]
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2ECBB02A449438E853C5B9D53393D7CF" [3d6a2ef0df4cb9a9a085942bd58b8622_JaffaCakes118.exe]
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" [kvjjdmcwtm.exe]
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg [kvjjdmcwtm.exe]
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh [kvjjdmcwtm.exe]
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33332D7E9C2383556A4176DD70252DD97CF364AF" [3d6a2ef0df4cb9a9a085942bd58b8622_JaffaCakes118.exe]
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCDFAB9F967F2E084743A43869A3EE2B0FA038F42120348E2BE42ED08D2" [3d6a2ef0df4cb9a9a085942bd58b8622_JaffaCakes118.exe]
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1945C67914E5DAC5B9BE7C97EC9E37BA" [3d6a2ef0df4cb9a9a085942bd58b8622_JaffaCakes118.exe]
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat [kvjjdmcwtm.exe]
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" [kvjjdmcwtm.exe]
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs [kvjjdmcwtm.exe]
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" [kvjjdmcwtm.exe]
  - Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes [3d6a2ef0df4cb9a9a085942bd58b8622_JaffaCakes118.exe]
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F36BB9FF6622DDD20FD0A88B7D9062" [3d6a2ef0df4cb9a9a085942bd58b8622_JaffaCakes118.exe]
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  - PID 2932  WINWORD.EXE (2 events)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Repeated events from the same processes, collapsed here to the set of reporting PIDs:
  - PID 1924  3d6a2ef0df4cb9a9a085942bd58b8622_JaffaCakes118.exe
  - PID 1588  kvjjdmcwtm.exe
  - PID 628   smjrtrazlrshyma.exe
  - PID 4460  ppszkwvi.exe
  - PID 3140  mbxetsjjjgyua.exe
  - PID 3740  ppszkwvi.exe
Suspicious use of FindShellTrayWindow (18 IoCs)
  - PID 1924  3d6a2ef0df4cb9a9a085942bd58b8622_JaffaCakes118.exe (3 events)
  - PID 1588  kvjjdmcwtm.exe (3 events)
  - PID 628   smjrtrazlrshyma.exe (3 events)
  - PID 4460  ppszkwvi.exe (3 events)
  - PID 3140  mbxetsjjjgyua.exe (3 events)
  - PID 3740  ppszkwvi.exe (3 events)
Suspicious use of SendNotifyMessage (18 IoCs)
  - PID 1924  3d6a2ef0df4cb9a9a085942bd58b8622_JaffaCakes118.exe (3 events)
  - PID 1588  kvjjdmcwtm.exe (3 events)
  - PID 628   smjrtrazlrshyma.exe (3 events)
  - PID 4460  ppszkwvi.exe (3 events)
  - PID 3140  mbxetsjjjgyua.exe (3 events)
  - PID 3740  ppszkwvi.exe (3 events)
Suspicious use of SetWindowsHookEx (7 IoCs)
  - PID 2932  WINWORD.EXE (7 events)
Suspicious use of WriteProcessMemory (17 IoCs)
  - PID 1924 (3d6a2ef0df4cb9a9a085942bd58b8622_JaffaCakes118.exe) wrote to memory of PID 1588, procid_target 81 (3 events)
  - PID 1924 (3d6a2ef0df4cb9a9a085942bd58b8622_JaffaCakes118.exe) wrote to memory of PID 628, procid_target 82 (3 events)
  - PID 1924 (3d6a2ef0df4cb9a9a085942bd58b8622_JaffaCakes118.exe) wrote to memory of PID 4460, procid_target 83 (3 events)
  - PID 1924 (3d6a2ef0df4cb9a9a085942bd58b8622_JaffaCakes118.exe) wrote to memory of PID 3140, procid_target 84 (3 events)
  - PID 1588 (kvjjdmcwtm.exe) wrote to memory of PID 3740, procid_target 85 (3 events)
  - PID 1924 (3d6a2ef0df4cb9a9a085942bd58b8622_JaffaCakes118.exe) wrote to memory of PID 2932, procid_target 86 (2 events)
Processes
Nesting depth follows the sandbox's 1/2/3 markers; each entry lists the image path, the command line, the PID and the signatures attributed to that process.

1. C:\Users\Admin\AppData\Local\Temp\3d6a2ef0df4cb9a9a085942bd58b8622_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\3d6a2ef0df4cb9a9a085942bd58b8622_JaffaCakes118.exe"
   PID: 1924
   - Checks computer location settings
   - Drops file in System32 directory
   - Drops file in Windows directory
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\kvjjdmcwtm.exe
      Command line: kvjjdmcwtm.exe
      PID: 1588
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Windows security bypass
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Windows security modification
      - Enumerates connected drives
      - Modifies WinLogon
      - Drops file in System32 directory
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\ppszkwvi.exe
         Command line: C:\Windows\system32\ppszkwvi.exe
         PID: 3740
         - Executes dropped EXE
         - Enumerates connected drives
         - Drops file in System32 directory
         - Drops file in Program Files directory
         - Drops file in Windows directory
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of FindShellTrayWindow
         - Suspicious use of SendNotifyMessage

   2. C:\Windows\SysWOW64\smjrtrazlrshyma.exe
      Command line: smjrtrazlrshyma.exe
      PID: 628
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

   2. C:\Windows\SysWOW64\ppszkwvi.exe
      Command line: ppszkwvi.exe
      PID: 4460
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

   2. C:\Windows\SysWOW64\mbxetsjjjgyua.exe
      Command line: mbxetsjjjgyua.exe
      PID: 3140
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

   2. C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      PID: 2932
      - Drops file in Windows directory
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)
Privilege Escalation
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)
Defense Evasion
  - Hide Artifacts (2)
    - Hidden Files and Directories (2)
  - Impair Defenses (2)
    - Disable or Modify Tools (2)
  - Modify Registry (6)
Downloads
Filesize: 512KB
MD5: cfb3e36aa4f49c4c643f6fa85c135dbc
SHA1: e4447a372cae8f61e8ef6746cecebb2de9badf16
SHA256: 0f577cf7ba0081e29ac86538e2d95cb1a8e8fb61a726e8c7ae93b4f20bb29cf0
SHA512: c080995dd425267bb6930d5971957ba6a91d1c20f3243ca9cff994c9569b45176c9ff00736949c05767f3030eb5a3c0436a7f8aed685ff16e24d6a740810a54b

Filesize: 512KB
MD5: 7360baea468754fb1c84ec25e735e7d0
SHA1: 2042aa47305345d4275e58c16503416873250c48
SHA256: 1c486168b5cb4a9b0e0ab023dfb1dcc72a179deaabd6a749c34d38174bf920c0
SHA512: b109ab2b0c9f66a0777533af2ec0a8477d463d853a60a7d9268e671ab15b5d1d17cab7888911f12a8dca2c605c0faed69a8d3a458196aa68daa398e792153ff6

Filesize: 245KB
MD5: f883b260a8d67082ea895c14bf56dd56
SHA1: 7954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256: ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512: d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Filesize: 239B
MD5: 12b138a5a40ffb88d1850866bf2959cd
SHA1: 57001ba2de61329118440de3e9f8a81074cb28a2
SHA256: 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA512: 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Q9CR2JOTA1XT4KCZZBNI.temp
Filesize: 3KB
MD5: 3f14e512b4f5959a9995b68b8a9b5c68
SHA1: ca6824bfdeffc9fd03cf2ecc4e51f19529bc4335
SHA256: 0457d3baa2d22f03772ab92e8142ef265654b47eeb92f188889595fc7af7e532
SHA512: c99f0ad3b9f8fc8805b92aeb006c7b782d322f06dcb2da29563ffb8f75b8e80cc5add67a8b2e82b65fa91448b9866a6fb8f6cd81a70d7febefa171b930c2803f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: f0f46d6128170e1b37f51f72818b8828
SHA1: 23412ea07419e656be1e47fcd0b1022b6ed7b6d9
SHA256: f16b228ba5d2de39a19dd3e164dd277ad21ba51f5127bd2b400f43c39945e111
SHA512: 3a6595572d3200a68ba2f3904ca51565c1b9b1167d8578c9b8deb9a8855bba80527eb43e90669b62cb13e9d06f8569cbf65cb2dbe3627cfd3db768df74965e89

Filesize: 512KB
MD5: 46c15e8d515455cb8674bfed413c8c35
SHA1: ecf8078f19f644b10d6f1052ba897308aa462b7e
SHA256: 37d9fd92e5032f68786d81023919fb17ad3a2cdbeadf2ada51eae620cd622c42
SHA512: b4859f8cfb0775bafe89598c9dfde636b6a7e5826b1a11a60c2fc679b9094550eb3dda6e5db164579506b7e0ad8f9a0f01b87be874b87340e358be055fd57b53

Filesize: 512KB
MD5: 57e10d99e2b13d207216514f89bf914e
SHA1: 70c481a8d4bc3b9aef0d27d7b48de07c1ae5757e
SHA256: 6c73eba134adff855f7f258c6d44661b5d8ceb607bca46b999bfadd09bfd1747
SHA512: 21734525325a8bded4e26fe0bdb9c86eade9b3d4164bb04abd0ce9c35309e241ff7079d456e043d92548c488eefa21fb0a03b817888afaf151b0db4d1d319482

Filesize: 512KB
MD5: a201783cd87f5fed22e47abc9e50e5b4
SHA1: 5bb23fff81a602c81fba04dee5395cad4e9c15cb
SHA256: a603704b8fb5a153f2190afd369b5c4ba37547ae04a347a55763cf7809d411f8
SHA512: 24fc59233bd8221c585089258e582dfd19844d881d758760f34e32141c7a87027910d6de804d447da971b5665c66da22112e5ae837775641187dfcccee0b707a

Filesize: 512KB
MD5: a455d4e312e74ca745df61a9371ccefd
SHA1: fa3f833cb138529c2ec4ca509a9f01766f38f525
SHA256: 6956cf1a4e6d6c805edb85716bfde20350fdc51dd18baeb692e3aef2f371b484
SHA512: 67b3e33c40a078211770b0f9dbe7ee7ea60f335ebb776197ce34809e4e75a8643980580d383ea0be56dbbd25ca06ce4d12712fca61e20c828a1a5b49dff4f96d

Filesize: 512KB
MD5: de5eb69fc0ac81d3cf9e80c59e2bbd7c
SHA1: fd8ea4d6144695bfd6db80f38f926e02e8b6a2d4
SHA256: c6fbc2793076016832336dcaaff23651b8c2afe1f9b20da16250b867b666369d
SHA512: 86a955aa242f36d5e5c42e6d31fef89c7975a0126a420ee86fa1c2ad18a21de9cf69670561ad6b9738cec1ff04dc3531cd49d88109281521d0d6c9ce8c94ebf0

Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Filesize: 512KB
MD5: f65c03a33eef77a96995ae9966c5a383
SHA1: e5754839aef781bc1babb8f36252f9db1cbaecc6
SHA256: 6421367b17a193374ec1080c91b3b3d905bfffe99d8e2c6d21218540b82f9bbc
SHA512: 8526c5d3f4c706d44709a7e8b9b3970c673fbe14b892d4809284d69eac7b0db398ebc16964f10bf6a9535a5d62f13c14d69983ea7a0910685e3d237bd2b54eb8

Filesize: 512KB
MD5: 3b7b458f0109484377ab57bd63f3bc75
SHA1: 3c535ba04f1cb7e68f725aa08f77c44c5077c825
SHA256: 0ac14e36efaf9159c62fdc5ad2495d058847871f1b6a1841b5e660028c49a353
SHA512: c20d84540a6e437e17287633fd67a644142257fd4054e6d04daf9cf78a4f3c5d7da60b680edeb3351c79118abb13b9ed2e3fac8b58922c599ec814aa3a4a669a