Analysis
-
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
submitted: 15/05/2024, 02:44
Static task: static1
Behavioral task: behavioral1
  Sample: 44395757d2f92a2d6727e89e087888bf_JaffaCakes118.exe
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: 44395757d2f92a2d6727e89e087888bf_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 44395757d2f92a2d6727e89e087888bf_JaffaCakes118.exe
Size: 512KB
MD5: 44395757d2f92a2d6727e89e087888bf
SHA1: 8817185efe5650ef595a2608befa85784a0a159f
SHA256: b3334dbff3a618a7278b17f5e938906f4608a320ae186374864bbe754e3e896a
SHA512: 6094e3089b6743946df4a581615ae2b74dcd72bb4fa8cd7a57ee92c50ea29cc5cb754d973ae77d32981abacb1e8e557967bf7a9052a2c2314e7a760834de31f1
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6q:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5D
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | kfygakudrd.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | kfygakudrd.exe
Windows security bypass 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | kfygakudrd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | kfygakudrd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | kfygakudrd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | kfygakudrd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | kfygakudrd.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | kfygakudrd.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | 44395757d2f92a2d6727e89e087888bf_JaffaCakes118.exe
Executes dropped EXE 5 IoCs
pid | Process
968 | kfygakudrd.exe
1744 | lthldqbb.exe
1792 | sejawqdrrrbvcjs.exe
4480 | rclctxxwytvbv.exe
1688 | lthldqbb.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | kfygakudrd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | kfygakudrd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | kfygakudrd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | kfygakudrd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | kfygakudrd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | kfygakudrd.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tirboqwy = "kfygakudrd.exe" | sejawqdrrrbvcjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qekhvgcy = "sejawqdrrrbvcjs.exe" | sejawqdrrrbvcjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "rclctxxwytvbv.exe" | sejawqdrrrbvcjs.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\y: | lthldqbb.exe
File opened (read-only) | \??\s: | kfygakudrd.exe
File opened (read-only) | \??\t: | lthldqbb.exe
File opened (read-only) | \??\v: | lthldqbb.exe
File opened (read-only) | \??\m: | lthldqbb.exe
File opened (read-only) | \??\q: | lthldqbb.exe
File opened (read-only) | \??\r: | lthldqbb.exe
File opened (read-only) | \??\l: | lthldqbb.exe
File opened (read-only) | \??\t: | lthldqbb.exe
File opened (read-only) | \??\b: | lthldqbb.exe
File opened (read-only) | \??\h: | lthldqbb.exe
File opened (read-only) | \??\h: | lthldqbb.exe
File opened (read-only) | \??\o: | lthldqbb.exe
File opened (read-only) | \??\s: | lthldqbb.exe
File opened (read-only) | \??\z: | kfygakudrd.exe
File opened (read-only) | \??\e: | kfygakudrd.exe
File opened (read-only) | \??\o: | lthldqbb.exe
File opened (read-only) | \??\z: | lthldqbb.exe
File opened (read-only) | \??\i: | lthldqbb.exe
File opened (read-only) | \??\p: | lthldqbb.exe
File opened (read-only) | \??\l: | kfygakudrd.exe
File opened (read-only) | \??\q: | lthldqbb.exe
File opened (read-only) | \??\b: | lthldqbb.exe
File opened (read-only) | \??\j: | lthldqbb.exe
File opened (read-only) | \??\l: | lthldqbb.exe
File opened (read-only) | \??\b: | kfygakudrd.exe
File opened (read-only) | \??\u: | kfygakudrd.exe
File opened (read-only) | \??\p: | lthldqbb.exe
File opened (read-only) | \??\r: | lthldqbb.exe
File opened (read-only) | \??\e: | lthldqbb.exe
File opened (read-only) | \??\g: | lthldqbb.exe
File opened (read-only) | \??\m: | kfygakudrd.exe
File opened (read-only) | \??\i: | lthldqbb.exe
File opened (read-only) | \??\s: | lthldqbb.exe
File opened (read-only) | \??\e: | lthldqbb.exe
File opened (read-only) | \??\x: | lthldqbb.exe
File opened (read-only) | \??\u: | lthldqbb.exe
File opened (read-only) | \??\g: | kfygakudrd.exe
File opened (read-only) | \??\j: | kfygakudrd.exe
File opened (read-only) | \??\r: | kfygakudrd.exe
File opened (read-only) | \??\g: | lthldqbb.exe
File opened (read-only) | \??\m: | lthldqbb.exe
File opened (read-only) | \??\u: | lthldqbb.exe
File opened (read-only) | \??\a: | lthldqbb.exe
File opened (read-only) | \??\k: | lthldqbb.exe
File opened (read-only) | \??\w: | lthldqbb.exe
File opened (read-only) | \??\k: | kfygakudrd.exe
File opened (read-only) | \??\n: | kfygakudrd.exe
File opened (read-only) | \??\p: | kfygakudrd.exe
File opened (read-only) | \??\t: | kfygakudrd.exe
File opened (read-only) | \??\x: | kfygakudrd.exe
File opened (read-only) | \??\w: | lthldqbb.exe
File opened (read-only) | \??\x: | lthldqbb.exe
File opened (read-only) | \??\z: | lthldqbb.exe
File opened (read-only) | \??\h: | kfygakudrd.exe
File opened (read-only) | \??\q: | kfygakudrd.exe
File opened (read-only) | \??\a: | lthldqbb.exe
File opened (read-only) | \??\a: | kfygakudrd.exe
File opened (read-only) | \??\i: | kfygakudrd.exe
File opened (read-only) | \??\o: | kfygakudrd.exe
File opened (read-only) | \??\k: | lthldqbb.exe
File opened (read-only) | \??\n: | lthldqbb.exe
File opened (read-only) | \??\y: | lthldqbb.exe
File opened (read-only) | \??\n: | lthldqbb.exe
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | kfygakudrd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | kfygakudrd.exe
AutoIT Executable 10 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/2408-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x000800000002340c-5.dat | autoit_exe
behavioral2/files/0x000700000002340d-24.dat | autoit_exe
behavioral2/files/0x0008000000023409-19.dat | autoit_exe
behavioral2/files/0x000700000002340e-31.dat | autoit_exe
behavioral2/files/0x00020000000229c3-63.dat | autoit_exe
behavioral2/files/0x000700000002341c-73.dat | autoit_exe
behavioral2/files/0x0008000000023425-76.dat | autoit_exe
behavioral2/files/0x0018000000021f87-91.dat | autoit_exe
behavioral2/files/0x0018000000021f87-117.dat | autoit_exe
Drops file in System32 directory 13 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\sejawqdrrrbvcjs.exe | 44395757d2f92a2d6727e89e087888bf_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\lthldqbb.exe | 44395757d2f92a2d6727e89e087888bf_JaffaCakes118.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | lthldqbb.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | lthldqbb.exe
File created | C:\Windows\SysWOW64\kfygakudrd.exe | 44395757d2f92a2d6727e89e087888bf_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\lthldqbb.exe | 44395757d2f92a2d6727e89e087888bf_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\kfygakudrd.exe | 44395757d2f92a2d6727e89e087888bf_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\rclctxxwytvbv.exe | 44395757d2f92a2d6727e89e087888bf_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | kfygakudrd.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | lthldqbb.exe
File opened for modification | C:\Windows\SysWOW64\sejawqdrrrbvcjs.exe | 44395757d2f92a2d6727e89e087888bf_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\rclctxxwytvbv.exe | 44395757d2f92a2d6727e89e087888bf_JaffaCakes118.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | lthldqbb.exe
Drops file in Program Files directory 23 IoCs
description | ioc | Process
File created | \??\c:\Program Files\RenameJoin.doc.exe | lthldqbb.exe
File opened for modification | C:\Program Files\RenameJoin.nal | lthldqbb.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | lthldqbb.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | lthldqbb.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | lthldqbb.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | lthldqbb.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | lthldqbb.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | lthldqbb.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | lthldqbb.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | lthldqbb.exe
File opened for modification | C:\Program Files\RenameJoin.doc.exe | lthldqbb.exe
File opened for modification | C:\Program Files\RenameJoin.nal | lthldqbb.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | lthldqbb.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | lthldqbb.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | lthldqbb.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | lthldqbb.exe
File opened for modification | \??\c:\Program Files\RenameJoin.doc.exe | lthldqbb.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | lthldqbb.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | lthldqbb.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | lthldqbb.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | lthldqbb.exe
File opened for modification | C:\Program Files\RenameJoin.doc.exe | lthldqbb.exe
File opened for modification | \??\c:\Program Files\RenameJoin.doc.exe | lthldqbb.exe
Drops file in Windows directory 19 IoCs
description | ioc | Process
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | lthldqbb.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | lthldqbb.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | lthldqbb.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | lthldqbb.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | lthldqbb.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | lthldqbb.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | lthldqbb.exe
File opened for modification | C:\Windows\mydoc.rtf | 44395757d2f92a2d6727e89e087888bf_JaffaCakes118.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | lthldqbb.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | lthldqbb.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | lthldqbb.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | lthldqbb.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | lthldqbb.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | lthldqbb.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | lthldqbb.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | lthldqbb.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | lthldqbb.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Modifies registry class 20 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | kfygakudrd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1938C6741596DAB3B9B97CE3EDE437B9" | 44395757d2f92a2d6727e89e087888bf_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | kfygakudrd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCDFAB1F967F198840C3A40869F3E93B38D038F4311023FE1CD42EA09A9" | 44395757d2f92a2d6727e89e087888bf_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC7B02E47E639EE53CAB9D332E8D7C4" | 44395757d2f92a2d6727e89e087888bf_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F56BC3FF6621DAD27FD1D68B7E9063" | 44395757d2f92a2d6727e89e087888bf_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | kfygakudrd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | kfygakudrd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | kfygakudrd.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 44395757d2f92a2d6727e89e087888bf_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33332C7E9D2083586A4676A277232CDA7CF564DD" | 44395757d2f92a2d6727e89e087888bf_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | kfygakudrd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | kfygakudrd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | kfygakudrd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | kfygakudrd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | kfygakudrd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | kfygakudrd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | kfygakudrd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F88FFFF482C8512903CD62F7E9DBC95E640584366416345D6E9" | 44395757d2f92a2d6727e89e087888bf_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | 44395757d2f92a2d6727e89e087888bf_JaffaCakes118.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
1764 | WINWORD.EXE
1764 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2408 | 44395757d2f92a2d6727e89e087888bf_JaffaCakes118.exe
2408 | 44395757d2f92a2d6727e89e087888bf_JaffaCakes118.exe
2408 | 44395757d2f92a2d6727e89e087888bf_JaffaCakes118.exe
2408 | 44395757d2f92a2d6727e89e087888bf_JaffaCakes118.exe
2408 | 44395757d2f92a2d6727e89e087888bf_JaffaCakes118.exe
2408 | 44395757d2f92a2d6727e89e087888bf_JaffaCakes118.exe
2408 | 44395757d2f92a2d6727e89e087888bf_JaffaCakes118.exe
2408 | 44395757d2f92a2d6727e89e087888bf_JaffaCakes118.exe
2408 | 44395757d2f92a2d6727e89e087888bf_JaffaCakes118.exe
2408 | 44395757d2f92a2d6727e89e087888bf_JaffaCakes118.exe
2408 | 44395757d2f92a2d6727e89e087888bf_JaffaCakes118.exe
2408 | 44395757d2f92a2d6727e89e087888bf_JaffaCakes118.exe
2408 | 44395757d2f92a2d6727e89e087888bf_JaffaCakes118.exe
2408 | 44395757d2f92a2d6727e89e087888bf_JaffaCakes118.exe
2408 | 44395757d2f92a2d6727e89e087888bf_JaffaCakes118.exe
2408 | 44395757d2f92a2d6727e89e087888bf_JaffaCakes118.exe
4480 | rclctxxwytvbv.exe
4480 | rclctxxwytvbv.exe
4480 | rclctxxwytvbv.exe
4480 | rclctxxwytvbv.exe
4480 | rclctxxwytvbv.exe
4480 | rclctxxwytvbv.exe
4480 | rclctxxwytvbv.exe
4480 | rclctxxwytvbv.exe
4480 | rclctxxwytvbv.exe
4480 | rclctxxwytvbv.exe
4480 | rclctxxwytvbv.exe
4480 | rclctxxwytvbv.exe
968 | kfygakudrd.exe
968 | kfygakudrd.exe
968 | kfygakudrd.exe
968 | kfygakudrd.exe
968 | kfygakudrd.exe
968 | kfygakudrd.exe
968 | kfygakudrd.exe
968 | kfygakudrd.exe
968 | kfygakudrd.exe
968 | kfygakudrd.exe
1792 | sejawqdrrrbvcjs.exe
1792 | sejawqdrrrbvcjs.exe
1792 | sejawqdrrrbvcjs.exe
1792 | sejawqdrrrbvcjs.exe
1792 | sejawqdrrrbvcjs.exe
1792 | sejawqdrrrbvcjs.exe
1792 | sejawqdrrrbvcjs.exe
1792 | sejawqdrrrbvcjs.exe
1792 | sejawqdrrrbvcjs.exe
1792 | sejawqdrrrbvcjs.exe
1744 | lthldqbb.exe
1744 | lthldqbb.exe
1744 | lthldqbb.exe
1744 | lthldqbb.exe
1744 | lthldqbb.exe
1744 | lthldqbb.exe
1744 | lthldqbb.exe
1744 | lthldqbb.exe
1792 | sejawqdrrrbvcjs.exe
1792 | sejawqdrrrbvcjs.exe
4480 | rclctxxwytvbv.exe
4480 | rclctxxwytvbv.exe
4480 | rclctxxwytvbv.exe
4480 | rclctxxwytvbv.exe
1688 | lthldqbb.exe
1688 | lthldqbb.exe
Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process
2408 | 44395757d2f92a2d6727e89e087888bf_JaffaCakes118.exe
2408 | 44395757d2f92a2d6727e89e087888bf_JaffaCakes118.exe
2408 | 44395757d2f92a2d6727e89e087888bf_JaffaCakes118.exe
4480 | rclctxxwytvbv.exe
4480 | rclctxxwytvbv.exe
4480 | rclctxxwytvbv.exe
1792 | sejawqdrrrbvcjs.exe
968 | kfygakudrd.exe
1744 | lthldqbb.exe
1792 | sejawqdrrrbvcjs.exe
968 | kfygakudrd.exe
1744 | lthldqbb.exe
1792 | sejawqdrrrbvcjs.exe
968 | kfygakudrd.exe
1744 | lthldqbb.exe
1688 | lthldqbb.exe
1688 | lthldqbb.exe
1688 | lthldqbb.exe
Suspicious use of SendNotifyMessage 18 IoCs
pid | Process
2408 | 44395757d2f92a2d6727e89e087888bf_JaffaCakes118.exe
2408 | 44395757d2f92a2d6727e89e087888bf_JaffaCakes118.exe
2408 | 44395757d2f92a2d6727e89e087888bf_JaffaCakes118.exe
4480 | rclctxxwytvbv.exe
4480 | rclctxxwytvbv.exe
4480 | rclctxxwytvbv.exe
1792 | sejawqdrrrbvcjs.exe
968 | kfygakudrd.exe
1744 | lthldqbb.exe
1792 | sejawqdrrrbvcjs.exe
968 | kfygakudrd.exe
1744 | lthldqbb.exe
1792 | sejawqdrrrbvcjs.exe
968 | kfygakudrd.exe
1744 | lthldqbb.exe
1688 | lthldqbb.exe
1688 | lthldqbb.exe
1688 | lthldqbb.exe
Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process
1764 | WINWORD.EXE
1764 | WINWORD.EXE
1764 | WINWORD.EXE
1764 | WINWORD.EXE
1764 | WINWORD.EXE
1764 | WINWORD.EXE
1764 | WINWORD.EXE
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 2408 wrote to memory of 968 | 2408 | 44395757d2f92a2d6727e89e087888bf_JaffaCakes118.exe | 81
PID 2408 wrote to memory of 968 | 2408 | 44395757d2f92a2d6727e89e087888bf_JaffaCakes118.exe | 81
PID 2408 wrote to memory of 968 | 2408 | 44395757d2f92a2d6727e89e087888bf_JaffaCakes118.exe | 81
PID 2408 wrote to memory of 1792 | 2408 | 44395757d2f92a2d6727e89e087888bf_JaffaCakes118.exe | 82
PID 2408 wrote to memory of 1792 | 2408 | 44395757d2f92a2d6727e89e087888bf_JaffaCakes118.exe | 82
PID 2408 wrote to memory of 1792 | 2408 | 44395757d2f92a2d6727e89e087888bf_JaffaCakes118.exe | 82
PID 2408 wrote to memory of 1744 | 2408 | 44395757d2f92a2d6727e89e087888bf_JaffaCakes118.exe | 83
PID 2408 wrote to memory of 1744 | 2408 | 44395757d2f92a2d6727e89e087888bf_JaffaCakes118.exe | 83
PID 2408 wrote to memory of 1744 | 2408 | 44395757d2f92a2d6727e89e087888bf_JaffaCakes118.exe | 83
PID 2408 wrote to memory of 4480 | 2408 | 44395757d2f92a2d6727e89e087888bf_JaffaCakes118.exe | 84
PID 2408 wrote to memory of 4480 | 2408 | 44395757d2f92a2d6727e89e087888bf_JaffaCakes118.exe | 84
PID 2408 wrote to memory of 4480 | 2408 | 44395757d2f92a2d6727e89e087888bf_JaffaCakes118.exe | 84
PID 2408 wrote to memory of 1764 | 2408 | 44395757d2f92a2d6727e89e087888bf_JaffaCakes118.exe | 85
PID 2408 wrote to memory of 1764 | 2408 | 44395757d2f92a2d6727e89e087888bf_JaffaCakes118.exe | 85
PID 968 wrote to memory of 1688 | 968 | kfygakudrd.exe | 88
PID 968 wrote to memory of 1688 | 968 | kfygakudrd.exe | 88
PID 968 wrote to memory of 1688 | 968 | kfygakudrd.exe | 88
Processes
-
Process (level 1): C:\Users\Admin\AppData\Local\Temp\44395757d2f92a2d6727e89e087888bf_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\44395757d2f92a2d6727e89e087888bf_JaffaCakes118.exe"
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 2408
Process (level 2): C:\Windows\SysWOW64\kfygakudrd.exe
Command line: kfygakudrd.exe
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 968
Process (level 3): C:\Windows\SysWOW64\lthldqbb.exe
Command line: C:\Windows\system32\lthldqbb.exe
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 1688
Process (level 2): C:\Windows\SysWOW64\sejawqdrrrbvcjs.exe
Command line: sejawqdrrrbvcjs.exe
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 1792
Process (level 2): C:\Windows\SysWOW64\lthldqbb.exe
Command line: lthldqbb.exe
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 1744
Process (level 2): C:\Windows\SysWOW64\rclctxxwytvbv.exe
Command line: rclctxxwytvbv.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 4480
Process (level 2): C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID: 1764
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (6)
Downloads

Filesize: 512KB
MD5: 8b3f7feb5104402905a3318fc67cca22
SHA1: 96d6d2566814f173f476fa891c7b0d9b3074ae9c
SHA256: 066b7462799abe387d4f62a4cf5cc4c09f4cd0d3bfcdd397349aafc08bc20b3d
SHA512: e84843518ce3f24aff11581ee655381819fd07e9695bbb25ec08ff718b445b7bdcf768a2ecbfa055bf895ee3b8de0371ae0b74a54650c9d7c3cfc47025b38b86

Filesize: 512KB
MD5: cf6827463cc8c9af108092b6fcca4bd2
SHA1: e5494376a47df9269a74e7ed12d651c1eda77c76
SHA256: 552d80d2302a9d8cb832889b35304c21de9a5afad72ad4619cab296176c3f897
SHA512: 8435eebda25d76bbdbd08c77731f39d7629cec381e4d3b7feaabdc850eb2cace311e859bf7dbd166627e26581adece291a75f2e5b1c1298720c927d1ec8778e4

Filesize: 247B
MD5: ba31e27b309887962eae7bff5520de3e
SHA1: 2bcf17b49c22ed6511df4c83dce94292deda7fc1
SHA256: 9fe257af2a11412b5545d1b0296eea58fab5ed88df337aa6c7370c96b45368a3
SHA512: 51293703930fea31241aae28446b0a98ea3505f632382671cef7fe870ee45712b09e44afec485c1650f3fc41e1a33449eb3cb7177d7e88a0a855e9db83163f8a

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851218[[fn=gb]].xsl
Filesize: 262KB
MD5: 51d32ee5bc7ab811041f799652d26e04
SHA1: 412193006aa3ef19e0a57e16acf86b830993024a
SHA256: 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA512: 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: bcf208043b9c071da40e5c741664fed3
SHA1: e2ae2da7b31936e65fd0a9f6d8f1b69a55373630
SHA256: 3abc6f01655f55990ba97bf009ce85829682e3ae2c30b53d8964a690ad1e4f3d
SHA512: c86932b1c5518991dc2b89a184163de8a0d1f1393b50198d8550b9d3bed0abcf78d2a82f0e227a3e4f9593d77501f46c6789da44602319316635dd6254790bae

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: 2725a9cdceaad47d2f2e8f94c40f4433
SHA1: fd4b2d8cd9ca7b769d4cd45ed34dcf92fe8cbafc
SHA256: a475efc8dfee0a4db1c2bb59e89646fb9321ae05ce59eeaeab6ae207bd0372f9
SHA512: 044391aedee3a49c4f7edd06595ce059f6ff11d6c71e50caf8521ae763e2b17740abd19a336fe6ec02e51d2080c0b563c59ed8bccdc7f7c6773960ac038a86c1

Filesize: 512KB
MD5: f1a695650d411966bde0575d78d6b9ae
SHA1: b10bb903a393d7903729399c6d37f1af10e7b6bf
SHA256: c3c47ec45285878842dd25f1928556fbd7062791b97abfb46cb3d06304a17580
SHA512: 427fb85be841f9accbe643f5610d0352ca8d9f447e7eafa67444657f1de5009bf5156621460d1f81edaee6db8da3d483fe054552d7d74935670a974702bdcb63

Filesize: 512KB
MD5: e28238101c17b9bc14b600f3204d612d
SHA1: e3232c6773f4f13ad60c87c3259648ebb0488338
SHA256: bad4880705509001d4d6547ae04067374cd65207459eb48eaf5327bc01385555
SHA512: 1647ed6458cdbf18704a6475ccc9e7b0eac774964cfc8720133cf450b72dc04bcee8e74cbcf393bd01407dd0205d407eba8209bf5ffb7543ff6789b6d611ae52

Filesize: 512KB
MD5: fbee832ceaa0aa1f6242386ce3b565f5
SHA1: 6d49344b8954ca96d76fbe40c3a67789dc02eb10
SHA256: ae5970fe320cade17e554c9dd3e4c11c53d6bca93df4a8c530d5d94da696b792
SHA512: 767026106d6dab386991658773f79f4e313852bf80a67d8be7e377071b458a518bd9e0bb624e77ecca428773179755b1c24b81e10855d38c243d2ad91786dc44

Filesize: 512KB
MD5: 85c2bcc7b214764e6695b2c9dcd1bd11
SHA1: 45a92ddd7e5acc0d1930e47f72460ded4fe3210f
SHA256: 459227e1446cf9b2ce129e4446386c48eb26df2925d16894f076aeb4a58b868a
SHA512: ae0adffeeb579b2f5fd4fb728b1c4192df89266e9a57daac23c812897aa6caef5cdc937f4c764757da9bb91669749cc3cafbd73ae05f51597e51b95f14287acd

Filesize: 512KB
MD5: 2f64e06de60dba9f777ab4cea90c6683
SHA1: 52aa10b9602eb65344f050775334590751408617
SHA256: 132627b14f82d83dc74bca98adde8afbcf7ca5f25461e25d164c4a97eeca29fc
SHA512: a8800079112ba05772804d02a2b424b97e3559a592af64fa2e5d2554845eeaa619a8570e410d1ff1e10da3225a4223fe5cf7e1bd2823b0258349f2cc7b836b07

Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Filesize: 512KB
MD5: 924185096f590aa2da1fa33327062fdb
SHA1: 1fc486f3a1c9631ba5e03bca1317c70b01b0b97a
SHA256: fda6c54acfd818ae704225f8fb78021ff3774baf3abb361ab9844e64703f7d98
SHA512: f4718f14564c96a24a8a28e1c14cba738cf3e5afff3da8f4337fe7d0a8497c078114d66e0b4a51f100026e77a15d0e72c60adae08785243e29f233865b894781

Filesize: 512KB
MD5: 9df97c9082cd3ff7b202a142bf838964
SHA1: 2d26f5b8ccdebbfb9818818f996afa4d67d9bd33
SHA256: 49d283a9e79d12076ecb48a2ea2b7c22de7f4b035da19fe24e1c365846914496
SHA512: 5561eab84bf714d690f58996c1e169587b374deb6fbb32abf1509d0b08b9491ddb6a4c140ce68eb600147566a2b4e4517856fb4a24646004d9a05791c012f2a1