Analysis
max time kernel: 150s
max time network: 100s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-05-2024 04:03

Static task: static1
Behavioral task: behavioral1
  Sample: 4477999a03ba105e71476401b7cd3b71_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 4477999a03ba105e71476401b7cd3b71_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 4477999a03ba105e71476401b7cd3b71_JaffaCakes118.exe
Size: 512KB
MD5: 4477999a03ba105e71476401b7cd3b71
SHA1: d5b0153c777a1bdf577d4740a2584ba810ea34c8
SHA256: e89894fbcb5fab3944987ad1d1eef88f05233e0950145c3bd88933f9c0ed789b
SHA512: bf22c5bde8a528ef285ada1cd983a8c070c41da28915226e39bee6958d7cc5b974ede2481f348207d2b4babb05616ed4e570ae5f6e180a0f0f1a00a54adbeba2
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6e:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5Z
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | vqjazzeaum.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | vqjazzeaum.exe
Windows security bypass 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | vqjazzeaum.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | vqjazzeaum.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | vqjazzeaum.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | vqjazzeaum.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | vqjazzeaum.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | vqjazzeaum.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | 4477999a03ba105e71476401b7cd3b71_JaffaCakes118.exe
Executes dropped EXE 5 IoCs
pid | Process
4660 | vqjazzeaum.exe
4812 | vamhhspgtvwkgpz.exe
4308 | ogqncgnr.exe
1968 | efbxffxpifvkv.exe
4208 | ogqncgnr.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and other sensitive data.
Windows security modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | vqjazzeaum.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | vqjazzeaum.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | vqjazzeaum.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | vqjazzeaum.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | vqjazzeaum.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | vqjazzeaum.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\duhjqkgs = "vqjazzeaum.exe" | vamhhspgtvwkgpz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mknesjlo = "vamhhspgtvwkgpz.exe" | vamhhspgtvwkgpz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "efbxffxpifvkv.exe" | vamhhspgtvwkgpz.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\m: | ogqncgnr.exe
File opened (read-only) | \??\o: | ogqncgnr.exe
File opened (read-only) | \??\e: | ogqncgnr.exe
File opened (read-only) | \??\i: | ogqncgnr.exe
File opened (read-only) | \??\o: | ogqncgnr.exe
File opened (read-only) | \??\o: | vqjazzeaum.exe
File opened (read-only) | \??\t: | vqjazzeaum.exe
File opened (read-only) | \??\a: | ogqncgnr.exe
File opened (read-only) | \??\p: | ogqncgnr.exe
File opened (read-only) | \??\m: | ogqncgnr.exe
File opened (read-only) | \??\r: | ogqncgnr.exe
File opened (read-only) | \??\z: | vqjazzeaum.exe
File opened (read-only) | \??\m: | vqjazzeaum.exe
File opened (read-only) | \??\z: | ogqncgnr.exe
File opened (read-only) | \??\i: | vqjazzeaum.exe
File opened (read-only) | \??\r: | vqjazzeaum.exe
File opened (read-only) | \??\y: | vqjazzeaum.exe
File opened (read-only) | \??\h: | ogqncgnr.exe
File opened (read-only) | \??\n: | ogqncgnr.exe
File opened (read-only) | \??\t: | ogqncgnr.exe
File opened (read-only) | \??\p: | ogqncgnr.exe
File opened (read-only) | \??\u: | ogqncgnr.exe
File opened (read-only) | \??\w: | ogqncgnr.exe
File opened (read-only) | \??\x: | ogqncgnr.exe
File opened (read-only) | \??\s: | vqjazzeaum.exe
File opened (read-only) | \??\b: | ogqncgnr.exe
File opened (read-only) | \??\x: | ogqncgnr.exe
File opened (read-only) | \??\y: | ogqncgnr.exe
File opened (read-only) | \??\b: | vqjazzeaum.exe
File opened (read-only) | \??\g: | vqjazzeaum.exe
File opened (read-only) | \??\h: | ogqncgnr.exe
File opened (read-only) | \??\r: | ogqncgnr.exe
File opened (read-only) | \??\b: | ogqncgnr.exe
File opened (read-only) | \??\j: | vqjazzeaum.exe
File opened (read-only) | \??\w: | vqjazzeaum.exe
File opened (read-only) | \??\k: | vqjazzeaum.exe
File opened (read-only) | \??\w: | ogqncgnr.exe
File opened (read-only) | \??\z: | ogqncgnr.exe
File opened (read-only) | \??\l: | ogqncgnr.exe
File opened (read-only) | \??\a: | vqjazzeaum.exe
File opened (read-only) | \??\h: | vqjazzeaum.exe
File opened (read-only) | \??\u: | vqjazzeaum.exe
File opened (read-only) | \??\j: | ogqncgnr.exe
File opened (read-only) | \??\l: | ogqncgnr.exe
File opened (read-only) | \??\q: | ogqncgnr.exe
File opened (read-only) | \??\i: | ogqncgnr.exe
File opened (read-only) | \??\k: | ogqncgnr.exe
File opened (read-only) | \??\n: | vqjazzeaum.exe
File opened (read-only) | \??\g: | ogqncgnr.exe
File opened (read-only) | \??\e: | ogqncgnr.exe
File opened (read-only) | \??\s: | ogqncgnr.exe
File opened (read-only) | \??\p: | vqjazzeaum.exe
File opened (read-only) | \??\q: | ogqncgnr.exe
File opened (read-only) | \??\x: | vqjazzeaum.exe
File opened (read-only) | \??\q: | vqjazzeaum.exe
File opened (read-only) | \??\v: | vqjazzeaum.exe
File opened (read-only) | \??\s: | ogqncgnr.exe
File opened (read-only) | \??\u: | ogqncgnr.exe
File opened (read-only) | \??\v: | ogqncgnr.exe
File opened (read-only) | \??\j: | ogqncgnr.exe
File opened (read-only) | \??\v: | ogqncgnr.exe
File opened (read-only) | \??\e: | vqjazzeaum.exe
File opened (read-only) | \??\g: | ogqncgnr.exe
File opened (read-only) | \??\k: | ogqncgnr.exe
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | vqjazzeaum.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | vqjazzeaum.exe
AutoIT Executable 11 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/1648-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x00080000000233f9-7.dat | autoit_exe
behavioral2/files/0x000700000002328e-18.dat | autoit_exe
behavioral2/files/0x00070000000233fb-32.dat | autoit_exe
behavioral2/files/0x00070000000233fa-27.dat | autoit_exe
behavioral2/files/0x000400000002296e-63.dat | autoit_exe
behavioral2/files/0x0002000000022975-69.dat | autoit_exe
behavioral2/files/0x000800000002337f-81.dat | autoit_exe
behavioral2/files/0x000800000002337e-75.dat | autoit_exe
behavioral2/files/0x000f000000023353-101.dat | autoit_exe
behavioral2/files/0x000f000000023353-328.dat | autoit_exe
Drops file in System32 directory 13 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\vqjazzeaum.exe | 4477999a03ba105e71476401b7cd3b71_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\vqjazzeaum.exe | 4477999a03ba105e71476401b7cd3b71_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\ogqncgnr.exe | 4477999a03ba105e71476401b7cd3b71_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | vqjazzeaum.exe
File created | C:\Windows\SysWOW64\ogqncgnr.exe | 4477999a03ba105e71476401b7cd3b71_JaffaCakes118.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | ogqncgnr.exe
File opened for modification | C:\Windows\SysWOW64\efbxffxpifvkv.exe | 4477999a03ba105e71476401b7cd3b71_JaffaCakes118.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | ogqncgnr.exe
File created | C:\Windows\SysWOW64\vamhhspgtvwkgpz.exe | 4477999a03ba105e71476401b7cd3b71_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\vamhhspgtvwkgpz.exe | 4477999a03ba105e71476401b7cd3b71_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\efbxffxpifvkv.exe | 4477999a03ba105e71476401b7cd3b71_JaffaCakes118.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | ogqncgnr.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | ogqncgnr.exe
Drops file in Program Files directory 15 IoCs
description | ioc | Process
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ogqncgnr.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | ogqncgnr.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ogqncgnr.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | ogqncgnr.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ogqncgnr.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ogqncgnr.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ogqncgnr.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | ogqncgnr.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ogqncgnr.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ogqncgnr.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ogqncgnr.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ogqncgnr.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ogqncgnr.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ogqncgnr.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | ogqncgnr.exe
Drops file in Windows directory 19 IoCs
description | ioc | Process
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | ogqncgnr.exe
File opened for modification | C:\Windows\mydoc.rtf | 4477999a03ba105e71476401b7cd3b71_JaffaCakes118.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | ogqncgnr.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | ogqncgnr.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | ogqncgnr.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | ogqncgnr.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | ogqncgnr.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | ogqncgnr.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | ogqncgnr.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | ogqncgnr.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | ogqncgnr.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | ogqncgnr.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | ogqncgnr.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | ogqncgnr.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | ogqncgnr.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | ogqncgnr.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | ogqncgnr.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Modifies registry class 20 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | vqjazzeaum.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | vqjazzeaum.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | vqjazzeaum.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | vqjazzeaum.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | vqjazzeaum.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 4477999a03ba105e71476401b7cd3b71_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC4B12D44EF39EC53CDBAD5329BD4C4" | 4477999a03ba105e71476401b7cd3b71_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | vqjazzeaum.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32452D799C2383276D3677A170232CDF7CF464AF" | 4477999a03ba105e71476401b7cd3b71_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | 4477999a03ba105e71476401b7cd3b71_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | vqjazzeaum.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | vqjazzeaum.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | vqjazzeaum.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | vqjazzeaum.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184DC67A15ECDABEB9BE7C97ED9234C6" | 4477999a03ba105e71476401b7cd3b71_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | vqjazzeaum.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F568B0FE6C21A9D108D0A58A7E9010" | 4477999a03ba105e71476401b7cd3b71_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | vqjazzeaum.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCAFACCF960F19183783A42819B3996B38B038B42160332E1C9459909A0" | 4477999a03ba105e71476401b7cd3b71_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF4FFF8485D82199145D7217E9DBC94E140594166416335D6E9" | 4477999a03ba105e71476401b7cd3b71_JaffaCakes118.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
2104 | WINWORD.EXE (×2)
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process (consecutive repeated rows collapsed with a count, in the original order)
1648 | 4477999a03ba105e71476401b7cd3b71_JaffaCakes118.exe (×16)
4812 | vamhhspgtvwkgpz.exe
4308 | ogqncgnr.exe
4812 | vamhhspgtvwkgpz.exe
4308 | ogqncgnr.exe
4812 | vamhhspgtvwkgpz.exe
4308 | ogqncgnr.exe
4812 | vamhhspgtvwkgpz.exe
4308 | ogqncgnr.exe
4812 | vamhhspgtvwkgpz.exe (×2)
4308 | ogqncgnr.exe (×2)
4812 | vamhhspgtvwkgpz.exe (×2)
4308 | ogqncgnr.exe (×2)
4660 | vqjazzeaum.exe (×10)
4812 | vamhhspgtvwkgpz.exe (×2)
1968 | efbxffxpifvkv.exe (×12)
4812 | vamhhspgtvwkgpz.exe (×2)
4208 | ogqncgnr.exe (×6)
Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process
1648 | 4477999a03ba105e71476401b7cd3b71_JaffaCakes118.exe (×3)
4660 | vqjazzeaum.exe (×3)
4812 | vamhhspgtvwkgpz.exe (×3)
4308 | ogqncgnr.exe (×3)
1968 | efbxffxpifvkv.exe (×3)
4208 | ogqncgnr.exe (×3)
Suspicious use of SendNotifyMessage 18 IoCs
pid | Process
1648 | 4477999a03ba105e71476401b7cd3b71_JaffaCakes118.exe (×3)
4660 | vqjazzeaum.exe (×3)
4812 | vamhhspgtvwkgpz.exe (×3)
4308 | ogqncgnr.exe (×3)
1968 | efbxffxpifvkv.exe (×3)
4208 | ogqncgnr.exe (×3)
Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process
2104 | WINWORD.EXE (×7)
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 1648 wrote to memory of 4660 | 1648 | 4477999a03ba105e71476401b7cd3b71_JaffaCakes118.exe | 83 (×3)
PID 1648 wrote to memory of 4812 | 1648 | 4477999a03ba105e71476401b7cd3b71_JaffaCakes118.exe | 84 (×3)
PID 1648 wrote to memory of 4308 | 1648 | 4477999a03ba105e71476401b7cd3b71_JaffaCakes118.exe | 85 (×3)
PID 1648 wrote to memory of 1968 | 1648 | 4477999a03ba105e71476401b7cd3b71_JaffaCakes118.exe | 86 (×3)
PID 1648 wrote to memory of 2104 | 1648 | 4477999a03ba105e71476401b7cd3b71_JaffaCakes118.exe | 88 (×2)
PID 4660 wrote to memory of 4208 | 4660 | vqjazzeaum.exe | 90 (×3)
Processes
(level 1) C:\Users\Admin\AppData\Local\Temp\4477999a03ba105e71476401b7cd3b71_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4477999a03ba105e71476401b7cd3b71_JaffaCakes118.exe"
  PID: 1648
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  (level 2) C:\Windows\SysWOW64\vqjazzeaum.exe
    Command line: vqjazzeaum.exe
    PID: 4660
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    (level 3) C:\Windows\SysWOW64\ogqncgnr.exe
      Command line: C:\Windows\system32\ogqncgnr.exe
      PID: 4208
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  (level 2) C:\Windows\SysWOW64\vamhhspgtvwkgpz.exe
    Command line: vamhhspgtvwkgpz.exe
    PID: 4812
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  (level 2) C:\Windows\SysWOW64\ogqncgnr.exe
    Command line: ogqncgnr.exe
    PID: 4308
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  (level 2) C:\Windows\SysWOW64\efbxffxpifvkv.exe
    Command line: efbxffxpifvkv.exe
    PID: 1968
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  (level 2) C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    PID: 2104
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads
Filesize: 512KB
MD5: c79a08ffbab8b5afbe8101864de75322
SHA1: c5cbaf2894bca431e0603ecf88f5b8217917ce0f
SHA256: bc483c75c97958e16ce379c81ce9ed31a444fb10801a8505cb11d75d8de2b6eb
SHA512: a3667673eb0b7178d278add6eafe80ba9d975281ee6418d4c731120cc37f992cd732e4619b4f8f706f7182282e3099cb19dce2e4d5a0c0395d597776991b9c3c

Filesize: 512KB
MD5: e61652eb91501591db62be2e823f662c
SHA1: 255270f2da86a3626ff7937363e761ddc9d2c1af
SHA256: 0838e1f4660ceb3c8c55510dcb8c6731a0bb97f1b72098fed44c9aed5b58834f
SHA512: 6f79e43d1338cdcaa03960eda98ea589c374ee57fdf90029a3933d6bc3aa13742718cfc4cc43e03e633cdda1e3d85f1ebbede65184c6ead432ff7bbe2faa9c66

Filesize: 263KB
MD5: ff0e07eff1333cdf9fc2523d323dd654
SHA1: 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA256: 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512: b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Filesize: 239B
MD5: 2fae0fe44fb67ed515b21a2b6fba40e3
SHA1: d39c4cb134c596851c157406149129a69844613b
SHA256: bd528b67c4e7b5924426cb6edc6bd85896db3a43e596bc76d32632d33eccc2b1
SHA512: 9902e514810847d11b83ceb64209c7a363f3b482f5444474673988fa0729295d8612ae6aa0d81a09d9adeb958f7e0251b414ef808f82f279df504bc04a347087

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: 7adf84f18301a921a8771bce55d32f84
SHA1: 30de48ccf1ee977cd170c9a432e123a1a80eb70c
SHA256: ea15fedfb975f216e7c5e1f192ee1cbc91fe5e51041fa55290430877f3aa1c63
SHA512: 905c0a552e26cbbdd1fda84512c318eeb74aeb08af9318d4aaab809f8adcfada59d8fd6445640ee9b6c3a0bea81687fa3d96c195a4a59316a63811a75a09f1a0

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: cf34fbf5a1bf22321e1b7848a4ea14e5
SHA1: 3eddc31cc02f3becee0f16d709c59a9c035ef5d3
SHA256: 316047a1fbf8370fe53e30a3d8e4e8df0e66ac49d23d61156bdfd93e4b47e977
SHA512: 956538dac41a2a7e15727ea69cb23b343d84851f284f10299d1bad1dc7c03badce269950f66e959da4533cf4e428c2e8a79080d99fb14603ec96e39c1f8f9809

Filesize: 512KB
MD5: c29b2f055aa26f6c0ff5fe89b8176401
SHA1: 91418a64c9c7ccbfc796436cc68f00b39a4b23cd
SHA256: c57bfb66f3ba37e02f4269985f643dbf1419db957cb08c93afa9b450c10aeb48
SHA512: 343c284bfd94b9007eeca8bba14be8903b73d91ade1b90c0b842a1e2ec07bc0fb1adb34f4b5c67fae3effbd1573af4ef54aafa75528ec931ced01076ac734ffe

Filesize: 512KB
MD5: 1db54cb6b355944192139058f9cbe79b
SHA1: 384b06c2babecb97012773b9834a10931a442678
SHA256: 30a8beca3f061c97a69cec759d08ece31133db2cc635c42dd411f83b80e1d9cc
SHA512: 9a7aadfac3ce4d4cb0f5636c823966d3653ae33a52a168c11041b739ca3f31812985596a96436192dfa7c65be280fef328828c7ddca91e09009efc3472b25fea

Filesize: 512KB
MD5: d08b9bf346f699552d403003f045181d
SHA1: ab69cb0b0b83ce6833fafbe4ed7468d522032c66
SHA256: 078b554df3c420d8965cc7da6b6422c973d93d8d179fb5760dc28ef20a4acc22
SHA512: a4bde0d89ad465f07fd6563ef62b550016cfcd7602dbdb415e396b9ac1e280eb849b3736c36703adf3751152ded01cb4458fc3c595f4492fd427b50cd5ebf48c

Filesize: 512KB
MD5: 7f60cddeb233f9fd510920429c584d60
SHA1: 764a3e60e24a77230732b947020b3c2f9e76cf18
SHA256: 958892651b457a63229ad08fc03f5f82a2ce0f1d2f6a7d1246aa22289335f4c1
SHA512: 8eb471be83c9db301f301b88babeb4c03ba2abcd168b4e31c61bba800bb9b45982402fbf56d3652d0984b1d81b1be5a8667115c9750d9df1804a07be0716aeec

Filesize: 512KB
MD5: 23482bb2b94e9eb6abffc49b1cd4d92b
SHA1: 39cc6377c74f71993585c5033a860fd1651395ec
SHA256: 022ed02b6546d81311f8c9adc80648d60c0978c7bfd9b511c5c506ae7123a538
SHA512: 6a03564cbf5b32732eba6978702f41f42bf2f4a7864bec03407d6a0a585fa7af2364d5f7d9a562f956645293f368290ee6a0203ddb38c661eb5e79e94b8aaad9

Filesize: 512KB
MD5: 56b1728298b9276b215210e24f095a57
SHA1: ff40eb6e8dcadb9b4da8b97d63e1ca55ac28163f
SHA256: efd1963c6d72e2f026c2abaac7ad62ce868c3058900974a0b7e058c135b65145
SHA512: acc762394aab0cf287b9ec11ba313aed5cdc7aa026dadc39c46331af73ed5f2f45fa7720f1778dedba7d3e6633af4bc4f792d89d25a1d0c1fed062abd4842cc4

Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Filesize: 512KB
MD5: ceeaddd41a5fa87f724d5239e3ce9058
SHA1: de9003f31f821099f9a15b64df6e515050f3c668
SHA256: 7668fbd78bc6e54702c09c0bd451faa5d297bdc1717360ffdd7c963190fb0ad3
SHA512: 28260ce3acba400593cdee93d98e73979489267846b8b17964d0bbbb7a9b04a8e2ab96663e6d21d4c7342ef27de2143e9bd0df214de6c8c839e3644863f74e07

Filesize: 512KB
MD5: adf3c78b32a97b82bbef0d1259e0790c
SHA1: 4bf1c2794687bf9d56ce5fd17fee8b3aedbb7b00
SHA256: 37aceaf9210b6aec794a4ebb561562ceaf7f77721dfee6f5c29af0e79931d117
SHA512: 930ba49761d3ca2c9f07f2cbbc467fcd79f51272df8490d3b6bf400ad3cffa5387d0f1d5fe95dfb6977626e788a11eb844e80bbb11e819598fe747ae808f521f