Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/05/2024, 11:10
Static task: static1
Behavioral task: behavioral1
  Sample: 45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2 (the run this report describes)
  Sample: 45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe
Size: 512KB
MD5: 45e4eee014788a7efcf398d896a0af64
SHA1: fc05b1f3a989308e498450c12f9b49fb71bb8354
SHA256: e52ffa52b7f8d71bfd0250e4b0ae56fbbdeb81b1747e9ed2061478bab51719b9
SHA512: 6cec19d0469c3f18575d3efedc24640b63785d3c42e8219d0bc471e4d13f8ef4d50898f83d35b583e945fc2ff9940509d7e4d6bcba1ca7a2b309ae821e992d0c
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6m:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm55
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" bbyadyhaeq.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" bbyadyhaeq.exe
Taken together, HideFileExt = 1 and ShowSuperHidden = 0 make Explorer show the dropped "<name>.doc.exe" files (see "Drops file in Program Files directory") as "<name>.doc" and keep hidden/system files out of view.
Windows security bypass 5 IoCs (signature name taken from the process listing below)
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" bbyadyhaeq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" bbyadyhaeq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" bbyadyhaeq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" bbyadyhaeq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" bbyadyhaeq.exe
These are the legacy (Windows XP SP2-era) Security Center notification and override values. The WOW6432Node path shows that the writer is a 32-bit process whose HKLM\SOFTWARE writes were redirected by WOW64; the values never reached the native Security Center key.
Disables RegEdit via registry modification 1 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" bbyadyhaeq.exe
Checks computer location settings 2 TTPs 1 IoCs
Queries the country code configured in the registry (Control Panel\International\Geo\Nation), a common geofencing check.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation 45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe
Executes dropped EXE 5 IoCs
pid Process
1148 bbyadyhaeq.exe
1964 xrjqxxycnhnihgw.exe
1628 ufkkztec.exe
1836 outejfrvabuow.exe
740 ufkkztec.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens. No IoCs are attached to this signature in the report, so treat the hit as unconfirmed.
Windows security modification 6 IoCs (signature name taken from the process listing below; overlaps with "Windows security bypass" above)
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" bbyadyhaeq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" bbyadyhaeq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" bbyadyhaeq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" bbyadyhaeq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" bbyadyhaeq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" bbyadyhaeq.exe
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\smcqmsry = "xrjqxxycnhnihgw.exe" xrjqxxycnhnihgw.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "outejfrvabuow.exe" xrjqxxycnhnihgw.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ohldomod = "bbyadyhaeq.exe" xrjqxxycnhnihgw.exe
All three values are bare file names with no path (the second is written to the Run key's default value); the matching binaries were dropped into C:\Windows\SysWOW64 (see "Drops file in System32 directory"). When hunting, match on the value data, not only on the value names, which are random.
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
File opened (read-only) \??\<letter>: for the drive letters below, grouped by process (64 opens in total):
bbyadyhaeq.exe: a, b, e, g, h, i, j, k, l, m, n, o, p, q, s, t, u, v, w, x, y, z (22 opens, each letter once)
ufkkztec.exe (PIDs 1628 and 740 together): a, b, e, g, h, i, j, k, l, m, n, o, p, q, r, s, t, u, v, w, x, y, z (42 opens; each letter twice except l, p, w and z)
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" bbyadyhaeq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" bbyadyhaeq.exe
4294967197 is the DWORD 0xFFFFFF9D (signed -99), the value historically used to switch off Windows File Protection on Windows 2000/XP. Windows File Protection was replaced by Windows Resource Protection from Vista onward, so on this Windows 10 image the write is a legacy artifact of the sample's age rather than an effective defence bypass; it is still a useful hunting indicator.
AutoIT Executable 11 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule
behavioral2/memory/4996-0-0x0000000000400000-0x0000000000496000-memory.dmp autoit_exe
behavioral2/files/0x00080000000233f4-6.dat autoit_exe
behavioral2/files/0x000a0000000233d8-18.dat autoit_exe
behavioral2/files/0x00070000000233f8-29.dat autoit_exe
behavioral2/files/0x00070000000233f9-32.dat autoit_exe
behavioral2/files/0x00020000000229b7-61.dat autoit_exe
behavioral2/files/0x00020000000229c8-68.dat autoit_exe
behavioral2/files/0x00080000000233d4-77.dat autoit_exe
behavioral2/files/0x0007000000023408-82.dat autoit_exe
behavioral2/files/0x0009000000023333-100.dat autoit_exe
behavioral2/files/0x0009000000023333-141.dat autoit_exe
Drops file in System32 directory 12 IoCs
description ioc Process (12 events on 6 distinct files; all land under SysWOW64 because the writers are 32-bit processes, as the WOW6432Node registry paths also show, and their C:\Windows\system32 writes are redirected by the WOW64 file system redirector)
File created; File opened for modification C:\Windows\SysWOW64\bbyadyhaeq.exe 45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe
File created; File opened for modification C:\Windows\SysWOW64\xrjqxxycnhnihgw.exe 45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe
File created; File opened for modification C:\Windows\SysWOW64\ufkkztec.exe 45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe
File created; File opened for modification C:\Windows\SysWOW64\outejfrvabuow.exe 45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe
File created; File opened for modification (twice) \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe ufkkztec.exe
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll bbyadyhaeq.exe
The last entry is the 32-bit Visual Basic 6 runtime being opened for write by a dropped binary; verify its hash on an infected host.
Drops file in Program Files directory 28 IoCs
description ioc Process (28 events on 8 distinct files; the report lists the same file both as C:\... and as the NT object-manager path \??\c:\..., collapsed here)
File created; File opened for modification C:\Program Files\MountUnpublish.doc.exe ufkkztec.exe
File opened for modification C:\Program Files\MountUnpublish.nal ufkkztec.exe
File created; File opened for modification C:\Program Files\TestDebug.doc.exe ufkkztec.exe
File opened for modification C:\Program Files\TestDebug.nal ufkkztec.exe
File created; File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe ufkkztec.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal ufkkztec.exe
File created; File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe ufkkztec.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal ufkkztec.exe
Every touched directory ends up with a <name>.nal that is only modified (never created) next to a newly created <name>.doc.exe or <name>.DOC.exe with the same base name. That is consistent with an existing document being renamed to .nal and an executable put in its place; with file extensions hidden (first signature above) the executable displays as a .doc file. On an infected host, hunt for .nal files and for executables whose stem still ends in a document extension.
Drops file in Windows directory 19 IoCs
description ioc Process (19 events on 6 distinct files; NT and Win32 path forms collapsed)
File created; File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe ufkkztec.exe (2 created, 3 modified)
File created; File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe ufkkztec.exe (2 created, 3 modified)
File created; File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe ufkkztec.exe (2 created, 2 modified)
File created; File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe ufkkztec.exe (2 created, 2 modified)
File opened for modification C:\Windows\mydoc.rtf 45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe; File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE
File created C:\Windows\~$mydoc.rtf WINWORD.EXE
The WinSxS hits are the sample's .doc-to-.doc.exe routine (see "Drops file in Program Files directory") matching on the legitimate MsoIrmProtector.doc that ships in the rights-management office-protectors component; no .nal companion appears for these, so the rename step evidently did not complete there. C:\Windows\mydoc.rtf is written by the sample and then opened in Word (see the process tree), and ~$mydoc.rtf is Word's normal owner-lock file for an open document.
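The three "Drops file" tables above list the same file under both its Win32 path and its NT object-manager path (\??\c:\...), and the Program Files entries pair each <name>.nal with a <name>.doc.exe. The block below is an added example written for this page by the editor, not code from the sandbox or from the sample; it normalises and de-duplicates lines in the report's own format and extracts the companion pairs. The input is a constructed subset of the report's lines, and the displayed_name helper assumes the HideFileExt = 1 setting from the first signature.

```python
"""Normalise the sandbox's file-drop lines, collapse duplicate path forms and
find <name>.nal / <name>.doc.exe companion pairs.  Editor's example; ntpath is
used so the Windows paths parse correctly on any host."""
import ntpath
import re
from typing import Dict, List, Set, Tuple

# Constructed input: a subset of the report's file events, copied verbatim.
DROP_EVENTS = [
    r'File opened for modification C:\Program Files\MountUnpublish.doc.exe ufkkztec.exe',
    r'File opened for modification C:\Program Files\MountUnpublish.nal ufkkztec.exe',
    r'File created \??\c:\Program Files\MountUnpublish.doc.exe ufkkztec.exe',
    r'File opened for modification C:\Program Files\TestDebug.doc.exe ufkkztec.exe',
    r'File opened for modification C:\Program Files\TestDebug.nal ufkkztec.exe',
    r'File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal ufkkztec.exe',
    r'File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe ufkkztec.exe',
    r'File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe ufkkztec.exe',
    r'File created C:\Windows\SysWOW64\bbyadyhaeq.exe 45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe',
    r'File created C:\Windows\~$mydoc.rtf WINWORD.EXE',
    r'File opened for modification C:\Windows\mydoc.rtf 45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe',
]

# "<op> <path> <process>": the path may contain spaces, so it is matched lazily
# and the process name is pinned to the final whitespace-free token.
_FILE = re.compile(
    r'^(?P<op>File created|File opened for modification|File opened \(read-only\))\s+'
    r'(?P<path>\S.*?)\s+(?P<proc>\S+)$'
)


def normalise(path: str) -> str:
    """'\\??\\c:\\x' (NT object-manager form) and 'C:\\x' name the same file."""
    if path.startswith('\\??\\'):
        path = path[4:]
    return path[0].upper() + path[1:]


def unique_files(lines: List[str]) -> Dict[str, Set[str]]:
    """Normalised path -> set of '<op> by <process>' strings, duplicates collapsed."""
    files: Dict[str, Set[str]] = {}
    for line in lines:
        m = _FILE.match(line)
        if not m:
            raise ValueError('unrecognised file event: %r' % line)
        files.setdefault(normalise(m['path']), set()).add('%s by %s' % (m['op'], m['proc']))
    return files


def double_extension_exes(paths) -> List[str]:
    """Executables whose stem still carries an extension, e.g. TestDebug.doc.exe."""
    out = []
    for p in paths:
        stem, ext = ntpath.splitext(ntpath.basename(p))
        if ext.lower() == '.exe' and ntpath.splitext(stem)[1]:
            out.append(p)
    return sorted(out)


def companion_pairs(paths) -> List[Tuple[str, str]]:
    """(executable, .nal file) pairs sharing directory and base name; case-insensitive."""
    by_key = {p.lower(): p for p in paths}
    pairs = []
    for exe in double_extension_exes(paths):
        directory, fname = ntpath.split(exe)
        base = ntpath.splitext(ntpath.splitext(fname)[0])[0]
        nal = ntpath.join(directory, base + '.nal').lower()
        if nal in by_key:
            pairs.append((exe, by_key[nal]))
    return pairs


def displayed_name(path: str) -> str:
    """What Explorer shows for the file once HideFileExt = 1 hides the final extension."""
    return ntpath.splitext(ntpath.basename(path))[0]


if __name__ == '__main__':
    files = unique_files(DROP_EVENTS)
    for exe, nal in companion_pairs(files):
        print('%s  <->  %s  (shown as "%s")' % (exe, nal, displayed_name(exe)))
```

Executables flagged by double_extension_exes that have no .nal companion (here MsoIrmProtector.doc.exe) are worth listing separately: they show where the routine ran but the rename did not complete.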
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). No IoCs are attached to this signature in the report; the concrete drive-letter opens are under "Enumerates connected drives" above.
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments. All three hits here come from WINWORD.EXE, which the sample launched to open C:\Windows\mydoc.rtf (see the process tree); Office reads these keys during its own start-up, so this is not by itself evidence of sandbox evasion by the sample.
description ioc Process
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
Same caveat as above: all three hits are from WINWORD.EXE, not from the sample or its drops.
description ioc Process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE
Modifies registry class 20 IoCs
description ioc Process (grouped by writer)
bbyadyhaeq.exe re-associates script and registry-file extensions with the plain-text handler:
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg bbyadyhaeq.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf bbyadyhaeq.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc bbyadyhaeq.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs bbyadyhaeq.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat bbyadyhaeq.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh bbyadyhaeq.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" bbyadyhaeq.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" bbyadyhaeq.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" bbyadyhaeq.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" bbyadyhaeq.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" bbyadyhaeq.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" bbyadyhaeq.exe
Setting the default value of these extension keys to "txtfile" changes their ProgID, so double-clicking a cleanup .reg file or a removal .bat/.vbs script opens it in Notepad instead of executing it. Together with DisableRegistryTools = 1 this is an anti-removal measure, and the associations must be restored during cleanup.
The original sample stores six opaque hex strings under a custom class key; their meaning is not recoverable from this report:
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes 45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7876BC4FE6821DCD27FD0A38A0F9111" 45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193AC67C15E1DBC5B8C97FE7ECE737B9" 45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33412C7A9D2083276A4177A0702E2CDF7DF465D8" 45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BBDF9CDF967F29884783A3281EB3992B08102FC4366034BE1BD42E709D4" 45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB7B12C47E539E952C4B9D632E9D7C5" 45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFEFC824F5F856D9132D7217E97BC92E133594566426331D6EA" 45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings 45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe
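The registry signatures above (Explorer view settings, Security Center values, DisableRegistryTools, the Run key, Winlogon and the script-extension classes) all arrive as single flattened lines. The block below is an added example written by the editor for this page, not code from the sandbox or from the sample's authors: it parses lines in the report's own "<op> <key> = "<value>" <process>" format and maps each event to an ATT&CK technique ID. The rule table is the editor's own mapping, chosen to match the technique names in the report's MITRE section; the T1614 tag for the Geo\Nation query and the "script-handler-neutralised" label are the editor's additions, and the sample lines are copied from the report.

```python
"""Parse the sandbox's flattened registry IoC lines and map each event to an
ATT&CK technique.  Editor's example; the rule table is the editor's mapping,
not the sandbox's rule set."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed input: registry events copied verbatim from the signature tables above.
REPORT_EVENTS = [
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" bbyadyhaeq.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" bbyadyhaeq.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" bbyadyhaeq.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" bbyadyhaeq.exe',
    r'Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation 45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\smcqmsry = "xrjqxxycnhnihgw.exe" xrjqxxycnhnihgw.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "outejfrvabuow.exe" xrjqxxycnhnihgw.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" bbyadyhaeq.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" bbyadyhaeq.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat bbyadyhaeq.exe',
]

# <op> <key path>[\<value name> = "<value>"] <process>.  Key paths contain spaces
# ("Security Center", "Control Panel"), so the key is matched lazily and the
# process is pinned to the last whitespace-free token on the line.
_EVENT = re.compile(
    r'^(?P<op>Set value \((?:int|str)\)|Key created|Key opened|Key value queried)\s+'
    r'(?P<key>\\REGISTRY\\.+?)'
    r'(?:\s=\s"(?P<value>[^"]*)")?'
    r'\s+(?P<proc>\S+)$'
)


@dataclass(frozen=True)
class RegEvent:
    op: str
    key: str             # for "Set value": key path + '\' + value name
    value: Optional[str]
    process: str

    @property
    def path(self) -> str:
        return self.key.rsplit('\\', 1)[0] if self.op.startswith('Set value') else self.key

    @property
    def name(self) -> str:
        # "...\Run\ = ..." has an empty name: the key's (Default) value.
        return self.key.rsplit('\\', 1)[1] if self.op.startswith('Set value') else ''


def parse(line: str) -> RegEvent:
    m = _EVENT.match(line)
    if not m:
        raise ValueError('unrecognised event line: %r' % line)
    return RegEvent(m['op'], m['key'], m['value'], m['proc'])


def signed_dword(text: str) -> int:
    """The report prints DWORDs unsigned; 4294967197 is really -99 (0xFFFFFF9D)."""
    n = int(text)
    return n - (1 << 32) if n >= (1 << 31) else n


def classify(ev: RegEvent) -> List[str]:
    """ATT&CK technique IDs (editor's mapping) triggered by one registry event."""
    p, n, v = ev.path.lower(), ev.name.lower(), (ev.value or '').lower()
    tags: List[str] = []
    if ev.op.startswith('Set value'):
        tags.append('T1112')                        # Modify Registry
    if p.endswith(r'\explorer\advanced') and (
            (n == 'hidefileext' and v == '1') or (n == 'showsuperhidden' and v == '0')):
        tags.append('T1564.001')                    # Hidden Files and Directories
    if p.endswith(r'\policies\system') and n == 'disableregistrytools' and v == '1':
        tags.append('T1562.001')                    # Disable or Modify Tools
    if r'\security center' in p and v == '1' and (
            n.endswith('override') or n.endswith('disablenotify') or n == 'firstrundisabled'):
        tags.append('T1562.001')
    if p.endswith(r'\currentversion\run'):
        tags.append('T1547.001')                    # Registry Run Keys / Startup Folder
    if p.endswith(r'\winlogon'):
        tags.append('T1547.004')                    # Winlogon Helper DLL (the report's mapping for Winlogon writes)
    if ev.op == 'Key value queried' and p.endswith(r'\geo\nation'):
        tags.append('T1614')                        # System Location Discovery
    if re.search(r'\\classes\\\.(bat|vbs|wsf|wsc|wsh|reg)$', p) and v == 'txtfile':
        tags.append('script-handler-neutralised')   # editor's label, not an ATT&CK ID
    return tags


def summarise(lines: List[str]) -> Dict[str, List[str]]:
    """technique -> sorted list of processes that triggered it."""
    hits: Dict[str, set] = {}
    for line in lines:
        ev = parse(line)
        for tag in classify(ev):
            hits.setdefault(tag, set()).add(ev.process)
    return {tag: sorted(procs) for tag, procs in hits.items()}


if __name__ == '__main__':
    for tag, procs in summarise(REPORT_EVENTS).items():
        print(tag, ', '.join(procs))
```

Feeding the full signature tables through summarise gives one line per technique with the processes responsible, which is the per-process attribution the flattened tables make hard to read; on a live host the same classify rules can be run over exported registry values to triage a suspected infection.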
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process
2020 WINWORD.EXE (2 events)
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process (event count per process)
4996 45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe (16)
1628 ufkkztec.exe (8)
1148 bbyadyhaeq.exe (10)
1964 xrjqxxycnhnihgw.exe (10)
1836 outejfrvabuow.exe (12)
740 ufkkztec.exe (8)
Suspicious use of FindShellTrayWindow 18 IoCs
pid Process (3 events each)
4996 45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe
1148 bbyadyhaeq.exe
1964 xrjqxxycnhnihgw.exe
1628 ufkkztec.exe
1836 outejfrvabuow.exe
740 ufkkztec.exe
Suspicious use of SendNotifyMessage 18 IoCs
pid Process (3 events each; the same six processes as FindShellTrayWindow)
4996 45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe
1148 bbyadyhaeq.exe
1964 xrjqxxycnhnihgw.exe
1628 ufkkztec.exe
1836 outejfrvabuow.exe
740 ufkkztec.exe
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process
2020 WINWORD.EXE (7 events)
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target
PID 4996 wrote to memory of 1148 4996 45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe 83 (3 events)
PID 4996 wrote to memory of 1964 4996 45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe 84 (3 events)
PID 4996 wrote to memory of 1628 4996 45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe 85 (3 events)
PID 4996 wrote to memory of 1836 4996 45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe 86 (3 events)
PID 1148 wrote to memory of 740 1148 bbyadyhaeq.exe 87 (3 events)
PID 4996 wrote to memory of 2020 4996 45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe 88 (2 events)
The six source/target pairs are exactly the parent/child relationships in the process tree below, and each child is written to two or three times right after it appears. That is the pattern of a parent writing into a process it has just created; on its own it is not evidence of code injection into an unrelated process, and no write to a process outside the tree is recorded.
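The 17 WriteProcessMemory entries above collapse to six parent/child edges, and ordering them by the sandbox's procid_target sequence number reproduces the process tree in the Processes section. The block below is an added example by the editor, not code from the sandbox: it rebuilds and renders that tree from lines in the report's own format. The input lines are copied from the report, and the PID-to-image-name map is assembled by the editor from the "Executes dropped EXE" table and the WINWORD.EXE entries.

```python
"""Rebuild the process tree from the sandbox's 'PID X wrote to memory of Y'
lines.  Editor's example; input copied from the report above."""
import re
from typing import Dict, List, Tuple

# Constructed input: the 17 WriteProcessMemory lines from the report.  The
# trailing number is the sandbox's sequence id for the target ("procid_target").
WPM_EVENTS = [
    'PID 4996 wrote to memory of 1148 4996 45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe 83',
    'PID 4996 wrote to memory of 1148 4996 45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe 83',
    'PID 4996 wrote to memory of 1148 4996 45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe 83',
    'PID 4996 wrote to mem_of_placeholder' if False else 'PID 4996 wrote to memory of 1964 4996 45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe 84',
    'PID 4996 wrote to memory of 1964 4996 45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe 84',
    'PID 4996 wrote to memory of 1964 4996 45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe 84',
    'PID 4996 wrote to memory of 1628 4996 45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe 85',
    'PID 4996 wrote to memory of 1628 4996 45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe 85',
    'PID 4996 wrote to memory of 1628 4996 45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe 85',
    'PID 4996 wrote to memory of 1836 4996 45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe 86',
    'PID 4996 wrote to memory of 1836 4996 45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe 86',
    'PID 4996 wrote to memory of 1836 4996 45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe 86',
    'PID 1148 wrote to memory of 740 1148 bbyadyhaeq.exe 87',
    'PID 1148 wrote to memory of 740 1148 bbyadyhaeq.exe 87',
    'PID 1148 wrote to memory of 740 1148 bbyadyhaeq.exe 87',
    'PID 4996 wrote to memory of 2020 4996 45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe 88',
    'PID 4996 wrote to memory of 2020 4996 45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe 88',
]

# PID -> image name, assembled from the report's other signature tables.
NAMES = {
    4996: '45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe',
    1148: 'bbyadyhaeq.exe',
    1964: 'xrjqxxycnhnihgw.exe',
    1628: 'ufkkztec.exe',
    1836: 'outejfrvabuow.exe',
    740: 'ufkkztec.exe',
    2020: 'WINWORD.EXE',
}

# The source PID is repeated after the target; (?P=src) enforces that.
_WPM = re.compile(
    r'^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<proc>\S+) (?P<seq>\d+)$'
)


def edges(lines: List[str]) -> Dict[Tuple[int, int], Tuple[int, int]]:
    """(parent, child) -> (sequence id, number of write events), duplicates folded."""
    out: Dict[Tuple[int, int], Tuple[int, int]] = {}
    for line in lines:
        m = _WPM.match(line)
        if not m:
            raise ValueError('unrecognised line: %r' % line)
        key = (int(m['src']), int(m['dst']))
        seq, count = out.get(key, (int(m['seq']), 0))
        out[key] = (seq, count + 1)
    return out


def roots(edge_map: Dict[Tuple[int, int], Tuple[int, int]]) -> List[int]:
    """PIDs that write to others but are never written to: the tree's root(s)."""
    parents = {p for p, _ in edge_map}
    children = {c for _, c in edge_map}
    return sorted(parents - children)


def render_tree(edge_map, root: int, names: Dict[int, str]) -> List[str]:
    """Indented 'PID image' lines, children ordered by sequence id (creation order)."""
    children: Dict[int, List[Tuple[int, int]]] = {}
    for (parent, child), (seq, _count) in edge_map.items():
        children.setdefault(parent, []).append((seq, child))
    out: List[str] = []
    seen = set()

    def walk(pid: int, depth: int) -> None:
        if pid in seen:          # guard against malformed, cyclic input
            return
        seen.add(pid)
        out.append('%s%d %s' % ('  ' * depth, pid, names.get(pid, '<unknown>')))
        for _seq, child in sorted(children.get(pid, [])):
            walk(child, depth + 1)

    walk(root, 0)
    return out


if __name__ == '__main__':
    e = edges(WPM_EVENTS)
    for r in roots(e):
        print('\n'.join(render_tree(e, r, NAMES)))
```

A write to a PID that is not a child in the tree, or a parent/child edge that is missing from the sandbox's process list, would be the case worth escalating; roots returning more than one PID is the quickest sign of that.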
Processes
C:\Users\Admin\AppData\Local\Temp\45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe (depth 1, PID 4996)
  command line: "C:\Users\Admin\AppData\Local\Temp\45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\bbyadyhaeq.exe (depth 2, PID 1148)
    command line: bbyadyhaeq.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\ufkkztec.exe (depth 3, PID 740)
      command line: C:\Windows\system32\ufkkztec.exe (the 32-bit parent's system32 path is redirected to SysWOW64 by the WOW64 file system redirector, which is why the image path and the command line differ)
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\xrjqxxycnhnihgw.exe (depth 2, PID 1964)
    command line: xrjqxxycnhnihgw.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\ufkkztec.exe (depth 2, PID 1628)
    command line: ufkkztec.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\outejfrvabuow.exe (depth 2, PID 1836)
    command line: outejfrvabuow.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (depth 2, PID 2020)
    command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Word is launched by the sample itself to open C:\Windows\mydoc.rtf, which the sample had just written. The signatures attributed to WINWORD.EXE (processor and BIOS reads, clipboard listener, window hooks, the ~$mydoc.rtf lock file) are ordinary Office behaviour and should not be counted against the sample; what matters is that the sample chose to show the user a document while its drops ran.
Network
MITRE ATT&CK Enterprise v15 (number of matching signatures in parentheses)
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (6)
Downloads
Files extracted from the run. The report names a path for only two of them; the rest are listed by hash only. Ten of the fifteen are 512KB, the same size as the submitted sample, yet none of them shares the sample's hash (MD5 45e4eee014788a7efcf398d896a0af64), so matching on the parent's hash alone will not catch the files it writes; use the behavioural indicators above instead. The two CustomDestinations-ms files are Windows jump-list files under the Admin profile, updated during the run; they are analysis-host artifacts, not sample payloads.

Filesize: 512KB
MD5: 786e8eef5ae896fb874e5815ad705aaa
SHA1: daf0d475fdc8b4d5f123844a4e60d5d3ed69c5af
SHA256: a2b82047368966157a25f3f9abfdfae35c20726c36ceb5481e002fe615ba915d
SHA512: e1c090ac9b942cae99fc234106ea0e4c3da535f2c32253e8577961056824d3f243759e2f93fa7bbcc484341e5a6d8a8ec21572ab73844dfcf8aca1943541575f

Filesize: 512KB
MD5: ea633d1de8fc1f16482f77813867dae7
SHA1: 1d845aeaae65a7d08d6337f9e388c68c08d8416d
SHA256: a21ecca2d0d8293faf28fb0cecd0d65db74f1f3b40bb87256352b7b10a876e4e
SHA512: eb6f772c9af3db34407ac1f34e1a37a84c4e3be10d87756eeb9425e0c83d3fdda12d05c14fd75a999bc300c776edc6c9b33898e3b9b17eaf02861e0de4d5add2

Filesize: 512KB
MD5: fe42592edf7231dcedad3d5c8630721c
SHA1: a94410f7247190cfbb86c641ac5a08216d12feca
SHA256: 5f987a7999c7090187712ea5213672f3fe0b1cf0a7757dfe682db623d4389ba1
SHA512: 9ca205169bf4c6afc148e87f0422f427a84e4795392fe29736eba5f7e6e59937d5aeb3c95f77074d7aa03819275d2fffbc4f0ca102ee7583ba1431dc8c0ff543

Filesize: 512KB
MD5: 3c128a06f4b67b844d2c3642e8b2d32b
SHA1: d9ac8c4b342057b87f5dadcd513d3d1b77bcab28
SHA256: 1fec05fac01d28d0a5d04bb488f0bea448e1a59924c75c178d442d62ce29bd20
SHA512: 0a3d02e87945bb7d7cf934f577c2e05e36d37159e27bc069123b5cc6ae7d008a846ad58e4f3c293462eacb1986c19b29a1dd4a65ccf6499f303791fb1a1936cb

Filesize: 263KB
MD5: ff0e07eff1333cdf9fc2523d323dd654
SHA1: 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA256: 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512: b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Filesize: 239B
MD5: 12b138a5a40ffb88d1850866bf2959cd
SHA1: 57001ba2de61329118440de3e9f8a81074cb28a2
SHA256: 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA512: 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: 60832a6f47f16e2cf1771d847cf0fe54
SHA1: ca1aef2c3b246c100b1b8a7a2ea2cd250ce0acbd
SHA256: cf7cf19a1b5805ec4b0686199f41817b059a618b09331d440fa2f9606867cbbb
SHA512: f5112f00ce40d5441ba294bbb28566407991f59ab06ce77443cb0a9aef3f89ee97133e3ccbdc397fb0bc74a92338058f431b46d2e696e38a6a6604c7bcf1ef73

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: 2afaa0755abf506991c0d908adaea083
SHA1: 4551563b85795c6c86e48e6c3f1e3daa8a8146c2
SHA256: 090bb2bdd916ad2e9964667b47ecac321a4d73009e82b5dd1ff5910c3668ee59
SHA512: 3e3dc7683cf8bf05b5266af818bd4d8ced89c72e4f446876cf333f6b53bd65587913bc85caa950064ea38e19e0bf9b881f137cb68019b21b5169eb717ab039a8

Filesize: 512KB
MD5: 8b3b630e06ba7998c7e273ad93023c95
SHA1: d474c437429278b8e010096a32da244ba75f4700
SHA256: 8b496bae970ca6d3995d56dc17b7caaae49f4ab15b2e41ba38e524f0a838aafd
SHA512: 77869c91cbb1acc34d11016a177fdc3a1b92a7f15733d58b4a8e373d7d8e99467c078ac00b2307c98327f66ddaf7baa1985200765b474094c040aef1bbbb97ce

Filesize: 512KB
MD5: e8ed41959c85da8344ff3f3621ad2c9b
SHA1: 070a523628a85aaba6244da4dd84e531b4f1dee7
SHA256: 22d61946a4530106170e49b190d7231872b570fd527d0061f392e3cd518108fd
SHA512: b9cb389b0bfe13f7aa7eae199f831acb15fdda2497237a015443d31c4ae6469a42d896174bfea75f8b252a6c9ce3cc2e4b0429ce2358600fef20f263a683241b

Filesize: 512KB
MD5: a560edbaf9b346600834457d07bc5347
SHA1: ae33e11a86e360de9cf690334f63a3abb9e62dca
SHA256: 231e2bf1132fbc597e86476bcf5ac1c8f11dd53aa6f5d3cae96a5a919640b727
SHA512: 3b06399edd0f4b8116cbb233dd4cd958b306d7a73e0a5996f04e7d25749670b4d042ea955043dbeabdd1a66e1dd8eda20d7abae5c76c365ad5b971b027feb8b3

Filesize: 512KB
MD5: acae3016c17163b16355ea68758d18ab
SHA1: 4d7b0db06c11df2b7127921aecaf8117d4571a2c
SHA256: 9eb95e237a789f3de32a44222d1c598bf0d664c5b12f916708f1376964b62238
SHA512: ece435f7d124c7c01a0183caa2191b70cf16f73c224a4eb6da6207a3d03660b7abea1b317e531b5bcf36fbd2fd3338fe591e9ee1dfbe4da80f270297d96aeb3f

Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Filesize: 512KB
MD5: 996b9ce90b9ad79535bc82220e2d2948
SHA1: a8f529505ca2bdf85b1fcc541e0322f9709b0549
SHA256: 8d665e77f4ebd7d0c6edd376b774d5a38f92e6f2fa59a6265f5468d2ae793c01
SHA512: e620d559643194f5ec1cbe68942487c463378b61e551cb06db76af4b86943de8fa02e1d1428814fba85036602312e34b25b586b6d091717fb42bb1d3965293e0

Filesize: 512KB
MD5: 9bd4e83dcf3edba5221ca066402ec0c5
SHA1: 1ad425e275cdd2fedee0a7a582960623f8432b22
SHA256: f84b02e315e61455f40a9aa5fe3b9ed4172fa3128697edc393ef2698a1a1bf1d
SHA512: 732a128d15ef7bf92a4f0c3bf229067b9617e3f7827e528d23c82c0a0a99efd1c16cac8a8109826e79e55431da054774319ff2b9bb220be71e5edca8606d9668