Analysis

max time kernel: 150s
max time network: 128s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/05/2024, 10:44

Static task: static1

Behavioral task: behavioral1
Sample: 45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe
Resource: win7-20231129-en

Behavioral task: behavioral2
Sample: 45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe
Resource: win10v2004-20240508-en
General

Target: 45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe
Size: 512KB
MD5: 45cb60ae113dec6e981c4de731eeec82
SHA1: 9379357a85748e623c7ba9c6c7b293e947dc5ed8
SHA256: 3b9a638cd3fe3315d7aa86d50f41647c0d33f05893d8d3f67ed360cefb670e86
SHA512: 593b4fbffc5a4870ce9dbfebbdafdd17c674796cf32bf6e35a274f1c909b12153c7790c4e25b43f25731cd298ed047d06f0f3e32c2a2fea83055e63725ce4d90
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6e:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5z
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | rawzmsvtwq.exe

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | rawzmsvtwq.exe
Windows security bypass (5 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | rawzmsvtwq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | rawzmsvtwq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | rawzmsvtwq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | rawzmsvtwq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | rawzmsvtwq.exe
Disables RegEdit via registry modification (1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | rawzmsvtwq.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | 45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe

Executes dropped EXE (5 IoCs)
pid | Process
1148 | rawzmsvtwq.exe
208 | omupujwxtivgfok.exe
4820 | sznufzsr.exe
5064 | jlttdjmydcbbv.exe
4216 | sznufzsr.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | rawzmsvtwq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | rawzmsvtwq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | rawzmsvtwq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | rawzmsvtwq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | rawzmsvtwq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | rawzmsvtwq.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wbqgyfke = "rawzmsvtwq.exe" | omupujwxtivgfok.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pfmzukdg = "omupujwxtivgfok.exe" | omupujwxtivgfok.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "jlttdjmydcbbv.exe" (unnamed default value) | omupujwxtivgfok.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc (in order of occurrence) | Process
File opened (read-only) | \??\j: \??\v: \??\a: \??\o: \??\u: \??\g: \??\p: \??\n: \??\s: \??\h: \??\m: \??\y: \??\w: \??\z: \??\i: \??\t: \??\k: \??\b: \??\e: \??\q: \??\x: \??\r: | rawzmsvtwq.exe (22 entries)
File opened (read-only) | \??\e: \??\h: \??\w: \??\l: \??\p: \??\a: \??\b: \??\u: \??\w: \??\y: \??\e: \??\m: \??\x: \??\p: \??\x: \??\z: \??\n: \??\s: \??\y: \??\g: \??\z: \??\k: \??\j: \??\l: \??\i: \??\v: \??\v: \??\a: \??\q: \??\j: \??\k: \??\n: \??\r: \??\b: \??\s: \??\u: \??\o: \??\t: \??\o: \??\g: \??\r: \??\t: | sznufzsr.exe (42 entries across both instances, PIDs 4820 and 4216)
Modifies WinLogon (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | rawzmsvtwq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | rawzmsvtwq.exe

AutoIT Executable (10 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/3008-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x00080000000235b5-5.dat | autoit_exe
behavioral2/files/0x00090000000235af-18.dat | autoit_exe
behavioral2/files/0x00070000000235b6-27.dat | autoit_exe
behavioral2/files/0x00070000000235b7-31.dat | autoit_exe
behavioral2/files/0x00050000000228e2-66.dat | autoit_exe
behavioral2/files/0x00090000000233c6-72.dat | autoit_exe
behavioral2/files/0x0009000000023300-78.dat | autoit_exe
behavioral2/files/0x000900000002296f-96.dat | autoit_exe
behavioral2/files/0x000900000002296f-400.dat | autoit_exe
Drops file in System32 directory (12 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\sznufzsr.exe | 45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | sznufzsr.exe
File created | C:\Windows\SysWOW64\omupujwxtivgfok.exe | 45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\omupujwxtivgfok.exe | 45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\sznufzsr.exe | 45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\jlttdjmydcbbv.exe | 45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | rawzmsvtwq.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | sznufzsr.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | sznufzsr.exe
File created | C:\Windows\SysWOW64\rawzmsvtwq.exe | 45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\rawzmsvtwq.exe | 45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\jlttdjmydcbbv.exe | 45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe

Drops file in Program Files directory (14 IoCs)
description | ioc | Process
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | sznufzsr.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | sznufzsr.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | sznufzsr.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | sznufzsr.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | sznufzsr.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | sznufzsr.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | sznufzsr.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | sznufzsr.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | sznufzsr.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | sznufzsr.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | sznufzsr.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | sznufzsr.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | sznufzsr.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | sznufzsr.exe

Drops file in Windows directory (19 IoCs)
description | ioc | Process
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | sznufzsr.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | sznufzsr.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | sznufzsr.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | sznufzsr.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | sznufzsr.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | sznufzsr.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | sznufzsr.exe
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | sznufzsr.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | sznufzsr.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | sznufzsr.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | sznufzsr.exe
File opened for modification | C:\Windows\mydoc.rtf | 45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | sznufzsr.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | sznufzsr.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | sznufzsr.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | sznufzsr.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | sznufzsr.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE

Modifies registry class (20 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings | 45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | rawzmsvtwq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | rawzmsvtwq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | rawzmsvtwq.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB1B02047E0389853C8B9A733EFD4C4" | 45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | rawzmsvtwq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | rawzmsvtwq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | rawzmsvtwq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32412C799D5582556A3177D377202DDA7CF265D8" | 45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFBFF8B4F5F826E913CD72D7DE7BCE4E136594467456345D6E9" | 45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | rawzmsvtwq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | rawzmsvtwq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | rawzmsvtwq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | rawzmsvtwq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABAFAB9FE13F29984753B4B819C3E99B38B02FD4215033EE1C842EF08A1" | 45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F66BB7FF1C21DFD179D0A88A0B9116" | 45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193FC60C1594DBB1B9C17C94EDE534CE" | 45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | rawzmsvtwq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | rawzmsvtwq.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid | Process | occurrences
2340 | WINWORD.EXE | 2

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process | occurrences (in order of appearance)
3008 | 45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe | 16
208 | omupujwxtivgfok.exe | 8
1148 | rawzmsvtwq.exe | 10
208 | omupujwxtivgfok.exe | 2
4820 | sznufzsr.exe | 8
5064 | jlttdjmydcbbv.exe | 12
208 | omupujwxtivgfok.exe | 2
4216 | sznufzsr.exe | 6

Suspicious use of FindShellTrayWindow (18 IoCs)
pid | Process | occurrences
3008 | 45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe | 3
1148 | rawzmsvtwq.exe | 3
208 | omupujwxtivgfok.exe | 3
4820 | sznufzsr.exe | 3
5064 | jlttdjmydcbbv.exe | 3
4216 | sznufzsr.exe | 3

Suspicious use of SendNotifyMessage (18 IoCs)
pid | Process | occurrences
3008 | 45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe | 3
1148 | rawzmsvtwq.exe | 3
208 | omupujwxtivgfok.exe | 3
4820 | sznufzsr.exe | 3
5064 | jlttdjmydcbbv.exe | 3
4216 | sznufzsr.exe | 3

Suspicious use of SetWindowsHookEx (7 IoCs)
pid | Process | occurrences
2340 | WINWORD.EXE | 7

Suspicious use of WriteProcessMemory (17 IoCs)
description | pid | Process | procid_target | occurrences
PID 3008 wrote to memory of 1148 | 3008 | 45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe | 89 | 3
PID 3008 wrote to memory of 208 | 3008 | 45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe | 90 | 3
PID 3008 wrote to memory of 4820 | 3008 | 45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe | 91 | 3
PID 3008 wrote to memory of 5064 | 3008 | 45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe | 92 | 3
PID 3008 wrote to memory of 2340 | 3008 | 45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe | 94 | 2
PID 1148 wrote to memory of 4216 | 1148 | rawzmsvtwq.exe | 96 | 3
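Host triage script. This is an added example and not part of the sandbox output; it checks a live Windows host for the registry, Run-key, file-association and dropped-file indicators recorded in the signatures above, so that a responder can confirm or rule out the same infection on other machines. Assumptions that do not come from the report: the remarks about which values are also Windows defaults, the heuristic that flags any bare random-looking exe name in a Run key, the choice of directories swept for the `*.doc.exe` pattern, and iterating every loaded user hive instead of only the SID seen in the sandbox. The sample is 32-bit, which is why its machine-hive writes appear under WOW6432Node; the script checks both registry views.

```powershell
# Added host-triage script for the indicators in this report (example code, not
# sandbox output). Run elevated in 64-bit PowerShell on the suspect host.
# Assumptions (not from the report): the "also a Windows default" remarks, the
# heuristic for unpathed Run values, and the directories swept for *.doc.exe.
$ErrorActionPreference = 'SilentlyContinue'
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Kind, [string]$Where, $Value, [string]$Note) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Where = $Where; Value = "$Value"; Note = $Note })
}

# Flag a registry value only when it equals exactly what the sample wrote.
function Test-RegValue([string]$Path, [string]$Name, [string]$Bad, [string]$Note) {
    $val = (Get-ItemProperty -Path $Path -Name $Name).$Name
    if ($null -ne $val -and "$val" -eq $Bad) { Add-Finding 'Registry' "$Path\$Name" $val $Note }
}

# 1. Per-user hives (the report shows S-1-5-21-...-1000; check every loaded user).
#    HideFileExt=1 and ShowSuperHidden=0 are also the Windows defaults, so they only
#    corroborate; DisableRegistryTools=1 is not present on a clean install (assumption).
Get-ChildItem Registry::HKEY_USERS | Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } | ForEach-Object {
    $u = "Registry::HKEY_USERS\$($_.PSChildName)\SOFTWARE\Microsoft\Windows\CurrentVersion"
    Test-RegValue "$u\Explorer\Advanced" 'HideFileExt'          '1' 'Explorer hides extensions (weak: also default)'
    Test-RegValue "$u\Explorer\Advanced" 'ShowSuperHidden'      '0' 'Explorer hides system files (weak: also default)'
    Test-RegValue "$u\Policies\System"   'DisableRegistryTools' '1' 'RegEdit disabled by policy'
}

# 2. Machine hive. The 32-bit sample wrote under WOW6432Node; the native view is
#    checked as well so the script also works on a 32-bit host or after a re-run.
foreach ($sw in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node') {
    $sc = "$sw\Microsoft\Security Center"
    foreach ($n in 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify',
                   'FirstRunDisabled', 'AntiVirusOverride', 'FirewallOverride') {
        Test-RegValue $sc $n '1' 'Security Center notification suppressed'
    }
    $wl = "$sw\Microsoft\Windows NT\CurrentVersion\Winlogon"
    Test-RegValue $wl 'SFCDisable' '4294967197' 'SFCDisable = 4294967197 (0xFFFFFF9D)'
    Test-RegValue $wl 'SFCScan'    '0'          'SFCScan = 0'

    # Run-key persistence. The report's values are bare exe names (no path) for
    # binaries dropped into SysWOW64; the unnamed entry is the key's default value.
    $run = "$sw\Microsoft\Windows\CurrentVersion\Run"
    $reported = 'wbqgyfke', 'pfmzukdg', '(default)'
    (Get-ItemProperty -Path $run).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -match '^[a-z]{6,20}\.exe$' } |
        ForEach-Object {
            $note = if ($reported -contains $_.Name) { 'Run value named in the report' } else { 'unpathed random-looking exe (heuristic)' }
            Add-Finding 'Persistence' "$run\$($_.Name)" $_.Value $note
        }
}

# 3. Script handlers re-pointed at txtfile: .bat/.vbs/.reg/.wsf/.wsh/.wsc open in
#    Notepad instead of executing, which breaks script-based cleanup.
foreach ($ext in '.bat', '.vbs', '.reg', '.wsf', '.wsh', '.wsc') {
    Test-RegValue "HKLM:\SOFTWARE\Classes\$ext" '(default)' 'txtfile' 'script extension re-pointed at txtfile'
}

# 4. Dropped binaries and companion files named in the report.
$dropped = 'rawzmsvtwq.exe', 'omupujwxtivgfok.exe', 'sznufzsr.exe', 'jlttdjmydcbbv.exe'
foreach ($dir in "$env:SystemRoot\SysWOW64", "$env:SystemRoot\System32") {
    foreach ($f in $dropped) {
        $p = Join-Path $dir $f
        if (Test-Path $p) { Add-Finding 'File' $p (Get-FileHash $p -Algorithm SHA256).Hash 'dropped executable' }
    }
}
if (Test-Path "$env:SystemRoot\mydoc.rtf") { Add-Finding 'File' "$env:SystemRoot\mydoc.rtf" '' 'document opened via WINWORD.EXE' }

# sznufzsr.exe wrote <name>.DOC.exe copies beside Office and WinSxS files; sweep for
# the pattern (slow on a full Windows tree, but that is where the report saw them).
Get-ChildItem -Path $env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)} -Recurse -File -Filter '*.doc.exe' |
    ForEach-Object { Add-Finding 'File' $_.FullName (Get-FileHash $_.FullName -Algorithm SHA256).Hash 'document name with .exe appended' }

# SHA256 of the submitted sample. The Downloads section lists further hashes but does
# not say which dropped file each belongs to, so only this one is matched here.
$knownSha256 = @('3b9a638cd3fe3315d7aa86d50f41647c0d33f05893d8d3f67ed360cefb670e86')
foreach ($f in $findings) { if ($knownSha256 -contains $f.Value) { $f.Note += ' [SHA256 matches the submitted sample]' } }

$findings | Format-Table Kind, Where, Note -AutoSize -Wrap
```

Treat a hit on DisableRegistryTools, SFCDisable, the Security Center values or the txtfile associations as strong evidence; HideFileExt and ShowSuperHidden alone prove nothing because a default install has the same values. The script only reports; reverting the Run keys and associations by hand is reasonable for confirmation, but a host that has run this sample has had its Office templates and WinSxS protector binaries overwritten and is a candidate for reimaging rather than cleanup.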
Processes

[1] C:\Users\Admin\AppData\Local\Temp\45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe (PID 3008)
    Command line: "C:\Users\Admin\AppData\Local\Temp\45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe"
    - Checks computer location settings
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\rawzmsvtwq.exe (PID 1148)
        Command line: rawzmsvtwq.exe
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - Windows security bypass
        - Disables RegEdit via registry modification
        - Executes dropped EXE
        - Windows security modification
        - Enumerates connected drives
        - Modifies WinLogon
        - Drops file in System32 directory
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\sznufzsr.exe (PID 4216)
            Command line: C:\Windows\system32\sznufzsr.exe (System32 path redirected to SysWOW64 by WOW64 for the 32-bit parent)
            - Executes dropped EXE
            - Enumerates connected drives
            - Drops file in System32 directory
            - Drops file in Program Files directory
            - Drops file in Windows directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage

    [2] C:\Windows\SysWOW64\omupujwxtivgfok.exe (PID 208)
        Command line: omupujwxtivgfok.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage

    [2] C:\Windows\SysWOW64\sznufzsr.exe (PID 4820)
        Command line: sznufzsr.exe
        - Executes dropped EXE
        - Enumerates connected drives
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage

    [2] C:\Windows\SysWOW64\jlttdjmydcbbv.exe (PID 5064)
        Command line: jlttdjmydcbbv.exe
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage

    [2] C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 2340)
        Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
        - Drops file in Windows directory
        - Checks processor information in registry
        - Enumerates system info in registry
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious use of SetWindowsHookEx

[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1708)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4528,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=4072 /prefetch:8
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (6)
Downloads

Filesize: 512KB
MD5: a2953ca79a48241ea51c91d2203f9285
SHA1: eaa174c618c7d9f2e51920bbbe35c90b8fb97479
SHA256: b391180687fc329affb430879f3fa9f99c90ee66ab355bcee33b95faface9182
SHA512: dcfe0b5d67cba0a8a61b966ed8426675acbde7dab60fb46935475cbb60ce64af126d5bf061217bde2cbe0faf29ef0e4475fce2734225585f37a462ceeb45a8b4

Filesize: 512KB
MD5: a2ad8554c5bed28da35ec6a7b482e264
SHA1: 2b6bee2933e7042fdb3342188ff0fc6e14b3ea03
SHA256: b8d4dc2846ecf45a958040c990e755c5389c100cdfefb5497e2ea80971f0d735
SHA512: 3cb6499a145f0f1e253d4adaa5e9a98617a13a2e69fd16cb0f093f50cd68643000d17edf8f89491ca222bf68132cba266d1d5df6fded9b72e8cb6ae29e7ebb1d

Filesize: 245KB
MD5: f883b260a8d67082ea895c14bf56dd56
SHA1: 7954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256: ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512: d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Filesize: 512KB
MD5: b694f3af6cc1ec274f52fb2f2afaedc5
SHA1: 5938bbece4fa2371ccca34cf6dd96e6e4762ff26
SHA256: b11afd8a4001d418bed5194c3b11b46a54a50bcc5fd5f2dc113dbec8586f4e1f
SHA512: 6bec954ce0ad90337d78987973db277895e08c963615b54b9345a69c2879571f78a63554c72cdf023395c0cde8292a1ec0c95a73a375e9fe37eb96a30b9b6111

Filesize: 239B
MD5: 12b138a5a40ffb88d1850866bf2959cd
SHA1: 57001ba2de61329118440de3e9f8a81074cb28a2
SHA256: 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA512: 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: 807fe1ad3034b097665c7762ee3fc990
SHA1: 03ac4f5113d08aa937c1812a5f175a775be06082
SHA256: 0926440ac5936237c3dfb694ffac6df3721139cb0dbd7ef975de9f74c163649d
SHA512: 59ef5489e7b4312a4a5edf588d28f7892df53ebaa37e882d8c6d22bf0553071525440ec69aedf870c9d97e04bbd51abc2621a4d6caf311829072564cb2306184

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: e2c92e1d1c0723a2b12182fc767ad83a
SHA1: cc64ba8d0ce928c30fca8f26b3a53cc58be2b74a
SHA256: cba20859eaa511e42e5a608b8ea549b0cff95421e3b8b3d02e8e82a8b8a22bdd
SHA512: 1f47aac5a4ba9b7dd1a1ef2da1661c7db751f2cda76f71151c87a8ac0365687d7080be01d1dd4be56c57834b83aaba5a9a2646194500094e8035f4a174e610df

Filesize: 512KB
MD5: 937ad5132ab0abd15fb6d4625331d087
SHA1: dae1834a9072ee11d3e3e5e6bdd14f7df9d0af2c
SHA256: e8632c44302e15efac3ae8a0a681e55e03cb5299e027dbb75b613fbd94e5d8dc
SHA512: 70785a576985708fd75f7accbf99e1b9cd3480ed31c57daacc4dd80f51619210767c2c3130d511540cb602432e1cf993b7565c7742fa5462f772c3816480b13a

Filesize: 512KB
MD5: c615864d1de1cd331e47a140e48caccb
SHA1: c5ac28ee2da82b160038e1ef30a920582e68093b
SHA256: 70a0cd112c643ad769d2040d2dd02b12d7c75662884e8a0a19d10c701c8cc382
SHA512: 4be4fe93f3f9b947f3da9ffedb208f09a0dbc7b1a8c81bd3a2f007dbd352df761fd83679cbf83bd3f831d4cdd8c300b7ff0694d0e2bbbc8ee67fcb017c6aee4d

Filesize: 512KB
MD5: 44e31b5dbc33164b2da85965dd92d5c5
SHA1: ae0c61d30132eabc2ba76fe8d914b2deeb9ecd04
SHA256: 77da1c7c77bc3d927deb8bd33a78e13342b481d1a31d140b3bfdad17567fc252
SHA512: a87aa65d56a7dee728ae5dfd0f38b129151287f4ab10c5dddb6fddfaa17d7d7880c880499593d6bb1bf3e385ae36b0851a8f217c54b4de1221cf55e2d99b95e5

Filesize: 512KB
MD5: ed0b8a39e3006469e96c6d6d97559456
SHA1: 50ae67f9b459e1a307f100ec3ea833939d70e323
SHA256: ed8b3672479f9087e0140e87060bed7c96f613c5e1361d6b96cbf4b4ead312bf
SHA512: 8de4deb367be443f90fb28e90655d2e57c21fe240158ab11579bd7f9486a11586a2053ca5079168683684ee22f5af360a39d41a44045e10fc94dd531627a8bc1

Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Filesize: 512KB
MD5: 73f696968c7a219c1dcbcaa8062d0636
SHA1: d682742b6db50f9a870848a8dc8a1d69735b5fb7
SHA256: 00b9d736edfe8a25da454d34aa272c63b03b8e2ee68e71c5451596e6194a534f
SHA512: 4626b28a4189efd6326ff69be67d39c101f8b3b4c4563d29b726c4cbea5a7d3bfc25ae47710a13a83e1f0a7ce0c50132fc0e7a124f098418d827666c45f51d84

Filesize: 512KB
MD5: fa293e5dc1c1508e237aa85f01d3aff4
SHA1: 967c4e7152e1049874de207b79908b44f73d96d3
SHA256: 90b2ae0ddf61895119504ee009151bc8a061b004fa56a92d2ee00bf6c3d4c057
SHA512: 697acb8479bd32b72b3972dae6127802fe6e3ddaab7a26c54f4228f5f11e7a7f65f642c5bc041fea12a6cbebadf1457a9084e4718bd54857c49ee22edb361d1a