Analysis
max time kernel: 150s
max time network: 134s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/05/2024, 11:44
Static task
static1
Behavioral task
behavioral1
Sample
4606ac894da9657c311fe457556622e9_JaffaCakes118.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
4606ac894da9657c311fe457556622e9_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
Target: 4606ac894da9657c311fe457556622e9_JaffaCakes118.exe
Size: 512KB
MD5: 4606ac894da9657c311fe457556622e9
SHA1: 2bea8b70cf15ef00d4615481fd231658b5726a4c
SHA256: 1d28a74a7ebf34d131a32f0f3b6d6158019b51c3c0d5943ea629102473517611
SHA512: 48c2e95f62f948f00c353c08c197b791457edfc66be152d91b48a64716e9aee3899607569bd745523a94541b88b6230f2189ba5e528fbcb280dc678aafa30b94
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6p:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5W
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | wmoqqqraza.exe

Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | wmoqqqraza.exe

Windows security bypass 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | wmoqqqraza.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | wmoqqqraza.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | wmoqqqraza.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | wmoqqqraza.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | wmoqqqraza.exe

Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | wmoqqqraza.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | 4606ac894da9657c311fe457556622e9_JaffaCakes118.exe
Executes dropped EXE 5 IoCs
pid | Process
560 | wmoqqqraza.exe
2192 | bcigaigdwutbxju.exe
4728 | smitplyk.exe
2704 | iedasumrajdhd.exe
764 | smitplyk.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | wmoqqqraza.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | wmoqqqraza.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | wmoqqqraza.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | wmoqqqraza.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | wmoqqqraza.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | wmoqqqraza.exe

Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xvjxflfg = "wmoqqqraza.exe" | bcigaigdwutbxju.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\fddntiql = "bcigaigdwutbxju.exe" | bcigaigdwutbxju.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "iedasumrajdhd.exe" | bcigaigdwutbxju.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\g: | wmoqqqraza.exe
File opened (read-only) | \??\r: | smitplyk.exe
File opened (read-only) | \??\t: | wmoqqqraza.exe
File opened (read-only) | \??\p: | smitplyk.exe
File opened (read-only) | \??\k: | smitplyk.exe
File opened (read-only) | \??\x: | smitplyk.exe
File opened (read-only) | \??\h: | wmoqqqraza.exe
File opened (read-only) | \??\l: | wmoqqqraza.exe
File opened (read-only) | \??\i: | smitplyk.exe
File opened (read-only) | \??\x: | smitplyk.exe
File opened (read-only) | \??\e: | smitplyk.exe
File opened (read-only) | \??\h: | smitplyk.exe
File opened (read-only) | \??\s: | smitplyk.exe
File opened (read-only) | \??\w: | smitplyk.exe
File opened (read-only) | \??\e: | wmoqqqraza.exe
File opened (read-only) | \??\r: | wmoqqqraza.exe
File opened (read-only) | \??\y: | wmoqqqraza.exe
File opened (read-only) | \??\k: | wmoqqqraza.exe
File opened (read-only) | \??\v: | wmoqqqraza.exe
File opened (read-only) | \??\y: | smitplyk.exe
File opened (read-only) | \??\m: | wmoqqqraza.exe
File opened (read-only) | \??\n: | smitplyk.exe
File opened (read-only) | \??\o: | smitplyk.exe
File opened (read-only) | \??\v: | smitplyk.exe
File opened (read-only) | \??\w: | smitplyk.exe
File opened (read-only) | \??\y: | smitplyk.exe
File opened (read-only) | \??\t: | smitplyk.exe
File opened (read-only) | \??\g: | smitplyk.exe
File opened (read-only) | \??\t: | smitplyk.exe
File opened (read-only) | \??\a: | wmoqqqraza.exe
File opened (read-only) | \??\k: | smitplyk.exe
File opened (read-only) | \??\s: | smitplyk.exe
File opened (read-only) | \??\a: | smitplyk.exe
File opened (read-only) | \??\o: | smitplyk.exe
File opened (read-only) | \??\v: | smitplyk.exe
File opened (read-only) | \??\j: | wmoqqqraza.exe
File opened (read-only) | \??\l: | smitplyk.exe
File opened (read-only) | \??\b: | smitplyk.exe
File opened (read-only) | \??\j: | smitplyk.exe
File opened (read-only) | \??\q: | smitplyk.exe
File opened (read-only) | \??\z: | smitplyk.exe
File opened (read-only) | \??\p: | wmoqqqraza.exe
File opened (read-only) | \??\x: | wmoqqqraza.exe
File opened (read-only) | \??\j: | smitplyk.exe
File opened (read-only) | \??\l: | smitplyk.exe
File opened (read-only) | \??\u: | smitplyk.exe
File opened (read-only) | \??\a: | smitplyk.exe
File opened (read-only) | \??\e: | smitplyk.exe
File opened (read-only) | \??\i: | smitplyk.exe
File opened (read-only) | \??\p: | smitplyk.exe
File opened (read-only) | \??\r: | smitplyk.exe
File opened (read-only) | \??\b: | smitplyk.exe
File opened (read-only) | \??\g: | smitplyk.exe
File opened (read-only) | \??\m: | smitplyk.exe
File opened (read-only) | \??\s: | wmoqqqraza.exe
File opened (read-only) | \??\z: | wmoqqqraza.exe
File opened (read-only) | \??\h: | smitplyk.exe
File opened (read-only) | \??\z: | smitplyk.exe
File opened (read-only) | \??\n: | smitplyk.exe
File opened (read-only) | \??\i: | wmoqqqraza.exe
File opened (read-only) | \??\n: | wmoqqqraza.exe
File opened (read-only) | \??\u: | wmoqqqraza.exe
File opened (read-only) | \??\b: | wmoqqqraza.exe
File opened (read-only) | \??\q: | wmoqqqraza.exe

Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | wmoqqqraza.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | wmoqqqraza.exe

AutoIT Executable 9 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/2168-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x0008000000023521-5.dat | autoit_exe
behavioral2/files/0x000900000002351b-18.dat | autoit_exe
behavioral2/files/0x0007000000023522-25.dat | autoit_exe
behavioral2/files/0x0007000000023523-32.dat | autoit_exe
behavioral2/files/0x000200000002294c-64.dat | autoit_exe
behavioral2/files/0x00080000000233dd-67.dat | autoit_exe
behavioral2/files/0x00080000000233de-74.dat | autoit_exe
behavioral2/files/0x0007000000023538-452.dat | autoit_exe
Drops file in System32 directory 12 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\iedasumrajdhd.exe | 4606ac894da9657c311fe457556622e9_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\iedasumrajdhd.exe | 4606ac894da9657c311fe457556622e9_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | wmoqqqraza.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | smitplyk.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | smitplyk.exe
File created | C:\Windows\SysWOW64\wmoqqqraza.exe | 4606ac894da9657c311fe457556622e9_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\wmoqqqraza.exe | 4606ac894da9657c311fe457556622e9_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\smitplyk.exe | 4606ac894da9657c311fe457556622e9_JaffaCakes118.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | smitplyk.exe
File created | C:\Windows\SysWOW64\bcigaigdwutbxju.exe | 4606ac894da9657c311fe457556622e9_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\bcigaigdwutbxju.exe | 4606ac894da9657c311fe457556622e9_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\smitplyk.exe | 4606ac894da9657c311fe457556622e9_JaffaCakes118.exe

Drops file in Program Files directory 22 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | smitplyk.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | smitplyk.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | smitplyk.exe
File opened for modification | \??\c:\Program Files\LockRequest.doc.exe | smitplyk.exe
File opened for modification | C:\Program Files\LockRequest.nal | smitplyk.exe
File opened for modification | C:\Program Files\LockRequest.doc.exe | smitplyk.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | smitplyk.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | smitplyk.exe
File created | \??\c:\Program Files\LockRequest.doc.exe | smitplyk.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | smitplyk.exe
File created | \??\c:\Program Files\LockRequest.doc.exe | smitplyk.exe
File opened for modification | C:\Program Files\LockRequest.nal | smitplyk.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | smitplyk.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | smitplyk.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | smitplyk.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | smitplyk.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | smitplyk.exe
File opened for modification | \??\c:\Program Files\LockRequest.doc.exe | smitplyk.exe
File opened for modification | C:\Program Files\LockRequest.doc.exe | smitplyk.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | smitplyk.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | smitplyk.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | smitplyk.exe

Drops file in Windows directory 19 IoCs
description | ioc | Process
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | smitplyk.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | smitplyk.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | smitplyk.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | smitplyk.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | smitplyk.exe
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | smitplyk.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | smitplyk.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | smitplyk.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | smitplyk.exe
File opened for modification | C:\Windows\mydoc.rtf | 4606ac894da9657c311fe457556622e9_JaffaCakes118.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | smitplyk.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | smitplyk.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | smitplyk.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | smitplyk.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | smitplyk.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | smitplyk.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | smitplyk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE

Modifies registry class 20 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | wmoqqqraza.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | wmoqqqraza.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | wmoqqqraza.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | wmoqqqraza.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | wmoqqqraza.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | wmoqqqraza.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | wmoqqqraza.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32442C0C9C2682276D4677D177242CDF7C8464D8" | 4606ac894da9657c311fe457556622e9_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | wmoqqqraza.exe
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings | 4606ac894da9657c311fe457556622e9_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | wmoqqqraza.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E08668B3FE6E22D0D209D0A28A7F9114" | 4606ac894da9657c311fe457556622e9_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "183DC67515E6DAB5B9C07C92EC9F34BE" | 4606ac894da9657c311fe457556622e9_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB1B15C47E7389F52CEBAA5339CD7CD" | 4606ac894da9657c311fe457556622e9_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF8FF82485F85699042D65B7DE7BCEFE133593667436336D790" | 4606ac894da9657c311fe457556622e9_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | wmoqqqraza.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | wmoqqqraza.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | wmoqqqraza.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 4606ac894da9657c311fe457556622e9_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACEFACEF964F1E7830E3B31869C3995B38803F14213033BE2BD42EA09D6" | 4606ac894da9657c311fe457556622e9_JaffaCakes118.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process | hits
5080 | WINWORD.EXE | 2

Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | hits
2168 | 4606ac894da9657c311fe457556622e9_JaffaCakes118.exe | 16
560 | wmoqqqraza.exe | 10
4728 | smitplyk.exe | 8
2192 | bcigaigdwutbxju.exe | 12
2704 | iedasumrajdhd.exe | 12
764 | smitplyk.exe | 6

Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process | hits
2168 | 4606ac894da9657c311fe457556622e9_JaffaCakes118.exe | 3
560 | wmoqqqraza.exe | 3
4728 | smitplyk.exe | 3
2192 | bcigaigdwutbxju.exe | 3
2704 | iedasumrajdhd.exe | 3
764 | smitplyk.exe | 3

Suspicious use of SendNotifyMessage 18 IoCs
pid | Process | hits
2168 | 4606ac894da9657c311fe457556622e9_JaffaCakes118.exe | 3
560 | wmoqqqraza.exe | 3
4728 | smitplyk.exe | 3
2192 | bcigaigdwutbxju.exe | 3
2704 | iedasumrajdhd.exe | 3
764 | smitplyk.exe | 3

Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process | hits
5080 | WINWORD.EXE | 7

Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target | hits
PID 2168 wrote to memory of 560 | 2168 | 4606ac894da9657c311fe457556622e9_JaffaCakes118.exe | 89 | 3
PID 2168 wrote to memory of 2192 | 2168 | 4606ac894da9657c311fe457556622e9_JaffaCakes118.exe | 90 | 3
PID 2168 wrote to memory of 4728 | 2168 | 4606ac894da9657c311fe457556622e9_JaffaCakes118.exe | 91 | 3
PID 2168 wrote to memory of 2704 | 2168 | 4606ac894da9657c311fe457556622e9_JaffaCakes118.exe | 92 | 3
PID 2168 wrote to memory of 5080 | 2168 | 4606ac894da9657c311fe457556622e9_JaffaCakes118.exe | 93 | 2
PID 560 wrote to memory of 764 | 560 | wmoqqqraza.exe | 96 | 3
Processes

C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe (depth 1, PID 2168)
Command line: "C:\Users\Admin\AppData\Local\Temp\4606ac894da9657c311fe457556622e9_JaffaCakes118.exe"
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\wmoqqqraza.exe (depth 2, PID 560)
    Command line: wmoqqqraza.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\smitplyk.exe (depth 3, PID 764)
        Command line: C:\Windows\system32\smitplyk.exe
        - Executes dropped EXE
        - Enumerates connected drives
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage

    C:\Windows\SysWOW64\bcigaigdwutbxju.exe (depth 2, PID 2192)
    Command line: bcigaigdwutbxju.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

    C:\Windows\SysWOW64\smitplyk.exe (depth 2, PID 4728)
    Command line: smitplyk.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

    C:\Windows\SysWOW64\iedasumrajdhd.exe (depth 2, PID 2704)
    Command line: iedasumrajdhd.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

    C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (depth 2, PID 5080)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1, PID 2944)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4056,i,2607710392823067546,4648797561512801463,262144 --variations-seed-version --mojo-platform-channel-handle=4364 /prefetch:8
Network
MITRE ATT&CK Enterprise v15

Persistence
    Boot or Logon Autostart Execution (2)
        Registry Run Keys / Startup Folder (1)
        Winlogon Helper DLL (1)

Privilege Escalation
    Boot or Logon Autostart Execution (2)
        Registry Run Keys / Startup Folder (1)
        Winlogon Helper DLL (1)

Defense Evasion
    Hide Artifacts (2)
        Hidden Files and Directories (2)
    Impair Defenses (2)
        Disable or Modify Tools (2)
    Modify Registry (6)
Downloads

Filesize: 512KB
MD5: 09724375a2b6edad98356e56239492ce
SHA1: 93d2abcd00dba309883c8d27f11779c967aa8f40
SHA256: 817f6d7bc839389799d3680ff18ead35f52a4083d21357121894d6838762d6a4
SHA512: 7653cb8f2ba6109f458a6286275f257a39b5b7705e9df2bc55193a314ce5554e4b9d51af00294676125eed63c64e17fb5a24134beff5021751fb32d68df30e86

Filesize: 512KB
MD5: 4af55b563cbd98ef625c1babd4894cf0
SHA1: 76346c0794f4b455fb276077e74209ce49eafd31
SHA256: cc60e1e0a50c4359405a86e36e78ec0bfb81ab3b8511f3808502425c01305b85
SHA512: a7e0ae440c8f24d9064e21263bbb80d00204928af89c8325b55cc365c37076af08ba457a029ceaf6226b5094eb95ecefc3a0924d1bed66c044eeebf7c20f26ff

Filesize: 512KB
MD5: 7356002b450de3757ab1778c148e65c7
SHA1: 65017fc9be41983207b98d0c91ff714a57d9d534
SHA256: d709d7da5bd1355bf3afb65fb15a2d10e252ae3ef67c260604a5ec2ab7361271
SHA512: b18a9c45e4014ea73a15afd224e9b7501c197a13aa494817dc3e0376c6aa1c00bf566bef93896022678019b0fb7f07936ae800979c2850ab04693277e2e36dd6

Filesize: 245KB
MD5: f883b260a8d67082ea895c14bf56dd56
SHA1: 7954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256: ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512: d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Filesize: 239B
MD5: 602dad6ee0e60cde6698692534ef100b
SHA1: c3e20be4cf62746964ff865964f4f354d412bfac
SHA256: 596069f7c5d4c9cea8266af60fcc730fbaec42eb5dd0c6f4203e463b742fb598
SHA512: bc1fdcc479d9d46977847557985ca1744f1d4f135da27d82dd2f131419c16fbc70968eb27458a1769e59a9a166847be39aa81b82936e39e753d578ee13df8669

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: f045a1d869187ea90c9de155ab37a649
SHA1: 8e246c0c52320ad9c8e66302e91686b1e6062e5b
SHA256: 9dc705b1b8534c87356b10005b873a02496ba47b5930b3849fcdb08a27dd51fc
SHA512: 686d94b4d4046864886cef0667db2839bb3b72a4648e1e38d28a51828442930db9da12cea4c942aadcddb714dcce4eccae82f16c82dd2e205e43235449b7832a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: 987bf79e70bdac320a6b0e429485c4ff
SHA1: 0470157f25036abdc90c1c753f56a2f68f680a4b
SHA256: a547318c432f60d534c24d44583776495b01d5677d6311218c88a0e51df57f69
SHA512: 3fdf695e5ab5d28e5994cbe8c91861e1979b5ab70117131a40e9c42c614aeabe4ffbb9c139398d50f612ec6f31806cf2f93b8a2a9f2bc9029b1d917b209acc94

Filesize: 512KB
MD5: 2f30cd1d218847a0c0943de945838d73
SHA1: f508334deecba7769714ae8972e67c374fd06532
SHA256: 7146cae97d178173ce1929d7d11b304bb727ffc0e93f810df2e1db2c60238195
SHA512: 109574539329ea56d3f3b3714566523f5373464dc8046558e87f5dd56aa309045aba6d3a47779afb74a5e9a7544c2907178bf5cd7647eb6c28feba16ba41ff80

Filesize: 512KB
MD5: 337234b7600cd3f028cd435c5d5624f9
SHA1: 2b7aa8221d83bf5d32c8e966eaa0a5b032f18087
SHA256: 1383aba901d09420cd61790a11c7ce56f1bf9b533b99b65734d6e923e5d58bab
SHA512: e414604a71eb19402527c4c50072c33feef666b99060c70c91528a671567d5fa588a99b13b47fb7ded4cfcf7d91e4cd4f1e9a8b079189708ac892eaa87aa43c0

Filesize: 512KB
MD5: f1b62cb251734aad7d67babfe36f2b5e
SHA1: ae504b8b55bb51397bae839bed75442a69316caf
SHA256: ac56ddc45402015d8b7ebe3629cb9d7e94d4a741ed7a9578bc20e3e69dd25f40
SHA512: e84b4ce151620cd73ce8a0e91d7f6d8ade74b0cec78d14beddcd3f4f649e54182175b31f66c3604a2d77f0d834c4508b49c0f1a05a13a3853f758370cfd987b2

Filesize: 512KB
MD5: 18062813339e9555ff5d1c7d3debfd7c
SHA1: 489b98354148600c208bf5c3bb03485116887c6b
SHA256: 03707fd7666c36629cdd4ded1d26032f053a8c15dcb1d66b0f75fd8d5614e990
SHA512: 862e17548cc22e985e755fd39351963676b54344b3b4a1b99ec6a8738e6d6d9da9015ec3b4f7c0da353a40a83003c31178ac874ec9dea87ea30cc45cc8a9fdb4

Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Filesize: 512KB
MD5: 2091f384cdbfa2a655796d4e6d41a88f
SHA1: 2e17084bc6e429aa048d85da56ba138a590fe491
SHA256: d00e1561a8179082f626eac856f489a0c71fd108d57c7f3f25882b5021a638bd
SHA512: fcd46ee83a7ce75c8507e968403afe64d4e88ae1c20deaaf20aff90d42d0c7b9977e82765da59ac2ff051cf271d2e790bbe574746daf2128b271a3c57d092d57