Analysis
max time kernel: 153s
max time network: 161s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted: 16/05/2024, 21:46
Static task
static1
Behavioral task
behavioral1
Sample
4d292518f430ad1925fd8b51ed0141b2_JaffaCakes118.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
4d292518f430ad1925fd8b51ed0141b2_JaffaCakes118.exe
Resource
win10v2004-20240226-en
General
Target: 4d292518f430ad1925fd8b51ed0141b2_JaffaCakes118.exe
Size: 512KB
MD5: 4d292518f430ad1925fd8b51ed0141b2
SHA1: dc0167973a194d9b65f02f4334f75cea87c13cc0
SHA256: e0d66954a042c5d00eda8d4033c043296cc2b4863916774e814b5dca862dc838
SHA512: bf216f564eff2a57df17da3270f2778be07e3d0c86cb032e128f9310947084b9bd28dc24b22107dfba5d34c460150a050a30f13e5fa325d7c32dc5a2c334223b
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6a:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm51
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | zlzdlwklcm.exe
-
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | zlzdlwklcm.exe
-
Windows security bypass 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | zlzdlwklcm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | zlzdlwklcm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | zlzdlwklcm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | zlzdlwklcm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | zlzdlwklcm.exe
-
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | zlzdlwklcm.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | 4d292518f430ad1925fd8b51ed0141b2_JaffaCakes118.exe
-
Executes dropped EXE 5 IoCs
pid | Process
3340 | zlzdlwklcm.exe
3452 | vzzhgjfkrrcgolm.exe
5108 | qopyrwzs.exe
3696 | lgnmhhtqsanrk.exe
1592 | qopyrwzs.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | zlzdlwklcm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | zlzdlwklcm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | zlzdlwklcm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | zlzdlwklcm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | zlzdlwklcm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | zlzdlwklcm.exe
-
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wfetqhlo = "zlzdlwklcm.exe" | vzzhgjfkrrcgolm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tjvzmllr = "vzzhgjfkrrcgolm.exe" | vzzhgjfkrrcgolm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "lgnmhhtqsanrk.exe" | vzzhgjfkrrcgolm.exe
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\j: qopyrwzs.exe File opened (read-only) \??\l: qopyrwzs.exe File opened (read-only) \??\s: qopyrwzs.exe File opened (read-only) \??\q: zlzdlwklcm.exe File opened (read-only) \??\i: qopyrwzs.exe File opened (read-only) \??\p: qopyrwzs.exe File opened (read-only) \??\m: qopyrwzs.exe File opened (read-only) \??\q: qopyrwzs.exe File opened (read-only) \??\v: qopyrwzs.exe File opened (read-only) \??\g: qopyrwzs.exe File opened (read-only) \??\b: qopyrwzs.exe File opened (read-only) \??\u: qopyrwzs.exe File opened (read-only) \??\i: qopyrwzs.exe File opened (read-only) \??\u: qopyrwzs.exe File opened (read-only) \??\w: qopyrwzs.exe File opened (read-only) \??\v: zlzdlwklcm.exe File opened (read-only) \??\x: zlzdlwklcm.exe File opened (read-only) \??\y: zlzdlwklcm.exe File opened (read-only) \??\z: qopyrwzs.exe File opened (read-only) \??\b: zlzdlwklcm.exe File opened (read-only) \??\g: zlzdlwklcm.exe File opened (read-only) \??\i: zlzdlwklcm.exe File opened (read-only) \??\q: qopyrwzs.exe File opened (read-only) \??\k: qopyrwzs.exe File opened (read-only) \??\k: zlzdlwklcm.exe File opened (read-only) \??\w: zlzdlwklcm.exe File opened (read-only) \??\b: qopyrwzs.exe File opened (read-only) \??\e: qopyrwzs.exe File opened (read-only) \??\r: qopyrwzs.exe File opened (read-only) \??\z: zlzdlwklcm.exe File opened (read-only) \??\l: qopyrwzs.exe File opened (read-only) \??\n: qopyrwzs.exe File opened (read-only) \??\x: qopyrwzs.exe File opened (read-only) \??\a: zlzdlwklcm.exe File opened (read-only) \??\n: zlzdlwklcm.exe File opened (read-only) \??\o: zlzdlwklcm.exe File opened (read-only) \??\u: zlzdlwklcm.exe File opened (read-only) \??\y: qopyrwzs.exe File opened (read-only) \??\a: qopyrwzs.exe File opened (read-only) \??\y: qopyrwzs.exe File opened (read-only) \??\j: zlzdlwklcm.exe File opened (read-only) \??\p: zlzdlwklcm.exe File opened (read-only) \??\r: zlzdlwklcm.exe File opened (read-only) \??\k: qopyrwzs.exe File 
opened (read-only) \??\t: qopyrwzs.exe File opened (read-only) \??\x: qopyrwzs.exe File opened (read-only) \??\r: qopyrwzs.exe File opened (read-only) \??\z: qopyrwzs.exe File opened (read-only) \??\h: zlzdlwklcm.exe File opened (read-only) \??\a: qopyrwzs.exe File opened (read-only) \??\h: qopyrwzs.exe File opened (read-only) \??\o: qopyrwzs.exe File opened (read-only) \??\s: qopyrwzs.exe File opened (read-only) \??\s: zlzdlwklcm.exe File opened (read-only) \??\v: qopyrwzs.exe File opened (read-only) \??\e: qopyrwzs.exe File opened (read-only) \??\t: qopyrwzs.exe File opened (read-only) \??\e: zlzdlwklcm.exe File opened (read-only) \??\l: zlzdlwklcm.exe File opened (read-only) \??\p: qopyrwzs.exe File opened (read-only) \??\g: qopyrwzs.exe File opened (read-only) \??\h: qopyrwzs.exe File opened (read-only) \??\j: qopyrwzs.exe File opened (read-only) \??\w: qopyrwzs.exe -
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | zlzdlwklcm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | zlzdlwklcm.exe
-
AutoIT Executable 9 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/772-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x000800000002324c-6.dat | autoit_exe
behavioral2/files/0x000800000002324b-18.dat | autoit_exe
behavioral2/files/0x000800000002324e-26.dat | autoit_exe
behavioral2/files/0x000800000002324f-31.dat | autoit_exe
behavioral2/files/0x0007000000023255-44.dat | autoit_exe
behavioral2/files/0x0007000000023256-50.dat | autoit_exe
behavioral2/files/0x000700000002325f-63.dat | autoit_exe
behavioral2/files/0x000300000000070f-95.dat | autoit_exe
-
Drops file in System32 directory 13 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\zlzdlwklcm.exe | 4d292518f430ad1925fd8b51ed0141b2_JaffaCakes118.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | qopyrwzs.exe
File opened for modification | C:\Windows\SysWOW64\vzzhgjfkrrcgolm.exe | 4d292518f430ad1925fd8b51ed0141b2_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\lgnmhhtqsanrk.exe | 4d292518f430ad1925fd8b51ed0141b2_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | zlzdlwklcm.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | qopyrwzs.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | qopyrwzs.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | qopyrwzs.exe
File opened for modification | C:\Windows\SysWOW64\zlzdlwklcm.exe | 4d292518f430ad1925fd8b51ed0141b2_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\qopyrwzs.exe | 4d292518f430ad1925fd8b51ed0141b2_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\lgnmhhtqsanrk.exe | 4d292518f430ad1925fd8b51ed0141b2_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\vzzhgjfkrrcgolm.exe | 4d292518f430ad1925fd8b51ed0141b2_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\qopyrwzs.exe | 4d292518f430ad1925fd8b51ed0141b2_JaffaCakes118.exe
-
Drops file in Program Files directory 21 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | qopyrwzs.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | qopyrwzs.exe
File created | \??\c:\Program Files\WaitTest.doc.exe | qopyrwzs.exe
File opened for modification | C:\Program Files\WaitTest.doc.exe | qopyrwzs.exe
File opened for modification | C:\Program Files\WaitTest.doc.exe | qopyrwzs.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | qopyrwzs.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | qopyrwzs.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | qopyrwzs.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | qopyrwzs.exe
File opened for modification | C:\Program Files\WaitTest.nal | qopyrwzs.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | qopyrwzs.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | qopyrwzs.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | qopyrwzs.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | qopyrwzs.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | qopyrwzs.exe
File opened for modification | \??\c:\Program Files\WaitTest.doc.exe | qopyrwzs.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | qopyrwzs.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | qopyrwzs.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | qopyrwzs.exe
File opened for modification | C:\Program Files\WaitTest.nal | qopyrwzs.exe
File opened for modification | \??\c:\Program Files\WaitTest.doc.exe | qopyrwzs.exe
-
Drops file in Windows directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\mydoc.rtf | 4d292518f430ad1925fd8b51ed0141b2_JaffaCakes118.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
-
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
-
Modifies registry class 20 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | zlzdlwklcm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32302C0F9D2383206A3077D770562CAB7DF664AF" | 4d292518f430ad1925fd8b51ed0141b2_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCAF9BEFE67F191830C3B4B869D39E1B38D038F4312033EE1B842EC08A7" | 4d292518f430ad1925fd8b51ed0141b2_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | zlzdlwklcm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | zlzdlwklcm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | zlzdlwklcm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | zlzdlwklcm.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 4d292518f430ad1925fd8b51ed0141b2_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | zlzdlwklcm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | zlzdlwklcm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | zlzdlwklcm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | zlzdlwklcm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | zlzdlwklcm.exe
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings | 4d292518f430ad1925fd8b51ed0141b2_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2ECAB15A44EE38EB52CCB9D5339FD4C5" | 4d292518f430ad1925fd8b51ed0141b2_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFDFFFB482E851C9130D72F7E91BC97E631594667326245D79F" | 4d292518f430ad1925fd8b51ed0141b2_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F66BB3FE1822DCD108D0A68A759165" | 4d292518f430ad1925fd8b51ed0141b2_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1944C67B14E4DBB1B8C97CE8ED9237CB" | 4d292518f430ad1925fd8b51ed0141b2_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | zlzdlwklcm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | zlzdlwklcm.exe
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
3196 | WINWORD.EXE
3196 | WINWORD.EXE
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 772 4d292518f430ad1925fd8b51ed0141b2_JaffaCakes118.exe 772 4d292518f430ad1925fd8b51ed0141b2_JaffaCakes118.exe 772 4d292518f430ad1925fd8b51ed0141b2_JaffaCakes118.exe 772 4d292518f430ad1925fd8b51ed0141b2_JaffaCakes118.exe 772 4d292518f430ad1925fd8b51ed0141b2_JaffaCakes118.exe 772 4d292518f430ad1925fd8b51ed0141b2_JaffaCakes118.exe 772 4d292518f430ad1925fd8b51ed0141b2_JaffaCakes118.exe 772 4d292518f430ad1925fd8b51ed0141b2_JaffaCakes118.exe 772 4d292518f430ad1925fd8b51ed0141b2_JaffaCakes118.exe 772 4d292518f430ad1925fd8b51ed0141b2_JaffaCakes118.exe 772 4d292518f430ad1925fd8b51ed0141b2_JaffaCakes118.exe 772 4d292518f430ad1925fd8b51ed0141b2_JaffaCakes118.exe 772 4d292518f430ad1925fd8b51ed0141b2_JaffaCakes118.exe 772 4d292518f430ad1925fd8b51ed0141b2_JaffaCakes118.exe 772 4d292518f430ad1925fd8b51ed0141b2_JaffaCakes118.exe 772 4d292518f430ad1925fd8b51ed0141b2_JaffaCakes118.exe 3340 zlzdlwklcm.exe 3340 zlzdlwklcm.exe 3340 zlzdlwklcm.exe 3340 zlzdlwklcm.exe 3340 zlzdlwklcm.exe 3340 zlzdlwklcm.exe 3340 zlzdlwklcm.exe 3340 zlzdlwklcm.exe 3340 zlzdlwklcm.exe 3340 zlzdlwklcm.exe 3452 vzzhgjfkrrcgolm.exe 3452 vzzhgjfkrrcgolm.exe 3452 vzzhgjfkrrcgolm.exe 3452 vzzhgjfkrrcgolm.exe 3452 vzzhgjfkrrcgolm.exe 3452 vzzhgjfkrrcgolm.exe 3452 vzzhgjfkrrcgolm.exe 3452 vzzhgjfkrrcgolm.exe 3452 vzzhgjfkrrcgolm.exe 3452 vzzhgjfkrrcgolm.exe 5108 qopyrwzs.exe 5108 qopyrwzs.exe 5108 qopyrwzs.exe 5108 qopyrwzs.exe 5108 qopyrwzs.exe 5108 qopyrwzs.exe 5108 qopyrwzs.exe 5108 qopyrwzs.exe 3696 lgnmhhtqsanrk.exe 3696 lgnmhhtqsanrk.exe 3696 lgnmhhtqsanrk.exe 3696 lgnmhhtqsanrk.exe 3696 lgnmhhtqsanrk.exe 3696 lgnmhhtqsanrk.exe 3696 lgnmhhtqsanrk.exe 3696 lgnmhhtqsanrk.exe 3696 lgnmhhtqsanrk.exe 3696 lgnmhhtqsanrk.exe 3696 lgnmhhtqsanrk.exe 3696 lgnmhhtqsanrk.exe 3452 vzzhgjfkrrcgolm.exe 3452 vzzhgjfkrrcgolm.exe 3696 lgnmhhtqsanrk.exe 3696 lgnmhhtqsanrk.exe 3696 lgnmhhtqsanrk.exe 3696 lgnmhhtqsanrk.exe 3452 vzzhgjfkrrcgolm.exe 3452 vzzhgjfkrrcgolm.exe -
Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process
772 | 4d292518f430ad1925fd8b51ed0141b2_JaffaCakes118.exe
772 | 4d292518f430ad1925fd8b51ed0141b2_JaffaCakes118.exe
772 | 4d292518f430ad1925fd8b51ed0141b2_JaffaCakes118.exe
3340 | zlzdlwklcm.exe
3340 | zlzdlwklcm.exe
3340 | zlzdlwklcm.exe
3452 | vzzhgjfkrrcgolm.exe
3452 | vzzhgjfkrrcgolm.exe
3452 | vzzhgjfkrrcgolm.exe
5108 | qopyrwzs.exe
3696 | lgnmhhtqsanrk.exe
5108 | qopyrwzs.exe
3696 | lgnmhhtqsanrk.exe
5108 | qopyrwzs.exe
3696 | lgnmhhtqsanrk.exe
1592 | qopyrwzs.exe
1592 | qopyrwzs.exe
1592 | qopyrwzs.exe
-
Suspicious use of SendNotifyMessage 18 IoCs
pid | Process
772 | 4d292518f430ad1925fd8b51ed0141b2_JaffaCakes118.exe
772 | 4d292518f430ad1925fd8b51ed0141b2_JaffaCakes118.exe
772 | 4d292518f430ad1925fd8b51ed0141b2_JaffaCakes118.exe
3340 | zlzdlwklcm.exe
3340 | zlzdlwklcm.exe
3340 | zlzdlwklcm.exe
3452 | vzzhgjfkrrcgolm.exe
3452 | vzzhgjfkrrcgolm.exe
3452 | vzzhgjfkrrcgolm.exe
5108 | qopyrwzs.exe
3696 | lgnmhhtqsanrk.exe
5108 | qopyrwzs.exe
3696 | lgnmhhtqsanrk.exe
5108 | qopyrwzs.exe
3696 | lgnmhhtqsanrk.exe
1592 | qopyrwzs.exe
1592 | qopyrwzs.exe
1592 | qopyrwzs.exe
-
Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process
3196 | WINWORD.EXE
3196 | WINWORD.EXE
3196 | WINWORD.EXE
3196 | WINWORD.EXE
3196 | WINWORD.EXE
3196 | WINWORD.EXE
3196 | WINWORD.EXE
-
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 772 wrote to memory of 3340 | 772 | 4d292518f430ad1925fd8b51ed0141b2_JaffaCakes118.exe | 91
PID 772 wrote to memory of 3340 | 772 | 4d292518f430ad1925fd8b51ed0141b2_JaffaCakes118.exe | 91
PID 772 wrote to memory of 3340 | 772 | 4d292518f430ad1925fd8b51ed0141b2_JaffaCakes118.exe | 91
PID 772 wrote to memory of 3452 | 772 | 4d292518f430ad1925fd8b51ed0141b2_JaffaCakes118.exe | 92
PID 772 wrote to memory of 3452 | 772 | 4d292518f430ad1925fd8b51ed0141b2_JaffaCakes118.exe | 92
PID 772 wrote to memory of 3452 | 772 | 4d292518f430ad1925fd8b51ed0141b2_JaffaCakes118.exe | 92
PID 772 wrote to memory of 5108 | 772 | 4d292518f430ad1925fd8b51ed0141b2_JaffaCakes118.exe | 93
PID 772 wrote to memory of 5108 | 772 | 4d292518f430ad1925fd8b51ed0141b2_JaffaCakes118.exe | 93
PID 772 wrote to memory of 5108 | 772 | 4d292518f430ad1925fd8b51ed0141b2_JaffaCakes118.exe | 93
PID 772 wrote to memory of 3696 | 772 | 4d292518f430ad1925fd8b51ed0141b2_JaffaCakes118.exe | 94
PID 772 wrote to memory of 3696 | 772 | 4d292518f430ad1925fd8b51ed0141b2_JaffaCakes118.exe | 94
PID 772 wrote to memory of 3696 | 772 | 4d292518f430ad1925fd8b51ed0141b2_JaffaCakes118.exe | 94
PID 3340 wrote to memory of 1592 | 3340 | zlzdlwklcm.exe | 95
PID 3340 wrote to memory of 1592 | 3340 | zlzdlwklcm.exe | 95
PID 3340 wrote to memory of 1592 | 3340 | zlzdlwklcm.exe | 95
PID 772 wrote to memory of 3196 | 772 | 4d292518f430ad1925fd8b51ed0141b2_JaffaCakes118.exe | 96
PID 772 wrote to memory of 3196 | 772 | 4d292518f430ad1925fd8b51ed0141b2_JaffaCakes118.exe | 96
Processes
-
C:\Users\Admin\AppData\Local\Temp\4d292518f430ad1925fd8b51ed0141b2_JaffaCakes118.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\4d292518f430ad1925fd8b51ed0141b2_JaffaCakes118.exe"
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 772
  C:\Windows\SysWOW64\zlzdlwklcm.exe (level 2)
  Command line: zlzdlwklcm.exe
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 3340
    C:\Windows\SysWOW64\qopyrwzs.exe (level 3)
    Command line: C:\Windows\system32\qopyrwzs.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 1592
  C:\Windows\SysWOW64\vzzhgjfkrrcgolm.exe (level 2)
  Command line: vzzhgjfkrrcgolm.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 3452
  C:\Windows\SysWOW64\qopyrwzs.exe (level 2)
  Command line: qopyrwzs.exe
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 5108
  C:\Windows\SysWOW64\lgnmhhtqsanrk.exe (level 2)
  Command line: lgnmhhtqsanrk.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 3696
  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (level 2)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
  - Drops file in Windows directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID: 3196
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 1)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3684 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
PID: 2576
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads
-
Filesize: 512KB
MD5: ab41ee8806b2954d372bf77676005022
SHA1: 8cac70a66636f991937e1ba27ea36931e2d15b67
SHA256: 4855e160cc6afa9eff9796026f73e3f536f200c178c67dcd9186bdfcb3595d14
SHA512: fbe3e2f923deccc16197ee6b5d756271e5700f32a84d34b75172da2f247263697e5cca403ff5e81f0460b330c7eb31eba1fb3ad8f6e62a87dc5ed8e84568d55c
-
Filesize: 512KB
MD5: a868b46df40c5d46da42d9d0e1af982e
SHA1: e1e1313515a3dba158d9eae986237440150cc91a
SHA256: 0881cbcd47199ccbcd7be88b280dfaaab11b82252f4deabd3f945570c3744de4
SHA512: 23c60be0dc2e97d96f470533d92cd866e14d80065676905df1897968b649e96b5f262ed382ae4aebd5f7505e505260df6da9cbe3da4ecbbc73fd5d6b0bbbf8dc
-
Filesize: 512KB
MD5: be6aeddbe9cc93636d84c38ceb199da6
SHA1: 14452713adfb40e622b3c57e7768093f3df538f6
SHA256: cd0b58fb67687dd34baa91f3b9af82c7c41ec0c826c051972640e29792cee202
SHA512: c48d995e2d81c21a41710b0bf0f7bb97a0564e67e4951fb3297dc5b9ebd9f8404b392cb46ba6d88e1a62b1d1e1127233f952173f1613d56ba258e6603707fb56
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: 9da633e10cf4137702026ffdc742dbec
SHA1: 8fb1387358268e6a3e3ca02bc747e094f3cfdf31
SHA256: 5e72418ff72959e3fafb060c0bc13b65a747159f0374c27f1c04bf992379b3b3
SHA512: 2a294e8537e0cc7672e8d86ae7808eefd444b61b435f6245fc5657403a579c7aaca6feb3c1415ac81377d469812653a66a53dbe56e596634b03a952aa6953caf
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: 46240daca298bc098af4c6f1d0183f9d
SHA1: 05309dd50757fcadf4f9fa2f6eb65ab20a3dc766
SHA256: 9df28f85d07ce292ae0c901cac43c14aa989809a54996b2dc22d64c99764454d
SHA512: de133a5d80441bb8dd3e42440bdce3e5a2e11c99931d7d3029e4efec14a660269c334279b31c8e72a7b37e953e790505f1dbd091595b6db3e35d4f07b88b530b
-
Filesize: 512KB
MD5: 650796c246941fbb1b315a7bb3fc83ab
SHA1: ecab4a7ce4d8ba86824162f0e644be9fac618f8f
SHA256: ff3843468e0a900371d9e09b8db8803a8dbc38b1d0c53e09e576d5947bbab3a0
SHA512: 028a30dcd85f787a2caec46196928ef877ee6b889deca276b7b6ff5eafcf1b89a2536defd7b500e102c85b05c5df16f108d6cbb1e80445eab16ad78031e1a05c
-
Filesize: 512KB
MD5: b34b1834bb6b1cfa326824f2cc7a943b
SHA1: 012ed5e020aa7ffbb41f6a2dbf6fa50025ca863a
SHA256: e02f4ddc4841a3a8202915308222927ee00aa62d6d2535419794270680f966fb
SHA512: b0009aad29723932527edba364fdd98d17755fa9791fd57774595f03a3a240dc2edbf4cc7ec515c4ee67bf0655db89bc2fe1177e7dfa74c589ca9fa07f3a70ed
-
Filesize: 512KB
MD5: 9283a108bdab27dc90700da8848ae4a3
SHA1: c785b1a5761beac0be6cd5a53fd35e8de58a0beb
SHA256: 5e0a820854f6a551b94193c3136cc06a82549520ec55cf6b77ebf0fa7d029699
SHA512: a98cfd8af02f3da808b1969d9c7ca9f7722ba1c7859a77339375ae627e24940217d7733a07118e5b9d9f5f451bf24abb1d3ea6e50fb88dce3b74451af6694812
-
Filesize: 512KB
MD5: fdbe7b6bf6622fb3c90ce74745a43ebd
SHA1: 32d8d380df5747f1b02a1854e78e30e089dd5e48
SHA256: f7b2f462e57cd0d72ecc5d3fdb85b305a08ecdb294c46cadf624636a03d6704a
SHA512: f83fd98491eaf9d54e53611c8d185b4a63dce50b6c708b4dfa5eee18030d5ea7ea275b0202043ec520b443bbcb81c92486a6d505ee30acfa7699e5a1efe69be3
-
Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
Filesize: 512KB
MD5: 139b27401cf20bb6de0cbd933888b0c2
SHA1: d33eaf971ed8c4742dcc77ccf4fe6db80c04b0f1
SHA256: 7ae9befa3f26f1ab4abfe2abee959674ca03a5f2b60d9a3c88f574d93d64dfdd
SHA512: 36300d0505cd96b2a415342930fd240660c4e5bf77d2669089fb942ad2bfe1a38109a73399be17da8b7fedf6a08b140e9ad44fa80f2773971e79164a5884966e