Analysis
max time kernel: 149s
max time network: 124s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-05-2024 10:41
Static task: static1
Behavioral task: behavioral1
Sample: 4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe
Resource: win10v2004-20240508-en
General
Target: 4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe
Size: 512KB
MD5: 4aabb8cf3e1c596f9948b6da31989213
SHA1: 5e9c5d7ecef0692af7789b4aab6a0af89c5322f9
SHA256: 7214770870e8f3a372e48a8c3d89d35c685e65d9be4f0bc8a7adb7ff010ad246
SHA512: 3b097e31fb59c4e52cb338b19e6c3acb7796c8745c74a8f55cd899fbfb0d544bbfecab7ccd90183a84e588f83474f027b6fee785c47a4318aa309e6712d4e05d
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj64:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5h
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
Processes:
- fnjkeppndv.exe: Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes:
- fnjkeppndv.exe: Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
Windows security bypass 5 IoCs
Processes:
- fnjkeppndv.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- fnjkeppndv.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- fnjkeppndv.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
- fnjkeppndv.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- fnjkeppndv.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
Disables RegEdit via registry modification 1 IoCs
Processes:
- fnjkeppndv.exe: Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
- 4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe: Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation
Executes dropped EXE 5 IoCs
Processes:
- PID 2332 fnjkeppndv.exe
- PID 1940 stqsybwaydndult.exe
- PID 1452 oubxbzit.exe
- PID 2932 ggqmodztrijgl.exe
- PID 3820 oubxbzit.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 6 IoCs
Processes:
- fnjkeppndv.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1"
- fnjkeppndv.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- fnjkeppndv.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
- fnjkeppndv.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- fnjkeppndv.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- fnjkeppndv.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
- stqsybwaydndult.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kloqsmhd = "stqsybwaydndult.exe"
- stqsybwaydndult.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "ggqmodztrijgl.exe"
- stqsybwaydndult.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rmgeifem = "fnjkeppndv.exe"
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
- fnjkeppndv.exe: File opened (read-only), one event per drive letter, for \??\a: \??\b: \??\e: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\o: \??\p: \??\q: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z: (23 events; every letter except c:, d:, f:)
- oubxbzit.exe (both instances combined): File opened (read-only) for \??\a: (1) \??\b: (2) \??\e: (2) \??\g: (2) \??\h: (2) \??\i: (1) \??\j: (2) \??\k: (2) \??\l: (2) \??\m: (2) \??\n: (2) \??\o: (2) \??\p: (1) \??\q: (2) \??\r: (2) \??\s: (2) \??\t: (2) \??\u: (2) \??\v: (1) \??\w: (2) \??\x: (1) \??\y: (2) \??\z: (2) (41 events)
Modifies WinLogon 2 TTPs 2 IoCs
Processes:
- fnjkeppndv.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"
- fnjkeppndv.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"
AutoIT Executable 10 IoCs
AutoIT scripts compiled to PE executables.
Resources matching yara rule autoit_exe:
- behavioral2/memory/624-0-0x0000000000400000-0x0000000000496000-memory.dmp
- C:\Windows\SysWOW64\stqsybwaydndult.exe
- C:\Windows\SysWOW64\fnjkeppndv.exe
- C:\Windows\SysWOW64\oubxbzit.exe
- C:\Windows\SysWOW64\ggqmodztrijgl.exe
- C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- C:\Users\Admin\Documents\UnblockFormat.doc.exe
- \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
- \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
Drops file in System32 directory 12 IoCs
Processes:
- oubxbzit.exe: File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
- oubxbzit.exe: File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
- 4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe: File opened for modification C:\Windows\SysWOW64\fnjkeppndv.exe
- 4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe: File created C:\Windows\SysWOW64\stqsybwaydndult.exe
- 4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe: File created C:\Windows\SysWOW64\oubxbzit.exe
- 4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe: File created C:\Windows\SysWOW64\ggqmodztrijgl.exe
- 4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe: File opened for modification C:\Windows\SysWOW64\ggqmodztrijgl.exe
- fnjkeppndv.exe: File opened for modification C:\Windows\SysWOW64\msvbvm60.dll
- oubxbzit.exe: File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
- 4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe: File created C:\Windows\SysWOW64\fnjkeppndv.exe
- 4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe: File opened for modification C:\Windows\SysWOW64\stqsybwaydndult.exe
- 4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe: File opened for modification C:\Windows\SysWOW64\oubxbzit.exe
Drops file in Program Files directory 14 IoCs
Processes:
- oubxbzit.exe: File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- oubxbzit.exe: File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- oubxbzit.exe: File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- oubxbzit.exe: File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- oubxbzit.exe: File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal
- oubxbzit.exe: File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- oubxbzit.exe: File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- oubxbzit.exe: File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal
- oubxbzit.exe: File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- oubxbzit.exe: File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- oubxbzit.exe: File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal
- oubxbzit.exe: File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- oubxbzit.exe: File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- oubxbzit.exe: File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal
Drops file in Windows directory 19 IoCs
Processes:
- oubxbzit.exe: File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe
- oubxbzit.exe: File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe
- oubxbzit.exe: File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe
- oubxbzit.exe: File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe
- oubxbzit.exe: File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe
- oubxbzit.exe: File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe
- oubxbzit.exe: File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe
- 4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe: File opened for modification C:\Windows\mydoc.rtf
- WINWORD.EXE: File created C:\Windows\~$mydoc.rtf
- oubxbzit.exe: File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe
- oubxbzit.exe: File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe
- WINWORD.EXE: File opened for modification C:\Windows\mydoc.rtf
- oubxbzit.exe: File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe
- oubxbzit.exe: File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe
- oubxbzit.exe: File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe
- oubxbzit.exe: File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe
- oubxbzit.exe: File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe
- oubxbzit.exe: File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe
- oubxbzit.exe: File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
- WINWORD.EXE: Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
- WINWORD.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
- WINWORD.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
- WINWORD.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
- WINWORD.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
- WINWORD.EXE: Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS
Modifies registry class 20 IoCs
Processes:
- fnjkeppndv.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"
- fnjkeppndv.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh
- fnjkeppndv.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile"
- fnjkeppndv.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile"
- fnjkeppndv.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"
- fnjkeppndv.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg
- 4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe: Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes
- 4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCDF9B0FE17F2E384793B43819C3990B3FD02F04366033DE2CB42EC09D5"
- 4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC4B02F479738EA53CCB9A7329CD4BB"
- fnjkeppndv.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat
- fnjkeppndv.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf
- 4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33452C769C2383546A4277D077262CA97DF365DF"
- 4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E8FFFFB4F58851C9137D7587EE6BC90E630593767366342D798"
- 4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F36BB8FE1A21DDD279D0A88A7C9167"
- fnjkeppndv.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile"
- fnjkeppndv.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs
- fnjkeppndv.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"
- 4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184BC67D15EDDBC5B9BE7CE9ED9634CD"
- 4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe: Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings
- fnjkeppndv.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
- PID 1500 WINWORD.EXE (2 events)
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
- PID 624 4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe (16 events)
- PID 1452 oubxbzit.exe (8 events)
- PID 1940 stqsybwaydndult.exe (10 events)
- PID 2332 fnjkeppndv.exe (10 events)
- PID 2932 ggqmodztrijgl.exe (12 events)
- PID 1940 stqsybwaydndult.exe (2 further events)
- PID 3820 oubxbzit.exe (6 events)
Suspicious use of FindShellTrayWindow 18 IoCs
Processes:
- PID 624 4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe (3 events)
- PID 1940 stqsybwaydndult.exe (3 events)
- PID 1452 oubxbzit.exe (3 events)
- PID 2332 fnjkeppndv.exe (3 events)
- PID 2932 ggqmodztrijgl.exe (3 events)
- PID 3820 oubxbzit.exe (3 events)
Suspicious use of SendNotifyMessage 18 IoCs
Processes:
- PID 624 4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe (3 events)
- PID 1940 stqsybwaydndult.exe (3 events)
- PID 1452 oubxbzit.exe (3 events)
- PID 2332 fnjkeppndv.exe (3 events)
- PID 2932 ggqmodztrijgl.exe (3 events)
- PID 3820 oubxbzit.exe (3 events)
Suspicious use of SetWindowsHookEx 7 IoCs
Processes:
- PID 1500 WINWORD.EXE (7 events)
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
- PID 624 4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe wrote to memory of PID 2332 fnjkeppndv.exe (3 events)
- PID 624 4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe wrote to memory of PID 1940 stqsybwaydndult.exe (3 events)
- PID 624 4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe wrote to memory of PID 1452 oubxbzit.exe (3 events)
- PID 624 4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe wrote to memory of PID 2932 ggqmodztrijgl.exe (3 events)
- PID 624 4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe wrote to memory of PID 1500 WINWORD.EXE (2 events)
- PID 2332 fnjkeppndv.exe wrote to memory of PID 3820 oubxbzit.exe (3 events)
Processes
C:\Users\Admin\AppData\Local\Temp\4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe (PID 624)
Command line: "C:\Users\Admin\AppData\Local\Temp\4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe"
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\fnjkeppndv.exe (PID 2332, child of 624)
  Command line: fnjkeppndv.exe
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\oubxbzit.exe (PID 3820, child of 2332)
    Command line: C:\Windows\system32\oubxbzit.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\stqsybwaydndult.exe (PID 1940, child of 624)
  Command line: stqsybwaydndult.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\oubxbzit.exe (PID 1452, child of 624)
  Command line: oubxbzit.exe
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\ggqmodztrijgl.exe (PID 2932, child of 624)
  Command line: ggqmodztrijgl.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 1500, child of 624)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
  - Drops file in Windows directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads