Analysis
max time kernel: 153s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-05-2024 12:06
Static task: static1
Behavioral task: behavioral1
  Sample: 4afbd40195806c1e2d3b8f659b37743e_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 4afbd40195806c1e2d3b8f659b37743e_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
Target: 4afbd40195806c1e2d3b8f659b37743e_JaffaCakes118.exe
Size: 512KB
MD5: 4afbd40195806c1e2d3b8f659b37743e
SHA1: 2677c0786dd8b6f2cd5befa921ed90a5ba29ee60
SHA256: ddbffab598f2ec7be186fabd0ab124cfdc5a47bd8d993ba4d6528277d57137c0
SHA512: 2a379bf664f844b8af52e1bb9574605fce1b46abfb6323447d60e1324f19aaac85868f85aad7d4425f503b54ce320e6d3238ef9c8e182235ecd3821cc77c75e7
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6N:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5E
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | uzhcyzpbnj.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | uzhcyzpbnj.exe
Windows security bypass
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | uzhcyzpbnj.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | uzhcyzpbnj.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | uzhcyzpbnj.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | uzhcyzpbnj.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | uzhcyzpbnj.exe
Disables RegEdit via registry modification (1 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | uzhcyzpbnj.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | 4afbd40195806c1e2d3b8f659b37743e_JaffaCakes118.exe
Executes dropped EXE (5 IoCs)
  pid | Process
  1208 | uzhcyzpbnj.exe
  2152 | ighpdmvnylhgjtp.exe
  2744 | dstqbdos.exe
  544 | kpywulfyjfkea.exe
  2124 | dstqbdos.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | uzhcyzpbnj.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | uzhcyzpbnj.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | uzhcyzpbnj.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | uzhcyzpbnj.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | uzhcyzpbnj.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | uzhcyzpbnj.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vrtfpdmq = "uzhcyzpbnj.exe" | ighpdmvnylhgjtp.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\bzxtymjp = "ighpdmvnylhgjtp.exe" | ighpdmvnylhgjtp.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "kpywulfyjfkea.exe" | ighpdmvnylhgjtp.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\w: | uzhcyzpbnj.exe
  File opened (read-only) | \??\l: | dstqbdos.exe
  File opened (read-only) | \??\z: | dstqbdos.exe
  File opened (read-only) | \??\s: | uzhcyzpbnj.exe
  File opened (read-only) | \??\t: | uzhcyzpbnj.exe
  File opened (read-only) | \??\b: | dstqbdos.exe
  File opened (read-only) | \??\g: | dstqbdos.exe
  File opened (read-only) | \??\k: | dstqbdos.exe
  File opened (read-only) | \??\h: | uzhcyzpbnj.exe
  File opened (read-only) | \??\v: | uzhcyzpbnj.exe
  File opened (read-only) | \??\x: | uzhcyzpbnj.exe
  File opened (read-only) | \??\r: | dstqbdos.exe
  File opened (read-only) | \??\a: | dstqbdos.exe
  File opened (read-only) | \??\a: | dstqbdos.exe
  File opened (read-only) | \??\n: | dstqbdos.exe
  File opened (read-only) | \??\i: | uzhcyzpbnj.exe
  File opened (read-only) | \??\q: | uzhcyzpbnj.exe
  File opened (read-only) | \??\r: | uzhcyzpbnj.exe
  File opened (read-only) | \??\p: | dstqbdos.exe
  File opened (read-only) | \??\q: | dstqbdos.exe
  File opened (read-only) | \??\y: | uzhcyzpbnj.exe
  File opened (read-only) | \??\o: | dstqbdos.exe
  File opened (read-only) | \??\p: | dstqbdos.exe
  File opened (read-only) | \??\v: | dstqbdos.exe
  File opened (read-only) | \??\a: | uzhcyzpbnj.exe
  File opened (read-only) | \??\j: | uzhcyzpbnj.exe
  File opened (read-only) | \??\n: | uzhcyzpbnj.exe
  File opened (read-only) | \??\o: | uzhcyzpbnj.exe
  File opened (read-only) | \??\y: | dstqbdos.exe
  File opened (read-only) | \??\b: | dstqbdos.exe
  File opened (read-only) | \??\q: | dstqbdos.exe
  File opened (read-only) | \??\b: | uzhcyzpbnj.exe
  File opened (read-only) | \??\t: | dstqbdos.exe
  File opened (read-only) | \??\e: | dstqbdos.exe
  File opened (read-only) | \??\h: | dstqbdos.exe
  File opened (read-only) | \??\y: | dstqbdos.exe
  File opened (read-only) | \??\h: | dstqbdos.exe
  File opened (read-only) | \??\w: | dstqbdos.exe
  File opened (read-only) | \??\x: | dstqbdos.exe
  File opened (read-only) | \??\i: | dstqbdos.exe
  File opened (read-only) | \??\j: | dstqbdos.exe
  File opened (read-only) | \??\n: | dstqbdos.exe
  File opened (read-only) | \??\e: | uzhcyzpbnj.exe
  File opened (read-only) | \??\k: | uzhcyzpbnj.exe
  File opened (read-only) | \??\m: | dstqbdos.exe
  File opened (read-only) | \??\o: | dstqbdos.exe
  File opened (read-only) | \??\x: | dstqbdos.exe
  File opened (read-only) | \??\l: | uzhcyzpbnj.exe
  File opened (read-only) | \??\j: | dstqbdos.exe
  File opened (read-only) | \??\k: | dstqbdos.exe
  File opened (read-only) | \??\u: | dstqbdos.exe
  File opened (read-only) | \??\r: | dstqbdos.exe
  File opened (read-only) | \??\u: | dstqbdos.exe
  File opened (read-only) | \??\m: | uzhcyzpbnj.exe
  File opened (read-only) | \??\z: | dstqbdos.exe
  File opened (read-only) | \??\t: | dstqbdos.exe
  File opened (read-only) | \??\p: | uzhcyzpbnj.exe
  File opened (read-only) | \??\z: | uzhcyzpbnj.exe
  File opened (read-only) | \??\g: | dstqbdos.exe
  File opened (read-only) | \??\i: | dstqbdos.exe
  File opened (read-only) | \??\s: | dstqbdos.exe
  File opened (read-only) | \??\v: | dstqbdos.exe
  File opened (read-only) | \??\s: | dstqbdos.exe
  File opened (read-only) | \??\w: | dstqbdos.exe
Modifies WinLogon (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | uzhcyzpbnj.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | uzhcyzpbnj.exe
AutoIT Executable (10 IoCs)
AutoIT scripts compiled to PE executables.
  resource | yara_rule
  behavioral2/memory/4776-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
  behavioral2/files/0x0008000000023265-5.dat | autoit_exe
  behavioral2/files/0x0008000000023264-18.dat | autoit_exe
  behavioral2/files/0x0008000000023267-29.dat | autoit_exe
  behavioral2/files/0x0008000000023268-30.dat | autoit_exe
  behavioral2/files/0x00020000000227e5-52.dat | autoit_exe
  behavioral2/files/0x00080000000224f9-49.dat | autoit_exe
  behavioral2/files/0x000900000001eb28-92.dat | autoit_exe
  behavioral2/files/0x000200000001eb42-98.dat | autoit_exe
  behavioral2/files/0x000200000001eb42-103.dat | autoit_exe
Drops file in System32 directory (12 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\ighpdmvnylhgjtp.exe | 4afbd40195806c1e2d3b8f659b37743e_JaffaCakes118.exe
  File created | C:\Windows\SysWOW64\dstqbdos.exe | 4afbd40195806c1e2d3b8f659b37743e_JaffaCakes118.exe
  File created | C:\Windows\SysWOW64\kpywulfyjfkea.exe | 4afbd40195806c1e2d3b8f659b37743e_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\kpywulfyjfkea.exe | 4afbd40195806c1e2d3b8f659b37743e_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | uzhcyzpbnj.exe
  File opened for modification | C:\Windows\SysWOW64\uzhcyzpbnj.exe | 4afbd40195806c1e2d3b8f659b37743e_JaffaCakes118.exe
  File created | C:\Windows\SysWOW64\ighpdmvnylhgjtp.exe | 4afbd40195806c1e2d3b8f659b37743e_JaffaCakes118.exe
  File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | dstqbdos.exe
  File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | dstqbdos.exe
  File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | dstqbdos.exe
  File created | C:\Windows\SysWOW64\uzhcyzpbnj.exe | 4afbd40195806c1e2d3b8f659b37743e_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\dstqbdos.exe | 4afbd40195806c1e2d3b8f659b37743e_JaffaCakes118.exe
Drops file in Program Files directory (14 IoCs)
  description | ioc | Process
  File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | dstqbdos.exe
  File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | dstqbdos.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | dstqbdos.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | dstqbdos.exe
  File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | dstqbdos.exe
  File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | dstqbdos.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | dstqbdos.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | dstqbdos.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | dstqbdos.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | dstqbdos.exe
  File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | dstqbdos.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | dstqbdos.exe
  File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | dstqbdos.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | dstqbdos.exe
Drops file in Windows directory (3 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\mydoc.rtf | 4afbd40195806c1e2d3b8f659b37743e_JaffaCakes118.exe
  File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
  File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Modifies registry class (20 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 4afbd40195806c1e2d3b8f659b37743e_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABCFACAF965F29983743B35819D39E6B3FD02F84360033EE1C4459D09D1" | 4afbd40195806c1e2d3b8f659b37743e_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1839C77B1493DBBFB9CD7CE9ED9437C9" | 4afbd40195806c1e2d3b8f659b37743e_JaffaCakes118.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | uzhcyzpbnj.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | uzhcyzpbnj.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | uzhcyzpbnj.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB0B029449538E353CCBAD6329AD4C5" | 4afbd40195806c1e2d3b8f659b37743e_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F768B7FF1B21DED10BD0D18A74906B" | 4afbd40195806c1e2d3b8f659b37743e_JaffaCakes118.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | uzhcyzpbnj.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32462D0D9C2183256D3577A177262CDC7D8064AA" | 4afbd40195806c1e2d3b8f659b37743e_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFAFCFE4F29826F903DD72B7D93BCE4E141594167356344D7EC" | 4afbd40195806c1e2d3b8f659b37743e_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | uzhcyzpbnj.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | uzhcyzpbnj.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | uzhcyzpbnj.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | uzhcyzpbnj.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | uzhcyzpbnj.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | uzhcyzpbnj.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | uzhcyzpbnj.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | uzhcyzpbnj.exe
  Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings | 4afbd40195806c1e2d3b8f659b37743e_JaffaCakes118.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  pid | Process
  3176 | WINWORD.EXE (2 entries)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  4776 | 4afbd40195806c1e2d3b8f659b37743e_JaffaCakes118.exe (16 entries)
  1208 | uzhcyzpbnj.exe (10 entries)
  2152 | ighpdmvnylhgjtp.exe (10 entries)
  2744 | dstqbdos.exe (8 entries)
  544 | kpywulfyjfkea.exe (12 entries)
  2152 | ighpdmvnylhgjtp.exe (2 entries)
  544 | kpywulfyjfkea.exe (4 entries)
  2152 | ighpdmvnylhgjtp.exe (2 entries)
Suspicious use of FindShellTrayWindow (18 IoCs)
  pid | Process
  4776 | 4afbd40195806c1e2d3b8f659b37743e_JaffaCakes118.exe (3 entries)
  1208 | uzhcyzpbnj.exe (3 entries)
  2152 | ighpdmvnylhgjtp.exe (3 entries)
  2744 | dstqbdos.exe (3 entries)
  544 | kpywulfyjfkea.exe (3 entries)
  2124 | dstqbdos.exe (3 entries)
Suspicious use of SendNotifyMessage (18 IoCs)
  pid | Process
  4776 | 4afbd40195806c1e2d3b8f659b37743e_JaffaCakes118.exe (3 entries)
  1208 | uzhcyzpbnj.exe (3 entries)
  2152 | ighpdmvnylhgjtp.exe (3 entries)
  2744 | dstqbdos.exe (3 entries)
  544 | kpywulfyjfkea.exe (3 entries)
  2124 | dstqbdos.exe (3 entries)
Suspicious use of SetWindowsHookEx (7 IoCs)
  pid | Process
  3176 | WINWORD.EXE (7 entries)
Suspicious use of WriteProcessMemory (17 IoCs)
  description | pid | Process | procid_target
  PID 4776 wrote to memory of 1208 | 4776 | 4afbd40195806c1e2d3b8f659b37743e_JaffaCakes118.exe | 91 (3 entries)
  PID 4776 wrote to memory of 2152 | 4776 | 4afbd40195806c1e2d3b8f659b37743e_JaffaCakes118.exe | 92 (3 entries)
  PID 4776 wrote to memory of 2744 | 4776 | 4afbd40195806c1e2d3b8f659b37743e_JaffaCakes118.exe | 93 (3 entries)
  PID 4776 wrote to memory of 544 | 4776 | 4afbd40195806c1e2d3b8f659b37743e_JaffaCakes118.exe | 94 (3 entries)
  PID 1208 wrote to memory of 2124 | 1208 | uzhcyzpbnj.exe | 95 (3 entries)
  PID 4776 wrote to memory of 3176 | 4776 | 4afbd40195806c1e2d3b8f659b37743e_JaffaCakes118.exe | 96 (2 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\4afbd40195806c1e2d3b8f659b37743e_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4afbd40195806c1e2d3b8f659b37743e_JaffaCakes118.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 4776
  C:\Windows\SysWOW64\uzhcyzpbnj.exe
    Command line: uzhcyzpbnj.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID: 1208
    C:\Windows\SysWOW64\dstqbdos.exe
      Command line: C:\Windows\system32\dstqbdos.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      PID: 2124
  C:\Windows\SysWOW64\ighpdmvnylhgjtp.exe
    Command line: ighpdmvnylhgjtp.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 2152
  C:\Windows\SysWOW64\dstqbdos.exe
    Command line: dstqbdos.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 2744
  C:\Windows\SysWOW64\kpywulfyjfkea.exe
    Command line: kpywulfyjfkea.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 544
  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID: 3176
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3376 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8
  PID: 2044
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (6)
Downloads
Filesize: 512KB
MD5: bdde62be2069c517ac37e5b3ac679202
SHA1: 4b496772d9ea3a3513a9506dd0bd0e88fc94b3ec
SHA256: d1da0e52614144f7b3dc46d3548a557f1e362cdf981ed342ea19793ea3ebb212
SHA512: aae9193442efb8caa5ceb346928eb12879b9697c4b5d7243f9cf1f64b138ce3d2d7c11345c44511b7b4c3c4e451e0196a5331508d9bec10c8dfd3ae0af4c5a5e

Filesize: 512KB
MD5: 61ac4b9d94a1f4f6f6847e9beaea4f82
SHA1: 9bed2a75a20965c93d7ba3ddf855a977a8a3c75a
SHA256: 13c55725580742bc3517b008871d89bd989b63b7115136a6b0fb90a1857eb67f
SHA512: 6905954ff979665fb0a33686decdaa4d0f5e237b3cb7e57e0761415f181b3ac3ff7793232c2ab01ec861c9dd492dc525bcd8f075c7806ff7a9c3d7dbdbd7319c

Filesize: 239B
MD5: 12b138a5a40ffb88d1850866bf2959cd
SHA1: 57001ba2de61329118440de3e9f8a81074cb28a2
SHA256: 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA512: 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: bdb9679fae8d68b183a004d4ea022267
SHA1: 2279e23ed4e8d809603353a06cc791a3273c6bae
SHA256: c3e562137b7c1ea7d93a12514ff1e8498f9c292d718e73eb724197094eab3065
SHA512: 3d528d704ed57715293cb28959d678101619834c9877e941b8ccc7ac953219d14b018f784a9ffe3dfb49840892dc227fbd779619b2c01a40e7383d1e6e13e8ce

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: e802e172894611a7638d143a1a433aba
SHA1: 11ec701eddb7749cfba75dbac2902c2d1882ef49
SHA256: 15555c2ffec24680dc6ac4b09cf1f69e9399ac7778e35e421afc27eebe820bcb
SHA512: 232b453d3a95a6ddda7fc19a326ac757a4258ebff877a47ca8af6daf8482812e7dea393f135e2613ae6cffe230a9033813610f7e60423b86ffe34029eb9f49a2

Filesize: 512KB
MD5: 1c35658d813f0a72ee416021131c2af5
SHA1: 648d05b85eaf601c8a18aedbf65008d84e14bf4c
SHA256: e041cd36ac13d4425f4874ba64f47b7092fbf1bb52926c3f7dd9fe41e5bee8fc
SHA512: 339a8fb2c1d03748fd8a2e52ac5806c285ba23096bba2d1d2ae19ca5d3bff1c26832fa0588401acfb38fa29bced17324f111b4970e1ab631c4b894f22e030712

Filesize: 512KB
MD5: 088111323d4211f4ebe4e3f2f41168bb
SHA1: 7a96a007af89eb55dad50985646bb36887a5d47c
SHA256: 1554549c2b10efcb9b570790715a7a16dd3235a05fe4573e7f6db557d5c05825
SHA512: 2d47de2820fcc0b0c86be046fa348fddf0e8454b84a108511bfa61a800cf83eb36bab8a7d4eb2cccbff84c7b8179b7b7aac1461c5e5637c728cd0befacf74cc6

Filesize: 512KB
MD5: bd3aa645885aff026592ba0edb908b59
SHA1: d7baf65768f6c709e2961d90b0fac6939514f6ad
SHA256: 37d224d81c2ee77ec9431f76c607aceee434948c3a2f374e63ee192d17cfbe3e
SHA512: e5b61c01a2a9f4425ce23a00589ee6ee060d75a9664a663470601dd4b26a1351c140ddaa94372ff90fb2a561bdf3f64c257b930aef1c6471acdf492781a428e4

Filesize: 512KB
MD5: 7dd5f4c059fe95478ae5cd8f71c3ca23
SHA1: 8bc1b5aeed1324a46b567b617f2a8bb6d2cdfaac
SHA256: 7e2208199745d0f069541ca26444fb0ee4354502a5a9fb66dd0de047c85180a2
SHA512: 8b699294cb4c506198ca1ff872bff1936ea67ca078b1a6d55121d820a155ddbab6ec8cf7f507dc2a8710166d56cacd4944e06e72e0e18a82ff4bda0a9e55d395

Filesize: 512KB
MD5: b1055c7e7e71207c73515e74a4f89427
SHA1: 1a7d8a59c9ee9bb21f1674fb3de10141e5f54427
SHA256: 3e205272b709b9b4090cf717708576bcf293b1cb23e558b3ab735d8409e861ad
SHA512: 8d671854b2f1c1e16d64ebe658f167486f4d34a75e29fbafb81caaff23c2a663671934ea68c3f950b1d4ec6d9d83ec7fb1765a24787f1d692e34c971bda29e1e

Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Filesize: 512KB
MD5: b6d9a75973ad1222c7d756bb0e10fd16
SHA1: 9994508a24d6ed54a067b0f5b463f28d3068cd59
SHA256: 1afe8334647461c22ef2d8c9ed3d9bc659678d855b15def81a52cbfbadd8b553
SHA512: 0d131017d052bc4ea4ad60e1c63ae4e4c2ba320a39c56d038d4c5b4a5a209d410dec1f0018e72c8fab189c8ac11875e5cf6065c64d1628beab54e5d3dfcfef47

Filesize: 512KB
MD5: f6297dfe8342d3ed079faaee923d2ede
SHA1: f2ebea586afbc6562f6d0f766b0ae216447ddf6d
SHA256: 5e16074cde18ac03e18a4d65040b3671e62c97b468ea6e3764d90915e7fe199b
SHA512: 4b24bd1af149700be3de34da7679f613dc5e749232f894d04993e297bc51e71dddac29ac9314b682754f70a997fb8a2e0eb90e1ea9242c418951f2a827d77a29