Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16/05/2024, 14:55

Static task: static1

Behavioral task: behavioral1
- Sample: 4ba4a174978b23b5f8c48a7aa6dac921_JaffaCakes118.exe
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: 4ba4a174978b23b5f8c48a7aa6dac921_JaffaCakes118.exe
- Resource: win10v2004-20240508-en

General
- Target: 4ba4a174978b23b5f8c48a7aa6dac921_JaffaCakes118.exe
- Size: 512KB
- MD5: 4ba4a174978b23b5f8c48a7aa6dac921
- SHA1: f290f59e26c0a08fd2d4605c51dce835e970437c
- SHA256: 983920a0b3aa2874517974e56d6cb07817a3134c36e2d68bf812855beaa87818
- SHA512: 338b8936bd1599771e43c5387d31e1cb6513803c7e37ea826283acce1870710d853b327d933971fae00a38827b166fc71283689e6f7db8771bef9a511e46e9ef
- SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj64:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5f

Malware Config

Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoCs)
- Set value (int): \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (ccdomvbouj.exe)
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoCs)
- Set value (int): \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (ccdomvbouj.exe)
Windows security bypass
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (ccdomvbouj.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (ccdomvbouj.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (ccdomvbouj.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (ccdomvbouj.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (ccdomvbouj.exe)
Disables RegEdit via registry modification (1 IoCs)
- Set value (int): \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (ccdomvbouj.exe)
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation (4ba4a174978b23b5f8c48a7aa6dac921_JaffaCakes118.exe)
Executes dropped EXE (5 IoCs)
- PID 3500: ccdomvbouj.exe
- PID 1804: jwihkoonwzicnjo.exe
- PID 1268: lzxxgplb.exe
- PID 1968: ngvddhzoahgpt.exe
- PID 3656: lzxxgplb.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (ccdomvbouj.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (ccdomvbouj.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" (ccdomvbouj.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (ccdomvbouj.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (ccdomvbouj.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (ccdomvbouj.exe)
Adds Run key to start application (2 TTPs, 3 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ncpyopdb = "ccdomvbouj.exe" (jwihkoonwzicnjo.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kljqerao = "jwihkoonwzicnjo.exe" (jwihkoonwzicnjo.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "ngvddhzoahgpt.exe" (jwihkoonwzicnjo.exe)
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
File opened (read-only) events, grouped by process (each process's own event order is kept):
- ccdomvbouj.exe (20 events): \??\a:, \??\o:, \??\v:, \??\h:, \??\z:, \??\j:, \??\n:, \??\s:, \??\y:, \??\p:, \??\w:, \??\u:, \??\e:, \??\t:, \??\i:, \??\m:, \??\q:, \??\b:, \??\g:, \??\k:
- lzxxgplb.exe (44 events, two instances of the process): \??\h:, \??\r:, \??\t:, \??\p:, \??\g:, \??\r:, \??\n:, \??\u:, \??\w:, \??\e:, \??\j:, \??\k:, \??\v:, \??\v:, \??\l:, \??\b:, \??\g:, \??\i:, \??\u:, \??\h:, \??\m:, \??\s:, \??\e:, \??\s:, \??\a:, \??\w:, \??\o:, \??\z:, \??\p:, \??\q:, \??\t:, \??\a:, \??\i:, \??\n:, \??\y:, \??\z:, \??\m:, \??\q:, \??\b:, \??\x:, \??\k:, \??\l:, \??\x:, \??\y:
Modifies WinLogon (2 TTPs, 2 IoCs)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" (ccdomvbouj.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" (ccdomvbouj.exe)
AutoIT Executable (9 IoCs)
AutoIT scripts compiled to PE executables.
Resources matching YARA rule autoit_exe:
- behavioral2/memory/4916-0-0x0000000000400000-0x0000000000496000-memory.dmp
- behavioral2/files/0x00070000000233f5-5.dat
- behavioral2/files/0x00090000000233ee-20.dat
- behavioral2/files/0x00070000000233f6-25.dat
- behavioral2/files/0x00070000000233f7-29.dat
- behavioral2/files/0x0007000000023405-73.dat
- behavioral2/files/0x00080000000233e1-69.dat
- behavioral2/files/0x0007000000023426-91.dat
- behavioral2/files/0x0007000000023426-402.dat
Drops file in System32 directory (13 IoCs)
- File created: C:\Windows\SysWOW64\ngvddhzoahgpt.exe (4ba4a174978b23b5f8c48a7aa6dac921_JaffaCakes118.exe)
- File opened for modification: C:\Windows\SysWOW64\msvbvm60.dll (ccdomvbouj.exe)
- File opened for modification: \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (lzxxgplb.exe)
- File created: C:\Windows\SysWOW64\lzxxgplb.exe (4ba4a174978b23b5f8c48a7aa6dac921_JaffaCakes118.exe)
- File created: \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (lzxxgplb.exe)
- File opened for modification: \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (lzxxgplb.exe)
- File opened for modification: C:\Windows\SysWOW64\ngvddhzoahgpt.exe (4ba4a174978b23b5f8c48a7aa6dac921_JaffaCakes118.exe)
- File created: \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (lzxxgplb.exe)
- File created: C:\Windows\SysWOW64\ccdomvbouj.exe (4ba4a174978b23b5f8c48a7aa6dac921_JaffaCakes118.exe)
- File opened for modification: C:\Windows\SysWOW64\jwihkoonwzicnjo.exe (4ba4a174978b23b5f8c48a7aa6dac921_JaffaCakes118.exe)
- File opened for modification: C:\Windows\SysWOW64\lzxxgplb.exe (4ba4a174978b23b5f8c48a7aa6dac921_JaffaCakes118.exe)
- File opened for modification: C:\Windows\SysWOW64\ccdomvbouj.exe (4ba4a174978b23b5f8c48a7aa6dac921_JaffaCakes118.exe)
- File created: C:\Windows\SysWOW64\jwihkoonwzicnjo.exe (4ba4a174978b23b5f8c48a7aa6dac921_JaffaCakes118.exe)
Drops file in Program Files directory (14 IoCs)
All events by lzxxgplb.exe:
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- File opened for modification: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal
- File created: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- File opened for modification: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- File created: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- File opened for modification: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- File opened for modification: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal
Drops file in Windows directory (19 IoCs)
- File opened for modification: C:\Windows\mydoc.rtf (4ba4a174978b23b5f8c48a7aa6dac921_JaffaCakes118.exe)
- File created: C:\Windows\~$mydoc.rtf (WINWORD.EXE)
- File opened for modification: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (lzxxgplb.exe)
- File created: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (lzxxgplb.exe)
- File opened for modification: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (lzxxgplb.exe)
- File opened for modification: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (lzxxgplb.exe)
- File created: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (lzxxgplb.exe)
- File opened for modification: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (lzxxgplb.exe)
- File created: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (lzxxgplb.exe)
- File created: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (lzxxgplb.exe)
- File opened for modification: C:\Windows\mydoc.rtf (WINWORD.EXE)
- File opened for modification: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (lzxxgplb.exe)
- File opened for modification: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (lzxxgplb.exe)
- File created: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (lzxxgplb.exe)
- File opened for modification: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (lzxxgplb.exe)
- File created: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (lzxxgplb.exe)
- File created: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (lzxxgplb.exe)
- File created: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (lzxxgplb.exe)
- File opened for modification: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (lzxxgplb.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)
Enumerates system info in registry (2 TTPs, 3 IoCs)
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
Modifies registry class (20 IoCs)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs (ccdomvbouj.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" (ccdomvbouj.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.reg (ccdomvbouj.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184BC67D1591DBC5B8C17FE6ED9F34C6" (4ba4a174978b23b5f8c48a7aa6dac921_JaffaCakes118.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.bat (ccdomvbouj.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf (ccdomvbouj.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC7B02044E638EA53C9B9D23299D7C4" (4ba4a174978b23b5f8c48a7aa6dac921_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" (ccdomvbouj.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" (ccdomvbouj.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" (ccdomvbouj.exe)
- Key created: \REGISTRY\MACHINE\Software\Classes\CLV.Classes (4ba4a174978b23b5f8c48a7aa6dac921_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABFF9CAF964F191837B3B3786ED39E6B38803FE4361033AE1BF42EA08A5" (4ba4a174978b23b5f8c48a7aa6dac921_JaffaCakes118.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings (4ba4a174978b23b5f8c48a7aa6dac921_JaffaCakes118.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh (ccdomvbouj.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" (ccdomvbouj.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc (ccdomvbouj.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" (ccdomvbouj.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33402C7B9C2D83506A3177D670242CAA7CF464AA" (4ba4a174978b23b5f8c48a7aa6dac921_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFFFFFB4F26856E913CD72F7EE6BDE2E13359306740623ED690" (4ba4a174978b23b5f8c48a7aa6dac921_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7846BB6FF1F22D1D27FD1D58A7D9113" (4ba4a174978b23b5f8c48a7aa6dac921_JaffaCakes118.exe)
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
- PID 1920: WINWORD.EXE (2 events)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Event counts per process:
- PID 4916: 4ba4a174978b23b5f8c48a7aa6dac921_JaffaCakes118.exe (16 events)
- PID 3500: ccdomvbouj.exe (10 events)
- PID 1804: jwihkoonwzicnjo.exe (12 events)
- PID 1968: ngvddhzoahgpt.exe (12 events)
- PID 1268: lzxxgplb.exe (8 events)
- PID 3656: lzxxgplb.exe (6 events)
Suspicious use of FindShellTrayWindow (18 IoCs)
Three events for each of the following processes:
- PID 4916: 4ba4a174978b23b5f8c48a7aa6dac921_JaffaCakes118.exe
- PID 3500: ccdomvbouj.exe
- PID 1804: jwihkoonwzicnjo.exe
- PID 1968: ngvddhzoahgpt.exe
- PID 1268: lzxxgplb.exe
- PID 3656: lzxxgplb.exe
Suspicious use of SendNotifyMessage (18 IoCs)
Three events for each of the following processes:
- PID 4916: 4ba4a174978b23b5f8c48a7aa6dac921_JaffaCakes118.exe
- PID 3500: ccdomvbouj.exe
- PID 1804: jwihkoonwzicnjo.exe
- PID 1968: ngvddhzoahgpt.exe
- PID 1268: lzxxgplb.exe
- PID 3656: lzxxgplb.exe
Suspicious use of SetWindowsHookEx (7 IoCs)
- PID 1920: WINWORD.EXE (7 events)
Suspicious use of WriteProcessMemory (17 IoCs)
- PID 4916 (4ba4a174978b23b5f8c48a7aa6dac921_JaffaCakes118.exe) wrote to memory of PID 3500, procid_target 82 (3 events)
- PID 4916 (4ba4a174978b23b5f8c48a7aa6dac921_JaffaCakes118.exe) wrote to memory of PID 1804, procid_target 83 (3 events)
- PID 4916 (4ba4a174978b23b5f8c48a7aa6dac921_JaffaCakes118.exe) wrote to memory of PID 1268, procid_target 84 (3 events)
- PID 4916 (4ba4a174978b23b5f8c48a7aa6dac921_JaffaCakes118.exe) wrote to memory of PID 1968, procid_target 85 (3 events)
- PID 4916 (4ba4a174978b23b5f8c48a7aa6dac921_JaffaCakes118.exe) wrote to memory of PID 1920, procid_target 86 (2 events)
- PID 3500 (ccdomvbouj.exe) wrote to memory of PID 3656, procid_target 89 (3 events)
Processes

1. C:\Users\Admin\AppData\Local\Temp\4ba4a174978b23b5f8c48a7aa6dac921_JaffaCakes118.exe (PID 4916)
   Command line: "C:\Users\Admin\AppData\Local\Temp\4ba4a174978b23b5f8c48a7aa6dac921_JaffaCakes118.exe"
   - Checks computer location settings
   - Drops file in System32 directory
   - Drops file in Windows directory
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\ccdomvbouj.exe (PID 3500, child of 4916)
      Command line: ccdomvbouj.exe
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Windows security bypass
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Windows security modification
      - Enumerates connected drives
      - Modifies WinLogon
      - Drops file in System32 directory
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\lzxxgplb.exe (PID 3656, child of 3500)
         Command line: C:\Windows\system32\lzxxgplb.exe
         - Executes dropped EXE
         - Enumerates connected drives
         - Drops file in System32 directory
         - Drops file in Program Files directory
         - Drops file in Windows directory
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of FindShellTrayWindow
         - Suspicious use of SendNotifyMessage

   2. C:\Windows\SysWOW64\jwihkoonwzicnjo.exe (PID 1804, child of 4916)
      Command line: jwihkoonwzicnjo.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

   2. C:\Windows\SysWOW64\lzxxgplb.exe (PID 1268, child of 4916)
      Command line: lzxxgplb.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

   2. C:\Windows\SysWOW64\ngvddhzoahgpt.exe (PID 1968, child of 4916)
      Command line: ngvddhzoahgpt.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

   2. C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 1920, child of 4916)
      Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      - Drops file in Windows directory
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)

Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)

Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads