Analysis

max time kernel: 154s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted: 17-05-2024 06:03

Static task: static1
Behavioral task: behavioral1
  Sample: 4eb7984ea3d87d5079e56676f15ff025_JaffaCakes118.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 4eb7984ea3d87d5079e56676f15ff025_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General

Target: 4eb7984ea3d87d5079e56676f15ff025_JaffaCakes118.exe
Size: 512KB
MD5: 4eb7984ea3d87d5079e56676f15ff025
SHA1: 2d0cb8ce54718c78d0bc2fb6a35a19b49fa6a80c
SHA256: 24ef993d84f25870daa35e8eedc2c475ed8460487acb23b9bb1311be6286eabb
SHA512: b3a7c4967b9b557560a207a6d2f609804400ec0dd075ef304bd08ead13e98cd17437aaef67c389bb36f215d57a7ce0e12ce56718ab4fa45228de90e0ad89d46d
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6Z:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5G
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | dfyirozptl.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | dfyirozptl.exe
Windows security bypass 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | dfyirozptl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | dfyirozptl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | dfyirozptl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | dfyirozptl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | dfyirozptl.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | dfyirozptl.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | 4eb7984ea3d87d5079e56676f15ff025_JaffaCakes118.exe
Executes dropped EXE 5 IoCs
pid | Process
1288 | dfyirozptl.exe
4084 | btdzqocpvvoajky.exe
2840 | xuxwtgzn.exe
1948 | btlmwjubprvmi.exe
4612 | xuxwtgzn.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | dfyirozptl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | dfyirozptl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | dfyirozptl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | dfyirozptl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | dfyirozptl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | dfyirozptl.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gtqezkqj = "btdzqocpvvoajky.exe" | btdzqocpvvoajky.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "btlmwjubprvmi.exe" | btdzqocpvvoajky.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\giududsf = "dfyirozptl.exe" | btdzqocpvvoajky.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\w: | xuxwtgzn.exe
File opened (read-only) | \??\y: | xuxwtgzn.exe
File opened (read-only) | \??\z: | xuxwtgzn.exe
File opened (read-only) | \??\i: | dfyirozptl.exe
File opened (read-only) | \??\t: | xuxwtgzn.exe
File opened (read-only) | \??\a: | xuxwtgzn.exe
File opened (read-only) | \??\k: | xuxwtgzn.exe
File opened (read-only) | \??\v: | xuxwtgzn.exe
File opened (read-only) | \??\j: | dfyirozptl.exe
File opened (read-only) | \??\q: | dfyirozptl.exe
File opened (read-only) | \??\o: | dfyirozptl.exe
File opened (read-only) | \??\x: | dfyirozptl.exe
File opened (read-only) | \??\t: | xuxwtgzn.exe
File opened (read-only) | \??\h: | dfyirozptl.exe
File opened (read-only) | \??\w: | dfyirozptl.exe
File opened (read-only) | \??\r: | dfyirozptl.exe
File opened (read-only) | \??\l: | dfyirozptl.exe
File opened (read-only) | \??\v: | dfyirozptl.exe
File opened (read-only) | \??\i: | xuxwtgzn.exe
File opened (read-only) | \??\l: | xuxwtgzn.exe
File opened (read-only) | \??\y: | xuxwtgzn.exe
File opened (read-only) | \??\b: | xuxwtgzn.exe
File opened (read-only) | \??\s: | xuxwtgzn.exe
File opened (read-only) | \??\u: | xuxwtgzn.exe
File opened (read-only) | \??\b: | dfyirozptl.exe
File opened (read-only) | \??\k: | xuxwtgzn.exe
File opened (read-only) | \??\q: | xuxwtgzn.exe
File opened (read-only) | \??\l: | xuxwtgzn.exe
File opened (read-only) | \??\n: | xuxwtgzn.exe
File opened (read-only) | \??\m: | dfyirozptl.exe
File opened (read-only) | \??\y: | dfyirozptl.exe
File opened (read-only) | \??\h: | xuxwtgzn.exe
File opened (read-only) | \??\v: | xuxwtgzn.exe
File opened (read-only) | \??\p: | dfyirozptl.exe
File opened (read-only) | \??\i: | xuxwtgzn.exe
File opened (read-only) | \??\q: | xuxwtgzn.exe
File opened (read-only) | \??\s: | dfyirozptl.exe
File opened (read-only) | \??\m: | xuxwtgzn.exe
File opened (read-only) | \??\n: | xuxwtgzn.exe
File opened (read-only) | \??\p: | xuxwtgzn.exe
File opened (read-only) | \??\r: | xuxwtgzn.exe
File opened (read-only) | \??\u: | xuxwtgzn.exe
File opened (read-only) | \??\j: | xuxwtgzn.exe
File opened (read-only) | \??\p: | xuxwtgzn.exe
File opened (read-only) | \??\r: | xuxwtgzn.exe
File opened (read-only) | \??\u: | dfyirozptl.exe
File opened (read-only) | \??\g: | xuxwtgzn.exe
File opened (read-only) | \??\s: | xuxwtgzn.exe
File opened (read-only) | \??\w: | xuxwtgzn.exe
File opened (read-only) | \??\e: | xuxwtgzn.exe
File opened (read-only) | \??\x: | xuxwtgzn.exe
File opened (read-only) | \??\g: | dfyirozptl.exe
File opened (read-only) | \??\k: | dfyirozptl.exe
File opened (read-only) | \??\z: | dfyirozptl.exe
File opened (read-only) | \??\o: | xuxwtgzn.exe
File opened (read-only) | \??\x: | xuxwtgzn.exe
File opened (read-only) | \??\m: | xuxwtgzn.exe
File opened (read-only) | \??\e: | dfyirozptl.exe
File opened (read-only) | \??\n: | dfyirozptl.exe
File opened (read-only) | \??\e: | xuxwtgzn.exe
File opened (read-only) | \??\j: | xuxwtgzn.exe
File opened (read-only) | \??\g: | xuxwtgzn.exe
File opened (read-only) | \??\a: | dfyirozptl.exe
File opened (read-only) | \??\t: | dfyirozptl.exe
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | dfyirozptl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | dfyirozptl.exe
AutoIT Executable 10 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/1964-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x000800000002328b-5.dat | autoit_exe
behavioral2/files/0x0008000000023289-18.dat | autoit_exe
behavioral2/files/0x000700000002328d-28.dat | autoit_exe
behavioral2/files/0x000700000002328c-32.dat | autoit_exe
behavioral2/files/0x000200000001e32b-51.dat | autoit_exe
behavioral2/files/0x0004000000022773-57.dat | autoit_exe
behavioral2/files/0x000300000001e6f6-86.dat | autoit_exe
behavioral2/files/0x000300000000070d-96.dat | autoit_exe
behavioral2/files/0x000300000000070d-101.dat | autoit_exe
Drops file in System32 directory 13 IoCs
description | ioc | Process
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | xuxwtgzn.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | xuxwtgzn.exe
File opened for modification | C:\Windows\SysWOW64\dfyirozptl.exe | 4eb7984ea3d87d5079e56676f15ff025_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\btdzqocpvvoajky.exe | 4eb7984ea3d87d5079e56676f15ff025_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\btlmwjubprvmi.exe | 4eb7984ea3d87d5079e56676f15ff025_JaffaCakes118.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | xuxwtgzn.exe
File opened for modification | C:\Windows\SysWOW64\xuxwtgzn.exe | 4eb7984ea3d87d5079e56676f15ff025_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\btlmwjubprvmi.exe | 4eb7984ea3d87d5079e56676f15ff025_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\xuxwtgzn.exe | 4eb7984ea3d87d5079e56676f15ff025_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | dfyirozptl.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | xuxwtgzn.exe
File created | C:\Windows\SysWOW64\dfyirozptl.exe | 4eb7984ea3d87d5079e56676f15ff025_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\btdzqocpvvoajky.exe | 4eb7984ea3d87d5079e56676f15ff025_JaffaCakes118.exe
Drops file in Program Files directory 14 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | xuxwtgzn.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | xuxwtgzn.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | xuxwtgzn.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | xuxwtgzn.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | xuxwtgzn.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | xuxwtgzn.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | xuxwtgzn.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | xuxwtgzn.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | xuxwtgzn.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | xuxwtgzn.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | xuxwtgzn.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | xuxwtgzn.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | xuxwtgzn.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | xuxwtgzn.exe
Drops file in Windows directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\mydoc.rtf | 4eb7984ea3d87d5079e56676f15ff025_JaffaCakes118.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Modifies registry class 20 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | dfyirozptl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | dfyirozptl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33472C7E9D2083566D3E76A677552DDE7CF364AC" | 4eb7984ea3d87d5079e56676f15ff025_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | dfyirozptl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | dfyirozptl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | dfyirozptl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EC3B02F44E6389E52CABAD5339FD7C8" | 4eb7984ea3d87d5079e56676f15ff025_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | dfyirozptl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F66BC3FF1821DCD10CD0D18B7A9117" | 4eb7984ea3d87d5079e56676f15ff025_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | dfyirozptl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | dfyirozptl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | dfyirozptl.exe
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings | 4eb7984ea3d87d5079e56676f15ff025_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACEF9B0F910F293840E3B3786983E91B389038B43670338E1C442EB09A3" | 4eb7984ea3d87d5079e56676f15ff025_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E88FC83482C851C9046D72D7E90BDEFE632584566416333D79D" | 4eb7984ea3d87d5079e56676f15ff025_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | dfyirozptl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | dfyirozptl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | dfyirozptl.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 4eb7984ea3d87d5079e56676f15ff025_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "183EC77514E3DABEB9CE7C94EC9F34BC" | 4eb7984ea3d87d5079e56676f15ff025_JaffaCakes118.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process | consecutive events
4948 | WINWORD.EXE | x2
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | consecutive events
1964 | 4eb7984ea3d87d5079e56676f15ff025_JaffaCakes118.exe | x16
1288 | dfyirozptl.exe | x10
4084 | btdzqocpvvoajky.exe | x10
2840 | xuxwtgzn.exe | x8
1948 | btlmwjubprvmi.exe | x12
4084 | btdzqocpvvoajky.exe | x2
1948 | btlmwjubprvmi.exe | x4
4612 | xuxwtgzn.exe | x2
Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process | consecutive events
1964 | 4eb7984ea3d87d5079e56676f15ff025_JaffaCakes118.exe | x3
1288 | dfyirozptl.exe | x3
4084 | btdzqocpvvoajky.exe | x3
2840 | xuxwtgzn.exe | x1
1948 | btlmwjubprvmi.exe | x1
2840 | xuxwtgzn.exe | x1
1948 | btlmwjubprvmi.exe | x1
2840 | xuxwtgzn.exe | x1
1948 | btlmwjubprvmi.exe | x1
4612 | xuxwtgzn.exe | x3
Suspicious use of SendNotifyMessage 18 IoCs
pid | Process | consecutive events
1964 | 4eb7984ea3d87d5079e56676f15ff025_JaffaCakes118.exe | x3
1288 | dfyirozptl.exe | x3
4084 | btdzqocpvvoajky.exe | x3
2840 | xuxwtgzn.exe | x1
1948 | btlmwjubprvmi.exe | x1
2840 | xuxwtgzn.exe | x1
1948 | btlmwjubprvmi.exe | x1
2840 | xuxwtgzn.exe | x1
1948 | btlmwjubprvmi.exe | x1
4612 | xuxwtgzn.exe | x3
Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process | consecutive events
4948 | WINWORD.EXE | x7
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 1964 wrote to memory of 1288 | 1964 | 4eb7984ea3d87d5079e56676f15ff025_JaffaCakes118.exe | 91
PID 1964 wrote to memory of 1288 | 1964 | 4eb7984ea3d87d5079e56676f15ff025_JaffaCakes118.exe | 91
PID 1964 wrote to memory of 1288 | 1964 | 4eb7984ea3d87d5079e56676f15ff025_JaffaCakes118.exe | 91
PID 1964 wrote to memory of 4084 | 1964 | 4eb7984ea3d87d5079e56676f15ff025_JaffaCakes118.exe | 92
PID 1964 wrote to memory of 4084 | 1964 | 4eb7984ea3d87d5079e56676f15ff025_JaffaCakes118.exe | 92
PID 1964 wrote to memory of 4084 | 1964 | 4eb7984ea3d87d5079e56676f15ff025_JaffaCakes118.exe | 92
PID 1964 wrote to memory of 2840 | 1964 | 4eb7984ea3d87d5079e56676f15ff025_JaffaCakes118.exe | 93
PID 1964 wrote to memory of 2840 | 1964 | 4eb7984ea3d87d5079e56676f15ff025_JaffaCakes118.exe | 93
PID 1964 wrote to memory of 2840 | 1964 | 4eb7984ea3d87d5079e56676f15ff025_JaffaCakes118.exe | 93
PID 1964 wrote to memory of 1948 | 1964 | 4eb7984ea3d87d5079e56676f15ff025_JaffaCakes118.exe | 94
PID 1964 wrote to memory of 1948 | 1964 | 4eb7984ea3d87d5079e56676f15ff025_JaffaCakes118.exe | 94
PID 1964 wrote to memory of 1948 | 1964 | 4eb7984ea3d87d5079e56676f15ff025_JaffaCakes118.exe | 94
PID 1288 wrote to memory of 4612 | 1288 | dfyirozptl.exe | 95
PID 1288 wrote to memory of 4612 | 1288 | dfyirozptl.exe | 95
PID 1288 wrote to memory of 4612 | 1288 | dfyirozptl.exe | 95
PID 1964 wrote to memory of 4948 | 1964 | 4eb7984ea3d87d5079e56676f15ff025_JaffaCakes118.exe | 96
PID 1964 wrote to memory of 4948 | 1964 | 4eb7984ea3d87d5079e56676f15ff025_JaffaCakes118.exe | 96
Processes
C:\Users\Admin\AppData\Local\Temp\4eb7984ea3d87d5079e56676f15ff025_JaffaCakes118.exe (depth 1, PID 1964)
  command line: "C:\Users\Admin\AppData\Local\Temp\4eb7984ea3d87d5079e56676f15ff025_JaffaCakes118.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\dfyirozptl.exe (depth 2, PID 1288)
    command line: dfyirozptl.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\xuxwtgzn.exe (depth 3, PID 4612)
      command line: C:\Windows\system32\xuxwtgzn.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\btdzqocpvvoajky.exe (depth 2, PID 4084)
    command line: btdzqocpvvoajky.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\xuxwtgzn.exe (depth 2, PID 2840)
    command line: xuxwtgzn.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\btlmwjubprvmi.exe (depth 2, PID 1948)
    command line: btlmwjubprvmi.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (depth 2, PID 4948)
    command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1, PID 5108)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4056 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (6)
Downloads
-
Filesize
512KB
MD5
1c7a693dee8a6140140a736ce0e72302
SHA1
658d5275627d992e06c861313dfc781f914acee1
SHA256
6817b5fa57f8a786f85853e41b9dea14363802c83d45d374094c346ee258cabe
SHA512
3762afb75d5b77e5bedde57081f4b91e1e726fcc62e3d52fdebc89412ca3d9f2ea240853a7ecc39264747601a973a3fba53f042e80acac5b415548cb6b7afa36
-
Filesize
512KB
MD52286060ff7f28eb6815ff6a0c5abfc96
SHA10a8f0c938ba19bd5166fd52271deec48cbb84b1e
SHA256e470780a661e581aa251d4fb84b150fc1910d7f39fb072e5e9dbacd6d3e0b532
SHA512855c0107066786d9e769980b63d4d7dcda6ef2ddac4e4c5200d4cfef88d6a281b0ed5f9eb99564c55b99d5c4e99f40c20cd8755f8243ab1e34a9db2207316d49
-
Filesize
512KB
MD575f62a08da960ee33acd6bf0b0740e99
SHA11176009bb785b9a29ba492dda96c9b6f8dde2853
SHA256502a998ec2c041827cce36eedea18e0d76e51dfc3b8ba683ab07aad6f240192d
SHA51260cd0becba6fcd352d28e54ea6bf4505e043cc7f0ca8613de4423cd0fd1e69bc66592802a1d84f5064a67c39ce4639c0f58ba1ef4fd4a2d0481a21bd4d10f6f2
-
Filesize
239B
MD512b138a5a40ffb88d1850866bf2959cd
SHA157001ba2de61329118440de3e9f8a81074cb28a2
SHA2569def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA5129f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize
3KB
MD5
50e84af7862abe3a5dcc95107ad71e4d
SHA1
2dee2c6763eb14e880b86d4625e14e7060276ab9
SHA256
884dfaf287e05b69a5836e31447b13723631c3da14e4781f19622ad89a8fca42
SHA512
32e4c4d7582b298a215d827a3e385f7ea6111e1ad96f2e5baca606be4778143e2ab7b1a74901f1ad965d2207900508f9a28c5e83e54299780a0436b963aa6be5
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize
3KB
MD5
c11896620f4797021fead0821fcc3d25
SHA1
75d66e8fa949ac372daf17c6de1eb11af12e3e77
SHA256
2af009d6ae8fc1cd6855660fe40eee68217c5dc43fa26f22067f43034644acdc
SHA512
c8f8243589d5e97aceaf4e9f615b4f88c614bb9930e2fbae28a0ee46d8a2476c0b11ed87a59c8ae21a29f160ab7655df71fb8a774e05c461ac5be7afbe153172
-
Filesize
512KB
MD54e416f45c708e8c45fe31a2951499389
SHA1cb467ced3fb8f046bf9bca4c425cfde99ee27db6
SHA256a1f8ea0f6bf75fb0197db4f3224d9ddfceb74ca1bd861eddcfa70615ca321986
SHA5123eda2523ae963e3e2d8345a5a2126e8ee8922e359d82ad336a5ed069b213a2d8fbc736f7b951f29d2ef8a4e67e95c23f27029ccca111384db0c53546ce1a35b4
-
Filesize
512KB
MD5cdb96644e42c3875973e919dff445085
SHA1669d76431686b7831a1fe8afa441a1be705eb4d1
SHA2569bd0db5c4e807d30565d9d100d60e76aec5eb748825b41790b6fc86cb4c804fa
SHA5122079ff216cddfc87fc624a6eb78eaa8a4938059b50560c868002af93c0dc75b3dadbf59da3f9bd703ef1d2903b2f739caa2c9ee110df9f09c975fe6812448607
-
Filesize
512KB
MD59db5e83d6d726fd977ecf3431c3476d0
SHA1708bd58b8b86ce7cb94f35e778cd0a014bdbca89
SHA2566b282f04812bf443704650dd985de1d2c652011b91d7892e41b39b76f21b016d
SHA512d9f1a27a9c39d07033553fe9a184af2ecb7a13854c06840458a112fe5081110e75d9c1a9abce5879af64661e89d7ba9850f5af5c93ad71230b784be608cd49fb
-
Filesize
512KB
MD58df739f2ae6f7d1013fceafc8cd5455b
SHA1d5f82b33fd46fbb92cec0c45b2e62a7bde4da18b
SHA256e8660c33405bfeee839d51f34ec326206384ec89233560a2e7f53a0852016a22
SHA51215d29c63ae08e2b582b92ec0c43781907ca0f9814473bdb3213ae3e01cd2e4196ad4042560302452ea4313eed314561c25c998d922016f5ff4f589938336be09
-
Filesize
223B
MD506604e5941c126e2e7be02c5cd9f62ec
SHA14eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA25685f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
Filesize
512KB
MD5d7829ff191368ae110ca6e3e6a2b834a
SHA14c08f8270f1f09907c44c2cd25b3a069b56a29f8
SHA2565617c6f587cf9fb8b64e2ca37cc43911ab5cbd0611ddd69d987b2fa8ca602202
SHA512c74479010c40124b8b03321125288dc71e270158839f23b352f5f73ef96793932fbe5247760b9003ad617c75261ce4897b76b8a6e72deafae0bf1c5b5855eee8
-
Filesize
512KB
MD5048a490808828cc6f7eb3a3ef7ff49c4
SHA1068a1edb85a8956b84513f6b403afdb27d9c6cbc
SHA25698f0b3aef56481190592041bdb7d4b6428419e286799bb3bc1a60cc35673ed15
SHA512715cf3b8ac2a61ca526850a30855e394dbf90bb27c9b1e8c672c5be6a01eb6526646728cfa9252f996e0e8de1f86ff9767051746b6a06cf92891b5e0a40ed452