Analysis
-
max time kernel
149s -
max time network
130s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system -
submitted
21/05/2024, 01:17
Static task
static1
Behavioral task
behavioral1
Sample
61946460ec904339300b33a8de9119c8_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
61946460ec904339300b33a8de9119c8_JaffaCakes118.exe
Resource
win10v2004-20240426-en
General
-
Target
61946460ec904339300b33a8de9119c8_JaffaCakes118.exe
-
Size
512KB
-
MD5
61946460ec904339300b33a8de9119c8
-
SHA1
94876e0ba48f519f4c9d0b4ba2510e98f82f34d8
-
SHA256
4df0565f6ab8c9290a568a0bd3a4dbe0b0cfe5b21c2ef442ee6aefee43f384b9
-
SHA512
e87df94730df77f7d38addae21ce137dbf412ec714b2fbf970ac39ec700633b47e6078d8bdc6871e498935be77f75b0a4ee9f96bb8488c23df252fea3bb72078
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6W:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm53
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" ersmiifujt.exe -
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" ersmiifujt.exe -
Windows security bypass 5 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" ersmiifujt.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" ersmiifujt.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" ersmiifujt.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" ersmiifujt.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" ersmiifujt.exe -
Disables RegEdit via registry modification 1 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" ersmiifujt.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation 61946460ec904339300b33a8de9119c8_JaffaCakes118.exe -
Executes dropped EXE 5 IoCs
pid Process
2372 ersmiifujt.exe
2952 cmsozvwuqhddkzr.exe
4820 xdrgbxaz.exe
2040 snmhwqboxiuoz.exe
4008 xdrgbxaz.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 6 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" ersmiifujt.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" ersmiifujt.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" ersmiifujt.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" ersmiifujt.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" ersmiifujt.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" ersmiifujt.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mqwzyqsa = "ersmiifujt.exe" cmsozvwuqhddkzr.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ioxwszqh = "cmsozvwuqhddkzr.exe" cmsozvwuqhddkzr.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "snmhwqboxiuoz.exe" cmsozvwuqhddkzr.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
File opened (read-only) \??\q: xdrgbxaz.exe
File opened (read-only) \??\e: ersmiifujt.exe
File opened (read-only) \??\i: ersmiifujt.exe
File opened (read-only) \??\m: ersmiifujt.exe
File opened (read-only) \??\y: ersmiifujt.exe
File opened (read-only) \??\m: xdrgbxaz.exe
File opened (read-only) \??\t: xdrgbxaz.exe
File opened (read-only) \??\l: xdrgbxaz.exe
File opened (read-only) \??\n: xdrgbxaz.exe
File opened (read-only) \??\x: xdrgbxaz.exe
File opened (read-only) \??\k: ersmiifujt.exe
File opened (read-only) \??\v: ersmiifujt.exe
File opened (read-only) \??\x: xdrgbxaz.exe
File opened (read-only) \??\p: ersmiifujt.exe
File opened (read-only) \??\x: ersmiifujt.exe
File opened (read-only) \??\r: xdrgbxaz.exe
File opened (read-only) \??\n: xdrgbxaz.exe
File opened (read-only) \??\u: xdrgbxaz.exe
File opened (read-only) \??\j: ersmiifujt.exe
File opened (read-only) \??\l: ersmiifujt.exe
File opened (read-only) \??\z: ersmiifujt.exe
File opened (read-only) \??\b: xdrgbxaz.exe
File opened (read-only) \??\j: xdrgbxaz.exe
File opened (read-only) \??\o: xdrgbxaz.exe
File opened (read-only) \??\l: xdrgbxaz.exe
File opened (read-only) \??\s: xdrgbxaz.exe
File opened (read-only) \??\o: ersmiifujt.exe
File opened (read-only) \??\a: xdrgbxaz.exe
File opened (read-only) \??\g: xdrgbxaz.exe
File opened (read-only) \??\s: xdrgbxaz.exe
File opened (read-only) \??\j: xdrgbxaz.exe
File opened (read-only) \??\o: xdrgbxaz.exe
File opened (read-only) \??\u: ersmiifujt.exe
File opened (read-only) \??\e: xdrgbxaz.exe
File opened (read-only) \??\q: xdrgbxaz.exe
File opened (read-only) \??\b: xdrgbxaz.exe
File opened (read-only) \??\r: xdrgbxaz.exe
File opened (read-only) \??\a: ersmiifujt.exe
File opened (read-only) \??\m: xdrgbxaz.exe
File opened (read-only) \??\z: xdrgbxaz.exe
File opened (read-only) \??\w: xdrgbxaz.exe
File opened (read-only) \??\z: xdrgbxaz.exe
File opened (read-only) \??\t: ersmiifujt.exe
File opened (read-only) \??\w: ersmiifujt.exe
File opened (read-only) \??\h: xdrgbxaz.exe
File opened (read-only) \??\h: ersmiifujt.exe
File opened (read-only) \??\n: ersmiifujt.exe
File opened (read-only) \??\s: ersmiifujt.exe
File opened (read-only) \??\h: xdrgbxaz.exe
File opened (read-only) \??\a: xdrgbxaz.exe
File opened (read-only) \??\v: xdrgbxaz.exe
File opened (read-only) \??\i: xdrgbxaz.exe
File opened (read-only) \??\w: xdrgbxaz.exe
File opened (read-only) \??\r: ersmiifujt.exe
File opened (read-only) \??\k: xdrgbxaz.exe
File opened (read-only) \??\v: xdrgbxaz.exe
File opened (read-only) \??\k: xdrgbxaz.exe
File opened (read-only) \??\t: xdrgbxaz.exe
File opened (read-only) \??\q: ersmiifujt.exe
File opened (read-only) \??\u: xdrgbxaz.exe
File opened (read-only) \??\y: xdrgbxaz.exe
File opened (read-only) \??\g: xdrgbxaz.exe
File opened (read-only) \??\b: ersmiifujt.exe
File opened (read-only) \??\p: xdrgbxaz.exe -
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" ersmiifujt.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" ersmiifujt.exe -
AutoIT Executable 10 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule
behavioral2/memory/2340-0-0x0000000000400000-0x0000000000496000-memory.dmp autoit_exe
behavioral2/files/0x000800000002341d-5.dat autoit_exe
behavioral2/files/0x00090000000233e5-18.dat autoit_exe
behavioral2/files/0x000700000002341e-26.dat autoit_exe
behavioral2/files/0x000700000002341f-31.dat autoit_exe
behavioral2/files/0x000700000002342b-72.dat autoit_exe
behavioral2/files/0x0008000000023415-68.dat autoit_exe
behavioral2/files/0x000400000001e41b-84.dat autoit_exe
behavioral2/files/0x0009000000023436-102.dat autoit_exe
behavioral2/files/0x0009000000023436-110.dat autoit_exe -
Drops file in System32 directory 13 IoCs
description ioc Process
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe xdrgbxaz.exe
File created C:\Windows\SysWOW64\ersmiifujt.exe 61946460ec904339300b33a8de9119c8_JaffaCakes118.exe
File opened for modification C:\Windows\SysWOW64\ersmiifujt.exe 61946460ec904339300b33a8de9119c8_JaffaCakes118.exe
File opened for modification C:\Windows\SysWOW64\xdrgbxaz.exe 61946460ec904339300b33a8de9119c8_JaffaCakes118.exe
File opened for modification C:\Windows\SysWOW64\snmhwqboxiuoz.exe 61946460ec904339300b33a8de9119c8_JaffaCakes118.exe
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll ersmiifujt.exe
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe xdrgbxaz.exe
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe xdrgbxaz.exe
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe xdrgbxaz.exe
File created C:\Windows\SysWOW64\cmsozvwuqhddkzr.exe 61946460ec904339300b33a8de9119c8_JaffaCakes118.exe
File opened for modification C:\Windows\SysWOW64\cmsozvwuqhddkzr.exe 61946460ec904339300b33a8de9119c8_JaffaCakes118.exe
File created C:\Windows\SysWOW64\xdrgbxaz.exe 61946460ec904339300b33a8de9119c8_JaffaCakes118.exe
File created C:\Windows\SysWOW64\snmhwqboxiuoz.exe 61946460ec904339300b33a8de9119c8_JaffaCakes118.exe -
Drops file in Program Files directory 14 IoCs
description ioc Process
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe xdrgbxaz.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal xdrgbxaz.exe
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe xdrgbxaz.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal xdrgbxaz.exe
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe xdrgbxaz.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal xdrgbxaz.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal xdrgbxaz.exe
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe xdrgbxaz.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe xdrgbxaz.exe
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe xdrgbxaz.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe xdrgbxaz.exe
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe xdrgbxaz.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe xdrgbxaz.exe
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe xdrgbxaz.exe -
Drops file in Windows directory 19 IoCs
description ioc Process
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe xdrgbxaz.exe
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe xdrgbxaz.exe
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe xdrgbxaz.exe
File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe xdrgbxaz.exe
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe xdrgbxaz.exe
File opened for modification C:\Windows\mydoc.rtf 61946460ec904339300b33a8de9119c8_JaffaCakes118.exe
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe xdrgbxaz.exe
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe xdrgbxaz.exe
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe xdrgbxaz.exe
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe xdrgbxaz.exe
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe xdrgbxaz.exe
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe xdrgbxaz.exe
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe xdrgbxaz.exe
File created C:\Windows\~$mydoc.rtf WINWORD.EXE
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe xdrgbxaz.exe
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe xdrgbxaz.exe
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe xdrgbxaz.exe
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe xdrgbxaz.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE -
Modifies registry class 20 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat ersmiifujt.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc ersmiifujt.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" ersmiifujt.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs ersmiifujt.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" ersmiifujt.exe
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes 61946460ec904339300b33a8de9119c8_JaffaCakes118.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33462D7A9D5183526A3576A070202DDB7D8465DD" 61946460ec904339300b33a8de9119c8_JaffaCakes118.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7FC68B4FF1A22A9D179D1D68B7A916B" 61946460ec904339300b33a8de9119c8_JaffaCakes118.exe
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings 61946460ec904339300b33a8de9119c8_JaffaCakes118.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" ersmiifujt.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf ersmiifujt.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" ersmiifujt.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACDFAB9FE11F196847A3A47819C3E94B38E02FC4313033DE1C545EA09A8" 61946460ec904339300b33a8de9119c8_JaffaCakes118.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EC3B12E4497399E53CCB9A132EDD4CC" 61946460ec904339300b33a8de9119c8_JaffaCakes118.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8BFF89482D85199046D65F7D97BDE2E643593766426331D69E" 61946460ec904339300b33a8de9119c8_JaffaCakes118.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh ersmiifujt.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" ersmiifujt.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1849C67E1493DBC7B9BE7F97EC9F34BA" 61946460ec904339300b33a8de9119c8_JaffaCakes118.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" ersmiifujt.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg ersmiifujt.exe -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process
1028 WINWORD.EXE
1028 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
2340 61946460ec904339300b33a8de9119c8_JaffaCakes118.exe
2340 61946460ec904339300b33a8de9119c8_JaffaCakes118.exe
2340 61946460ec904339300b33a8de9119c8_JaffaCakes118.exe
2340 61946460ec904339300b33a8de9119c8_JaffaCakes118.exe
2340 61946460ec904339300b33a8de9119c8_JaffaCakes118.exe
2340 61946460ec904339300b33a8de9119c8_JaffaCakes118.exe
2340 61946460ec904339300b33a8de9119c8_JaffaCakes118.exe
2340 61946460ec904339300b33a8de9119c8_JaffaCakes118.exe
2340 61946460ec904339300b33a8de9119c8_JaffaCakes118.exe
2340 61946460ec904339300b33a8de9119c8_JaffaCakes118.exe
2340 61946460ec904339300b33a8de9119c8_JaffaCakes118.exe
2340 61946460ec904339300b33a8de9119c8_JaffaCakes118.exe
2340 61946460ec904339300b33a8de9119c8_JaffaCakes118.exe
2340 61946460ec904339300b33a8de9119c8_JaffaCakes118.exe
2340 61946460ec904339300b33a8de9119c8_JaffaCakes118.exe
2340 61946460ec904339300b33a8de9119c8_JaffaCakes118.exe
2372 ersmiifujt.exe
2372 ersmiifujt.exe
2372 ersmiifujt.exe
2372 ersmiifujt.exe
2372 ersmiifujt.exe
2372 ersmiifujt.exe
2372 ersmiifujt.exe
2372 ersmiifujt.exe
2372 ersmiifujt.exe
2372 ersmiifujt.exe
4820 xdrgbxaz.exe
4820 xdrgbxaz.exe
4820 xdrgbxaz.exe
4820 xdrgbxaz.exe
4820 xdrgbxaz.exe
4820 xdrgbxaz.exe
4820 xdrgbxaz.exe
4820 xdrgbxaz.exe
2952 cmsozvwuqhddkzr.exe
2952 cmsozvwuqhddkzr.exe
2952 cmsozvwuqhddkzr.exe
2952 cmsozvwuqhddkzr.exe
2952 cmsozvwuqhddkzr.exe
2952 cmsozvwuqhddkzr.exe
2952 cmsozvwuqhddkzr.exe
2952 cmsozvwuqhddkzr.exe
2952 cmsozvwuqhddkzr.exe
2952 cmsozvwuqhddkzr.exe
2040 snmhwqboxiuoz.exe
2040 snmhwqboxiuoz.exe
2040 snmhwqboxiuoz.exe
2040 snmhwqboxiuoz.exe
2040 snmhwqboxiuoz.exe
2040 snmhwqboxiuoz.exe
2040 snmhwqboxiuoz.exe
2040 snmhwqboxiuoz.exe
2040 snmhwqboxiuoz.exe
2040 snmhwqboxiuoz.exe
2040 snmhwqboxiuoz.exe
2040 snmhwqboxiuoz.exe
4008 xdrgbxaz.exe
4008 xdrgbxaz.exe
4008 xdrgbxaz.exe
4008 xdrgbxaz.exe
4008 xdrgbxaz.exe
4008 xdrgbxaz.exe
4008 xdrgbxaz.exe
4008 xdrgbxaz.exe -
Suspicious use of FindShellTrayWindow 18 IoCs
pid Process
2340 61946460ec904339300b33a8de9119c8_JaffaCakes118.exe
2340 61946460ec904339300b33a8de9119c8_JaffaCakes118.exe
2340 61946460ec904339300b33a8de9119c8_JaffaCakes118.exe
2372 ersmiifujt.exe
4820 xdrgbxaz.exe
2372 ersmiifujt.exe
2372 ersmiifujt.exe
2952 cmsozvwuqhddkzr.exe
4820 xdrgbxaz.exe
2952 cmsozvwuqhddkzr.exe
4820 xdrgbxaz.exe
2952 cmsozvwuqhddkzr.exe
2040 snmhwqboxiuoz.exe
2040 snmhwqboxiuoz.exe
2040 snmhwqboxiuoz.exe
4008 xdrgbxaz.exe
4008 xdrgbxaz.exe
4008 xdrgbxaz.exe -
Suspicious use of SendNotifyMessage 18 IoCs
pid Process
2340 61946460ec904339300b33a8de9119c8_JaffaCakes118.exe
2340 61946460ec904339300b33a8de9119c8_JaffaCakes118.exe
2340 61946460ec904339300b33a8de9119c8_JaffaCakes118.exe
2372 ersmiifujt.exe
2372 ersmiifujt.exe
2372 ersmiifujt.exe
4820 xdrgbxaz.exe
2952 cmsozvwuqhddkzr.exe
4820 xdrgbxaz.exe
2952 cmsozvwuqhddkzr.exe
4820 xdrgbxaz.exe
2952 cmsozvwuqhddkzr.exe
2040 snmhwqboxiuoz.exe
2040 snmhwqboxiuoz.exe
2040 snmhwqboxiuoz.exe
4008 xdrgbxaz.exe
4008 xdrgbxaz.exe
4008 xdrgbxaz.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process
1028 WINWORD.EXE
1028 WINWORD.EXE
1028 WINWORD.EXE
1028 WINWORD.EXE
1028 WINWORD.EXE
1028 WINWORD.EXE
1028 WINWORD.EXE -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target
PID 2340 wrote to memory of 2372 2340 61946460ec904339300b33a8de9119c8_JaffaCakes118.exe 82
PID 2340 wrote to memory of 2372 2340 61946460ec904339300b33a8de9119c8_JaffaCakes118.exe 82
PID 2340 wrote to memory of 2372 2340 61946460ec904339300b33a8de9119c8_JaffaCakes118.exe 82
PID 2340 wrote to memory of 2952 2340 61946460ec904339300b33a8de9119c8_JaffaCakes118.exe 83
PID 2340 wrote to memory of 2952 2340 61946460ec904339300b33a8de9119c8_JaffaCakes118.exe 83
PID 2340 wrote to memory of 2952 2340 61946460ec904339300b33a8de9119c8_JaffaCakes118.exe 83
PID 2340 wrote to memory of 4820 2340 61946460ec904339300b33a8de9119c8_JaffaCakes118.exe 84
PID 2340 wrote to memory of 4820 2340 61946460ec904339300b33a8de9119c8_JaffaCakes118.exe 84
PID 2340 wrote to memory of 4820 2340 61946460ec904339300b33a8de9119c8_JaffaCakes118.exe 84
PID 2340 wrote to memory of 2040 2340 61946460ec904339300b33a8de9119c8_JaffaCakes118.exe 85
PID 2340 wrote to memory of 2040 2340 61946460ec904339300b33a8de9119c8_JaffaCakes118.exe 85
PID 2340 wrote to memory of 2040 2340 61946460ec904339300b33a8de9119c8_JaffaCakes118.exe 85
PID 2340 wrote to memory of 1028 2340 61946460ec904339300b33a8de9119c8_JaffaCakes118.exe 86
PID 2340 wrote to memory of 1028 2340 61946460ec904339300b33a8de9119c8_JaffaCakes118.exe 86
PID 2372 wrote to memory of 4008 2372 ersmiifujt.exe 88
PID 2372 wrote to memory of 4008 2372 ersmiifujt.exe 88
PID 2372 wrote to memory of 4008 2372 ersmiifujt.exe 88
Processes
-
C:\Users\Admin\AppData\Local\Temp\61946460ec904339300b33a8de9119c8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\61946460ec904339300b33a8de9119c8_JaffaCakes118.exe"
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2340
  C:\Windows\SysWOW64\ersmiifujt.exe
  ersmiifujt.exe
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2372
    C:\Windows\SysWOW64\xdrgbxaz.exe
    C:\Windows\system32\xdrgbxaz.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4008
  C:\Windows\SysWOW64\cmsozvwuqhddkzr.exe
  cmsozvwuqhddkzr.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2952
  C:\Windows\SysWOW64\xdrgbxaz.exe
  xdrgbxaz.exe
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4820
  C:\Windows\SysWOW64\snmhwqboxiuoz.exe
  snmhwqboxiuoz.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2040
  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
  - Drops file in Windows directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:1028
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution 2
Registry Run Keys / Startup Folder 1
Winlogon Helper DLL 1
Privilege Escalation
Boot or Logon Autostart Execution 2
Registry Run Keys / Startup Folder 1
Winlogon Helper DLL 1
Defense Evasion
Hide Artifacts 2
Hidden Files and Directories 2
Impair Defenses 2
Disable or Modify Tools 2
Modify Registry 6
Downloads
-
Filesize 512KB
MD5 f6326a236cb771c3df87c744b1f63a9f
SHA1 4ae96ed8ca95654024736dd67ca6ebea33f2a271
SHA256 85a44f66b1deebe232460acf89b16c67ce9df4141439c7500db3228cace5a202
SHA512 ac5ca0c330dde628de0184b5d8ca3ced395e0efd42b58810bb2727e6f8a306a7fc37d7f81cf11f57c6b3f4c340e080914b5ec11787ce99917faadcbc33fd0a6b
-
Filesize 512KB
MD5 12e9f2a0ed0f48ded44843d4b4368d7b
SHA1 57a6efd76364ff92170747ccd582df628e3f5b52
SHA256 babe0f1e594c2c9925e50f2df3e762f0cebb88dca859638ea8056c7c18e53d84
SHA512 6b0713c9f6b07349f55264388bca1e3402c7ac9d8a5a16ae624b5fa7f64bf069e4dd292c743c5176fd6a442331f2f0c9b9505bb3ee1f9efbbfa523b2a431a85b
-
Filesize 262KB
MD5 51d32ee5bc7ab811041f799652d26e04
SHA1 412193006aa3ef19e0a57e16acf86b830993024a
SHA256 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA512 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810
-
Filesize 239B
MD5 12b138a5a40ffb88d1850866bf2959cd
SHA1 57001ba2de61329118440de3e9f8a81074cb28a2
SHA256 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA512 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize 3KB
MD5 f0d6697cdbe742df71e8dc9bf7bc8402
SHA1 31c626f55f0d53a4c6d22232aa8eead53ef196bc
SHA256 48bd705ddaf13af0b8af82e3e58c665c3d82836660515ebf615e743dfc7a6b55
SHA512 6964287fa3f5365145f5b395101a3eeaf17ae1ce7caf0554a1f94083231db1089c4679cc5796cd76f6e76b83cf90baeac09ba678f962d638c65b456f170b3ea7
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize 3KB
MD5 3cfb8224cecd39f88b3811f83e533135
SHA1 6d0195eb665c3144fdaf78907a43c19f3e89e7fb
SHA256 276c764546c13dbc8f42a48995fa20a2e3455a750b9ffbbcc2853fc88ff64529
SHA512 00905b000ac6d3d9859069511648a92866a8fb5087a082a5c2ac34c7fded3b2a496e91c007a533c04c7b7bda4b2be3721c4715d22ebc66bbaf3b246825346d09
-
Filesize 512KB
MD5 c95628744626b7b4f83568ecb41a8060
SHA1 dd865fc74646d2d21d813c9fea298a2634bb6f34
SHA256 3db41819bd9ac35b92b43a24a6719909115d6e2b81abe58510515834016abe89
SHA512 b1699fddf37e78ca922402e8bd1ee78a3666f96b537cbffe1629f68677ab29b371ea45709c5d50e9d951bf423f7b701b87f70331b3118075e3539bc5c7d24b91
-
Filesize 512KB
MD5 76a5eb139ea25977cf376de4c9a2010d
SHA1 0523812542f1bf4f60abb754cfa8eda26d669ee4
SHA256 227e4abed6a4057df19d52a4b53db9100ea8b3abe7719941379dd54a883fc96d
SHA512 1a182774270e319a9977952348d0ee68e04fe0f53de1bebb36f3ffba7ab743268a9f78f804ce35b0a1231196e5b5759bbe92294b77593854e01217b0cf6f7cd9
-
Filesize 512KB
MD5 1520cb19d7b6866c4522edce766a338f
SHA1 31ccaa3bcf8590ed84942621a34fdb52e26fe866
SHA256 eb16c23ae6fe98735b45b77db47a69fcedfcf35bee3f707f2b759641416f1825
SHA512 0112e51b3e12ff0ca6d1b155dc809b034a152ba49bf9f4ff9c3afc4122f591e0df3a42608bf3a8e89d7a9343fd6cf5339d52f62913e570d19543864deacfdaa0
-
Filesize 512KB
MD5 cf43a6e7dff4529f16369e3bb0780971
SHA1 4e633dc5a13fe74dfa1b7b40c8dcbcef4e938252
SHA256 81082e9718b89256e14279b7ef5c1a7cffdddf0f09c5c6350deb6c3ac27cacfb
SHA512 ad8de6f06fbe35fc39660e5eb7941dda9e9bc8626f823ba609ad8c995ebf45d104ece51aa3f0e17811043100de05f2cdd34c5f8df5bf985523112d72d59a7bc2
-
Filesize 512KB
MD5 ab046c61277de5d45016b9f3866cc9f7
SHA1 cdcf410f5fc0c0b7dd483200a091c18bbe5a8226
SHA256 f646337aceb91e9b5154df3f1a6648606d6de01990b324a0c10ca26bd4679591
SHA512 48d611c831342cee3a1c846cde0f1c6bd3233ad7e87e8666f1cd5b66facfbe4526a34814275f634167f32e09f4cc3ed39f3c6fa89bc465c4f8b9bb648ed84e2c
-
Filesize 223B
MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
Filesize 512KB
MD5 52266f75499273e13865f1dcead2d080
SHA1 8fe7ba91229b69fd17152101c3626683af24b678
SHA256 f81e4dddaa9fa8e6b73632d81571dd07f8e27f8c68e68f676a375d83176126bb
SHA512 add25c55ba2be4ced4a6408db448f3630a8d3ec9c365a49d2ccf7838c00b7a654eb90b436ce66f119d703f5908a5511b19f804f18ccc8559efe5c1677e97c13d
-
Filesize 512KB
MD5 761260c72f9e747581933d2aee7d0d3c
SHA1 4cc7b80f2e6fdca6970b8740dc493fe4b1c8d3f7
SHA256 2afeb79f12fc27b7f979ccd6b996070e3d4bacd47ff8f8a4c58f7a55530ef759
SHA512 add77d75efd636d4d3ec05afb38cd6080be5e8848719b1164c80fdf246139ae0ed1dbec8488993a28730188d28e7a6e1a0244a3e41c9d7cd5b23c4cfed348c6a