Analysis
max time kernel: 150s
max time network: 128s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
submitted: 21/05/2024, 12:38

Static task: static1
Behavioral task: behavioral1
  Sample: 635288d83f958b3ea281a508bbbebc8a_JaffaCakes118.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 635288d83f958b3ea281a508bbbebc8a_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 635288d83f958b3ea281a508bbbebc8a_JaffaCakes118.exe
Size: 512KB
MD5: 635288d83f958b3ea281a508bbbebc8a
SHA1: de1cf0b510580da575b30a2f26afc6f544df49a2
SHA256: 3b2cb70eeff04a2f432c8b595ba4296a456f853a41d7bcc2fdec1335ea4704b9
SHA512: 0bb2c2ba152690ea9da91ab85931a1b385fc1831e38ab51763291506b86e0a08b1b319d234df64639fa4c8d89108825d3a0039240cc03656f35a73ece439bfc4
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6Z:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5W
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | vjhnvaxsfv.exe

Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | vjhnvaxsfv.exe

Windows security bypass 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | vjhnvaxsfv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | vjhnvaxsfv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | vjhnvaxsfv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | vjhnvaxsfv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | vjhnvaxsfv.exe

Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | vjhnvaxsfv.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | 635288d83f958b3ea281a508bbbebc8a_JaffaCakes118.exe

Executes dropped EXE 5 IoCs
pid | Process
3580 | vjhnvaxsfv.exe
1988 | svdhdhwgklsujxd.exe
1020 | qcrbpfjt.exe
1196 | kexhsuqnirwpq.exe
1432 | qcrbpfjt.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | vjhnvaxsfv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | vjhnvaxsfv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | vjhnvaxsfv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | vjhnvaxsfv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | vjhnvaxsfv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | vjhnvaxsfv.exe

Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jshitycm = "vjhnvaxsfv.exe" | svdhdhwgklsujxd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tiwekzyp = "svdhdhwgklsujxd.exe" | svdhdhwgklsujxd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "kexhsuqnirwpq.exe" | svdhdhwgklsujxd.exe

Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\p: | qcrbpfjt.exe
File opened (read-only) | \??\t: | qcrbpfjt.exe
File opened (read-only) | \??\y: | vjhnvaxsfv.exe
File opened (read-only) | \??\o: | qcrbpfjt.exe
File opened (read-only) | \??\v: | qcrbpfjt.exe
File opened (read-only) | \??\b: | qcrbpfjt.exe
File opened (read-only) | \??\h: | qcrbpfjt.exe
File opened (read-only) | \??\l: | qcrbpfjt.exe
File opened (read-only) | \??\r: | qcrbpfjt.exe
File opened (read-only) | \??\a: | vjhnvaxsfv.exe
File opened (read-only) | \??\e: | qcrbpfjt.exe
File opened (read-only) | \??\x: | qcrbpfjt.exe
File opened (read-only) | \??\l: | vjhnvaxsfv.exe
File opened (read-only) | \??\w: | vjhnvaxsfv.exe
File opened (read-only) | \??\m: | qcrbpfjt.exe
File opened (read-only) | \??\e: | vjhnvaxsfv.exe
File opened (read-only) | \??\s: | vjhnvaxsfv.exe
File opened (read-only) | \??\x: | vjhnvaxsfv.exe
File opened (read-only) | \??\n: | qcrbpfjt.exe
File opened (read-only) | \??\w: | qcrbpfjt.exe
File opened (read-only) | \??\b: | vjhnvaxsfv.exe
File opened (read-only) | \??\v: | vjhnvaxsfv.exe
File opened (read-only) | \??\l: | qcrbpfjt.exe
File opened (read-only) | \??\o: | qcrbpfjt.exe
File opened (read-only) | \??\u: | qcrbpfjt.exe
File opened (read-only) | \??\r: | vjhnvaxsfv.exe
File opened (read-only) | \??\t: | vjhnvaxsfv.exe
File opened (read-only) | \??\p: | qcrbpfjt.exe
File opened (read-only) | \??\s: | qcrbpfjt.exe
File opened (read-only) | \??\g: | vjhnvaxsfv.exe
File opened (read-only) | \??\j: | vjhnvaxsfv.exe
File opened (read-only) | \??\n: | vjhnvaxsfv.exe
File opened (read-only) | \??\p: | vjhnvaxsfv.exe
File opened (read-only) | \??\i: | qcrbpfjt.exe
File opened (read-only) | \??\y: | qcrbpfjt.exe
File opened (read-only) | \??\k: | vjhnvaxsfv.exe
File opened (read-only) | \??\x: | qcrbpfjt.exe
File opened (read-only) | \??\y: | qcrbpfjt.exe
File opened (read-only) | \??\q: | qcrbpfjt.exe
File opened (read-only) | \??\t: | qcrbpfjt.exe
File opened (read-only) | \??\z: | qcrbpfjt.exe
File opened (read-only) | \??\n: | qcrbpfjt.exe
File opened (read-only) | \??\q: | qcrbpfjt.exe
File opened (read-only) | \??\h: | qcrbpfjt.exe
File opened (read-only) | \??\j: | qcrbpfjt.exe
File opened (read-only) | \??\k: | qcrbpfjt.exe
File opened (read-only) | \??\a: | qcrbpfjt.exe
File opened (read-only) | \??\j: | qcrbpfjt.exe
File opened (read-only) | \??\e: | qcrbpfjt.exe
File opened (read-only) | \??\g: | qcrbpfjt.exe
File opened (read-only) | \??\i: | qcrbpfjt.exe
File opened (read-only) | \??\v: | qcrbpfjt.exe
File opened (read-only) | \??\z: | vjhnvaxsfv.exe
File opened (read-only) | \??\r: | qcrbpfjt.exe
File opened (read-only) | \??\k: | qcrbpfjt.exe
File opened (read-only) | \??\m: | qcrbpfjt.exe
File opened (read-only) | \??\m: | vjhnvaxsfv.exe
File opened (read-only) | \??\q: | vjhnvaxsfv.exe
File opened (read-only) | \??\u: | vjhnvaxsfv.exe
File opened (read-only) | \??\a: | qcrbpfjt.exe
File opened (read-only) | \??\z: | qcrbpfjt.exe
File opened (read-only) | \??\h: | vjhnvaxsfv.exe
File opened (read-only) | \??\i: | vjhnvaxsfv.exe
File opened (read-only) | \??\b: | qcrbpfjt.exe

Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | vjhnvaxsfv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | vjhnvaxsfv.exe

AutoIT Executable 9 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/3408-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x0007000000023406-5.dat | autoit_exe
behavioral2/files/0x0008000000023402-18.dat | autoit_exe
behavioral2/files/0x0007000000023407-26.dat | autoit_exe
behavioral2/files/0x0007000000023408-32.dat | autoit_exe
behavioral2/files/0x00080000000233e8-66.dat | autoit_exe
behavioral2/files/0x0007000000023416-69.dat | autoit_exe
behavioral2/files/0x000900000002337f-87.dat | autoit_exe
behavioral2/files/0x000900000002337f-566.dat | autoit_exe

Drops file in System32 directory 13 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\qcrbpfjt.exe | 635288d83f958b3ea281a508bbbebc8a_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | vjhnvaxsfv.exe
File created | C:\Windows\SysWOW64\vjhnvaxsfv.exe | 635288d83f958b3ea281a508bbbebc8a_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\vjhnvaxsfv.exe | 635288d83f958b3ea281a508bbbebc8a_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\svdhdhwgklsujxd.exe | 635288d83f958b3ea281a508bbbebc8a_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\kexhsuqnirwpq.exe | 635288d83f958b3ea281a508bbbebc8a_JaffaCakes118.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | qcrbpfjt.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | qcrbpfjt.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | qcrbpfjt.exe
File created | C:\Windows\SysWOW64\svdhdhwgklsujxd.exe | 635288d83f958b3ea281a508bbbebc8a_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\qcrbpfjt.exe | 635288d83f958b3ea281a508bbbebc8a_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\kexhsuqnirwpq.exe | 635288d83f958b3ea281a508bbbebc8a_JaffaCakes118.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | qcrbpfjt.exe

Drops file in Program Files directory 15 IoCs
description | ioc | Process
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | qcrbpfjt.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | qcrbpfjt.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | qcrbpfjt.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | qcrbpfjt.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | qcrbpfjt.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | qcrbpfjt.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | qcrbpfjt.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | qcrbpfjt.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | qcrbpfjt.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | qcrbpfjt.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | qcrbpfjt.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | qcrbpfjt.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | qcrbpfjt.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | qcrbpfjt.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | qcrbpfjt.exe

Drops file in Windows directory 19 IoCs
description | ioc | Process
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | qcrbpfjt.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | qcrbpfjt.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | qcrbpfjt.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | qcrbpfjt.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | qcrbpfjt.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | qcrbpfjt.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | qcrbpfjt.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | qcrbpfjt.exe
File opened for modification | C:\Windows\mydoc.rtf | 635288d83f958b3ea281a508bbbebc8a_JaffaCakes118.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | qcrbpfjt.exe
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | qcrbpfjt.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | qcrbpfjt.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | qcrbpfjt.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | qcrbpfjt.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | qcrbpfjt.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | qcrbpfjt.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | qcrbpfjt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE

Modifies registry class 20 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2ECAB1294497399952CEBAD4329FD4BB" | 635288d83f958b3ea281a508bbbebc8a_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | vjhnvaxsfv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | vjhnvaxsfv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1944C67814E5DABEB8CF7F97EC9737C9" | 635288d83f958b3ea281a508bbbebc8a_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | vjhnvaxsfv.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 635288d83f958b3ea281a508bbbebc8a_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCDF9C9F910F19183743B32819C3996B0FB02F84212023CE1C445E808D5" | 635288d83f958b3ea281a508bbbebc8a_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFAFF824F2885199042D65B7E94BDE3E14058456640623ED6EC" | 635288d83f958b3ea281a508bbbebc8a_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E78068B6FE6C21D1D10FD1A78A7A9167" | 635288d83f958b3ea281a508bbbebc8a_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | vjhnvaxsfv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | vjhnvaxsfv.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | vjhnvaxsfv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | vjhnvaxsfv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32452C0D9C2183516D4376D1772E2DDD7DF165DF" | 635288d83f958b3ea281a508bbbebc8a_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | 635288d83f958b3ea281a508bbbebc8a_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | vjhnvaxsfv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | vjhnvaxsfv.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | vjhnvaxsfv.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | vjhnvaxsfv.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | vjhnvaxsfv.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
4176 | WINWORD.EXE
4176 | WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
3408 | 635288d83f958b3ea281a508bbbebc8a_JaffaCakes118.exe
3408 | 635288d83f958b3ea281a508bbbebc8a_JaffaCakes118.exe
3408 | 635288d83f958b3ea281a508bbbebc8a_JaffaCakes118.exe
3408 | 635288d83f958b3ea281a508bbbebc8a_JaffaCakes118.exe
3408 | 635288d83f958b3ea281a508bbbebc8a_JaffaCakes118.exe
3408 | 635288d83f958b3ea281a508bbbebc8a_JaffaCakes118.exe
3408 | 635288d83f958b3ea281a508bbbebc8a_JaffaCakes118.exe
3408 | 635288d83f958b3ea281a508bbbebc8a_JaffaCakes118.exe
3408 | 635288d83f958b3ea281a508bbbebc8a_JaffaCakes118.exe
3408 | 635288d83f958b3ea281a508bbbebc8a_JaffaCakes118.exe
3408 | 635288d83f958b3ea281a508bbbebc8a_JaffaCakes118.exe
3408 | 635288d83f958b3ea281a508bbbebc8a_JaffaCakes118.exe
3408 | 635288d83f958b3ea281a508bbbebc8a_JaffaCakes118.exe
3408 | 635288d83f958b3ea281a508bbbebc8a_JaffaCakes118.exe
3408 | 635288d83f958b3ea281a508bbbebc8a_JaffaCakes118.exe
3408 | 635288d83f958b3ea281a508bbbebc8a_JaffaCakes118.exe
3580 | vjhnvaxsfv.exe
3580 | vjhnvaxsfv.exe
3580 | vjhnvaxsfv.exe
3580 | vjhnvaxsfv.exe
3580 | vjhnvaxsfv.exe
3580 | vjhnvaxsfv.exe
3580 | vjhnvaxsfv.exe
3580 | vjhnvaxsfv.exe
3580 | vjhnvaxsfv.exe
3580 | vjhnvaxsfv.exe
1020 | qcrbpfjt.exe
1020 | qcrbpfjt.exe
1020 | qcrbpfjt.exe
1020 | qcrbpfjt.exe
1020 | qcrbpfjt.exe
1020 | qcrbpfjt.exe
1020 | qcrbpfjt.exe
1020 | qcrbpfjt.exe
1988 | svdhdhwgklsujxd.exe
1988 | svdhdhwgklsujxd.exe
1988 | svdhdhwgklsujxd.exe
1988 | svdhdhwgklsujxd.exe
1988 | svdhdhwgklsujxd.exe
1988 | svdhdhwgklsujxd.exe
1988 | svdhdhwgklsujxd.exe
1988 | svdhdhwgklsujxd.exe
1988 | svdhdhwgklsujxd.exe
1988 | svdhdhwgklsujxd.exe
1196 | kexhsuqnirwpq.exe
1196 | kexhsuqnirwpq.exe
1196 | kexhsuqnirwpq.exe
1196 | kexhsuqnirwpq.exe
1196 | kexhsuqnirwpq.exe
1196 | kexhsuqnirwpq.exe
1196 | kexhsuqnirwpq.exe
1196 | kexhsuqnirwpq.exe
1432 | qcrbpfjt.exe
1432 | qcrbpfjt.exe
1432 | qcrbpfjt.exe
1432 | qcrbpfjt.exe
1432 | qcrbpfjt.exe
1432 | qcrbpfjt.exe
1432 | qcrbpfjt.exe
1432 | qcrbpfjt.exe
1988 | svdhdhwgklsujxd.exe
1988 | svdhdhwgklsujxd.exe
1196 | kexhsuqnirwpq.exe
1196 | kexhsuqnirwpq.exe

Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process
3408 | 635288d83f958b3ea281a508bbbebc8a_JaffaCakes118.exe
3408 | 635288d83f958b3ea281a508bbbebc8a_JaffaCakes118.exe
3408 | 635288d83f958b3ea281a508bbbebc8a_JaffaCakes118.exe
3580 | vjhnvaxsfv.exe
3580 | vjhnvaxsfv.exe
3580 | vjhnvaxsfv.exe
1020 | qcrbpfjt.exe
1988 | svdhdhwgklsujxd.exe
1020 | qcrbpfjt.exe
1988 | svdhdhwgklsujxd.exe
1020 | qcrbpfjt.exe
1988 | svdhdhwgklsujxd.exe
1196 | kexhsuqnirwpq.exe
1196 | kexhsuqnirwpq.exe
1196 | kexhsuqnirwpq.exe
1432 | qcrbpfjt.exe
1432 | qcrbpfjt.exe
1432 | qcrbpfjt.exe

Suspicious use of SendNotifyMessage 18 IoCs
pid | Process
3408 | 635288d83f958b3ea281a508bbbebc8a_JaffaCakes118.exe
3408 | 635288d83f958b3ea281a508bbbebc8a_JaffaCakes118.exe
3408 | 635288d83f958b3ea281a508bbbebc8a_JaffaCakes118.exe
3580 | vjhnvaxsfv.exe
3580 | vjhnvaxsfv.exe
3580 | vjhnvaxsfv.exe
1020 | qcrbpfjt.exe
1988 | svdhdhwgklsujxd.exe
1020 | qcrbpfjt.exe
1988 | svdhdhwgklsujxd.exe
1020 | qcrbpfjt.exe
1988 | svdhdhwgklsujxd.exe
1196 | kexhsuqnirwpq.exe
1196 | kexhsuqnirwpq.exe
1196 | kexhsuqnirwpq.exe
1432 | qcrbpfjt.exe
1432 | qcrbpfjt.exe
1432 | qcrbpfjt.exe

Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process
4176 | WINWORD.EXE
4176 | WINWORD.EXE
4176 | WINWORD.EXE
4176 | WINWORD.EXE
4176 | WINWORD.EXE
4176 | WINWORD.EXE
4176 | WINWORD.EXE

Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 3408 wrote to memory of 3580 | 3408 | 635288d83f958b3ea281a508bbbebc8a_JaffaCakes118.exe | 84
PID 3408 wrote to memory of 3580 | 3408 | 635288d83f958b3ea281a508bbbebc8a_JaffaCakes118.exe | 84
PID 3408 wrote to memory of 3580 | 3408 | 635288d83f958b3ea281a508bbbebc8a_JaffaCakes118.exe | 84
PID 3408 wrote to memory of 1988 | 3408 | 635288d83f958b3ea281a508bbbebc8a_JaffaCakes118.exe | 85
PID 3408 wrote to memory of 1988 | 3408 | 635288d83f958b3ea281a508bbbebc8a_JaffaCakes118.exe | 85
PID 3408 wrote to memory of 1988 | 3408 | 635288d83f958b3ea281a508bbbebc8a_JaffaCakes118.exe | 85
PID 3408 wrote to memory of 1020 | 3408 | 635288d83f958b3ea281a508bbbebc8a_JaffaCakes118.exe | 86
PID 3408 wrote to memory of 1020 | 3408 | 635288d83f958b3ea281a508bbbebc8a_JaffaCakes118.exe | 86
PID 3408 wrote to memory of 1020 | 3408 | 635288d83f958b3ea281a508bbbebc8a_JaffaCakes118.exe | 86
PID 3408 wrote to memory of 1196 | 3408 | 635288d83f958b3ea281a508bbbebc8a_JaffaCakes118.exe | 87
PID 3408 wrote to memory of 1196 | 3408 | 635288d83f958b3ea281a508bbbebc8a_JaffaCakes118.exe | 87
PID 3408 wrote to memory of 1196 | 3408 | 635288d83f958b3ea281a508bbbebc8a_JaffaCakes118.exe | 87
PID 3408 wrote to memory of 4176 | 3408 | 635288d83f958b3ea281a508bbbebc8a_JaffaCakes118.exe | 88
PID 3408 wrote to memory of 4176 | 3408 | 635288d83f958b3ea281a508bbbebc8a_JaffaCakes118.exe | 88
PID 3580 wrote to memory of 1432 | 3580 | vjhnvaxsfv.exe | 90
PID 3580 wrote to memory of 1432 | 3580 | vjhnvaxsfv.exe | 90
PID 3580 wrote to memory of 1432 | 3580 | vjhnvaxsfv.exe | 90

Processes
Image: C:\Users\Admin\AppData\Local\Temp\635288d83f958b3ea281a508bbbebc8a_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\635288d83f958b3ea281a508bbbebc8a_JaffaCakes118.exe"
PID: 3408
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

  Image: C:\Windows\SysWOW64\vjhnvaxsfv.exe
  Command line: vjhnvaxsfv.exe
  PID: 3580
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    Image: C:\Windows\SysWOW64\qcrbpfjt.exe
    Command line: C:\Windows\system32\qcrbpfjt.exe
    PID: 1432
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  Image: C:\Windows\SysWOW64\svdhdhwgklsujxd.exe
  Command line: svdhdhwgklsujxd.exe
  PID: 1988
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  Image: C:\Windows\SysWOW64\qcrbpfjt.exe
  Command line: qcrbpfjt.exe
  PID: 1020
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  Image: C:\Windows\SysWOW64\kexhsuqnirwpq.exe
  Command line: kexhsuqnirwpq.exe
  PID: 1196
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  Image: C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
  PID: 4176
  - Drops file in Windows directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx

Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)

Downloads
Filesize: 512KB
MD5: d0086cdabb56ff6f494f9270455392af
SHA1: a36abf6619db1eb14e56d6f0fef4b1b4f308b67c
SHA256: a6414a6b640dc1fee9c9d6cd548317ccdb8297628a832bf3ed4cf96976192e04
SHA512: 2ac7526287951126b44330345f271879fe362a448f26f6f5d5a74d3db8ab1e14d95ddf500a30e22c64669703abd660d42f7a8e8e0a84bc738176959e32583bc1

Filesize: 512KB
MD5: 80d10b89efd35c321a84dceb254a0e99
SHA1: c979e0e50d7886e67c4f2ec5ff3d593ff2d714fe
SHA256: bba891db37de83c92c2c4e160a5fc19a8481cf59a9d3e4cd566b70133a64cf52
SHA512: fabdc9d89e185d82dac1d7e453b4a88b1cad9fd92730383c00976aac4a8fefd300de661f81f39bf16aac189f1b37b023aa3df7dced0607ba0afd8842db8d4b66

Filesize: 262KB
MD5: 51d32ee5bc7ab811041f799652d26e04
SHA1: 412193006aa3ef19e0a57e16acf86b830993024a
SHA256: 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA512: 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Filesize: 239B
MD5: 12b138a5a40ffb88d1850866bf2959cd
SHA1: 57001ba2de61329118440de3e9f8a81074cb28a2
SHA256: 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA512: 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

Path: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: 15924a0d98da3d88248a0aba4df0e39d
SHA1: 3c415a42f690325194187f60e7ff847c6ebd2a00
SHA256: ace70343d7240a6c74da2f4d5a480ac224256f5053bc330f7068cb76396ba014
SHA512: dfcdef20f1a66dc43670cd395da07db87f1181e106f80437ad82b1f59e8cdfaea4f3ec4cf9be82fe85a8c73dbb12ec7b65626e3321c6414fdecc1c7e8b0d689b

Path: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: e9ae96e3c49de3d96abd19fddc913ca9
SHA1: 23b28f16e91189baad2c8031ed1d41263a856547
SHA256: 133330bd346b2dd9877b707fbac6bab1bbca0555b75075d01949bf8a27ee49db
SHA512: 90eefd23aac72145ff5250367de838be0595923fdc7fa1a33a8691ba4261918493ca0c4c2956041d1cc0a4fa7d8f35b84694fb32f2538d713baade700f803cf0

Filesize: 512KB
MD5: b090143e149e8f5de0b6653444ffac68
SHA1: 9bb8d706853135687c36221ff36d28a349c6ae60
SHA256: cd47be1f066f9a3433f7ff401471cd9abe625fe9055e514357550a3ff7ec4be3
SHA512: ec645008cd8ea2a1abef2469a71fbc43d53da0b9ed346bb84cc66fb261bcc05924e38a32842ed719ca936b1e26e0e772aa768a89c9d4a8ea85907d783f9ab35d

Filesize: 512KB
MD5: 902114947869f83105c17618fb6f9b9f
SHA1: 0a7e1a6a3048a0be8a0ca7e59996d1705a375c1c
SHA256: 884f5dd5a276be537541326a2b6a1d9733948b34e09ac06c9c7cf4f2ab43c0e0
SHA512: 20b8e35126b326022d631a38a30a6c6d54afd90956b77aaae288d7c1f6f0b103d822a37444a78b604b0e45a99e0300358eb44c9d9bfb902a6bf195eefac2ee78

Filesize: 512KB
MD5: 9b25e5b0c7998f35a34f2031c72a34c9
SHA1: eccbaec4a28d629c0d2f96b5936ba5fd5f86eeaf
SHA256: f84a5bb97efd1c30114fa017c0582e1d71d6ae427972c9770dd38ff8b11232db
SHA512: 4b5446607de48e3afa9ab76da4161cb585f0af94d14d223527f1193d6b491ca720023e560daa8d3ae2fe8b1d20e9585a3a267d106b6ab823d3862816a23bc8e1

Filesize: 512KB
MD5: db99fb092ed0eef16de883fc9916daa4
SHA1: 83f81d0b56608bc59202da068be102985c3c833e
SHA256: de14146bd8933e91a67a2a0b4a10e2ed50bc9c7012adfcc8aa97d3efc89bfed5
SHA512: 021de900db0f9f0a480f4d073a56cd461c67cea457bed79da3d5cc18ec207640715756a41fb7fed55ad3de082753329d1edcea3e426d7aed739813778b9cd8ea

Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Filesize: 512KB
MD5: 36112943b295a610835348e8204e4df6
SHA1: f9bcbf31c9ab0d00e4834445fc87b53f22be7582
SHA256: 61aed0da3e41bac26ee211df8764bf0e300e0a2c9f60067cf02a4b2cc56361c6
SHA512: a85be2b005fcc04461d6330b12b0d4a1358bd6323e17a7b3f38c1b6122bf9e34d87ad58c9747870a36cf48eabb6e6064fe4e7cc23e185d00e4e6d5de30c2249c

Filesize: 512KB
MD5: 35eb81f4b62de3824c638db6928bafbd
SHA1: bd2808b2ce5ac99e331a19331e4fb92b74eb5fd6
SHA256: 01133c66908c20a0d01d856463c96f82775ca1a2f7bcb1fded835ba6851bc304
SHA512: e4bcdeffc401a19b8fc0294540f978928d20db4fce52a4b8dabedf79282990c6c33fbc2ffc7e0f17df6022bcf6c5dc0c2c896dd928fa5f4841c1d6e4b80d461d