Analysis

Max time kernel: 150s
Max time network: 150s
Platform: windows10-2004_x64
Resource: win10v2004-20240508-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 21-05-2024 14:34

Static task: static1

Behavioral task: behavioral1
  Sample: 63a24a8d6ca7b81f9ab13a3573856d53_JaffaCakes118.exe
  Resource: win7-20231129-en

Behavioral task: behavioral2
  Sample: 63a24a8d6ca7b81f9ab13a3573856d53_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General

Target: 63a24a8d6ca7b81f9ab13a3573856d53_JaffaCakes118.exe
Size: 512KB
MD5: 63a24a8d6ca7b81f9ab13a3573856d53
SHA1: 8f3fb98762af2aedde63d30306b2e16d527d88eb
SHA256: ab59175e370241bd828506dcbeacef6982a1db97aa5ca4135585336e6a994530
SHA512: 382fdc9f01f667dd8eb1f0b283c42a19c981e2442af128ffc01790061f96a85e98d62010c9201e1be9e1ff27713a8c274130fdf2e030d0393e82031befda1169
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6R:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5Q
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
  ckdnmoxqiu.exe: Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  ckdnmoxqiu.exe: Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
Windows security bypass (5 IoCs) [signature heading missing from the extracted page; name taken from this process's entry in the process tree below]
  ckdnmoxqiu.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
  ckdnmoxqiu.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  ckdnmoxqiu.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
  ckdnmoxqiu.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
  ckdnmoxqiu.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
Disables RegEdit via registry modification (1 IoC)
  ckdnmoxqiu.exe: Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  63a24a8d6ca7b81f9ab13a3573856d53_JaffaCakes118.exe: Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation
Executes dropped EXE (5 IoCs)
  PID 1188  ckdnmoxqiu.exe
  PID 4912  ueostodmhprvyhi.exe
  PID 428   lopfarui.exe
  PID 4820  sswleozvrtoeo.exe
  PID 4236  lopfarui.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.
Windows security modification (6 IoCs) [signature heading missing from the extracted page; name taken from this process's entry in the process tree below]
  ckdnmoxqiu.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
  ckdnmoxqiu.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1"
  ckdnmoxqiu.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
  ckdnmoxqiu.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
  ckdnmoxqiu.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  ckdnmoxqiu.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
Adds Run key to start application (2 TTPs, 3 IoCs)
  ueostodmhprvyhi.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\esibnlcj = "ckdnmoxqiu.exe"
  ueostodmhprvyhi.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\zgtelhko = "ueostodmhprvyhi.exe"
  ueostodmhprvyhi.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "sswleozvrtoeo.exe"  (empty value name, as recorded)
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  All 64 events are "File opened (read-only)" on a drive root (\??\<letter>:), grouped here by process:
  ckdnmoxqiu.exe (22 opens, one per letter): a: b: e: g: h: i: j: k: l: m: n: o: q: r: s: t: u: v: w: x: y: z:
  lopfarui.exe, both instances combined (42 opens): a: x2, b: x2, e: x2, g: x2, h: x2, i: x1, j: x2, k: x2, l: x1, m: x1, n: x1, o: x2, p: x2, q: x2, r: x2, s: x2, t: x2, u: x2, v: x2, w: x2, x: x2, y: x2, z: x2
Modifies WinLogon (2 TTPs, 2 IoCs)
  ckdnmoxqiu.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"
  ckdnmoxqiu.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"
AutoIT Executable (10 IoCs)
AutoIT scripts compiled to PE executables.
  Resources matching yara rule autoit_exe:
  behavioral2/memory/4768-0-0x0000000000400000-0x0000000000496000-memory.dmp
  C:\Windows\SysWOW64\ueostodmhprvyhi.exe
  C:\Windows\SysWOW64\ckdnmoxqiu.exe
  C:\Windows\SysWOW64\lopfarui.exe
  C:\Windows\SysWOW64\sswleozvrtoeo.exe
  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
  C:\Users\Admin\Documents\MeasureLock.doc.exe
  \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
  \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
Drops file in System32 directory (13 IoCs)
  63a24a8d6ca7b81f9ab13a3573856d53_JaffaCakes118.exe: File created C:\Windows\SysWOW64\sswleozvrtoeo.exe
  63a24a8d6ca7b81f9ab13a3573856d53_JaffaCakes118.exe: File created C:\Windows\SysWOW64\ueostodmhprvyhi.exe
  ckdnmoxqiu.exe: File opened for modification C:\Windows\SysWOW64\msvbvm60.dll
  63a24a8d6ca7b81f9ab13a3573856d53_JaffaCakes118.exe: File opened for modification C:\Windows\SysWOW64\ueostodmhprvyhi.exe
  63a24a8d6ca7b81f9ab13a3573856d53_JaffaCakes118.exe: File created C:\Windows\SysWOW64\lopfarui.exe
  63a24a8d6ca7b81f9ab13a3573856d53_JaffaCakes118.exe: File opened for modification C:\Windows\SysWOW64\lopfarui.exe
  63a24a8d6ca7b81f9ab13a3573856d53_JaffaCakes118.exe: File opened for modification C:\Windows\SysWOW64\sswleozvrtoeo.exe
  lopfarui.exe: File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
  lopfarui.exe: File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
  lopfarui.exe: File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
  63a24a8d6ca7b81f9ab13a3573856d53_JaffaCakes118.exe: File created C:\Windows\SysWOW64\ckdnmoxqiu.exe
  63a24a8d6ca7b81f9ab13a3573856d53_JaffaCakes118.exe: File opened for modification C:\Windows\SysWOW64\ckdnmoxqiu.exe
  lopfarui.exe: File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
Drops file in Program Files directory (14 IoCs)
  All events are by lopfarui.exe (both instances):
  File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
  File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal
  File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
  File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
  File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal
  File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
  File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal
  File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
  File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
  File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
  File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
  File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
  File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
  File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal
Drops file in Windows directory (19 IoCs)
  lopfarui.exe: File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe
  lopfarui.exe: File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe
  lopfarui.exe: File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe
  lopfarui.exe: File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe
  lopfarui.exe: File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe
  lopfarui.exe: File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe
  63a24a8d6ca7b81f9ab13a3573856d53_JaffaCakes118.exe: File opened for modification C:\Windows\mydoc.rtf
  lopfarui.exe: File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe
  lopfarui.exe: File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe
  lopfarui.exe: File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe
  lopfarui.exe: File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe
  lopfarui.exe: File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe
  WINWORD.EXE: File opened for modification C:\Windows\mydoc.rtf
  lopfarui.exe: File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe
  lopfarui.exe: File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe
  lopfarui.exe: File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe
  WINWORD.EXE: File created C:\Windows\~$mydoc.rtf
  lopfarui.exe: File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe
  lopfarui.exe: File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
  WINWORD.EXE: Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
  WINWORD.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
  WINWORD.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
Enumerates system info in registry (2 TTPs, 3 IoCs)
  WINWORD.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
  WINWORD.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
  WINWORD.EXE: Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS
Modifies registry class (20 IoCs)
  63a24a8d6ca7b81f9ab13a3573856d53_JaffaCakes118.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F468B6FE6D21DAD27ED0A28A7A9160"
  ckdnmoxqiu.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"
  ckdnmoxqiu.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile"
  ckdnmoxqiu.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile"
  ckdnmoxqiu.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs
  63a24a8d6ca7b81f9ab13a3573856d53_JaffaCakes118.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33402C0A9C2D83516A3176A6772E2DDF7D8765DC"
  63a24a8d6ca7b81f9ab13a3573856d53_JaffaCakes118.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8BFCFF4F27851D913DD7287EE6BC92E630584367316344D79B"
  ckdnmoxqiu.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc
  ckdnmoxqiu.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"
  63a24a8d6ca7b81f9ab13a3573856d53_JaffaCakes118.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC7B15A44EE399D53CFB9D033E9D7CF"
  ckdnmoxqiu.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat
  ckdnmoxqiu.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile"
  ckdnmoxqiu.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf
  63a24a8d6ca7b81f9ab13a3573856d53_JaffaCakes118.exe: Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings
  63a24a8d6ca7b81f9ab13a3573856d53_JaffaCakes118.exe: Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes
  63a24a8d6ca7b81f9ab13a3573856d53_JaffaCakes118.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCFFAB1F962F2E384743B37869F39E3B0FE038D4211023FE2BE42E808A3"
  63a24a8d6ca7b81f9ab13a3573856d53_JaffaCakes118.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "194AC60F14E6DABEB8C87C95ED9534C6"
  ckdnmoxqiu.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh
  ckdnmoxqiu.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg
  ckdnmoxqiu.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  PID 2408  WINWORD.EXE  (2 events)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Events per process:
  PID 4768  63a24a8d6ca7b81f9ab13a3573856d53_JaffaCakes118.exe  (16 events)
  PID 1188  ckdnmoxqiu.exe  (10 events)
  PID 4912  ueostodmhprvyhi.exe  (12 events)
  PID 4820  sswleozvrtoeo.exe  (12 events)
  PID 428   lopfarui.exe  (8 events)
  PID 4236  lopfarui.exe  (6 events)
Suspicious use of FindShellTrayWindow (18 IoCs)
  3 events each for: PID 4768 63a24a8d6ca7b81f9ab13a3573856d53_JaffaCakes118.exe, PID 1188 ckdnmoxqiu.exe, PID 4912 ueostodmhprvyhi.exe, PID 428 lopfarui.exe, PID 4820 sswleozvrtoeo.exe, PID 4236 lopfarui.exe
Suspicious use of SendNotifyMessage (18 IoCs)
  3 events each for: PID 4768 63a24a8d6ca7b81f9ab13a3573856d53_JaffaCakes118.exe, PID 1188 ckdnmoxqiu.exe, PID 4912 ueostodmhprvyhi.exe, PID 428 lopfarui.exe, PID 4820 sswleozvrtoeo.exe, PID 4236 lopfarui.exe
Suspicious use of SetWindowsHookEx (7 IoCs)
  PID 2408  WINWORD.EXE  (7 events)
Suspicious use of WriteProcessMemory (17 IoCs)
  Source PID and process -> target PID and process (event count):
  4768 63a24a8d6ca7b81f9ab13a3573856d53_JaffaCakes118.exe -> 1188 ckdnmoxqiu.exe  (3)
  4768 63a24a8d6ca7b81f9ab13a3573856d53_JaffaCakes118.exe -> 4912 ueostodmhprvyhi.exe  (3)
  4768 63a24a8d6ca7b81f9ab13a3573856d53_JaffaCakes118.exe -> 428 lopfarui.exe  (3)
  4768 63a24a8d6ca7b81f9ab13a3573856d53_JaffaCakes118.exe -> 4820 sswleozvrtoeo.exe  (3)
  4768 63a24a8d6ca7b81f9ab13a3573856d53_JaffaCakes118.exe -> 2408 WINWORD.EXE  (2)
  1188 ckdnmoxqiu.exe -> 4236 lopfarui.exe  (3)
Processes

Process tree (depth shown by indentation; PIDs are those recorded in the signature tables above):

1. C:\Users\Admin\AppData\Local\Temp\63a24a8d6ca7b81f9ab13a3573856d53_JaffaCakes118.exe  (PID 4768)
   Command line: "C:\Users\Admin\AppData\Local\Temp\63a24a8d6ca7b81f9ab13a3573856d53_JaffaCakes118.exe"
   - Checks computer location settings
   - Drops file in System32 directory
   - Drops file in Windows directory
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\ckdnmoxqiu.exe  (PID 1188)
      Command line: ckdnmoxqiu.exe
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Windows security bypass
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Windows security modification
      - Enumerates connected drives
      - Modifies WinLogon
      - Drops file in System32 directory
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\lopfarui.exe  (PID 4236)
         Command line: C:\Windows\system32\lopfarui.exe
         - Executes dropped EXE
         - Enumerates connected drives
         - Drops file in System32 directory
         - Drops file in Program Files directory
         - Drops file in Windows directory
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of FindShellTrayWindow
         - Suspicious use of SendNotifyMessage

   2. C:\Windows\SysWOW64\ueostodmhprvyhi.exe  (PID 4912)
      Command line: ueostodmhprvyhi.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

   2. C:\Windows\SysWOW64\lopfarui.exe  (PID 428)
      Command line: lopfarui.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

   2. C:\Windows\SysWOW64\sswleozvrtoeo.exe  (PID 4820)
      Command line: sswleozvrtoeo.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

   2. C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE  (PID 2408)
      Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      - Drops file in Windows directory
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Modify Registry (6)
  Impair Defenses (2)
    Disable or Modify Tools (2)