Analysis
- max time kernel: 151s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-05-2024 01:40
Static task: static1
Behavioral task: behavioral1
- Sample: 658e7379a10fc02deab35987b5b9c9e7_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 658e7379a10fc02deab35987b5b9c9e7_JaffaCakes118.exe
- Resource: win10v2004-20240226-en
General
- Target: 658e7379a10fc02deab35987b5b9c9e7_JaffaCakes118.exe
- Size: 512KB
- MD5: 658e7379a10fc02deab35987b5b9c9e7
- SHA1: b056a36f59c8f1ddd34713cc4939764e34ef9c98
- SHA256: d13e693c2f11aad7e810be1be2276653fc747d3b6c8781af20c769c18eb95556
- SHA512: c2b28701d9967e07b620d11d5226f872072ae46a75fde06ccbbb122270bada6596491ed91e0db1dd6192f1e331d0e67a6db922684467be98d25abc7d22b2d164
- SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6C:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5B
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
Processes: abizoxkchv.exe
- Set value (int): \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (abizoxkchv.exe)
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
Processes: abizoxkchv.exe
- Set value (int): \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (abizoxkchv.exe)
Windows security bypass (5 IoCs)
Processes: abizoxkchv.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (abizoxkchv.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (abizoxkchv.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (abizoxkchv.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (abizoxkchv.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (abizoxkchv.exe)
Disables RegEdit via registry modification (1 IoC)
Processes: abizoxkchv.exe
- Set value (int): \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (abizoxkchv.exe)
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Processes: 658e7379a10fc02deab35987b5b9c9e7_JaffaCakes118.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation (658e7379a10fc02deab35987b5b9c9e7_JaffaCakes118.exe)
Executes dropped EXE (5 IoCs)
Processes: abizoxkchv.exe, jnofbaboheoautr.exe, jyzioshg.exe, yxpxswawypovz.exe, jyzioshg.exe
- PID 1512: abizoxkchv.exe
- PID 312: jnofbaboheoautr.exe
- PID 4988: jyzioshg.exe
- PID 2196: yxpxswawypovz.exe
- PID 3712: jyzioshg.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.
Windows security modification (6 IoCs)
Processes: abizoxkchv.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (abizoxkchv.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" (abizoxkchv.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (abizoxkchv.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (abizoxkchv.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (abizoxkchv.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (abizoxkchv.exe)
Adds Run key to start application (2 TTPs, 3 IoCs)
Processes: jnofbaboheoautr.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dbjcvvjf = "abizoxkchv.exe" (jnofbaboheoautr.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\areinnbb = "jnofbaboheoautr.exe" (jnofbaboheoautr.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "yxpxswawypovz.exe" (jnofbaboheoautr.exe)
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon (2 TTPs, 2 IoCs)
Processes: abizoxkchv.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" (abizoxkchv.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" (abizoxkchv.exe)
AutoIT Executable (9 IoCs)
AutoIT scripts compiled to PE executables.
Resources matching yara rule autoit_exe:
- behavioral2/memory/4900-0-0x0000000000400000-0x0000000000496000-memory.dmp
- C:\Windows\SysWOW64\jnofbaboheoautr.exe
- C:\Windows\SysWOW64\abizoxkchv.exe
- C:\Windows\SysWOW64\jyzioshg.exe
- C:\Windows\SysWOW64\yxpxswawypovz.exe
- C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- C:\Users\Admin\Documents\RestoreMove.doc.exe
- \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
- \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
Drops file in System32 directory (12 IoCs)
Processes: 658e7379a10fc02deab35987b5b9c9e7_JaffaCakes118.exe, abizoxkchv.exe, jyzioshg.exe, jyzioshg.exe
- File created: C:\Windows\SysWOW64\jnofbaboheoautr.exe (658e7379a10fc02deab35987b5b9c9e7_JaffaCakes118.exe)
- File created: C:\Windows\SysWOW64\jyzioshg.exe (658e7379a10fc02deab35987b5b9c9e7_JaffaCakes118.exe)
- File opened for modification: C:\Windows\SysWOW64\jyzioshg.exe (658e7379a10fc02deab35987b5b9c9e7_JaffaCakes118.exe)
- File created: C:\Windows\SysWOW64\yxpxswawypovz.exe (658e7379a10fc02deab35987b5b9c9e7_JaffaCakes118.exe)
- File opened for modification: C:\Windows\SysWOW64\yxpxswawypovz.exe (658e7379a10fc02deab35987b5b9c9e7_JaffaCakes118.exe)
- File opened for modification: C:\Windows\SysWOW64\msvbvm60.dll (abizoxkchv.exe)
- File created: C:\Windows\SysWOW64\abizoxkchv.exe (658e7379a10fc02deab35987b5b9c9e7_JaffaCakes118.exe)
- File opened for modification: C:\Windows\SysWOW64\abizoxkchv.exe (658e7379a10fc02deab35987b5b9c9e7_JaffaCakes118.exe)
- File opened for modification: C:\Windows\SysWOW64\jnofbaboheoautr.exe (658e7379a10fc02deab35987b5b9c9e7_JaffaCakes118.exe)
- File created: \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (jyzioshg.exe)
- File opened for modification: \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (jyzioshg.exe)
- File opened for modification: \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (jyzioshg.exe)
Drops file in Program Files directory (15 IoCs)
Processes: jyzioshg.exe, jyzioshg.exe
- File opened for modification: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (jyzioshg.exe)
- File opened for modification: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (jyzioshg.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal (jyzioshg.exe)
- File created: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (jyzioshg.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (jyzioshg.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal (jyzioshg.exe)
- File created: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (jyzioshg.exe)
- File created: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (jyzioshg.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (jyzioshg.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal (jyzioshg.exe)
- File opened for modification: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (jyzioshg.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal (jyzioshg.exe)
- File opened for modification: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (jyzioshg.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (jyzioshg.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (jyzioshg.exe)
Drops file in Windows directory (3 IoCs)
Processes: 658e7379a10fc02deab35987b5b9c9e7_JaffaCakes118.exe, WINWORD.EXE
- File opened for modification: C:\Windows\mydoc.rtf (658e7379a10fc02deab35987b5b9c9e7_JaffaCakes118.exe)
- File opened for modification: C:\Windows\mydoc.rtf (WINWORD.EXE)
- File created: C:\Windows\~$mydoc.rtf (WINWORD.EXE)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: WINWORD.EXE
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
Modifies registry class (20 IoCs)
Processes: abizoxkchv.exe, 658e7379a10fc02deab35987b5b9c9e7_JaffaCakes118.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc (abizoxkchv.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" (abizoxkchv.exe)
- Key created: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings (658e7379a10fc02deab35987b5b9c9e7_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33422C7A9C2082556A3377A770562CDD7D8665DF" (658e7379a10fc02deab35987b5b9c9e7_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1838C70815E7DAB2B8CA7C93EDE734CB" (658e7379a10fc02deab35987b5b9c9e7_JaffaCakes118.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf (abizoxkchv.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" (abizoxkchv.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC1B05844E439EB53B8B9D1329DD7BE" (658e7379a10fc02deab35987b5b9c9e7_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FF8FC8F4F5B82199042D6207D94BC95E640584767316241D69E" (658e7379a10fc02deab35987b5b9c9e7_JaffaCakes118.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh (abizoxkchv.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" (abizoxkchv.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs (abizoxkchv.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" (abizoxkchv.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.reg (abizoxkchv.exe)
- Key created: \REGISTRY\MACHINE\Software\Classes\CLV.Classes (658e7379a10fc02deab35987b5b9c9e7_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F56BB7FE6E21DBD109D1A88A089117" (658e7379a10fc02deab35987b5b9c9e7_JaffaCakes118.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.bat (abizoxkchv.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" (abizoxkchv.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" (abizoxkchv.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABFFABAF962F1E4830B3B40869939E5B0FE02F143670338E2CB459D09A8" (658e7379a10fc02deab35987b5b9c9e7_JaffaCakes118.exe)
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes: WINWORD.EXE
- PID 1604: WINWORD.EXE
- PID 1604: WINWORD.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of FindShellTrayWindow (18 IoCs)
Processes: 658e7379a10fc02deab35987b5b9c9e7_JaffaCakes118.exe, abizoxkchv.exe, jnofbaboheoautr.exe, jyzioshg.exe, yxpxswawypovz.exe, jyzioshg.exe
- PID 4900: 658e7379a10fc02deab35987b5b9c9e7_JaffaCakes118.exe
- PID 4900: 658e7379a10fc02deab35987b5b9c9e7_JaffaCakes118.exe
- PID 4900: 658e7379a10fc02deab35987b5b9c9e7_JaffaCakes118.exe
- PID 1512: abizoxkchv.exe
- PID 1512: abizoxkchv.exe
- PID 1512: abizoxkchv.exe
- PID 312: jnofbaboheoautr.exe
- PID 312: jnofbaboheoautr.exe
- PID 312: jnofbaboheoautr.exe
- PID 4988: jyzioshg.exe
- PID 4988: jyzioshg.exe
- PID 4988: jyzioshg.exe
- PID 2196: yxpxswawypovz.exe
- PID 2196: yxpxswawypovz.exe
- PID 2196: yxpxswawypovz.exe
- PID 3712: jyzioshg.exe
- PID 3712: jyzioshg.exe
- PID 3712: jyzioshg.exe
Suspicious use of SendNotifyMessage (18 IoCs)
Processes: 658e7379a10fc02deab35987b5b9c9e7_JaffaCakes118.exe, abizoxkchv.exe, jnofbaboheoautr.exe, jyzioshg.exe, yxpxswawypovz.exe, jyzioshg.exe
- PID 4900: 658e7379a10fc02deab35987b5b9c9e7_JaffaCakes118.exe
- PID 4900: 658e7379a10fc02deab35987b5b9c9e7_JaffaCakes118.exe
- PID 4900: 658e7379a10fc02deab35987b5b9c9e7_JaffaCakes118.exe
- PID 1512: abizoxkchv.exe
- PID 1512: abizoxkchv.exe
- PID 1512: abizoxkchv.exe
- PID 312: jnofbaboheoautr.exe
- PID 312: jnofbaboheoautr.exe
- PID 312: jnofbaboheoautr.exe
- PID 4988: jyzioshg.exe
- PID 4988: jyzioshg.exe
- PID 4988: jyzioshg.exe
- PID 2196: yxpxswawypovz.exe
- PID 2196: yxpxswawypovz.exe
- PID 2196: yxpxswawypovz.exe
- PID 3712: jyzioshg.exe
- PID 3712: jyzioshg.exe
- PID 3712: jyzioshg.exe
Suspicious use of SetWindowsHookEx (7 IoCs)
Processes: WINWORD.EXE
- PID 1604: WINWORD.EXE
- PID 1604: WINWORD.EXE
- PID 1604: WINWORD.EXE
- PID 1604: WINWORD.EXE
- PID 1604: WINWORD.EXE
- PID 1604: WINWORD.EXE
- PID 1604: WINWORD.EXE
Suspicious use of WriteProcessMemory (17 IoCs)
Processes: 658e7379a10fc02deab35987b5b9c9e7_JaffaCakes118.exe, abizoxkchv.exe
Each entry lists the writing PID and process, then the target process.
- PID 4900 wrote to memory of 1512: 658e7379a10fc02deab35987b5b9c9e7_JaffaCakes118.exe -> abizoxkchv.exe
- PID 4900 wrote to memory of 1512: 658e7379a10fc02deab35987b5b9c9e7_JaffaCakes118.exe -> abizoxkchv.exe
- PID 4900 wrote to memory of 1512: 658e7379a10fc02deab35987b5b9c9e7_JaffaCakes118.exe -> abizoxkchv.exe
- PID 4900 wrote to memory of 312: 658e7379a10fc02deab35987b5b9c9e7_JaffaCakes118.exe -> jnofbaboheoautr.exe
- PID 4900 wrote to memory of 312: 658e7379a10fc02deab35987b5b9c9e7_JaffaCakes118.exe -> jnofbaboheoautr.exe
- PID 4900 wrote to memory of 312: 658e7379a10fc02deab35987b5b9c9e7_JaffaCakes118.exe -> jnofbaboheoautr.exe
- PID 4900 wrote to memory of 4988: 658e7379a10fc02deab35987b5b9c9e7_JaffaCakes118.exe -> jyzioshg.exe
- PID 4900 wrote to memory of 4988: 658e7379a10fc02deab35987b5b9c9e7_JaffaCakes118.exe -> jyzioshg.exe
- PID 4900 wrote to memory of 4988: 658e7379a10fc02deab35987b5b9c9e7_JaffaCakes118.exe -> jyzioshg.exe
- PID 4900 wrote to memory of 2196: 658e7379a10fc02deab35987b5b9c9e7_JaffaCakes118.exe -> yxpxswawypovz.exe
- PID 4900 wrote to memory of 2196: 658e7379a10fc02deab35987b5b9c9e7_JaffaCakes118.exe -> yxpxswawypovz.exe
- PID 4900 wrote to memory of 2196: 658e7379a10fc02deab35987b5b9c9e7_JaffaCakes118.exe -> yxpxswawypovz.exe
- PID 1512 wrote to memory of 3712: abizoxkchv.exe -> jyzioshg.exe
- PID 1512 wrote to memory of 3712: abizoxkchv.exe -> jyzioshg.exe
- PID 1512 wrote to memory of 3712: abizoxkchv.exe -> jyzioshg.exe
- PID 4900 wrote to memory of 1604: 658e7379a10fc02deab35987b5b9c9e7_JaffaCakes118.exe -> WINWORD.EXE
- PID 4900 wrote to memory of 1604: 658e7379a10fc02deab35987b5b9c9e7_JaffaCakes118.exe -> WINWORD.EXE
Processes
Process tree (path, then command line); nesting shows parent/child relationships.

- C:\Users\Admin\AppData\Local\Temp\658e7379a10fc02deab35987b5b9c9e7_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\658e7379a10fc02deab35987b5b9c9e7_JaffaCakes118.exe"
  Signatures:
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\abizoxkchv.exe
    Command line: abizoxkchv.exe
    Signatures:
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\jyzioshg.exe
      Command line: C:\Windows\system32\jyzioshg.exe
      Signatures:
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\jnofbaboheoautr.exe
    Command line: jnofbaboheoautr.exe
    Signatures:
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\jyzioshg.exe
    Command line: jyzioshg.exe
    Signatures:
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\yxpxswawypovz.exe
    Command line: yxpxswawypovz.exe
    Signatures:
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    Signatures:
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx

- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4240 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Modify Registry (6)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
Downloads