Analysis
  max time kernel:   149s
  max time network:  134s
  platform:          windows10-2004_x64
  resource:          win10v2004-20240426-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         23-05-2024 03:35
Static task: static1

Behavioral task: behavioral1
  Sample:   699abc287d13163b8bb3026aa713dcb6_JaffaCakes118.exe
  Resource: win7-20240215-en

Behavioral task: behavioral2
  Sample:   699abc287d13163b8bb3026aa713dcb6_JaffaCakes118.exe
  Resource: win10v2004-20240426-en
General
  Target:  699abc287d13163b8bb3026aa713dcb6_JaffaCakes118.exe
  Size:    512KB
  MD5:     699abc287d13163b8bb3026aa713dcb6
  SHA1:    899554a9cb47a686b99a5c69786eed376c726f13
  SHA256:  b697b55106ac91d268527ca90b0a3dde60039262b864f21466255d4187f616cf
  SHA512:  26480aef7573c4a100ef1389caa9fdf31126068eec19ef7d5273590e56bac7448c28f2ce3c22e79600f6d9fc967cd3122b7141a7679fd5725d721fda8045c282
  SSDEEP:  6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6P:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm50
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
Processes: uvywaaxarf.exe
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | uvywaaxarf.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
Processes: uvywaaxarf.exe
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | uvywaaxarf.exe
Windows security bypass
Processes: uvywaaxarf.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | uvywaaxarf.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | uvywaaxarf.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | uvywaaxarf.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | uvywaaxarf.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | uvywaaxarf.exe
Disables RegEdit via registry modification (1 IoC)
Processes: uvywaaxarf.exe
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | uvywaaxarf.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Processes: 699abc287d13163b8bb3026aa713dcb6_JaffaCakes118.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | 699abc287d13163b8bb3026aa713dcb6_JaffaCakes118.exe
Executes dropped EXE (5 IoCs)
Processes: uvywaaxarf.exe, zktrykabgkghozx.exe, gbltsvoa.exe, vszklabncszea.exe, gbltsvoa.exe
  pid | process
  1184 | uvywaaxarf.exe
  2124 | zktrykabgkghozx.exe
  2340 | gbltsvoa.exe
  436 | vszklabncszea.exe
  3436 | gbltsvoa.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
Processes: uvywaaxarf.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | uvywaaxarf.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | uvywaaxarf.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | uvywaaxarf.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | uvywaaxarf.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | uvywaaxarf.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | uvywaaxarf.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
Processes: zktrykabgkghozx.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qeubjmtt = "uvywaaxarf.exe" | zktrykabgkghozx.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\fckjwpdk = "zktrykabgkghozx.exe" | zktrykabgkghozx.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "vszklabncszea.exe" | zktrykabgkghozx.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: gbltsvoa.exe, gbltsvoa.exe, uvywaaxarf.exe
  description | ioc | process
  File opened (read-only) | \??\l: | gbltsvoa.exe
  File opened (read-only) | \??\t: | gbltsvoa.exe
  File opened (read-only) | \??\q: | gbltsvoa.exe
  File opened (read-only) | \??\b: | gbltsvoa.exe
  File opened (read-only) | \??\i: | gbltsvoa.exe
  File opened (read-only) | \??\e: | gbltsvoa.exe
  File opened (read-only) | \??\o: | gbltsvoa.exe
  File opened (read-only) | \??\o: | gbltsvoa.exe
  File opened (read-only) | \??\w: | gbltsvoa.exe
  File opened (read-only) | \??\g: | uvywaaxarf.exe
  File opened (read-only) | \??\x: | uvywaaxarf.exe
  File opened (read-only) | \??\s: | gbltsvoa.exe
  File opened (read-only) | \??\x: | gbltsvoa.exe
  File opened (read-only) | \??\m: | uvywaaxarf.exe
  File opened (read-only) | \??\a: | gbltsvoa.exe
  File opened (read-only) | \??\b: | gbltsvoa.exe
  File opened (read-only) | \??\m: | gbltsvoa.exe
  File opened (read-only) | \??\p: | gbltsvoa.exe
  File opened (read-only) | \??\n: | uvywaaxarf.exe
  File opened (read-only) | \??\q: | uvywaaxarf.exe
  File opened (read-only) | \??\t: | uvywaaxarf.exe
  File opened (read-only) | \??\a: | gbltsvoa.exe
  File opened (read-only) | \??\a: | uvywaaxarf.exe
  File opened (read-only) | \??\l: | uvywaaxarf.exe
  File opened (read-only) | \??\r: | uvywaaxarf.exe
  File opened (read-only) | \??\h: | gbltsvoa.exe
  File opened (read-only) | \??\y: | gbltsvoa.exe
  File opened (read-only) | \??\v: | gbltsvoa.exe
  File opened (read-only) | \??\x: | gbltsvoa.exe
  File opened (read-only) | \??\y: | gbltsvoa.exe
  File opened (read-only) | \??\g: | gbltsvoa.exe
  File opened (read-only) | \??\t: | gbltsvoa.exe
  File opened (read-only) | \??\i: | uvywaaxarf.exe
  File opened (read-only) | \??\j: | uvywaaxarf.exe
  File opened (read-only) | \??\y: | uvywaaxarf.exe
  File opened (read-only) | \??\g: | gbltsvoa.exe
  File opened (read-only) | \??\z: | gbltsvoa.exe
  File opened (read-only) | \??\p: | gbltsvoa.exe
  File opened (read-only) | \??\k: | gbltsvoa.exe
  File opened (read-only) | \??\n: | gbltsvoa.exe
  File opened (read-only) | \??\w: | gbltsvoa.exe
  File opened (read-only) | \??\n: | gbltsvoa.exe
  File opened (read-only) | \??\r: | gbltsvoa.exe
  File opened (read-only) | \??\o: | uvywaaxarf.exe
  File opened (read-only) | \??\p: | uvywaaxarf.exe
  File opened (read-only) | \??\e: | uvywaaxarf.exe
  File opened (read-only) | \??\s: | uvywaaxarf.exe
  File opened (read-only) | \??\j: | gbltsvoa.exe
  File opened (read-only) | \??\r: | gbltsvoa.exe
  File opened (read-only) | \??\h: | gbltsvoa.exe
  File opened (read-only) | \??\j: | gbltsvoa.exe
  File opened (read-only) | \??\s: | gbltsvoa.exe
  File opened (read-only) | \??\b: | uvywaaxarf.exe
  File opened (read-only) | \??\v: | gbltsvoa.exe
  File opened (read-only) | \??\m: | gbltsvoa.exe
  File opened (read-only) | \??\u: | uvywaaxarf.exe
  File opened (read-only) | \??\i: | gbltsvoa.exe
  File opened (read-only) | \??\l: | gbltsvoa.exe
  File opened (read-only) | \??\w: | uvywaaxarf.exe
  File opened (read-only) | \??\z: | uvywaaxarf.exe
  File opened (read-only) | \??\u: | gbltsvoa.exe
  File opened (read-only) | \??\e: | gbltsvoa.exe
  File opened (read-only) | \??\q: | gbltsvoa.exe
  File opened (read-only) | \??\h: | uvywaaxarf.exe
Modifies WinLogon (2 TTPs, 2 IoCs)
Processes: uvywaaxarf.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | uvywaaxarf.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | uvywaaxarf.exe
AutoIT Executable (11 IoCs)
AutoIT scripts compiled to PE executables.
Processes:
  resource | yara_rule
  behavioral2/memory/2984-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
  C:\Windows\SysWOW64\zktrykabgkghozx.exe | autoit_exe
  C:\Windows\SysWOW64\uvywaaxarf.exe | autoit_exe
  C:\Windows\SysWOW64\gbltsvoa.exe | autoit_exe
  C:\Windows\SysWOW64\vszklabncszea.exe | autoit_exe
  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | autoit_exe
  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | autoit_exe
  C:\Users\Admin\Desktop\GetConfirm.doc.exe | autoit_exe
  C:\Users\Admin\Documents\ResizeReset.doc.exe | autoit_exe
  \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | autoit_exe
  \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | autoit_exe
Drops file in System32 directory (13 IoCs)
Processes: 699abc287d13163b8bb3026aa713dcb6_JaffaCakes118.exe, gbltsvoa.exe, gbltsvoa.exe, uvywaaxarf.exe
  description | ioc | process
  File created | C:\Windows\SysWOW64\gbltsvoa.exe | 699abc287d13163b8bb3026aa713dcb6_JaffaCakes118.exe
  File created | C:\Windows\SysWOW64\uvywaaxarf.exe | 699abc287d13163b8bb3026aa713dcb6_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\zktrykabgkghozx.exe | 699abc287d13163b8bb3026aa713dcb6_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\gbltsvoa.exe | 699abc287d13163b8bb3026aa713dcb6_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\vszklabncszea.exe | 699abc287d13163b8bb3026aa713dcb6_JaffaCakes118.exe
  File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | gbltsvoa.exe
  File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | gbltsvoa.exe
  File opened for modification | C:\Windows\SysWOW64\uvywaaxarf.exe | 699abc287d13163b8bb3026aa713dcb6_JaffaCakes118.exe
  File created | C:\Windows\SysWOW64\zktrykabgkghozx.exe | 699abc287d13163b8bb3026aa713dcb6_JaffaCakes118.exe
  File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | gbltsvoa.exe
  File created | C:\Windows\SysWOW64\vszklabncszea.exe | 699abc287d13163b8bb3026aa713dcb6_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | uvywaaxarf.exe
  File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | gbltsvoa.exe
Drops file in Program Files directory (14 IoCs)
Processes: gbltsvoa.exe, gbltsvoa.exe
  description | ioc | process
  File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | gbltsvoa.exe
  File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | gbltsvoa.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | gbltsvoa.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | gbltsvoa.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | gbltsvoa.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | gbltsvoa.exe
  File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | gbltsvoa.exe
  File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | gbltsvoa.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | gbltsvoa.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | gbltsvoa.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | gbltsvoa.exe
  File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | gbltsvoa.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | gbltsvoa.exe
  File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | gbltsvoa.exe
Drops file in Windows directory (19 IoCs)
Processes: gbltsvoa.exe, gbltsvoa.exe, 699abc287d13163b8bb3026aa713dcb6_JaffaCakes118.exe, WINWORD.EXE
  description | ioc | process
  File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | gbltsvoa.exe
  File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | gbltsvoa.exe
  File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | gbltsvoa.exe
  File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | gbltsvoa.exe
  File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | gbltsvoa.exe
  File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | gbltsvoa.exe
  File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | gbltsvoa.exe
  File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | gbltsvoa.exe
  File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | gbltsvoa.exe
  File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | gbltsvoa.exe
  File opened for modification | C:\Windows\mydoc.rtf | 699abc287d13163b8bb3026aa713dcb6_JaffaCakes118.exe
  File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | gbltsvoa.exe
  File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | gbltsvoa.exe
  File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
  File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
  File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | gbltsvoa.exe
  File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | gbltsvoa.exe
  File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | gbltsvoa.exe
  File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | gbltsvoa.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: WINWORD.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class (20 IoCs)
Processes: uvywaaxarf.exe, 699abc287d13163b8bb3026aa713dcb6_JaffaCakes118.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | uvywaaxarf.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | uvywaaxarf.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | uvywaaxarf.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8CFCFF4F2A851A9134D75F7D97BDE3E131584466366344D7EC" | 699abc287d13163b8bb3026aa713dcb6_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | uvywaaxarf.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | uvywaaxarf.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | uvywaaxarf.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | uvywaaxarf.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | uvywaaxarf.exe
  Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings | 699abc287d13163b8bb3026aa713dcb6_JaffaCakes118.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | uvywaaxarf.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | uvywaaxarf.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | uvywaaxarf.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 699abc287d13163b8bb3026aa713dcb6_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB5B12847E2389F52CDB9D4329AD7BC" | 699abc287d13163b8bb3026aa713dcb6_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F06BB0FF1821DAD27AD0A38B7D9011" | 699abc287d13163b8bb3026aa713dcb6_JaffaCakes118.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | uvywaaxarf.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32462D7E9D2082586A4676D1772E2CDF7CF564DF" | 699abc287d13163b8bb3026aa713dcb6_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BBFFABFFE10F2E084793B4A869A3993B08802FF43160348E1B845EA09A2" | 699abc287d13163b8bb3026aa713dcb6_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "183DC60B1596DAB1B9BA7FE4EDE534BB" | 699abc287d13163b8bb3026aa713dcb6_JaffaCakes118.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes: WINWORD.EXE
  pid | process | entries
  2552 | WINWORD.EXE | 2
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: 699abc287d13163b8bb3026aa713dcb6_JaffaCakes118.exe, uvywaaxarf.exe, gbltsvoa.exe, zktrykabgkghozx.exe, vszklabncszea.exe, gbltsvoa.exe
  pid | process | entries (in order of occurrence)
  2984 | 699abc287d13163b8bb3026aa713dcb6_JaffaCakes118.exe | 16
  1184 | uvywaaxarf.exe | 10
  2340 | gbltsvoa.exe | 8
  2124 | zktrykabgkghozx.exe | 8
  436 | vszklabncszea.exe | 12
  2124 | zktrykabgkghozx.exe | 2
  3436 | gbltsvoa.exe | 8
Suspicious use of FindShellTrayWindow (18 IoCs)
Processes: 699abc287d13163b8bb3026aa713dcb6_JaffaCakes118.exe, uvywaaxarf.exe, zktrykabgkghozx.exe, gbltsvoa.exe, vszklabncszea.exe, gbltsvoa.exe
  pid | process | entries
  2984 | 699abc287d13163b8bb3026aa713dcb6_JaffaCakes118.exe | 3
  1184 | uvywaaxarf.exe | 3
  2124 | zktrykabgkghozx.exe | 3
  2340 | gbltsvoa.exe | 3
  436 | vszklabncszea.exe | 3
  3436 | gbltsvoa.exe | 3
Suspicious use of SendNotifyMessage (18 IoCs)
Processes: 699abc287d13163b8bb3026aa713dcb6_JaffaCakes118.exe, uvywaaxarf.exe, zktrykabgkghozx.exe, gbltsvoa.exe, vszklabncszea.exe, gbltsvoa.exe
  pid | process | entries
  2984 | 699abc287d13163b8bb3026aa713dcb6_JaffaCakes118.exe | 3
  1184 | uvywaaxarf.exe | 3
  2124 | zktrykabgkghozx.exe | 3
  2340 | gbltsvoa.exe | 3
  436 | vszklabncszea.exe | 3
  3436 | gbltsvoa.exe | 3
Suspicious use of SetWindowsHookEx (7 IoCs)
Processes: WINWORD.EXE
  pid | process | entries
  2552 | WINWORD.EXE | 7
Suspicious use of WriteProcessMemory (17 IoCs)
Processes: 699abc287d13163b8bb3026aa713dcb6_JaffaCakes118.exe, uvywaaxarf.exe
  description | pid | process | target process | entries
  PID 2984 wrote to memory of 1184 | 2984 | 699abc287d13163b8bb3026aa713dcb6_JaffaCakes118.exe | uvywaaxarf.exe | 3
  PID 2984 wrote to memory of 2124 | 2984 | 699abc287d13163b8bb3026aa713dcb6_JaffaCakes118.exe | zktrykabgkghozx.exe | 3
  PID 2984 wrote to memory of 2340 | 2984 | 699abc287d13163b8bb3026aa713dcb6_JaffaCakes118.exe | gbltsvoa.exe | 3
  PID 2984 wrote to memory of 436 | 2984 | 699abc287d13163b8bb3026aa713dcb6_JaffaCakes118.exe | vszklabncszea.exe | 3
  PID 2984 wrote to memory of 2552 | 2984 | 699abc287d13163b8bb3026aa713dcb6_JaffaCakes118.exe | WINWORD.EXE | 2
  PID 1184 wrote to memory of 3436 | 1184 | uvywaaxarf.exe | gbltsvoa.exe | 3
Processes (tree depth shown by indentation)

C:\Users\Admin\AppData\Local\Temp\699abc287d13163b8bb3026aa713dcb6_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\699abc287d13163b8bb3026aa713dcb6_JaffaCakes118.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\uvywaaxarf.exe
    command line: uvywaaxarf.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\gbltsvoa.exe
      command line: C:\Windows\system32\gbltsvoa.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\zktrykabgkghozx.exe
    command line: zktrykabgkghozx.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\gbltsvoa.exe
    command line: gbltsvoa.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\vszklabncszea.exe
    command line: vszklabncszea.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)

Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)

Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Modify Registry (6)
  Impair Defenses (2)
    Disable or Modify Tools (2)
Downloads
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
  Filesize: 512KB
  MD5:      362afaa1aa9fcb983c06aa0764a6e8bb
  SHA1:     ee2e5d54c96ebf6924e4eb7f2fb37956e8f0917f
  SHA256:   87a9c7eabcb6271c0e96fcf85b321b1dc4e15a66aaa52111b764441e47020f74
  SHA512:   1548481f8d2db98f4e147877edf1229a0cced823f2ead0062e54238341f91635efcefc789ad100ec273f996ceeb02cb3904e569fc175d570921ca5bc89441ce4

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
  Filesize: 512KB
  MD5:      eac9a463eb995d57517ee0f172082c4d
  SHA1:     e8216a679c27af36cfc61076521491a17594251f
  SHA256:   60e851f7951e44ffedc46dfd8965aa81c6abe28e9d4eb1c6b220da268bd7bc2a
  SHA512:   8922b6b2a94093b1191e569c05e280b610a4a9295938b19bc04618c4d71f9ddaf87f691366a6fec0be4379a4a8d331add4a396a9efe2943298b331993445881f
C:\Users\Admin\AppData\Local\Temp\TCD7EB1.tmp\sist02.xsl
  Filesize: 245KB
  MD5:      f883b260a8d67082ea895c14bf56dd56
  SHA1:     7954565c1f243d46ad3b1e2f1baf3281451fc14b
  SHA256:   ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
  SHA512:   d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
  Filesize: 239B
  MD5:      12b138a5a40ffb88d1850866bf2959cd
  SHA1:     57001ba2de61329118440de3e9f8a81074cb28a2
  SHA256:   9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
  SHA512:   9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 3KB
  MD5:      a4a63e301d64329d1b85c13e33a2ea31
  SHA1:     f2a9fb1d91106c311b7a944fc948ba1db8325ad7
  SHA256:   0fba9c2d8fd205cfc016b5fd15f7bc85955647e0d51f7094d890f1674eb66956
  SHA512:   60ecb205501bcdfec50d95d7f5895e87ce9e6992a89fc587b64816c7c0177a9f447e3195c5a771910d76b47d620fb699e7037dec946a45d54b4d76180823b07e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 3KB
  MD5:      812e3317af7ce3ac5ab620b74680de5a
  SHA1:     3623dde349c7e44d1fe6cb0209a12c015ccc0ee2
  SHA256:   1b8edcb7c436b052a20c5fdd0d3cab45d7014514e8a5351c52a09b70adc5a9a7
  SHA512:   108e7ed73307e6c7880c76cc14fe41dbd231f49b1ab8f1160bc08edb78e95b59ca1f223113de391f61da1453087136cec5633937a788658d0d283e4bf0ad2835
C:\Users\Admin\Desktop\GetConfirm.doc.exe
  Filesize: 512KB
  MD5:      2ae84b23ab436d59f47945b84c5db790
  SHA1:     c37d9aea25bec6d3a5da36ced68e1e4775fcf88d
  SHA256:   58aef471f474efd67d6bd3128ecbb56ff6d72837b65c7259b324cd18b595647b
  SHA512:   8ed53ab1547aa258f0ce1c3949887df7553e719fe7985926733a63cf59efcc1220ddf1d812c62f28d58c2eb08e7f71c16a53d97205bf20ebb93c94cb3c308732

C:\Users\Admin\Documents\ResizeReset.doc.exe
  Filesize: 512KB
  MD5:      974584b48fd5116575f4b376f902a0cc
  SHA1:     4c3793482f049e149673791e256eef9113334877
  SHA256:   a0ca4039db5f7ccb66e830952792be3edb8983ab1159600f353fe40acba2ab8f
  SHA512:   4e98c4a3ddd37ec9d5b17c1f0d689080de9bf9692747b62a2af0e333ac78f03b02ad8d214fceb9df1693b64c27bf42b9bd879f77e115435eef30993e83ac6b53
C:\Windows\SysWOW64\gbltsvoa.exe
  Filesize: 512KB
  MD5:      b49ffc11f561b34e3339b3a895f46a25
  SHA1:     bb5c514cdee98dc27ffaa93caf5d5d09a66ec374
  SHA256:   7508035141569cd5e644502c1bd9c7c5eda3b493b2e8f39b44344fc08d612447
  SHA512:   9e4c8e7871582221007291ee17fb48c2963166f4c9b4b46085e9b8421a40e6825a2d9bde0b6b6a42d40ba27366e180b590227a5c99926fe4c0745c5a6d6485c9

C:\Windows\SysWOW64\uvywaaxarf.exe
  Filesize: 512KB
  MD5:      e2e0357186dbbb24de547317401a00f1
  SHA1:     c3969430a71a7076305306908a146e02ee8ee749
  SHA256:   a5550b83649629eb0c213fcb03dc354f1d91df1c8e7f79e8b6554d73305d4158
  SHA512:   13479a4a195a651794375a6b9f96aa3c740a867a73491b7625992aea50a57088b5e646e8f52a3a0e0337924ce9ed7daa4a11d67575b697ed9d342aeeb579752b
C:\Windows\SysWOW64\vszklabncszea.exe
  Filesize: 512KB
  MD5:      649893d669f71ae9e5f1acc6d5bdbdbf
  SHA1:     7d67eb22e4c0964b4cc1b66473818cfe96aa2e46
  SHA256:   c3e6f73b5eaab79c242f1622a32f4958c824494a24acee22dcdfac5785055440
  SHA512:   60c054410ecfa19be080c4d3e44c0a49b152fc98eaa4befed9a12642dfb652e217a71b6c66c209a4a18825edb89e4e53ae27d2f22645e8fbcfc718c456d65896

C:\Windows\SysWOW64\zktrykabgkghozx.exe
  Filesize: 512KB
  MD5:      392fa65758f5375279b0e71eaabfea23
  SHA1:     24dd982cccf03e210f434196fb0ef677ee6cef69
  SHA256:   fdaa6ad6a1e9e051e70b941db3883083ce3f5bc249ea55e4c7f7ef14e6ad5d7e
  SHA512:   281305420b123442a5018e460ee38f41f86512f59a3526e77f4def071991f26d1a3c122fc4f2a45eb4206c9892ceee197f2a53df853b8f597e8ca88dd69470f4
C:\Windows\mydoc.rtf
  Filesize: 223B
  MD5:      06604e5941c126e2e7be02c5cd9f62ec
  SHA1:     4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
  SHA256:   85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
  SHA512:   803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
  Filesize: 512KB
  MD5:      0f39e737470f99a218a8527dc4f3e8ab
  SHA1:     66bb47ab778bfd569eacb7454ab066ea5b85ac82
  SHA256:   104a43839867cdd50e7f22ac99f5976d16da9cc8b391bb8bfd61f3e9251372f5
  SHA512:   fa4713083cd1717974762991dbcfd60cba35674de6ea32fcab8509b3a9f9822d8f4932af2beb37d82152add6bace3a9dd42025e608fea81d266152e472b15f8c
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
  Filesize: 512KB
  MD5:      64f2ad0bd887e11a5c3cba68a4281aab
  SHA1:     b89aa9ddbcf88b82447710d47cd6fd91b23ed472
  SHA256:   4f77c474200c3337cbcd0ee757da3c20f2513c732a205232c0a9bb658c512787
  SHA512:   ebada38f15072711e3f23dcee66dc0eff309fb237ebe5248e206286a603a2b69a38848b656ce37c117fc203f502610b2154f4a04511db88be753489221c40ffb
Memory dumps
  resource | Filesize
  memory/2552-38-0x00007FFA32BF0000-0x00007FFA32C00000-memory.dmp | 64KB
  memory/2552-39-0x00007FFA32BF0000-0x00007FFA32C00000-memory.dmp | 64KB
  memory/2552-36-0x00007FFA32BF0000-0x00007FFA32C00000-memory.dmp | 64KB
  memory/2552-37-0x00007FFA32BF0000-0x00007FFA32C00000-memory.dmp | 64KB
  memory/2552-35-0x00007FFA32BF0000-0x00007FFA32C00000-memory.dmp | 64KB
  memory/2552-40-0x00007FFA30290000-0x00007FFA302A0000-memory.dmp | 64KB
  memory/2552-41-0x00007FFA30290000-0x00007FFA302A0000-memory.dmp | 64KB
  memory/2552-612-0x00007FFA32BF0000-0x00007FFA32C00000-memory.dmp | 64KB
  memory/2552-613-0x00007FFA32BF0000-0x00007FFA32C00000-memory.dmp | 64KB
  memory/2552-615-0x00007FFA32BF0000-0x00007FFA32C00000-memory.dmp | 64KB
  memory/2552-614-0x00007FFA32BF0000-0x00007FFA32C00000-memory.dmp | 64KB
  memory/2984-0-0x0000000000400000-0x0000000000496000-memory.dmp | 600KB