Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-05-2024 04:08

Static task: static1
Behavioral task: behavioral1
  Sample: 69af959794532432a508040c0b496ccb_JaffaCakes118.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: 69af959794532432a508040c0b496ccb_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 69af959794532432a508040c0b496ccb_JaffaCakes118.exe
Size: 512KB
MD5: 69af959794532432a508040c0b496ccb
SHA1: 032f20c3b0225859ab53f23b59087f858a6f066e
SHA256: b667fa0a0ee06d7237e16ef8ca43c6e4b6704ff2e32262be8c63a25ca61cfe67
SHA512: 964454aabc120f66172a4f5be7d44c048233be9558e31fb606a049bf46ac1583c469e39a067623c94c33c77befc444f5429bcafaf1c6fa0e15fb0fca3428c4df
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6T:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5G
Malware Config

Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
Process: uzbabeblux.exe
  Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
Process: uzbabeblux.exe
  Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
Windows security bypass 5 IoCs
Process: uzbabeblux.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
Disables RegEdit via registry modification 1 IoCs
Process: uzbabeblux.exe
  Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Process: 69af959794532432a508040c0b496ccb_JaffaCakes118.exe
  Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation
Executes dropped EXE 5 IoCs
Processes (pid process):
  1900 uzbabeblux.exe
  1364 ibolntfdapjypzf.exe
  2080 ksukkfmm.exe
  3508 necjjhggpibfy.exe
  4216 ksukkfmm.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification 6 IoCs
Process: uzbabeblux.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
Adds Run key to start application 2 TTPs 3 IoCs
Process: ibolntfdapjypzf.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vvpaxkhc = "uzbabeblux.exe"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rrpjjbmi = "ibolntfdapjypzf.exe"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "necjjhggpibfy.exe"
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: ksukkfmm.exe, ksukkfmm.exe, uzbabeblux.exe
Process: ksukkfmm.exe (44 events, in recorded order)
  File opened (read-only): \??\r:, \??\e:, \??\j:, \??\o:, \??\v:, \??\a:, \??\h:, \??\b:, \??\j:, \??\g:, \??\l:, \??\n:, \??\q:, \??\v:, \??\p:, \??\u:, \??\z:, \??\o:, \??\i:, \??\m:, \??\t:, \??\l:, \??\t:, \??\x:, \??\y:, \??\a:, \??\r:, \??\b:, \??\s:, \??\s:, \??\w:, \??\x:, \??\n:, \??\y:, \??\z:, \??\m:, \??\k:, \??\h:, \??\i:, \??\k:, \??\q:, \??\e:, \??\g:, \??\w:
Process: uzbabeblux.exe (20 events, in recorded order)
  File opened (read-only): \??\n:, \??\z:, \??\t:, \??\b:, \??\o:, \??\i:, \??\k:, \??\s:, \??\r:, \??\w:, \??\x:, \??\j:, \??\q:, \??\u:, \??\y:, \??\e:, \??\m:, \??\p:, \??\h:, \??\a:
Modifies WinLogon 2 TTPs 2 IoCs
Process: uzbabeblux.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"
AutoIT Executable 10 IoCs
AutoIT scripts compiled to PE executables.
Resources matching yara rule autoit_exe:
  behavioral2/memory/4000-0-0x0000000000400000-0x0000000000496000-memory.dmp
  C:\Windows\SysWOW64\ibolntfdapjypzf.exe
  C:\Windows\SysWOW64\uzbabeblux.exe
  C:\Windows\SysWOW64\necjjhggpibfy.exe
  C:\Windows\SysWOW64\ksukkfmm.exe
  C:\Program Files\EditResume.doc.exe
  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
  C:\Users\Admin\Documents\DismountStop.doc.exe
  \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
  \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
Drops file in System32 directory 12 IoCs
Process: 69af959794532432a508040c0b496ccb_JaffaCakes118.exe
  File created C:\Windows\SysWOW64\ibolntfdapjypzf.exe
  File created C:\Windows\SysWOW64\ksukkfmm.exe
  File created C:\Windows\SysWOW64\necjjhggpibfy.exe
  File created C:\Windows\SysWOW64\uzbabeblux.exe
  File opened for modification C:\Windows\SysWOW64\uzbabeblux.exe
  File opened for modification C:\Windows\SysWOW64\ibolntfdapjypzf.exe
  File opened for modification C:\Windows\SysWOW64\ksukkfmm.exe
  File opened for modification C:\Windows\SysWOW64\necjjhggpibfy.exe
Process: ksukkfmm.exe
  File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
  File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
  File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
Process: uzbabeblux.exe
  File opened for modification C:\Windows\SysWOW64\msvbvm60.dll
Drops file in Program Files directory 22 IoCs
Process: ksukkfmm.exe (both instances)
  File opened for modification \??\c:\Program Files\EditResume.doc.exe
  File opened for modification \??\c:\Program Files\EditResume.doc.exe
  File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
  File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
  File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
  File created \??\c:\Program Files\EditResume.doc.exe
  File opened for modification C:\Program Files\EditResume.doc.exe
  File opened for modification C:\Program Files\EditResume.nal
  File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
  File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
  File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
  File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal
  File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal
  File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
  File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal
  File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
  File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal
  File created \??\c:\Program Files\EditResume.doc.exe
  File opened for modification C:\Program Files\EditResume.doc.exe
  File opened for modification C:\Program Files\EditResume.nal
  File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
  File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
Drops file in Windows directory 19 IoCs
Process: ksukkfmm.exe (both instances)
  File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe
  File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe
  File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe
  File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe
  File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe
  File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe
  File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe
  File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe
  File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe
  File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe
  File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe
  File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe
  File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe
  File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe
  File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe
  File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe
Process: 69af959794532432a508040c0b496ccb_JaffaCakes118.exe
  File opened for modification C:\Windows\mydoc.rtf
Process: WINWORD.EXE
  File opened for modification C:\Windows\mydoc.rtf
  File created C:\Windows\~$mydoc.rtf
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Process: WINWORD.EXE
  Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
Enumerates system info in registry 2 TTPs 3 IoCs
Process: WINWORD.EXE
  Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
Modifies registry class 20 IoCs
Process: uzbabeblux.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh
Process: 69af959794532432a508040c0b496ccb_JaffaCakes118.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC0B029449239E953C5BAD43298D7CB"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABCFACDF962F195837E3A45869D3995B08E038D4362024BE2CE45EA08D3"
  Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32462D0D9C5283276A3E76D570242CAB7CF465A8"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFFFF82485A851B9132D72F7D92BD95E632593767456341D69D"
  Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F768B3FF1F21D9D178D0A58A0E9110"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1939C70814E2DAB1B8CE7CE6ED9334B9"
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes (pid process):
  5060 WINWORD.EXE (2 events)
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid process, repeated entries collapsed with their counts):
  4000 69af959794532432a508040c0b496ccb_JaffaCakes118.exe (16 events)
  1900 uzbabeblux.exe (10 events)
  2080 ksukkfmm.exe (8 events)
  3508 necjjhggpibfy.exe (12 events)
  1364 ibolntfdapjypzf.exe (12 events)
  4216 ksukkfmm.exe (6 events)
Suspicious use of FindShellTrayWindow 18 IoCs
Processes (pid process, repeated entries collapsed with their counts):
  4000 69af959794532432a508040c0b496ccb_JaffaCakes118.exe (3 events)
  1900 uzbabeblux.exe (3 events)
  1364 ibolntfdapjypzf.exe (3 events)
  3508 necjjhggpibfy.exe (3 events)
  2080 ksukkfmm.exe (3 events)
  4216 ksukkfmm.exe (3 events)
Suspicious use of SendNotifyMessage 18 IoCs
Processes (pid process, repeated entries collapsed with their counts):
  4000 69af959794532432a508040c0b496ccb_JaffaCakes118.exe (3 events)
  1900 uzbabeblux.exe (3 events)
  1364 ibolntfdapjypzf.exe (3 events)
  3508 necjjhggpibfy.exe (3 events)
  2080 ksukkfmm.exe (3 events)
  4216 ksukkfmm.exe (3 events)
Suspicious use of SetWindowsHookEx 7 IoCs
Processes (pid process):
  5060 WINWORD.EXE (7 events)
Suspicious use of WriteProcessMemory 17 IoCs
Processes (source pid and process, target pid and process; repeated entries collapsed with their counts):
  PID 4000 69af959794532432a508040c0b496ccb_JaffaCakes118.exe wrote to memory of 1900 uzbabeblux.exe (3 events)
  PID 4000 69af959794532432a508040c0b496ccb_JaffaCakes118.exe wrote to memory of 1364 ibolntfdapjypzf.exe (3 events)
  PID 4000 69af959794532432a508040c0b496ccb_JaffaCakes118.exe wrote to memory of 2080 ksukkfmm.exe (3 events)
  PID 4000 69af959794532432a508040c0b496ccb_JaffaCakes118.exe wrote to memory of 3508 necjjhggpibfy.exe (3 events)
  PID 4000 69af959794532432a508040c0b496ccb_JaffaCakes118.exe wrote to memory of 5060 WINWORD.EXE (2 events)
  PID 1900 uzbabeblux.exe wrote to memory of 4216 ksukkfmm.exe (3 events)
Processes
[1] C:\Users\Admin\AppData\Local\Temp\69af959794532432a508040c0b496ccb_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\69af959794532432a508040c0b496ccb_JaffaCakes118.exe"
    - Checks computer location settings
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\uzbabeblux.exe
        Command line: uzbabeblux.exe
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - Windows security bypass
        - Disables RegEdit via registry modification
        - Executes dropped EXE
        - Windows security modification
        - Enumerates connected drives
        - Modifies WinLogon
        - Drops file in System32 directory
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\ksukkfmm.exe
            Command line: C:\Windows\system32\ksukkfmm.exe
            - Executes dropped EXE
            - Enumerates connected drives
            - Drops file in System32 directory
            - Drops file in Program Files directory
            - Drops file in Windows directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
    [2] C:\Windows\SysWOW64\ibolntfdapjypzf.exe
        Command line: ibolntfdapjypzf.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
    [2] C:\Windows\SysWOW64\ksukkfmm.exe
        Command line: ksukkfmm.exe
        - Executes dropped EXE
        - Enumerates connected drives
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
    [2] C:\Windows\SysWOW64\necjjhggpibfy.exe
        Command line: necjjhggpibfy.exe
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
    [2] C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
        Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
        - Drops file in Windows directory
        - Checks processor information in registry
        - Enumerates system info in registry
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
  Boot or Logon Autostart Execution 2
    Registry Run Keys / Startup Folder 1
    Winlogon Helper DLL 1
Privilege Escalation
  Boot or Logon Autostart Execution 2
    Registry Run Keys / Startup Folder 1
    Winlogon Helper DLL 1
Defense Evasion
  Hide Artifacts 2
    Hidden Files and Directories 2
  Modify Registry 6
  Impair Defenses 2
    Disable or Modify Tools 2
Downloads