Analysis
max time kernel: 150s
max time network: 138s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-05-2024 06:24
Static task: static1
Behavioral task: behavioral1
  Sample: 6a065dd1770bd82e5074cb544503727d_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 6a065dd1770bd82e5074cb544503727d_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 6a065dd1770bd82e5074cb544503727d_JaffaCakes118.exe
Size: 512KB
MD5: 6a065dd1770bd82e5074cb544503727d
SHA1: a9f1b72cecc728d538780b8df10c147a7032fd05
SHA256: cdb7b46d261a3effb53583585210e60d1102a5a6cf2dc971839e9edc07b0f4c5
SHA512: 33b90458826a8359c8cf1fc68b4f6e96f616f4aca6e80e6747b17a3259fd0714f478b6d3c06364dafe0cfb08eefe16a8f62e38a11177d976369d0c619d679885
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6r:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5o
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoCs)
Processes: bskbgpksuz.exe
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | bskbgpksuz.exe

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoCs)
Processes: bskbgpksuz.exe
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | bskbgpksuz.exe

Windows security bypass (heading missing at this point in the report; name taken from the process tree below)
Processes: bskbgpksuz.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | bskbgpksuz.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | bskbgpksuz.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | bskbgpksuz.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | bskbgpksuz.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | bskbgpksuz.exe

Disables RegEdit via registry modification (1 IoCs)
Processes: bskbgpksuz.exe
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | bskbgpksuz.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
Processes: 6a065dd1770bd82e5074cb544503727d_JaffaCakes118.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | 6a065dd1770bd82e5074cb544503727d_JaffaCakes118.exe

Executes dropped EXE (5 IoCs)
Processes: bskbgpksuz.exe, dclaxqjpudczygq.exe, mtzjtbkd.exe, iekbjkkjoeoqk.exe, mtzjtbkd.exe
  pid | process
  4572 | bskbgpksuz.exe
  2416 | dclaxqjpudczygq.exe
  4984 | mtzjtbkd.exe
  1488 | iekbjkkjoeoqk.exe
  1340 | mtzjtbkd.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Windows security modification (heading missing at this point in the report; name taken from the process tree below)
Processes: bskbgpksuz.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | bskbgpksuz.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | bskbgpksuz.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | bskbgpksuz.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | bskbgpksuz.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | bskbgpksuz.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | bskbgpksuz.exe

Adds Run key to start application (2 TTPs, 3 IoCs)
Processes: dclaxqjpudczygq.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\flwwebmq = "dclaxqjpudczygq.exe" | dclaxqjpudczygq.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "iekbjkkjoeoqk.exe" | dclaxqjpudczygq.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yoitjpth = "bskbgpksuz.exe" | dclaxqjpudczygq.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: mtzjtbkd.exe, bskbgpksuz.exe, mtzjtbkd.exe
  description | ioc | process
  File opened (read-only) | \??\p: | mtzjtbkd.exe
  File opened (read-only) | \??\t: | bskbgpksuz.exe
  File opened (read-only) | \??\z: | bskbgpksuz.exe
  File opened (read-only) | \??\j: | mtzjtbkd.exe
  File opened (read-only) | \??\n: | mtzjtbkd.exe
  File opened (read-only) | \??\s: | bskbgpksuz.exe
  File opened (read-only) | \??\x: | bskbgpksuz.exe
  File opened (read-only) | \??\l: | mtzjtbkd.exe
  File opened (read-only) | \??\v: | mtzjtbkd.exe
  File opened (read-only) | \??\z: | mtzjtbkd.exe
  File opened (read-only) | \??\h: | bskbgpksuz.exe
  File opened (read-only) | \??\w: | mtzjtbkd.exe
  File opened (read-only) | \??\o: | bskbgpksuz.exe
  File opened (read-only) | \??\v: | bskbgpksuz.exe
  File opened (read-only) | \??\w: | bskbgpksuz.exe
  File opened (read-only) | \??\g: | mtzjtbkd.exe
  File opened (read-only) | \??\b: | mtzjtbkd.exe
  File opened (read-only) | \??\n: | mtzjtbkd.exe
  File opened (read-only) | \??\j: | mtzjtbkd.exe
  File opened (read-only) | \??\o: | mtzjtbkd.exe
  File opened (read-only) | \??\e: | bskbgpksuz.exe
  File opened (read-only) | \??\g: | bskbgpksuz.exe
  File opened (read-only) | \??\b: | mtzjtbkd.exe
  File opened (read-only) | \??\p: | mtzjtbkd.exe
  File opened (read-only) | \??\t: | mtzjtbkd.exe
  File opened (read-only) | \??\u: | mtzjtbkd.exe
  File opened (read-only) | \??\e: | mtzjtbkd.exe
  File opened (read-only) | \??\p: | bskbgpksuz.exe
  File opened (read-only) | \??\e: | mtzjtbkd.exe
  File opened (read-only) | \??\h: | mtzjtbkd.exe
  File opened (read-only) | \??\q: | mtzjtbkd.exe
  File opened (read-only) | \??\a: | mtzjtbkd.exe
  File opened (read-only) | \??\y: | mtzjtbkd.exe
  File opened (read-only) | \??\l: | mtzjtbkd.exe
  File opened (read-only) | \??\s: | mtzjtbkd.exe
  File opened (read-only) | \??\r: | mtzjtbkd.exe
  File opened (read-only) | \??\g: | mtzjtbkd.exe
  File opened (read-only) | \??\n: | bskbgpksuz.exe
  File opened (read-only) | \??\m: | mtzjtbkd.exe
  File opened (read-only) | \??\m: | bskbgpksuz.exe
  File opened (read-only) | \??\t: | mtzjtbkd.exe
  File opened (read-only) | \??\z: | mtzjtbkd.exe
  File opened (read-only) | \??\k: | bskbgpksuz.exe
  File opened (read-only) | \??\i: | mtzjtbkd.exe
  File opened (read-only) | \??\r: | mtzjtbkd.exe
  File opened (read-only) | \??\j: | bskbgpksuz.exe
  File opened (read-only) | \??\u: | bskbgpksuz.exe
  File opened (read-only) | \??\s: | mtzjtbkd.exe
  File opened (read-only) | \??\u: | mtzjtbkd.exe
  File opened (read-only) | \??\k: | mtzjtbkd.exe
  File opened (read-only) | \??\x: | mtzjtbkd.exe
  File opened (read-only) | \??\i: | bskbgpksuz.exe
  File opened (read-only) | \??\r: | bskbgpksuz.exe
  File opened (read-only) | \??\i: | mtzjtbkd.exe
  File opened (read-only) | \??\y: | mtzjtbkd.exe
  File opened (read-only) | \??\q: | mtzjtbkd.exe
  File opened (read-only) | \??\m: | mtzjtbkd.exe
  File opened (read-only) | \??\v: | mtzjtbkd.exe
  File opened (read-only) | \??\a: | bskbgpksuz.exe
  File opened (read-only) | \??\b: | bskbgpksuz.exe
  File opened (read-only) | \??\k: | mtzjtbkd.exe
  File opened (read-only) | \??\o: | mtzjtbkd.exe
  File opened (read-only) | \??\h: | mtzjtbkd.exe
  File opened (read-only) | \??\x: | mtzjtbkd.exe
Modifies WinLogon (2 TTPs, 2 IoCs)
Processes: bskbgpksuz.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | bskbgpksuz.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | bskbgpksuz.exe

AutoIT Executable (9 IoCs)
AutoIT scripts compiled to PE executables.
  resource | yara_rule
  behavioral2/memory/544-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
  C:\Windows\SysWOW64\dclaxqjpudczygq.exe | autoit_exe
  C:\Windows\SysWOW64\bskbgpksuz.exe | autoit_exe
  C:\Windows\SysWOW64\mtzjtbkd.exe | autoit_exe
  C:\Windows\SysWOW64\iekbjkkjoeoqk.exe | autoit_exe
  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | autoit_exe
  C:\Users\Admin\Documents\MergeDisconnect.doc.exe | autoit_exe
  \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | autoit_exe
  \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | autoit_exe
Drops file in System32 directory (12 IoCs)
Processes: 6a065dd1770bd82e5074cb544503727d_JaffaCakes118.exe, bskbgpksuz.exe, mtzjtbkd.exe, mtzjtbkd.exe
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\dclaxqjpudczygq.exe | 6a065dd1770bd82e5074cb544503727d_JaffaCakes118.exe
  File created | C:\Windows\SysWOW64\mtzjtbkd.exe | 6a065dd1770bd82e5074cb544503727d_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\iekbjkkjoeoqk.exe | 6a065dd1770bd82e5074cb544503727d_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | bskbgpksuz.exe
  File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | mtzjtbkd.exe
  File opened for modification | C:\Windows\SysWOW64\bskbgpksuz.exe | 6a065dd1770bd82e5074cb544503727d_JaffaCakes118.exe
  File created | C:\Windows\SysWOW64\dclaxqjpudczygq.exe | 6a065dd1770bd82e5074cb544503727d_JaffaCakes118.exe
  File created | C:\Windows\SysWOW64\iekbjkkjoeoqk.exe | 6a065dd1770bd82e5074cb544503727d_JaffaCakes118.exe
  File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | mtzjtbkd.exe
  File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | mtzjtbkd.exe
  File created | C:\Windows\SysWOW64\bskbgpksuz.exe | 6a065dd1770bd82e5074cb544503727d_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\mtzjtbkd.exe | 6a065dd1770bd82e5074cb544503727d_JaffaCakes118.exe

Drops file in Program Files directory (14 IoCs)
Processes: mtzjtbkd.exe, mtzjtbkd.exe
  description | ioc | process
  File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | mtzjtbkd.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | mtzjtbkd.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | mtzjtbkd.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | mtzjtbkd.exe
  File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | mtzjtbkd.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | mtzjtbkd.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | mtzjtbkd.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | mtzjtbkd.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | mtzjtbkd.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | mtzjtbkd.exe
  File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | mtzjtbkd.exe
  File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | mtzjtbkd.exe
  File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | mtzjtbkd.exe
  File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | mtzjtbkd.exe

Drops file in Windows directory (19 IoCs)
Processes: mtzjtbkd.exe, mtzjtbkd.exe, 6a065dd1770bd82e5074cb544503727d_JaffaCakes118.exe, WINWORD.EXE
  description | ioc | process
  File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | mtzjtbkd.exe
  File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | mtzjtbkd.exe
  File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | mtzjtbkd.exe
  File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | mtzjtbkd.exe
  File opened for modification | C:\Windows\mydoc.rtf | 6a065dd1770bd82e5074cb544503727d_JaffaCakes118.exe
  File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | mtzjtbkd.exe
  File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | mtzjtbkd.exe
  File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | mtzjtbkd.exe
  File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | mtzjtbkd.exe
  File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | mtzjtbkd.exe
  File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | mtzjtbkd.exe
  File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
  File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | mtzjtbkd.exe
  File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | mtzjtbkd.exe
  File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | mtzjtbkd.exe
  File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
  File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | mtzjtbkd.exe
  File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | mtzjtbkd.exe
  File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | mtzjtbkd.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: WINWORD.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE

Modifies registry class (20 IoCs)
Processes: bskbgpksuz.exe, 6a065dd1770bd82e5074cb544503727d_JaffaCakes118.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | bskbgpksuz.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | bskbgpksuz.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | bskbgpksuz.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | bskbgpksuz.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | bskbgpksuz.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | bskbgpksuz.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | bskbgpksuz.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | bskbgpksuz.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | bskbgpksuz.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33412D7B9C2283226A4477D070562DDD7CF465AA" | 6a065dd1770bd82e5074cb544503727d_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AC8FACEF961F19884783A4086EA3E91B38A02F043120233E2BE42E709D2" | 6a065dd1770bd82e5074cb544503727d_JaffaCakes118.exe
  Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings | 6a065dd1770bd82e5074cb544503727d_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | bskbgpksuz.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 6a065dd1770bd82e5074cb544503727d_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "183DC67D14E5DBC7B8C17CE6ED9337C8" | 6a065dd1770bd82e5074cb544503727d_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0816BC1FE6D22DCD27AD1D58B7D9162" | 6a065dd1770bd82e5074cb544503727d_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | bskbgpksuz.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | bskbgpksuz.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC6B02E44E439E852CABAD0329ED7BB" | 6a065dd1770bd82e5074cb544503727d_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF8FF82482B85139132D72C7DE5BDE7E13D59426731623FD79F" | 6a065dd1770bd82e5074cb544503727d_JaffaCakes118.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes: WINWORD.EXE
  pid | process | occurrences in the report
  1016 | WINWORD.EXE | 2

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: 6a065dd1770bd82e5074cb544503727d_JaffaCakes118.exe, mtzjtbkd.exe, bskbgpksuz.exe, iekbjkkjoeoqk.exe, dclaxqjpudczygq.exe, mtzjtbkd.exe
  pid | process | occurrences in the report
  544 | 6a065dd1770bd82e5074cb544503727d_JaffaCakes118.exe | 16
  4984 | mtzjtbkd.exe | 8
  4572 | bskbgpksuz.exe | 10
  1488 | iekbjkkjoeoqk.exe | 12
  2416 | dclaxqjpudczygq.exe | 10
  1340 | mtzjtbkd.exe | 8

Suspicious use of FindShellTrayWindow (18 IoCs)
Processes: 6a065dd1770bd82e5074cb544503727d_JaffaCakes118.exe, mtzjtbkd.exe, iekbjkkjoeoqk.exe, bskbgpksuz.exe, dclaxqjpudczygq.exe, mtzjtbkd.exe
  pid | process | occurrences in the report
  544 | 6a065dd1770bd82e5074cb544503727d_JaffaCakes118.exe | 3
  4984 | mtzjtbkd.exe | 3
  1488 | iekbjkkjoeoqk.exe | 3
  4572 | bskbgpksuz.exe | 3
  2416 | dclaxqjpudczygq.exe | 3
  1340 | mtzjtbkd.exe | 3

Suspicious use of SendNotifyMessage (18 IoCs)
Processes: 6a065dd1770bd82e5074cb544503727d_JaffaCakes118.exe, mtzjtbkd.exe, iekbjkkjoeoqk.exe, bskbgpksuz.exe, dclaxqjpudczygq.exe, mtzjtbkd.exe
  pid | process | occurrences in the report
  544 | 6a065dd1770bd82e5074cb544503727d_JaffaCakes118.exe | 3
  4984 | mtzjtbkd.exe | 3
  1488 | iekbjkkjoeoqk.exe | 3
  4572 | bskbgpksuz.exe | 3
  2416 | dclaxqjpudczygq.exe | 3
  1340 | mtzjtbkd.exe | 3

Suspicious use of SetWindowsHookEx (7 IoCs)
Processes: WINWORD.EXE
  pid | process | occurrences in the report
  1016 | WINWORD.EXE | 7

Suspicious use of WriteProcessMemory (17 IoCs)
Processes: 6a065dd1770bd82e5074cb544503727d_JaffaCakes118.exe, bskbgpksuz.exe
  description | pid | process | target process | occurrences in the report
  PID 544 wrote to memory of 4572 | 544 | 6a065dd1770bd82e5074cb544503727d_JaffaCakes118.exe | bskbgpksuz.exe | 3
  PID 544 wrote to memory of 2416 | 544 | 6a065dd1770bd82e5074cb544503727d_JaffaCakes118.exe | dclaxqjpudczygq.exe | 3
  PID 544 wrote to memory of 4984 | 544 | 6a065dd1770bd82e5074cb544503727d_JaffaCakes118.exe | mtzjtbkd.exe | 3
  PID 544 wrote to memory of 1488 | 544 | 6a065dd1770bd82e5074cb544503727d_JaffaCakes118.exe | iekbjkkjoeoqk.exe | 3
  PID 544 wrote to memory of 1016 | 544 | 6a065dd1770bd82e5074cb544503727d_JaffaCakes118.exe | WINWORD.EXE | 2
  PID 4572 wrote to memory of 1340 | 4572 | bskbgpksuz.exe | mtzjtbkd.exe | 3
Processes (tree; nesting level as given in the report, children indented under their parent)
Level 1: C:\Users\Admin\AppData\Local\Temp\6a065dd1770bd82e5074cb544503727d_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6a065dd1770bd82e5074cb544503727d_JaffaCakes118.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\SysWOW64\bskbgpksuz.exe
    Command line: bskbgpksuz.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\SysWOW64\mtzjtbkd.exe
      Command line: C:\Windows\system32\mtzjtbkd.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  Level 2: C:\Windows\SysWOW64\dclaxqjpudczygq.exe
    Command line: dclaxqjpudczygq.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  Level 2: C:\Windows\SysWOW64\mtzjtbkd.exe
    Command line: mtzjtbkd.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  Level 2: C:\Windows\SysWOW64\iekbjkkjoeoqk.exe
    Command line: iekbjkkjoeoqk.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  Level 2: C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx

Level 1: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4124,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=4072 /prefetch:8
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Modify Registry (6)
  Impair Defenses (2)
    Disable or Modify Tools (2)
Downloads
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
  Filesize: 512KB
  MD5: 1844cbb4fb115ff99aa64616dbe90ff4
  SHA1: 38e49a812724580f4379f1616202de0ed2434398
  SHA256: 8e96f282c9e81249735bf1ede52493dc4fb51a8fb9b4b0a8150ff7e17c914ff2
  SHA512: 4e79e6814955134efe66690f907c0719025aae170c82425a9be95fc525f4a878987606a7ee2700fc59f82301e8abfbf4aa67573f8cf145a1349045d7eb402a00

C:\Users\Admin\AppData\Local\Temp\TCD33A3.tmp\sist02.xsl
  Filesize: 245KB
  MD5: f883b260a8d67082ea895c14bf56dd56
  SHA1: 7954565c1f243d46ad3b1e2f1baf3281451fc14b
  SHA256: ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
  SHA512: d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
  Filesize: 239B
  MD5: 12b138a5a40ffb88d1850866bf2959cd
  SHA1: 57001ba2de61329118440de3e9f8a81074cb28a2
  SHA256: 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
  SHA512: 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 3KB
  MD5: 065a899baeb81ac67e2cf014f7c10ce3
  SHA1: fc70f90df012e551bdf8d0f7432e96a7f02c2714
  SHA256: 7f1770a73d7b8772f84f06c09b175a457dc2c73c7522110b1a40f288eff7ecb9
  SHA512: 22b1983c030c22e432eeb8e0e83ddddb2b770bb5df08455114b0849bc0578f34a4a00af21f4d7cda17aa888dd9aa94470351fdc03fba23101e6d3e515c41ec6e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 3KB
  MD5: af54e2148ce40046a5aa43b35b2be04b
  SHA1: f5eb24b3ae6ccc9f06577f34c05525c6d8e8f738
  SHA256: abc4422a45f4738a93e3f7de972b2b1cdbf54903db16349e1acce65dbb66aa3b
  SHA512: ba410c5426d9f1aa1fa24924a16c22b7b70fee7e9ac95f3c21f43f2ceed0af8d9e67257b7891d8a6a8659a444b1c72a3c836db441436e11fcc17e1267930e1b1

C:\Users\Admin\Documents\MergeDisconnect.doc.exe
  Filesize: 512KB
  MD5: 7776f968b949e58c388030fbabbdd1ef
  SHA1: 0c6ebef3501e55e30cd2891c2c616ff8d514671c
  SHA256: 77eb80419091f4b72a56965f65bed020d5f5bf0771f02ebdba6a77ddbd8fe6cc
  SHA512: 3572e4bf5225e0f4e5e7a21716a93a08a27af8857c8fc3e94fff6a1e2cea4eabc4e0fe80d5cbde3f7b88a52fe5e68e01f338cc6f3af8b1af484d2ab4430842c1

C:\Windows\SysWOW64\bskbgpksuz.exe
  Filesize: 512KB
  MD5: f4777660c75d46c4ebbed4b328cd6d59
  SHA1: 6cdf1914dc3db1140884cf290a007204b09c574a
  SHA256: 79f140562585207273ddbb88277f4fd503245a59c5dfe17db52f215e0d129ce8
  SHA512: 9b86a9ed429c5a5bbed8917bd394bd8cdec36e291bcd9478942f8c8d834262ddb3fc71d6c75a3fd484a129d2913f493fa63ec6f03b45f9216a0b8041387024df

C:\Windows\SysWOW64\dclaxqjpudczygq.exe
  Filesize: 512KB
  MD5: eb929038f693ccb198faaf2cc81322e0
  SHA1: 207e5a8627bae72b1f497e9b1aa209c2632137f3
  SHA256: 426c9fcba7b7b04b81dd1f38813bfe0ec517e112808f56606536935e92b89231
  SHA512: fd15f168a9f81de389b892331c4e011f735ab4fe78e33e62fc704b36d5cbfec9b69d45782765f1f74297c5bbc56e60f8f8f0b88f27b9dbc8db23423ea1d5e8d8

C:\Windows\SysWOW64\iekbjkkjoeoqk.exe
  Filesize: 512KB
  MD5: 064e79ddd703bfe88cff1f7c8273d679
  SHA1: c69f7943024f840b3b35d9fa0d758e9ff3107a6d
  SHA256: 13941249166c42385ad249a865f263e6f2d5f736c9043d2b93d2b617997c4dfa
  SHA512: c1139ea98e9b1cfcbc616fef932566a58f0aed821782e7614eaca6fbb1b33abb47c08957479164e7059340ccd3a45b4548333c5cbb1e4abb8db93a072b83e3a8

C:\Windows\SysWOW64\mtzjtbkd.exe
  Filesize: 512KB
  MD5: aaad5f89707a792c1aed9f0bb8a5ec75
  SHA1: c8baab767643cbc7983f1a3ec0633505d6507abf
  SHA256: efd304232f47720a7fc22d6f26ae8ccbd13aa96800bcda5de7f0ad550ac10664
  SHA512: 9dee3a1f0ec83e16ad7fd0a7ca4f53edd576751092ed6306eebdf9ccbf669002757dbc8f8702420a3f64a35c09b04954139d667637e9432620fe0ba0024d47d3

C:\Windows\mydoc.rtf
  Filesize: 223B
  MD5: 06604e5941c126e2e7be02c5cd9f62ec
  SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
  SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
  SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
  Filesize: 512KB
  MD5: c3388c25fb699f155a1c4e58db637dcb
  SHA1: 823c9aecef173afba5c2930a5cc4b58fe1930740
  SHA256: e4d1db1544f042cf6741a1f650bdca9416e66c285c5efc763043be20b8645838
  SHA512: be0d48ff6216203d6f445b181062da157eaf73a341d2e04e7d09e2abd15912a910e8045783388bc9a05fb7ec8bc010c7508f1e2dfa3270ea5164c9fa6ac58204

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
  Filesize: 512KB
  MD5: 4d2a631ebddbf76a81d001468e9dd607
  SHA1: c13093602a50da163dc9fd497d6e15d97211f29a
  SHA256: 5916cc9dfb757dda3bd2d93abe42702b21471eae6b8da7e492e9a81fead94587
  SHA512: 7ec19b0a753c97647cf63aef0f868d662a2a3e13dfa42fae7353cce2bca877603e848172932091506fbdeba0c3b48434b87a2d6cf14f4ab20b64283ae77bf9e2

memory/544-0-0x0000000000400000-0x0000000000496000-memory.dmp
  Filesize: 600KB

memory/1016-39-0x00007FFC86C70000-0x00007FFC86C80000-memory.dmp
  Filesize: 64KB

memory/1016-38-0x00007FFC86C70000-0x00007FFC86C80000-memory.dmp
  Filesize: 64KB

memory/1016-36-0x00007FFC86C70000-0x00007FFC86C80000-memory.dmp
  Filesize: 64KB

memory/1016-37-0x00007FFC86C70000-0x00007FFC86C80000-memory.dmp
  Filesize: 64KB

memory/1016-35-0x00007FFC86C70000-0x00007FFC86C80000-memory.dmp
  Filesize: 64KB

memory/1016-43-0x00007FFC84310000-0x00007FFC84320000-memory.dmp
  Filesize: 64KB

memory/1016-40-0x00007FFC84310000-0x00007FFC84320000-memory.dmp
  Filesize: 64KB

memory/1016-601-0x00007FFC86C70000-0x00007FFC86C80000-memory.dmp
  Filesize: 64KB

memory/1016-602-0x00007FFC86C70000-0x00007FFC86C80000-memory.dmp
  Filesize: 64KB

memory/1016-600-0x00007FFC86C70000-0x00007FFC86C80000-memory.dmp
  Filesize: 64KB

memory/1016-603-0x00007FFC86C70000-0x00007FFC86C80000-memory.dmp
  Filesize: 64KB