Analysis
max time kernel: 150s
max time network: 126s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-05-2024 06:07
Static task: static1
Behavioral task: behavioral1 (sample 69fb7c6da6009ac973da145b4fc12bd4_JaffaCakes118.exe, resource win7-20240508-en)
Behavioral task: behavioral2 (sample 69fb7c6da6009ac973da145b4fc12bd4_JaffaCakes118.exe, resource win10v2004-20240508-en)
General
Target: 69fb7c6da6009ac973da145b4fc12bd4_JaffaCakes118.exe
Size: 512KB
MD5: 69fb7c6da6009ac973da145b4fc12bd4
SHA1: 76f712be87c58d5d17a2754b6c091e4fa0ca3c23
SHA256: b606320b2db7ec86b819ac5463bb955932248868e1071b93804e189987e1238e
SHA512: 3bd08cb86091f4928fb4c75e36cb5ce3d22c1e3de52d64b6bd43e1c71ca7e920d0212d019208045b8bec9fb7269573fcf2c1adfadda143e264c47ef79fc00eb8
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6K:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm55
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
Process: xurwhptrbl.exe
  Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
Process: xurwhptrbl.exe
  Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
With HideFileExt = 1 and ShowSuperHidden = 0, the double-extension copies this sample drops (PROTTPLN.DOC.exe, SyncConvertFrom.doc.exe, MsoIrmProtector.doc.exe) are shown in Explorer without their final .exe.
Windows security bypass (signature name taken from the process tree below; the TTP/IoC counts are not recorded on this page)
Process: xurwhptrbl.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
Disables RegEdit via registry modification (1 IoC)
Process: xurwhptrbl.exe
  Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Process: 69fb7c6da6009ac973da145b4fc12bd4_JaffaCakes118.exe
  Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation
Executes dropped EXE (5 IoCs)
  PID 1532  xurwhptrbl.exe
  PID 4236  dzvvleusdhkwivj.exe
  PID 2120  xrzmyerz.exe
  PID 908   ldhaacrazwiac.exe
  PID 3172  xrzmyerz.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification (signature name taken from the process tree below; the TTP/IoC counts are not recorded on this page)
Process: xurwhptrbl.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
Adds Run key to start application (2 TTPs, 3 IoCs)
Process: dzvvleusdhkwivj.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dkwmwjqm = "xurwhptrbl.exe"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xradoivi = "dzvvleusdhkwivj.exe"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "ldhaacrazwiac.exe"
The third write has an empty value name, i.e. it sets the Run key's (Default) value; tools that enumerate Run entries by name can miss it.
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
All 64 entries are of the form "File opened (read-only) \??\<letter>:", a drive-letter sweep. Grouped by process:
Process: xrzmyerz.exe (both instances, PIDs 2120 and 3172; 43 entries)
  a: b: g: h: i: j: k: l: m: n: o: p: q: r: s: t: u: v: w: x: y: z:
Process: xurwhptrbl.exe (21 entries)
  a: b: e: g: h: i: k: m: n: o: p: q: r: s: t: u: v: w: x: y: z:
The letters c:, d: and f: do not appear among the recorded entries.
Modifies WinLogon (2 TTPs, 2 IoCs)
Process: xurwhptrbl.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"
4294967197 is 0xFFFFFF9D, the signed DWORD -99: the Windows 2000/XP-era switch for turning off Windows File Protection, with SFCScan = 0 disabling its boot-time scan. It has no documented effect on Windows Resource Protection in Windows 10, so on this platform the write is a fingerprint of old worm code rather than a working bypass.
AutoIT Executable (10 IoCs)
AutoIT scripts compiled to PE executables.
YARA rule autoit_exe matched:
  behavioral2/memory/4192-0-0x0000000000400000-0x0000000000496000-memory.dmp
  C:\Windows\SysWOW64\dzvvleusdhkwivj.exe
  C:\Windows\SysWOW64\xurwhptrbl.exe
  C:\Windows\SysWOW64\xrzmyerz.exe
  C:\Windows\SysWOW64\ldhaacrazwiac.exe
  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
  C:\Users\Admin\Documents\SyncConvertFrom.doc.exe
  \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
  \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (the path is written twice, with different content; both writes match)
Drops file in System32 directory (13 IoCs)
Process: 69fb7c6da6009ac973da145b4fc12bd4_JaffaCakes118.exe
  File created C:\Windows\SysWOW64\xurwhptrbl.exe
  File created C:\Windows\SysWOW64\dzvvleusdhkwivj.exe
  File created C:\Windows\SysWOW64\xrzmyerz.exe
  File created C:\Windows\SysWOW64\ldhaacrazwiac.exe
  File opened for modification C:\Windows\SysWOW64\xurwhptrbl.exe
  File opened for modification C:\Windows\SysWOW64\xrzmyerz.exe
  File opened for modification C:\Windows\SysWOW64\dzvvleusdhkwivj.exe
  File opened for modification C:\Windows\SysWOW64\ldhaacrazwiac.exe
Process: xrzmyerz.exe (both instances)
  File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (2 entries)
  File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (2 entries)
Process: xurwhptrbl.exe
  File opened for modification C:\Windows\SysWOW64\msvbvm60.dll (the Visual Basic 6 runtime)
Drops file in Program Files directory (15 IoCs)
Process: xrzmyerz.exe (both instances)
  File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (2 entries)
  File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (1 entry)
  File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (2 entries)
  File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (2 entries)
  File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (2 entries)
  File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (2 entries)
  File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal (2 entries)
  File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal (2 entries)
Drops file in Windows directory (19 IoCs)
Process: xrzmyerz.exe (both instances), 2 "File created" and 2 "File opened for modification" entries per path:
  \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe
  \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe
  \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe
  \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe
Process: 69fb7c6da6009ac973da145b4fc12bd4_JaffaCakes118.exe
  File opened for modification C:\Windows\mydoc.rtf
Process: WINWORD.EXE
  File opened for modification C:\Windows\mydoc.rtf
  File created C:\Windows\~$mydoc.rtf
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Process: WINWORD.EXE
  Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
Enumerates system info in registry (2 TTPs, 3 IoCs)
Process: WINWORD.EXE
  Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
Both of these signatures fire on WINWORD.EXE, which the sample launches to open the decoy C:\Windows\mydoc.rtf (see the process tree). The CPU and BIOS lookups are attributable to Office itself, not to the malware, so they should be read as sandbox noise rather than anti-analysis.
Modifies registry class (20 IoCs)
Process: 69fb7c6da6009ac973da145b4fc12bd4_JaffaCakes118.exe
  Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings
  Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32322D7D9D5282586A3477D077222DDC7DF564AC"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AC8F9BEFE6BF2E4837C3B44819E3E92B08B02FC4363023EE1BE45E608A0"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EC3B02844E439EF52BEBAD733E8D4CC"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFDFF83482885699140D75D7E97BD97E6415840674E633FD7EE"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F56BC5FF1A21ACD10ED0A48B789167"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1948C70815E3DABFB8CB7C92ECE334B9"
Process: xurwhptrbl.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat, \.reg, \.vbs, \.wsc, \.wsf, \.wsh (6 entries)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile"
Two distinct things happen here. The sample stores six opaque hex strings under a key it creates itself, HKLM\SOFTWARE\Classes\CLV.Classes; this report does not establish what they encode. Separately, xurwhptrbl.exe points the default handler of .bat, .reg, .vbs, .wsc, .wsf and .wsh at txtfile, so double-clicking any of these opens Notepad instead of cmd.exe, regedit or the Windows Script Host: clean-up batch files and .reg fixes silently stop working until the associations are restored.
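The registry writes recorded in the signatures above (Explorer hiding, Security Center notification and override flags, DisableRegistryTools, the Winlogon SFC values, the Run key and the script-extension remap) can be checked mechanically. The following Python is an added example and not part of the sandbox report: it parses the report's flattened IoC lines into records and evaluates each against a rule table of attacker-desired values. The rule table and its ATT&CK technique labels are this example's own construction, and the sample lines are copied from the signature blocks above as constructed input.

```python
"""Evaluate the registry IoCs from a sandbox report against a rule table.

Added example, not part of the sandbox output.  The parser accepts the
report's flattened lines ('Set value (int) <path> = "<data>" <process>',
'Key created <path> <process>', ...); the rule table, its ATT&CK technique
labels and the sample lines below are this example's own construction.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: lines copied from the report's signature blocks.
IOC_LINES = [
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" xurwhptrbl.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" xurwhptrbl.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" xurwhptrbl.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" xurwhptrbl.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" xurwhptrbl.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dkwmwjqm = "xurwhptrbl.exe" dzvvleusdhkwivj.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" xurwhptrbl.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat xurwhptrbl.exe',
]


@dataclass
class IoC:
    action: str
    path: str
    data: Optional[str]   # None for key-only events
    process: str


@dataclass
class Finding:
    value_name: str
    observed: str
    technique: str
    note: str
    process: str


_SET_RE = re.compile(r'^Set value \((?:int|str)\) (?P<path>.+?) = "(?P<data>[^"]*)" (?P<proc>\S+)$')
_KEY_RE = re.compile(r'^(?P<action>Key created|Key opened|Key value queried) (?P<path>.+) (?P<proc>\S+)$')


def parse_ioc(line: str) -> Optional[IoC]:
    """Parse one report line; returns None for a line in an unknown shape."""
    m = _SET_RE.match(line.strip())
    if m:
        return IoC("Set value", m["path"], m["data"], m["proc"])
    m = _KEY_RE.match(line.strip())
    if m:
        return IoC(m["action"], m["path"], None, m["proc"])
    return None


def to_int32(raw: str) -> int:
    """Reinterpret the unsigned DWORD the report prints as a signed 32-bit value."""
    v = int(raw)
    return v - (1 << 32) if v >= (1 << 31) else v


# value name -> (attacker-desired data, ATT&CK technique, effect).  This mapping
# is the example's own assumption; the sandbox does not publish one.
_WANTED = {
    "hidefileext": ("1", "T1564.001", "Explorer hides the final extension, so PROTTPLN.DOC.exe shows as PROTTPLN.DOC"),
    "showsuperhidden": ("0", "T1564.001", "protected operating-system files stay hidden"),
    "antivirusdisablenotify": ("1", "T1562.001", "Security Center no longer warns about antivirus state"),
    "firewalldisablenotify": ("1", "T1562.001", "Security Center no longer warns about firewall state"),
    "updatesdisablenotify": ("1", "T1562.001", "Security Center no longer warns about missing updates"),
    "antivirusoverride": ("1", "T1562.001", "antivirus status forced to OK"),
    "firewalloverride": ("1", "T1562.001", "firewall status forced to OK"),
    "firstrundisabled": ("1", "T1562.001", "Security Center first-run prompt suppressed"),
    "disableregistrytools": ("1", "T1562.001", "regedit refused for this user"),
}
# Extensions whose default handler should never be a plain-text viewer (assumed list).
_SCRIPT_EXTS = {".bat", ".cmd", ".reg", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".wsc", ".ps1"}


def evaluate(iocs: List[IoC]) -> List[Finding]:
    """Return one Finding per registry write that matches a rule."""
    findings: List[Finding] = []
    for ioc in iocs:
        if ioc.data is None:          # key creation alone is not a finding
            continue
        key_path, _, name = ioc.path.rpartition("\\")
        lname = name.lower()
        key_leaf = key_path.rpartition("\\")[2].lower()
        if lname in _WANTED and ioc.data == _WANTED[lname][0]:
            _, tech, note = _WANTED[lname]
            findings.append(Finding(name, ioc.data, tech, note, ioc.process))
        elif lname == "sfcdisable" and to_int32(ioc.data) != 0:
            findings.append(Finding(name, f"{ioc.data} (signed {to_int32(ioc.data)})", "T1562.001",
                                    "legacy Windows File Protection switch written under Winlogon", ioc.process))
        elif key_path.lower().endswith("\\currentversion\\run"):
            findings.append(Finding(name or "(Default)", ioc.data, "T1547.001",
                                    "Run-key autostart entry", ioc.process))
        elif name == "" and key_leaf in _SCRIPT_EXTS and ioc.data.lower() == "txtfile":
            findings.append(Finding(key_leaf, ioc.data, "T1546.001",
                                    "script extension remapped to Notepad: double-click no longer executes it", ioc.process))
    return findings


if __name__ == "__main__":
    parsed = [i for i in map(parse_ioc, IOC_LINES) if i is not None]
    for f in evaluate(parsed):
        print(f"{f.technique}  {f.value_name} = {f.observed}  [{f.process}]  {f.note}")
```

Rules match on the value name rather than the full key path, so the same table works whether the write lands under WOW6432Node (as it does here, the payloads being 32-bit) or under the native key. The SFCDisable rule converts the report's unsigned rendering back to a signed DWORD before deciding, which is how 4294967197 becomes the recognisable -99.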
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  PID 4532  WINWORD.EXE (2 entries)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 4192  69fb7c6da6009ac973da145b4fc12bd4_JaffaCakes118.exe (16 entries)
  PID 1532  xurwhptrbl.exe (10 entries)
  PID 4236  dzvvleusdhkwivj.exe (10 entries)
  PID 2120  xrzmyerz.exe (8 entries)
  PID 908   ldhaacrazwiac.exe (12 entries)
  PID 3172  xrzmyerz.exe (8 entries)
Suspicious use of FindShellTrayWindow (18 IoCs)
  PID 4192  69fb7c6da6009ac973da145b4fc12bd4_JaffaCakes118.exe (3 entries)
  PID 1532  xurwhptrbl.exe (3 entries)
  PID 4236  dzvvleusdhkwivj.exe (3 entries)
  PID 2120  xrzmyerz.exe (3 entries)
  PID 908   ldhaacrazwiac.exe (3 entries)
  PID 3172  xrzmyerz.exe (3 entries)
Suspicious use of SendNotifyMessage (18 IoCs)
  PID 4192  69fb7c6da6009ac973da145b4fc12bd4_JaffaCakes118.exe (3 entries)
  PID 1532  xurwhptrbl.exe (3 entries)
  PID 4236  dzvvleusdhkwivj.exe (3 entries)
  PID 2120  xrzmyerz.exe (3 entries)
  PID 908   ldhaacrazwiac.exe (3 entries)
  PID 3172  xrzmyerz.exe (3 entries)
Suspicious use of SetWindowsHookEx (7 IoCs)
  PID 4532  WINWORD.EXE (7 entries)
Suspicious use of WriteProcessMemory (17 IoCs)
  PID 4192 (69fb7c6da6009ac973da145b4fc12bd4_JaffaCakes118.exe) wrote to memory of 1532 (xurwhptrbl.exe), 3 entries
  PID 4192 (69fb7c6da6009ac973da145b4fc12bd4_JaffaCakes118.exe) wrote to memory of 4236 (dzvvleusdhkwivj.exe), 3 entries
  PID 4192 (69fb7c6da6009ac973da145b4fc12bd4_JaffaCakes118.exe) wrote to memory of 2120 (xrzmyerz.exe), 3 entries
  PID 4192 (69fb7c6da6009ac973da145b4fc12bd4_JaffaCakes118.exe) wrote to memory of 908 (ldhaacrazwiac.exe), 3 entries
  PID 4192 (69fb7c6da6009ac973da145b4fc12bd4_JaffaCakes118.exe) wrote to memory of 4532 (WINWORD.EXE), 2 entries
  PID 1532 (xurwhptrbl.exe) wrote to memory of 3172 (xrzmyerz.exe), 3 entries
Every write targets a process the writer has just created (see the process tree), the pattern a parent shows when it launches a child, not evidence of injection into an unrelated process.
Processes
-
C:\Users\Admin\AppData\Local\Temp\69fb7c6da6009ac973da145b4fc12bd4_JaffaCakes118.exe  (level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\69fb7c6da6009ac973da145b4fc12bd4_JaffaCakes118.exe"
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4192 -
C:\Windows\SysWOW64\xurwhptrbl.exe  (level 2)
  command line: xurwhptrbl.exe
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1532 -
C:\Windows\SysWOW64\xrzmyerz.exe  (level 3)
  command line: C:\Windows\system32\xrzmyerz.exe  (the command line names system32; WoW64 file-system redirection resolves it to SysWOW64 for this 32-bit process)
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3172 -
C:\Windows\SysWOW64\dzvvleusdhkwivj.exe  (level 2)
  command line: dzvvleusdhkwivj.exe
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4236 -
C:\Windows\SysWOW64\xrzmyerz.exe  (level 2)
  command line: xrzmyerz.exe
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2120 -
C:\Windows\SysWOW64\ldhaacrazwiac.exe  (level 2)
  command line: ldhaacrazwiac.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:908 -
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE  (level 2)
  command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4532
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (6)
Downloads
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
  Filesize: 512KB
  MD5: 2006c16a7312fa54ccc303f1a20967d2
  SHA1: ba84d3ad2fb7a4c9b997fd76a9422cf4d7188472
  SHA256: 4611974ac9cdd5063261d88bbd6c31197b519ea1838afbf62f503b8be6c4b47c
  SHA512: 07fcabefee9126d137f8241a166616adb5805fd1cb48a1375d228f913f64cfd232a5252b4061b1464af4727db9cb588691b6ca3b0c36979aa35c3a285263a09c
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
  Filesize: 512KB
  MD5: 9d3b8a25f1b4ad77aa759a1fc0aef8d5
  SHA1: 68707a3232d53e51b25d4cf09eba54b48954c568
  SHA256: fe4f14b6cfc94290033e4897f58aa39aa6978e3fcf7db17d1e33c9fff68cb96a
  SHA512: 2ee85b0f5716607de1fae356f4210ff8622f007d531508ad8f0df9326770a73e34c8f85e8062a9bd996bd8166ad709732d2bfff575c5c79e79bf3f9ab2682514
C:\Users\Admin\AppData\Local\Temp\TCD9941.tmp\gb.xsl
  Filesize: 262KB
  MD5: 51d32ee5bc7ab811041f799652d26e04
  SHA1: 412193006aa3ef19e0a57e16acf86b830993024a
  SHA256: 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
  SHA512: 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
  Filesize: 239B
  MD5: 12b138a5a40ffb88d1850866bf2959cd
  SHA1: 57001ba2de61329118440de3e9f8a81074cb28a2
  SHA256: 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
  SHA512: 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 3KB
  MD5: d463f3a3c52d184048d6732d762a28e4
  SHA1: 97c86435342b4b235ecc8af8c98ab5877f8487e7
  SHA256: 60427c5ecb5351edf71819c3a7ed0ad8aa4f508b89d1da1b5703de54255ab64f
  SHA512: e3f27e0630dc8df753893c4f18784756572d95be046fdcdc94404d267fe8dbe9a49c07bb97c9c3a7709f34f12606d08004af91c6085b00029d3f28f53714c709
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 3KB
  MD5: 1a9ec3a1b444af68aa099297355279bc
  SHA1: 94787d6eec6ac6fee42cfb8baf1a574edb302fc5
  SHA256: de4286ee75ab89b063b2344bc051c4e89b407e2e736e63f7786aba2778e7faf3
  SHA512: ae73371a7ba3536962657232899d4b6fa40712d802d95026828b1f5beb5852a464fab82f591ada5c6cfd36ea436114ec1292e9059338c70dfcb7a8b0c2741c6b
C:\Users\Admin\Documents\SyncConvertFrom.doc.exe
  Filesize: 512KB
  MD5: 09410da3e54867c8073972f8ebe40bb8
  SHA1: 5afef8809ff762fc931501949c21e6d69ccd18e4
  SHA256: 05a23727f7411f836f24f71bd0a0487e77ed910dec743e46066baa87ee941a93
  SHA512: 68d1c908b81f35b24d867897a855f388bb9c7875e9dedf36410903c20efbf8f32aea2eac84a3de6b607625f2fe562da980312bf4788dff9969a3b958f1484ee2
C:\Windows\SysWOW64\dzvvleusdhkwivj.exe
  Filesize: 512KB
  MD5: 51da4c463003e62f3a2bc3233957230d
  SHA1: 2f596a8f45669c5c9d98a73dd8296cb35d814401
  SHA256: 05b43a88ce60f2814306c39ccae53fc885f6d3367ddf53e71d3d7ab3505d74cc
  SHA512: 95d8195fcf30b54c260f48f7ab02308b0b44c7a097729289386e1d6eb3be608c79e315471c8ad858d08054136e2dd12eb403deb23eb1903a5bffc209be39061b
C:\Windows\SysWOW64\ldhaacrazwiac.exe
  Filesize: 512KB
  MD5: ebbaa04519b8024bd3790d2c90eb6ac1
  SHA1: 2b53c402be22ec7f94a3545dded76f8132865094
  SHA256: ee9a5bb3e6588afff0d5b80a4306dd922d5b0719a50085f579880f7e409f2700
  SHA512: b4f5d6d539fa39041a08cfd457aea26cf268f0ba0f3fa30bc66523e9dabb5fb1318b246c9cb1619bc57c2963488afb2698d5939ee74dcd1ec637d0aa5e1aad91
C:\Windows\SysWOW64\xrzmyerz.exe
  Filesize: 512KB
  MD5: ea65e40b3f6606afc5c6064e102be2b3
  SHA1: 613cab4b66f1ddf69f2e8df5e627b805e6dd83f1
  SHA256: 234b6f47dc4a1d6d5ea1735c4dbb36d2f86a1a13f89a2be3fe4117a5b3d12385
  SHA512: b540d3ed0d58af1ec992d8c31b4e094ee2179d5acc8508797b933b319a41bdfd734701a1e2fae161c7ed46e4b61f07eed561f808b542246a9eca0d14a6a530cd
C:\Windows\SysWOW64\xurwhptrbl.exe
  Filesize: 512KB
  MD5: 61e0b804a0c3e4999ffffaed52905eb0
  SHA1: 451b4be0d7afba9a50ed0fbf04dba191f82a4d6a
  SHA256: fb508aa112654ae730c8f01b65c9fee0f818ea287050e2557dd96746470472cc
  SHA512: dac503b446826d12bacdf96e4977cbcf52b18516bb88f8ad7359352a788e5bd9ece84dbb8284de66b27e049e5bf7417e80af8cd4e5722891d0e2511ed043d024
C:\Windows\mydoc.rtf
  Filesize: 223B
  MD5: 06604e5941c126e2e7be02c5cd9f62ec
  SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
  SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
  SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
  Filesize: 512KB
  MD5: 7f29206be9f0a118b5963e9621239836
  SHA1: 63b7bdd7f4f5c6f200ededd073948695b2c2aa84
  SHA256: e2a951bb571f3a63f537bb3587419d4ad853ed9a0c48cf87fb93833b913f8cfd
  SHA512: e5e3fc7d17f00588fbbf6a7774f5bc14988e060ff21fef5137be9e322a2e471952aeea903029d43ee2d60dca21428c409b4c5d3bcbd37d02d177f265db8ace8b
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
  Filesize: 512KB
  MD5: 6b8964a9a24a9e3d352bb9f1a3cfa6b3
  SHA1: 8f1cc789d162d5c24fcae16714b751917ed2c9a3
  SHA256: ae10dfb2f008235a246c0ba83573cd7177ba21ee2c728fc1a12d14acaac0f617
  SHA512: e38ec9977b491a56687f7b81a93aa8f235691da2efdd891e20dc35255cb0b68af6972cc2ae314574f24ca38eba87fde11f29da520a7fbe084706f8400091461b
Memory dumps
memory/4192-0-0x0000000000400000-0x0000000000496000-memory.dmp: 600KB
memory/4532-37-0x00007FFE01AB0000-0x00007FFE01AC0000-memory.dmp: 64KB
memory/4532-38-0x00007FFE01AB0000-0x00007FFE01AC0000-memory.dmp: 64KB
memory/4532-39-0x00007FFE01AB0000-0x00007FFE01AC0000-memory.dmp: 64KB
memory/4532-40-0x00007FFE01AB0000-0x00007FFE01AC0000-memory.dmp: 64KB
memory/4532-41-0x00007FFE01AB0000-0x00007FFE01AC0000-memory.dmp: 64KB
memory/4532-42-0x00007FFDFF5B0000-0x00007FFDFF5C0000-memory.dmp: 64KB
memory/4532-43-0x00007FFDFF5B0000-0x00007FFDFF5C0000-memory.dmp: 64KB
memory/4532-598-0x00007FFE01AB0000-0x00007FFE01AC0000-memory.dmp: 64KB
memory/4532-599-0x00007FFE01AB0000-0x00007FFE01AC0000-memory.dmp: 64KB
memory/4532-600-0x00007FFE01AB0000-0x00007FFE01AC0000-memory.dmp: 64KB
memory/4532-601-0x00007FFE01AB0000-0x00007FFE01AC0000-memory.dmp: 64KB
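Every dropped executable in the list above is 512KB yet carries a distinct hash, and several sit under a document-style double extension (PROTTPLN.DOC.exe, SyncConvertFrom.doc.exe, MsoIrmProtector.doc.exe), which Explorer renders without the final .exe once HideFileExt is set as the first signature records. The following Python is an added example and not part of the sandbox report: it loads the Downloads entries (copied from the list above, sizes as displayed) and derives a SHA256 hunting list, flags double-extension names, shows what Explorer would display for each, and finds paths that were written more than once with different content. The extension sets, the byte conversion of the rounded sizes and the handling of the \??\ prefix are this example's assumptions.

```python
"""Hunting list from a sandbox report's dropped-file table.

Added example, not part of the sandbox output.  The entries are copied from
the Downloads list above; the displayed (rounded) sizes, the extension sets
and the object-manager prefix handling are this example's assumptions.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

Entry = Tuple[str, str, str]   # (path as printed, displayed size, sha256)

# Constructed input: (path, size, SHA256) as listed under Downloads on this page.
DROPPED: List[Entry] = [
    (r"C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe", "512KB", "4611974ac9cdd5063261d88bbd6c31197b519ea1838afbf62f503b8be6c4b47c"),
    (r"C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe", "512KB", "fe4f14b6cfc94290033e4897f58aa39aa6978e3fcf7db17d1e33c9fff68cb96a"),
    (r"C:\Users\Admin\Documents\SyncConvertFrom.doc.exe", "512KB", "05a23727f7411f836f24f71bd0a0487e77ed910dec743e46066baa87ee941a93"),
    (r"C:\Windows\SysWOW64\dzvvleusdhkwivj.exe", "512KB", "05b43a88ce60f2814306c39ccae53fc885f6d3367ddf53e71d3d7ab3505d74cc"),
    (r"C:\Windows\SysWOW64\ldhaacrazwiac.exe", "512KB", "ee9a5bb3e6588afff0d5b80a4306dd922d5b0719a50085f579880f7e409f2700"),
    (r"C:\Windows\SysWOW64\xrzmyerz.exe", "512KB", "234b6f47dc4a1d6d5ea1735c4dbb36d2f86a1a13f89a2be3fe4117a5b3d12385"),
    (r"C:\Windows\SysWOW64\xurwhptrbl.exe", "512KB", "fb508aa112654ae730c8f01b65c9fee0f818ea287050e2557dd96746470472cc"),
    (r"C:\Windows\mydoc.rtf", "223B", "85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2"),
    (r"\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe", "512KB", "e2a951bb571f3a63f537bb3587419d4ad853ed9a0c48cf87fb93833b913f8cfd"),
    (r"\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe", "512KB", "ae10dfb2f008235a246c0ba83573cd7177ba21ee2c728fc1a12d14acaac0f617"),
    (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms", "3KB", "60427c5ecb5351edf71819c3a7ed0ad8aa4f508b89d1da1b5703de54255ab64f"),
    (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms", "3KB", "de4286ee75ab89b063b2344bc051c4e89b407e2e736e63f7786aba2778e7faf3"),
]

_SIZE_RE = re.compile(r"^(\d+(?:\.\d+)?)(B|KB|MB)$")
_UNITS = {"B": 1, "KB": 1024, "MB": 1024 * 1024}
# Final extensions that execute, and the document-like ones used to disguise them (assumed sets).
_EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
_DECOY_EXTS = {".doc", ".docx", ".rtf", ".pdf", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def size_bytes(shown: str) -> int:
    """Displayed size such as '512KB' to bytes; the page rounds, so this is approximate."""
    m = _SIZE_RE.match(shown)
    if not m:
        raise ValueError(f"unrecognised size: {shown!r}")
    return int(float(m.group(1)) * _UNITS[m.group(2)])


def _strip_nt_prefix(path: str) -> str:
    """Drop the NT object-manager prefix the report prints for some paths."""
    return path[4:] if path.startswith("\\??\\") else path


def normalize(path: str) -> str:
    """Case-folded, prefix-free path for de-duplication."""
    return _strip_nt_prefix(path).lower()


def basename(path: str) -> str:
    return _strip_nt_prefix(path).rsplit("\\", 1)[-1]


def extensions(name: str) -> List[str]:
    """All dotted suffixes in order, e.g. 'a.doc.exe' -> ['.doc', '.exe']."""
    return ["." + p for p in name.lower().split(".")[1:]]


def is_double_extension(path: str) -> bool:
    exts = extensions(basename(path))
    return len(exts) >= 2 and exts[-1] in _EXEC_EXTS and exts[-2] in _DECOY_EXTS


def explorer_name(path: str, hide_file_ext: bool = True) -> str:
    """What Explorer shows for the file when HideFileExt is 1 (the value this sample sets)."""
    name = basename(path)
    return name.rsplit(".", 1)[0] if hide_file_ext and "." in name else name


def executable_hashes(entries: List[Entry]) -> List[str]:
    return sorted({sha for path, _, sha in entries if basename(path).lower().endswith(".exe")})


def rewritten_paths(entries: List[Entry]) -> Dict[str, int]:
    """Paths that appear with more than one SHA256: written, then overwritten."""
    seen = defaultdict(set)
    for path, _, sha in entries:
        seen[normalize(path)].add(sha)
    return {p: len(h) for p, h in seen.items() if len(h) > 1}


def disguised(entries: List[Entry]) -> List[Tuple[str, str]]:
    """(name Explorer shows, real name) for every double-extension drop."""
    return [(explorer_name(p), basename(p)) for p, _, _ in entries if is_double_extension(p)]


def summarize(entries: List[Entry]) -> dict:
    exe = [e for e in entries if basename(e[0]).lower().endswith(".exe")]
    return {
        "executables": len(exe),
        "distinct_exe_sha256": len(executable_hashes(entries)),
        "all_exe_512kb": all(size_bytes(s) == 512 * 1024 for _, s, _ in exe),
        "disguised": disguised(entries),
        "rewritten": rewritten_paths(entries),
    }


if __name__ == "__main__":
    for key, value in summarize(DROPPED).items():
        print(f"{key}: {value}")
```

Because the same MsoIrmProtector.doc.exe path appears twice with different hashes, blocking on a single SHA256 would miss the second write; the hash list is only useful as a whole, and the double-extension check is the durable indicator.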