Analysis
max time kernel: 150s
max time network: 129s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-05-2024 09:01
Static task: static1
Behavioral task: behavioral1
  Sample: 6a6b12c6756890e0a7b4ab47d9c407ec_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 6a6b12c6756890e0a7b4ab47d9c407ec_JaffaCakes118.exe
  Resource: win10v2004-20240426-en
General
Target: 6a6b12c6756890e0a7b4ab47d9c407ec_JaffaCakes118.exe
Size: 512KB
MD5: 6a6b12c6756890e0a7b4ab47d9c407ec
SHA1: 2c038b36ea5a6ff3f32b1f053839c7e315018cab
SHA256: 7ab92886128d9ac22eb00e29a7c216d89930e5d21fd78af53b58c779728c7f21
SHA512: a739495190c08e51c00b70a6df0ff4eef26bef5ec451eaa14f8ab045f2c3c890ad997916a1763019476e7766bbfe10ca5b2cec607a10013c4857519ac9c03221
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6P:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5C
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
Processes: qnnzmgtfyt.exe
- Set value (int): \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (qnnzmgtfyt.exe)
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes: qnnzmgtfyt.exe
- Set value (int): \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (qnnzmgtfyt.exe)
Windows security bypass
Processes: qnnzmgtfyt.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (qnnzmgtfyt.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (qnnzmgtfyt.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (qnnzmgtfyt.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (qnnzmgtfyt.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (qnnzmgtfyt.exe)
Disables RegEdit via registry modification 1 IoCs
Processes: qnnzmgtfyt.exe
- Set value (int): \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (qnnzmgtfyt.exe)
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 6a6b12c6756890e0a7b4ab47d9c407ec_JaffaCakes118.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation (6a6b12c6756890e0a7b4ab47d9c407ec_JaffaCakes118.exe)
Executes dropped EXE 5 IoCs
Processes: qnnzmgtfyt.exe, syvhhqefzduvsgs.exe, nnytzqio.exe, ifcbykqvurxuf.exe, nnytzqio.exe
- PID 4688: qnnzmgtfyt.exe
- PID 2572: syvhhqefzduvsgs.exe
- PID 4436: nnytzqio.exe
- PID 1636: ifcbykqvurxuf.exe
- PID 4536: nnytzqio.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
Processes: qnnzmgtfyt.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (qnnzmgtfyt.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (qnnzmgtfyt.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (qnnzmgtfyt.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" (qnnzmgtfyt.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (qnnzmgtfyt.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (qnnzmgtfyt.exe)
Adds Run key to start application 2 TTPs 3 IoCs
Processes: syvhhqefzduvsgs.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\otwrdodf = "qnnzmgtfyt.exe" (syvhhqefzduvsgs.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\bpmvagwh = "syvhhqefzduvsgs.exe" (syvhhqefzduvsgs.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "ifcbykqvurxuf.exe" (syvhhqefzduvsgs.exe)
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: nnytzqio.exe, qnnzmgtfyt.exe, nnytzqio.exe
All 64 entries are "File opened (read-only)" on a drive root; they are grouped here per process, each list in the order the report gives it:
- qnnzmgtfyt.exe (21 entries): \??\i: \??\l: \??\q: \??\n: \??\e: \??\p: \??\u: \??\v: \??\w: \??\z: \??\a: \??\k: \??\s: \??\y: \??\x: \??\h: \??\t: \??\b: \??\r: \??\g: \??\j:
- nnytzqio.exe (43 entries, two instances ran: PIDs 4436 and 4536): \??\r: \??\e: \??\m: \??\k: \??\n: \??\o: \??\y: \??\g: \??\b: \??\i: \??\j: \??\x: \??\z: \??\a: \??\b: \??\n: \??\s: \??\q: \??\o: \??\h: \??\u: \??\p: \??\w: \??\y: \??\i: \??\g: \??\r: \??\k: \??\h: \??\l: \??\q: \??\x: \??\s: \??\v: \??\e: \??\j: \??\p: \??\v: \??\m: \??\z: \??\l: \??\t: \??\t:
Modifies WinLogon 2 TTPs 2 IoCs
Processes: qnnzmgtfyt.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" (qnnzmgtfyt.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" (qnnzmgtfyt.exe)
AutoIT Executable 11 IoCs
AutoIT scripts compiled to PE executables.
Resources matching the yara rule autoit_exe:
- behavioral2/memory/4600-0-0x0000000000400000-0x0000000000496000-memory.dmp
- C:\Windows\SysWOW64\syvhhqefzduvsgs.exe
- C:\Windows\SysWOW64\qnnzmgtfyt.exe
- C:\Windows\SysWOW64\nnytzqio.exe
- C:\Windows\SysWOW64\ifcbykqvurxuf.exe
- C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- C:\Users\Admin\AppData\Roaming\EditGet.doc.exe
- \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
- \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
- \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
Drops file in System32 directory 12 IoCs
Processes: 6a6b12c6756890e0a7b4ab47d9c407ec_JaffaCakes118.exe, nnytzqio.exe, qnnzmgtfyt.exe, nnytzqio.exe
- File opened for modification: C:\Windows\SysWOW64\nnytzqio.exe (6a6b12c6756890e0a7b4ab47d9c407ec_JaffaCakes118.exe)
- File created: C:\Windows\SysWOW64\ifcbykqvurxuf.exe (6a6b12c6756890e0a7b4ab47d9c407ec_JaffaCakes118.exe)
- File created: \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (nnytzqio.exe)
- File opened for modification: \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (nnytzqio.exe)
- File opened for modification: C:\Windows\SysWOW64\qnnzmgtfyt.exe (6a6b12c6756890e0a7b4ab47d9c407ec_JaffaCakes118.exe)
- File created: C:\Windows\SysWOW64\syvhhqefzduvsgs.exe (6a6b12c6756890e0a7b4ab47d9c407ec_JaffaCakes118.exe)
- File opened for modification: C:\Windows\SysWOW64\syvhhqefzduvsgs.exe (6a6b12c6756890e0a7b4ab47d9c407ec_JaffaCakes118.exe)
- File created: C:\Windows\SysWOW64\nnytzqio.exe (6a6b12c6756890e0a7b4ab47d9c407ec_JaffaCakes118.exe)
- File created: C:\Windows\SysWOW64\qnnzmgtfyt.exe (6a6b12c6756890e0a7b4ab47d9c407ec_JaffaCakes118.exe)
- File opened for modification: C:\Windows\SysWOW64\ifcbykqvurxuf.exe (6a6b12c6756890e0a7b4ab47d9c407ec_JaffaCakes118.exe)
- File opened for modification: C:\Windows\SysWOW64\msvbvm60.dll (qnnzmgtfyt.exe)
- File opened for modification: \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (nnytzqio.exe)
Drops file in Program Files directory 14 IoCs
Processes: nnytzqio.exe, nnytzqio.exe (all 14 entries belong to nnytzqio.exe)
- File opened for modification: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- File created: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- File created: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- File opened for modification: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal
- File opened for modification: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- File opened for modification: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal
Drops file in Windows directory 19 IoCs
Processes: 6a6b12c6756890e0a7b4ab47d9c407ec_JaffaCakes118.exe, nnytzqio.exe, nnytzqio.exe, WINWORD.EXE
- File opened for modification: C:\Windows\mydoc.rtf (6a6b12c6756890e0a7b4ab47d9c407ec_JaffaCakes118.exe)
- File created: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (nnytzqio.exe)
- File opened for modification: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (nnytzqio.exe)
- File opened for modification: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (nnytzqio.exe)
- File opened for modification: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (nnytzqio.exe)
- File created: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (nnytzqio.exe)
- File created: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (nnytzqio.exe)
- File opened for modification: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (nnytzqio.exe)
- File opened for modification: C:\Windows\mydoc.rtf (WINWORD.EXE)
- File created: C:\Windows\~$mydoc.rtf (WINWORD.EXE)
- File created: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (nnytzqio.exe)
- File opened for modification: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (nnytzqio.exe)
- File created: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (nnytzqio.exe)
- File opened for modification: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (nnytzqio.exe)
- File created: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (nnytzqio.exe)
- File created: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (nnytzqio.exe)
- File opened for modification: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (nnytzqio.exe)
- File created: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (nnytzqio.exe)
- File opened for modification: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (nnytzqio.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: WINWORD.EXE
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
Modifies registry class 20 IoCs
Processes: 6a6b12c6756890e0a7b4ab47d9c407ec_JaffaCakes118.exe, qnnzmgtfyt.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC5B15D44E7389F52C4B9D3329CD7C9" (6a6b12c6756890e0a7b4ab47d9c407ec_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF8FFF8485A85139031D72C7E94BC92E6375845664F6244D7E9" (6a6b12c6756890e0a7b4ab47d9c407ec_JaffaCakes118.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs (qnnzmgtfyt.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" (qnnzmgtfyt.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" (qnnzmgtfyt.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.reg (qnnzmgtfyt.exe)
- Key created: \REGISTRY\MACHINE\Software\Classes\CLV.Classes (6a6b12c6756890e0a7b4ab47d9c407ec_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E78768B1FF1A22DAD20FD0A18A7D9117" (6a6b12c6756890e0a7b4ab47d9c407ec_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1839C70E1594DBC4B8BC7CE3ECE034BA" (6a6b12c6756890e0a7b4ab47d9c407ec_JaffaCakes118.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.bat (qnnzmgtfyt.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh (qnnzmgtfyt.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc (qnnzmgtfyt.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf (qnnzmgtfyt.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" (qnnzmgtfyt.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32422C769C2782556A3176D777222CD87C8765DD" (6a6b12c6756890e0a7b4ab47d9c407ec_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCDF9BDFE6BF19183783A40869E3997B3FC02F04214023FE2CD42E709A9" (6a6b12c6756890e0a7b4ab47d9c407ec_JaffaCakes118.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings (6a6b12c6756890e0a7b4ab47d9c407ec_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" (qnnzmgtfyt.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" (qnnzmgtfyt.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" (qnnzmgtfyt.exe)
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes: WINWORD.EXE
- PID 5152: WINWORD.EXE (×2)
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 6a6b12c6756890e0a7b4ab47d9c407ec_JaffaCakes118.exe, syvhhqefzduvsgs.exe, qnnzmgtfyt.exe, nnytzqio.exe, ifcbykqvurxuf.exe, nnytzqio.exe
pid/process entries in the report's order (64 in total):
- PID 4600: 6a6b12c6756890e0a7b4ab47d9c407ec_JaffaCakes118.exe (×16)
- PID 2572: syvhhqefzduvsgs.exe (×10)
- PID 4688: qnnzmgtfyt.exe (×10), interleaved with PID 4436: nnytzqio.exe (×8)
- PID 1636: ifcbykqvurxuf.exe (×12)
- PID 2572: syvhhqefzduvsgs.exe (×2)
- PID 4536: nnytzqio.exe (×6)
Suspicious use of FindShellTrayWindow 18 IoCs
Processes: 6a6b12c6756890e0a7b4ab47d9c407ec_JaffaCakes118.exe, syvhhqefzduvsgs.exe, qnnzmgtfyt.exe, nnytzqio.exe, ifcbykqvurxuf.exe, nnytzqio.exe
pid/process entries in the report's order (18 in total):
- PID 4600: 6a6b12c6756890e0a7b4ab47d9c407ec_JaffaCakes118.exe (×3)
- PID 2572: syvhhqefzduvsgs.exe (×3)
- PID 4688: qnnzmgtfyt.exe (×3), alternating with PID 4436: nnytzqio.exe (×3)
- PID 1636: ifcbykqvurxuf.exe (×3)
- PID 4536: nnytzqio.exe (×3)
Suspicious use of SendNotifyMessage 18 IoCs
Processes: 6a6b12c6756890e0a7b4ab47d9c407ec_JaffaCakes118.exe, syvhhqefzduvsgs.exe, qnnzmgtfyt.exe, nnytzqio.exe, ifcbykqvurxuf.exe, nnytzqio.exe
pid/process entries in the report's order (18 in total):
- PID 4600: 6a6b12c6756890e0a7b4ab47d9c407ec_JaffaCakes118.exe (×3)
- PID 2572: syvhhqefzduvsgs.exe (×3)
- PID 4688: qnnzmgtfyt.exe (×3), alternating with PID 4436: nnytzqio.exe (×3)
- PID 1636: ifcbykqvurxuf.exe (×3)
- PID 4536: nnytzqio.exe (×3)
Suspicious use of SetWindowsHookEx 7 IoCs
Processes: WINWORD.EXE
- PID 5152: WINWORD.EXE (×7)
Suspicious use of WriteProcessMemory 17 IoCs
Processes: 6a6b12c6756890e0a7b4ab47d9c407ec_JaffaCakes118.exe, qnnzmgtfyt.exe
description / pid / process / target process (17 entries):
- PID 4600 (6a6b12c6756890e0a7b4ab47d9c407ec_JaffaCakes118.exe) wrote to memory of PID 4688 (qnnzmgtfyt.exe) (×3)
- PID 4600 (6a6b12c6756890e0a7b4ab47d9c407ec_JaffaCakes118.exe) wrote to memory of PID 2572 (syvhhqefzduvsgs.exe) (×3)
- PID 4600 (6a6b12c6756890e0a7b4ab47d9c407ec_JaffaCakes118.exe) wrote to memory of PID 4436 (nnytzqio.exe) (×3)
- PID 4600 (6a6b12c6756890e0a7b4ab47d9c407ec_JaffaCakes118.exe) wrote to memory of PID 1636 (ifcbykqvurxuf.exe) (×3)
- PID 4600 (6a6b12c6756890e0a7b4ab47d9c407ec_JaffaCakes118.exe) wrote to memory of PID 5152 (WINWORD.EXE) (×2)
- PID 4688 (qnnzmgtfyt.exe) wrote to memory of PID 4536 (nnytzqio.exe) (×3)
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\6a6b12c6756890e0a7b4ab47d9c407ec_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6a6b12c6756890e0a7b4ab47d9c407ec_JaffaCakes118.exe"
  PID: 4600
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  [depth 2] C:\Windows\SysWOW64\qnnzmgtfyt.exe
    Command line: qnnzmgtfyt.exe
    PID: 4688
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    [depth 3] C:\Windows\SysWOW64\nnytzqio.exe
      Command line: C:\Windows\system32\nnytzqio.exe
      PID: 4536
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  [depth 2] C:\Windows\SysWOW64\syvhhqefzduvsgs.exe
    Command line: syvhhqefzduvsgs.exe
    PID: 2572
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  [depth 2] C:\Windows\SysWOW64\nnytzqio.exe
    Command line: nnytzqio.exe
    PID: 4436
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  [depth 2] C:\Windows\SysWOW64\ifcbykqvurxuf.exe
    Command line: ifcbykqvurxuf.exe
    PID: 1636
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  [depth 2] C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    PID: 5152
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads