Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-05-2024 10:48

Static task: static1

Behavioral task: behavioral1
- Sample: 6ab05762e64bab75773f3d89cc4e7f45_JaffaCakes118.exe
- Resource: win7-20240508-en

Behavioral task: behavioral2
- Sample: 6ab05762e64bab75773f3d89cc4e7f45_JaffaCakes118.exe
- Resource: win10v2004-20240508-en
General
- Target: 6ab05762e64bab75773f3d89cc4e7f45_JaffaCakes118.exe
- Size: 512KB
- MD5: 6ab05762e64bab75773f3d89cc4e7f45
- SHA1: bdb715a7e8071d9232e38b14c681a74d522ddf37
- SHA256: 7b57c8b33de679d4024622f7cae20fe9e1c37a83383ad73d657dd0b0ce060bbd
- SHA512: 1588cef85014f3ca3d01bc3fdf3db4af891b0bfd054862a1afb7e474b8411224c79dff5647f04fb9beb510b28bd398e1f9f03c6b4ee15a5a04ea5c27f554b4dc
- SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6x:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5w
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
Processes:
- Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (otgxqlvzun.exe)
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
Processes:
- Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (otgxqlvzun.exe)
Windows security bypass (5 IoCs)
Processes:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (otgxqlvzun.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (otgxqlvzun.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (otgxqlvzun.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (otgxqlvzun.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (otgxqlvzun.exe)
Disables RegEdit via registry modification (1 IoC)
Processes:
- Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (otgxqlvzun.exe)
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Processes:
- Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation (6ab05762e64bab75773f3d89cc4e7f45_JaffaCakes118.exe)
Executes dropped EXE (5 IoCs)
Processes (pid, process):
- 4940 otgxqlvzun.exe
- 2080 snlzbaeckrxyolf.exe
- 3016 follskzn.exe
- 3568 cdwiveyqsnunj.exe
- 464 follskzn.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.

Windows security modification (6 IoCs)
Processes:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" (otgxqlvzun.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (otgxqlvzun.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (otgxqlvzun.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (otgxqlvzun.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (otgxqlvzun.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (otgxqlvzun.exe)
Adds Run key to start application (2 TTPs, 3 IoCs)
Processes:
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vreetwpp = "otgxqlvzun.exe" (snlzbaeckrxyolf.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vaudyeym = "snlzbaeckrxyolf.exe" (snlzbaeckrxyolf.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "cdwiveyqsnunj.exe" (snlzbaeckrxyolf.exe)
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes (all entries are "File opened (read-only)", listed per process in report order):
- otgxqlvzun.exe (21 entries): \??\i:, \??\a:, \??\v:, \??\b:, \??\p:, \??\t:, \??\s:, \??\h:, \??\q:, \??\g:, \??\w:, \??\u:, \??\j:, \??\k:, \??\n:, \??\x:, \??\z:, \??\y:, \??\r:, \??\l:, \??\o:
- follskzn.exe (two instances, 43 entries): \??\u:, \??\u:, \??\b:, \??\i:, \??\g:, \??\x:, \??\n:, \??\w:, \??\p:, \??\k:, \??\m:, \??\y:, \??\o:, \??\h:, \??\q:, \??\r:, \??\w:, \??\p:, \??\r:, \??\y:, \??\z:, \??\s:, \??\k:, \??\s:, \??\v:, \??\n:, \??\a:, \??\g:, \??\b:, \??\l:, \??\t:, \??\t:, \??\i:, \??\q:, \??\j:, \??\h:, \??\j:, \??\z:, \??\e:, \??\v:, \??\a:, \??\e:, \??\m:
Modifies WinLogon (2 TTPs, 2 IoCs)
Processes:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" (otgxqlvzun.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" (otgxqlvzun.exe)
AutoIT Executable (11 IoCs)
AutoIT scripts compiled to PE executables.
Resources matching yara rule autoit_exe:
- behavioral2/memory/2492-0-0x0000000000400000-0x0000000000496000-memory.dmp
- C:\Windows\SysWOW64\snlzbaeckrxyolf.exe
- C:\Windows\SysWOW64\otgxqlvzun.exe
- C:\Windows\SysWOW64\follskzn.exe
- C:\Windows\SysWOW64\cdwiveyqsnunj.exe
- C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- C:\Users\Admin\Documents\ResizeSubmit.doc.exe
- C:\Users\Admin\Documents\StepLock.doc.exe
- \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
- \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
Drops file in System32 directory (12 IoCs)
Processes:
- File opened for modification C:\Windows\SysWOW64\otgxqlvzun.exe (6ab05762e64bab75773f3d89cc4e7f45_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\snlzbaeckrxyolf.exe (6ab05762e64bab75773f3d89cc4e7f45_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\follskzn.exe (6ab05762e64bab75773f3d89cc4e7f45_JaffaCakes118.exe)
- File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (follskzn.exe)
- File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (follskzn.exe)
- File opened for modification C:\Windows\SysWOW64\msvbvm60.dll (otgxqlvzun.exe)
- File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (follskzn.exe)
- File created C:\Windows\SysWOW64\otgxqlvzun.exe (6ab05762e64bab75773f3d89cc4e7f45_JaffaCakes118.exe)
- File created C:\Windows\SysWOW64\snlzbaeckrxyolf.exe (6ab05762e64bab75773f3d89cc4e7f45_JaffaCakes118.exe)
- File created C:\Windows\SysWOW64\follskzn.exe (6ab05762e64bab75773f3d89cc4e7f45_JaffaCakes118.exe)
- File created C:\Windows\SysWOW64\cdwiveyqsnunj.exe (6ab05762e64bab75773f3d89cc4e7f45_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\cdwiveyqsnunj.exe (6ab05762e64bab75773f3d89cc4e7f45_JaffaCakes118.exe)
Drops file in Program Files directory (14 IoCs)
Processes (all by follskzn.exe):
- File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal
- File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal
- File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal
- File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal
- File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
Drops file in Windows directory (19 IoCs)
Processes:
- File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (follskzn.exe)
- File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (follskzn.exe)
- File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (follskzn.exe)
- File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (follskzn.exe)
- File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (follskzn.exe)
- File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (follskzn.exe)
- File opened for modification C:\Windows\mydoc.rtf (6ab05762e64bab75773f3d89cc4e7f45_JaffaCakes118.exe)
- File created C:\Windows\~$mydoc.rtf (WINWORD.EXE)
- File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (follskzn.exe)
- File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (follskzn.exe)
- File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (follskzn.exe)
- File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (follskzn.exe)
- File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (follskzn.exe)
- File opened for modification C:\Windows\mydoc.rtf (WINWORD.EXE)
- File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (follskzn.exe)
- File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (follskzn.exe)
- File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (follskzn.exe)
- File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (follskzn.exe)
- File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (follskzn.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
Modifies registry class (20 IoCs)
Processes:
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat (otgxqlvzun.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" (otgxqlvzun.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" (otgxqlvzun.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" (otgxqlvzun.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33372D7C9C5582576D4676DC77202DAD7CF464D7" (6ab05762e64bab75773f3d89cc4e7f45_JaffaCakes118.exe)
- Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings (6ab05762e64bab75773f3d89cc4e7f45_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" (otgxqlvzun.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" (otgxqlvzun.exe)
- Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes (6ab05762e64bab75773f3d89cc4e7f45_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193DC60914E7DABFB9CD7CE1EC9734BD" (6ab05762e64bab75773f3d89cc4e7f45_JaffaCakes118.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc (otgxqlvzun.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" (otgxqlvzun.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCDFABAF961F293830B3B40869E3992B0FB038F4260024BE1B842EC08D3" (6ab05762e64bab75773f3d89cc4e7f45_JaffaCakes118.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh (otgxqlvzun.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F768B7FE1821DDD10FD1A98B79906A" (6ab05762e64bab75773f3d89cc4e7f45_JaffaCakes118.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf (otgxqlvzun.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs (otgxqlvzun.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg (otgxqlvzun.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB6B15A47E239EE52CDBAA0339FD7C8" (6ab05762e64bab75773f3d89cc4e7f45_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E8BFF834F2785189045D75B7E9CBC97E631593266426330D79E" (6ab05762e64bab75773f3d89cc4e7f45_JaffaCakes118.exe)
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes (pid, process, occurrences):
- 1140 WINWORD.EXE (x2)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid, process, occurrences):
- 2492 6ab05762e64bab75773f3d89cc4e7f45_JaffaCakes118.exe (x16)
- 4940 otgxqlvzun.exe (x10)
- 3016 follskzn.exe (x8)
- 2080 snlzbaeckrxyolf.exe (x10)
- 3568 cdwiveyqsnunj.exe (x12)
- 464 follskzn.exe (x8)
Suspicious use of FindShellTrayWindow (18 IoCs)
Processes (pid, process, occurrences):
- 2492 6ab05762e64bab75773f3d89cc4e7f45_JaffaCakes118.exe (x3)
- 4940 otgxqlvzun.exe (x3)
- 2080 snlzbaeckrxyolf.exe (x3)
- 3016 follskzn.exe (x3)
- 3568 cdwiveyqsnunj.exe (x3)
- 464 follskzn.exe (x3)
Suspicious use of SendNotifyMessage (18 IoCs)
Processes (pid, process, occurrences):
- 2492 6ab05762e64bab75773f3d89cc4e7f45_JaffaCakes118.exe (x3)
- 4940 otgxqlvzun.exe (x3)
- 2080 snlzbaeckrxyolf.exe (x3)
- 3016 follskzn.exe (x3)
- 3568 cdwiveyqsnunj.exe (x3)
- 464 follskzn.exe (x3)
Suspicious use of SetWindowsHookEx (7 IoCs)
Processes (pid, process, occurrences):
- 1140 WINWORD.EXE (x7)
Suspicious use of WriteProcessMemory (17 IoCs)
Processes (source pid and process, target pid and process, occurrences):
- PID 2492 6ab05762e64bab75773f3d89cc4e7f45_JaffaCakes118.exe wrote to memory of 4940 otgxqlvzun.exe (x3)
- PID 2492 6ab05762e64bab75773f3d89cc4e7f45_JaffaCakes118.exe wrote to memory of 2080 snlzbaeckrxyolf.exe (x3)
- PID 2492 6ab05762e64bab75773f3d89cc4e7f45_JaffaCakes118.exe wrote to memory of 3016 follskzn.exe (x3)
- PID 2492 6ab05762e64bab75773f3d89cc4e7f45_JaffaCakes118.exe wrote to memory of 3568 cdwiveyqsnunj.exe (x3)
- PID 2492 6ab05762e64bab75773f3d89cc4e7f45_JaffaCakes118.exe wrote to memory of 1140 WINWORD.EXE (x2)
- PID 4940 otgxqlvzun.exe wrote to memory of 464 follskzn.exe (x3)
Processes (process tree; the number in brackets is the depth in the tree)

[1] C:\Users\Admin\AppData\Local\Temp\6ab05762e64bab75773f3d89cc4e7f45_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\6ab05762e64bab75773f3d89cc4e7f45_JaffaCakes118.exe"
    - Checks computer location settings
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\otgxqlvzun.exe
        Command line: otgxqlvzun.exe
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - Windows security bypass
        - Disables RegEdit via registry modification
        - Executes dropped EXE
        - Windows security modification
        - Enumerates connected drives
        - Modifies WinLogon
        - Drops file in System32 directory
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\follskzn.exe
            Command line: C:\Windows\system32\follskzn.exe
            - Executes dropped EXE
            - Enumerates connected drives
            - Drops file in System32 directory
            - Drops file in Program Files directory
            - Drops file in Windows directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage

    [2] C:\Windows\SysWOW64\snlzbaeckrxyolf.exe
        Command line: snlzbaeckrxyolf.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage

    [2] C:\Windows\SysWOW64\follskzn.exe
        Command line: follskzn.exe
        - Executes dropped EXE
        - Enumerates connected drives
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage

    [2] C:\Windows\SysWOW64\cdwiveyqsnunj.exe
        Command line: cdwiveyqsnunj.exe
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage

    [2] C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
        Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
        - Drops file in Windows directory
        - Checks processor information in registry
        - Enumerates system info in registry
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)

Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)

Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Modify Registry (6)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
Downloads