Analysis
max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags
arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted
24-05-2024 21:46
Static task
static1
Behavioral task
behavioral1
Sample
6fe3cb2dc4388e19c65af3d0db5525ec_JaffaCakes118.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
6fe3cb2dc4388e19c65af3d0db5525ec_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
-
Target
6fe3cb2dc4388e19c65af3d0db5525ec_JaffaCakes118.exe
-
Size
512KB
-
MD5
6fe3cb2dc4388e19c65af3d0db5525ec
-
SHA1
ff5812a826a147795cc8c8ce9420e6bac9c49ee1
-
SHA256
5cef037a03b7fcfed6eb99589fa864213689e61e8582476d135aff73d6761eda
-
SHA512
da8aab36d9d1870683f3837af83f5f34fe3afd52583e5b71cfbd254e1772717d6d8c7acf697c93b3b1ed391f5c6fa7d948fa5aaeb15815d59e8805cb1c01fde1
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj64:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5L
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
Processes: wjyexttmyv.exe
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" wjyexttmyv.exe
-
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes: wjyexttmyv.exe
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" wjyexttmyv.exe
-
Windows security bypass 5 IoCs
Processes: wjyexttmyv.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" wjyexttmyv.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" wjyexttmyv.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" wjyexttmyv.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" wjyexttmyv.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" wjyexttmyv.exe
-
Disables RegEdit via registry modification 1 IoCs
Processes: wjyexttmyv.exe
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" wjyexttmyv.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 6fe3cb2dc4388e19c65af3d0db5525ec_JaffaCakes118.exe
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation 6fe3cb2dc4388e19c65af3d0db5525ec_JaffaCakes118.exe
-
Executes dropped EXE 5 IoCs
Processes: wjyexttmyv.exe, tdoloqroighrmve.exe, efpdhgnk.exe, jtjpfzsinfhos.exe, efpdhgnk.exe
pid process
4456 wjyexttmyv.exe
2332 tdoloqroighrmve.exe
3404 efpdhgnk.exe
932 jtjpfzsinfhos.exe
2700 efpdhgnk.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 6 IoCs
Processes: wjyexttmyv.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" wjyexttmyv.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" wjyexttmyv.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" wjyexttmyv.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" wjyexttmyv.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" wjyexttmyv.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" wjyexttmyv.exe
-
Adds Run key to start application 2 TTPs 3 IoCs
Processes: tdoloqroighrmve.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pzpvvmvf = "wjyexttmyv.exe" tdoloqroighrmve.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jeisjkve = "tdoloqroighrmve.exe" tdoloqroighrmve.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "jtjpfzsinfhos.exe" tdoloqroighrmve.exe
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: wjyexttmyv.exe, efpdhgnk.exe, efpdhgnk.exe
File opened (read-only) \??\<letter>: by each process, 64 opens in total; no process touched c:, d: or f:
wjyexttmyv.exe (20 opens, one per letter): a: e: g: h: i: j: k: l: m: o: p: q: r: s: t: u: v: x: y: z:
efpdhgnk.exe (two instances, 44 opens; every letter twice except r: and w: once): a: b: e: g: h: i: j: k: l: m: n: o: p: q: r: s: t: u: v: w: x: y: z:
-
Modifies WinLogon 2 TTPs 2 IoCs
Processes: wjyexttmyv.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" wjyexttmyv.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" wjyexttmyv.exe
-
AutoIT Executable 10 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule
behavioral2/memory/752-0-0x0000000000400000-0x0000000000496000-memory.dmp autoit_exe
C:\Windows\SysWOW64\tdoloqroighrmve.exe autoit_exe
C:\Windows\SysWOW64\wjyexttmyv.exe autoit_exe
C:\Windows\SysWOW64\efpdhgnk.exe autoit_exe
C:\Windows\SysWOW64\jtjpfzsinfhos.exe autoit_exe
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe autoit_exe
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe autoit_exe
C:\Users\Admin\Documents\WaitPop.doc.exe autoit_exe
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe autoit_exe
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe autoit_exe
-
Drops file in System32 directory 13 IoCs
Processes: 6fe3cb2dc4388e19c65af3d0db5525ec_JaffaCakes118.exe, wjyexttmyv.exe, efpdhgnk.exe, efpdhgnk.exe
File created C:\Windows\SysWOW64\tdoloqroighrmve.exe 6fe3cb2dc4388e19c65af3d0db5525ec_JaffaCakes118.exe
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll wjyexttmyv.exe
File opened for modification C:\Windows\SysWOW64\wjyexttmyv.exe 6fe3cb2dc4388e19c65af3d0db5525ec_JaffaCakes118.exe
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe efpdhgnk.exe
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe efpdhgnk.exe
File created C:\Windows\SysWOW64\jtjpfzsinfhos.exe 6fe3cb2dc4388e19c65af3d0db5525ec_JaffaCakes118.exe
File opened for modification C:\Windows\SysWOW64\efpdhgnk.exe 6fe3cb2dc4388e19c65af3d0db5525ec_JaffaCakes118.exe
File opened for modification C:\Windows\SysWOW64\jtjpfzsinfhos.exe 6fe3cb2dc4388e19c65af3d0db5525ec_JaffaCakes118.exe
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe efpdhgnk.exe
File created C:\Windows\SysWOW64\wjyexttmyv.exe 6fe3cb2dc4388e19c65af3d0db5525ec_JaffaCakes118.exe
File created C:\Windows\SysWOW64\efpdhgnk.exe 6fe3cb2dc4388e19c65af3d0db5525ec_JaffaCakes118.exe
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe efpdhgnk.exe
File opened for modification C:\Windows\SysWOW64\tdoloqroighrmve.exe 6fe3cb2dc4388e19c65af3d0db5525ec_JaffaCakes118.exe
-
Drops file in Program Files directory 18 IoCs
Processes: efpdhgnk.exe, efpdhgnk.exe
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe efpdhgnk.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe efpdhgnk.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe efpdhgnk.exe
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe efpdhgnk.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal efpdhgnk.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe efpdhgnk.exe
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe efpdhgnk.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal efpdhgnk.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal efpdhgnk.exe
File created \??\c:\Program Files\DismountFormat.doc.exe efpdhgnk.exe
File opened for modification C:\Program Files\DismountFormat.doc.exe efpdhgnk.exe
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe efpdhgnk.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe efpdhgnk.exe
File opened for modification \??\c:\Program Files\DismountFormat.doc.exe efpdhgnk.exe
File opened for modification C:\Program Files\DismountFormat.nal efpdhgnk.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal efpdhgnk.exe
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe efpdhgnk.exe
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe efpdhgnk.exe
-
Drops file in Windows directory 19 IoCs
Processes: WINWORD.EXE, efpdhgnk.exe, efpdhgnk.exe, 6fe3cb2dc4388e19c65af3d0db5525ec_JaffaCakes118.exe
File created C:\Windows\~$mydoc.rtf WINWORD.EXE
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe efpdhgnk.exe
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe efpdhgnk.exe
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe efpdhgnk.exe
File opened for modification C:\Windows\mydoc.rtf 6fe3cb2dc4388e19c65af3d0db5525ec_JaffaCakes118.exe
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe efpdhgnk.exe
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe efpdhgnk.exe
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe efpdhgnk.exe
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe efpdhgnk.exe
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe efpdhgnk.exe
File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe efpdhgnk.exe
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe efpdhgnk.exe
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe efpdhgnk.exe
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe efpdhgnk.exe
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe efpdhgnk.exe
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe efpdhgnk.exe
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe efpdhgnk.exe
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe efpdhgnk.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: WINWORD.EXE
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE
-
Modifies registry class 20 IoCs
Processes: 6fe3cb2dc4388e19c65af3d0db5525ec_JaffaCakes118.exe, wjyexttmyv.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFBFC83482A826A9145D62D7E96BDE4E13C5941674F6331D6EE" 6fe3cb2dc4388e19c65af3d0db5525ec_JaffaCakes118.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184AC6741590DBC3B8CE7C94ECE334CC" 6fe3cb2dc4388e19c65af3d0db5525ec_JaffaCakes118.exe
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings 6fe3cb2dc4388e19c65af3d0db5525ec_JaffaCakes118.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat wjyexttmyv.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" wjyexttmyv.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh wjyexttmyv.exe
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes 6fe3cb2dc4388e19c65af3d0db5525ec_JaffaCakes118.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB7B12C44EE399F53BDBAD5329BD7CD" 6fe3cb2dc4388e19c65af3d0db5525ec_JaffaCakes118.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf wjyexttmyv.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" wjyexttmyv.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" wjyexttmyv.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg wjyexttmyv.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F168C6FF1F22DED109D0A38B7F9117" 6fe3cb2dc4388e19c65af3d0db5525ec_JaffaCakes118.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" wjyexttmyv.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BC8FAB0F962F195837F3A40819939E5B0FD02884360023BE1BA45E608D6" 6fe3cb2dc4388e19c65af3d0db5525ec_JaffaCakes118.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs wjyexttmyv.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" wjyexttmyv.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" wjyexttmyv.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32442C0D9D2083236D3477D477222CAC7C8765DF" 6fe3cb2dc4388e19c65af3d0db5525ec_JaffaCakes118.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc wjyexttmyv.exe
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes: WINWORD.EXE
pid process
4784 WINWORD.EXE (2 hits)
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 6fe3cb2dc4388e19c65af3d0db5525ec_JaffaCakes118.exe, tdoloqroighrmve.exe, jtjpfzsinfhos.exe, wjyexttmyv.exe, efpdhgnk.exe, efpdhgnk.exe
pid process (hits, in the order the sandbox recorded them)
752 6fe3cb2dc4388e19c65af3d0db5525ec_JaffaCakes118.exe (16 hits)
2332 tdoloqroighrmve.exe (10 hits)
932 jtjpfzsinfhos.exe (12 hits)
4456 wjyexttmyv.exe (10 hits)
3404 efpdhgnk.exe (8 hits)
2332 tdoloqroighrmve.exe (2 hits)
2700 efpdhgnk.exe (6 hits)
-
Suspicious use of FindShellTrayWindow 18 IoCs
Processes: 6fe3cb2dc4388e19c65af3d0db5525ec_JaffaCakes118.exe, tdoloqroighrmve.exe, jtjpfzsinfhos.exe, wjyexttmyv.exe, efpdhgnk.exe, efpdhgnk.exe
pid process
752 6fe3cb2dc4388e19c65af3d0db5525ec_JaffaCakes118.exe (3 hits)
2332 tdoloqroighrmve.exe (3 hits)
932 jtjpfzsinfhos.exe (3 hits)
4456 wjyexttmyv.exe (3 hits)
3404 efpdhgnk.exe (3 hits)
2700 efpdhgnk.exe (3 hits)
-
Suspicious use of SendNotifyMessage 18 IoCs
Processes: 6fe3cb2dc4388e19c65af3d0db5525ec_JaffaCakes118.exe, tdoloqroighrmve.exe, jtjpfzsinfhos.exe, wjyexttmyv.exe, efpdhgnk.exe, efpdhgnk.exe
pid process
752 6fe3cb2dc4388e19c65af3d0db5525ec_JaffaCakes118.exe (3 hits)
2332 tdoloqroighrmve.exe (3 hits)
932 jtjpfzsinfhos.exe (3 hits)
4456 wjyexttmyv.exe (3 hits)
3404 efpdhgnk.exe (3 hits)
2700 efpdhgnk.exe (3 hits)
-
Suspicious use of SetWindowsHookEx 7 IoCs
Processes: WINWORD.EXE
pid process
4784 WINWORD.EXE (7 hits)
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes: 6fe3cb2dc4388e19c65af3d0db5525ec_JaffaCakes118.exe, wjyexttmyv.exe
description pid process target process
PID 752 wrote to memory of 4456 752 6fe3cb2dc4388e19c65af3d0db5525ec_JaffaCakes118.exe wjyexttmyv.exe (3 hits)
PID 752 wrote to memory of 2332 752 6fe3cb2dc4388e19c65af3d0db5525ec_JaffaCakes118.exe tdoloqroighrmve.exe (3 hits)
PID 752 wrote to memory of 3404 752 6fe3cb2dc4388e19c65af3d0db5525ec_JaffaCakes118.exe efpdhgnk.exe (3 hits)
PID 752 wrote to memory of 932 752 6fe3cb2dc4388e19c65af3d0db5525ec_JaffaCakes118.exe jtjpfzsinfhos.exe (3 hits)
PID 752 wrote to memory of 4784 752 6fe3cb2dc4388e19c65af3d0db5525ec_JaffaCakes118.exe WINWORD.EXE (2 hits)
PID 4456 wrote to memory of 2700 4456 wjyexttmyv.exe efpdhgnk.exe (3 hits)
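The registry IoCs in the signatures above are printed in NT-native form (\REGISTRY\MACHINE, \REGISTRY\USER\<SID>), and the HKLM\SOFTWARE writes by the 32-bit droppers land under WOW6432Node, so a rule written against HKLM\SOFTWARE\Microsoft\Security Center alone would not match them. The following Python, added here as an example and not part of the sandbox or of this report, normalises such lines to HKLM/HKCU with the WOW6432Node alias folded away and matches them against the behaviours the signatures list: Explorer HideFileExt/ShowSuperHidden, DisableRegistryTools, the Security Center overrides, Winlogon SFCScan/SFCDisable, Run keys, and script extensions re-pointed at txtfile. The rule labels, the RegEvent layout and the harmless.exe control line are this example's own assumptions; the other sample lines are copied from the report.

```python
"""Normalise sandbox 'Set value' registry IoCs and match them against the
defence-evasion and persistence behaviours listed in the report's signatures.
Rule labels and the RegEvent layout are this example's own."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed input: IoC lines as printed in the report, plus one benign
# control line (harmless.exe) that must not match any rule.
SAMPLE_IOCS = [
    r'Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" wjyexttmyv.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" wjyexttmyv.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" wjyexttmyv.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" wjyexttmyv.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pzpvvmvf = "wjyexttmyv.exe" tdoloqroighrmve.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" wjyexttmyv.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" wjyexttmyv.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" wjyexttmyv.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "VBSFile" harmless.exe',
]

LINE_RE = re.compile(r'^Set value \((int|str)\) (\\REGISTRY\\.+?) = "([^"]*)" (\S+)$')


@dataclass(frozen=True)
class RegEvent:
    hive: str          # HKLM or HKCU
    key: str           # logical key below the hive, WOW6432Node removed
    name: str          # value name; "(Default)" for the key's default value
    data: str
    kind: str          # int or str, as the sandbox printed it
    process: str       # writing process
    sid: str | None    # user SID for HKCU writes
    wow64: bool        # True when the write physically landed under WOW6432Node


def parse_ioc(line: str) -> RegEvent | None:
    """Turn one 'Set value' line into a RegEvent; None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    kind, path, data, process = m.groups()
    sid = None
    if path.upper().startswith("\\REGISTRY\\MACHINE\\"):
        hive, rest = "HKLM", path[len("\\REGISTRY\\MACHINE\\"):]
    elif path.upper().startswith("\\REGISTRY\\USER\\"):
        hive = "HKCU"
        sid, _, rest = path[len("\\REGISTRY\\USER\\"):].partition("\\")
    else:
        return None
    key, _, name = rest.rpartition("\\")        # trailing '\' means default value
    logical = re.sub(r"\\WOW6432Node", "", key, flags=re.I)
    return RegEvent(hive, logical, name or "(Default)", data, kind, process, sid, logical != key)


# (label, regex on the logical key (end-anchored), regex on the value name, test on data)
RULES = [
    ("Explorer: known file extensions hidden", r"Explorer\\Advanced$", r"^HideFileExt$", lambda d: d == "1"),
    ("Explorer: protected OS files hidden", r"Explorer\\Advanced$", r"^ShowSuperHidden$", lambda d: d == "0"),
    ("Registry Editor disabled by policy", r"Policies\\System$", r"^DisableRegistryTools$", lambda d: d != "0"),
    ("Security Center state overridden / alerts suppressed", r"Microsoft\\Security Center$",
     r"(Override|DisableNotify|FirstRunDisabled)$", lambda d: d == "1"),
    ("Winlogon SFCScan turned off", r"\\Winlogon$", r"^SFCScan$", lambda d: d == "0"),
    ("Winlogon SFCDisable set non-zero", r"\\Winlogon$", r"^SFCDisable$", lambda d: d != "0"),
    ("Run key pointing at an executable", r"CurrentVersion\\Run$", r".", lambda d: d.lower().endswith(".exe")),
    ("Script extension re-associated to txtfile", r"Classes\\\.(bat|vbs|reg|wsh|wsf|wsc)$",
     r"^\(Default\)$", lambda d: d.lower() == "txtfile"),
]


def triage(lines: list[str]) -> list[tuple[str, str, str]]:
    """(process, rule label, HIVE\\key\\name = data) for every write that matches a rule."""
    hits = []
    for line in lines:
        ev = parse_ioc(line)
        if ev is None:
            continue
        for label, key_re, name_re, test in RULES:
            if (re.search(key_re, ev.key, re.I) and re.search(name_re, ev.name, re.I)
                    and test(ev.data)):
                hits.append((ev.process, label, f"{ev.hive}\\{ev.key}\\{ev.name} = {ev.data}"))
    return hits


def by_process(lines: list[str]) -> dict[str, set[str]]:
    """Collapse triage() output to {process: {labels}} for a per-process verdict."""
    out: dict[str, set[str]] = {}
    for process, label, _ in triage(lines):
        out.setdefault(process, set()).add(label)
    return out


if __name__ == "__main__":
    for process, label, detail in triage(SAMPLE_IOCS):
        print(f"{process:22} {label:52} {detail}")
```

Run as a script it prints one line per finding; harmless.exe produces none. Two points worth keeping in mind when turning this into a host rule: HideFileExt=1 and ShowSuperHidden=0 are the Windows defaults, so the sample is re-asserting them, which only matters on machines where an administrator had turned extensions on, but together they are what lets the dropped *.doc.exe files in Documents and Program Files pass for documents in Explorer; and pointing .bat, .vbs, .reg, .wsh, .wsf and .wsc at txtfile means that, absent a per-user override, double-clicking a cleanup script opens it in Notepad instead of running it.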
Processes
C:\Users\Admin\AppData\Local\Temp\6fe3cb2dc4388e19c65af3d0db5525ec_JaffaCakes118.exe (level 1)
command line: "C:\Users\Admin\AppData\Local\Temp\6fe3cb2dc4388e19c65af3d0db5525ec_JaffaCakes118.exe"
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\wjyexttmyv.exe (level 2)
    command line: wjyexttmyv.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\efpdhgnk.exe (level 3)
        command line: C:\Windows\system32\efpdhgnk.exe
        (the command line names system32, but the parent is a 32-bit process, so WOW64 file-system redirection resolves it to the dropped copy in SysWOW64)
        - Executes dropped EXE
        - Enumerates connected drives
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
    C:\Windows\SysWOW64\tdoloqroighrmve.exe (level 2)
    command line: tdoloqroighrmve.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    C:\Windows\SysWOW64\efpdhgnk.exe (level 2)
    command line: efpdhgnk.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    C:\Windows\SysWOW64\jtjpfzsinfhos.exe (level 2)
    command line: jtjpfzsinfhos.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (level 2)
    command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
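The parent/child pairs in this tree are the same pairs that appear in the WriteProcessMemory list: the sample writes into each process it starts, and wjyexttmyv.exe writes into the second efpdhgnk.exe. The following Python, added here as an example and not part of the sandbox or of this report, rebuilds the tree from those lines and joins it with the File created IoCs, so every started process is tagged with the process that wrote its image to disk. The function names, the output layout and the de-duplicated sample lines are this example's own; the PIDs, image names and paths are the ones in the report.

```python
"""Rebuild the process tree from 'PID A wrote to memory of B' lines and join it
with 'File created' lines so that drop-then-execute chains stand out.
Function names and the output layout are this example's own."""
import re
from collections import Counter, defaultdict

SAMPLE = "6fe3cb2dc4388e19c65af3d0db5525ec_JaffaCakes118.exe"

# Constructed input: the distinct edges from the report's WriteProcessMemory
# list (the report repeats most of them two or three times).
MEMORY_WRITES = [
    f"PID 752 wrote to memory of 4456 752 {SAMPLE} wjyexttmyv.exe",
    f"PID 752 wrote to memory of 4456 752 {SAMPLE} wjyexttmyv.exe",
    f"PID 752 wrote to memory of 2332 752 {SAMPLE} tdoloqroighrmve.exe",
    f"PID 752 wrote to memory of 3404 752 {SAMPLE} efpdhgnk.exe",
    f"PID 752 wrote to memory of 932 752 {SAMPLE} jtjpfzsinfhos.exe",
    f"PID 752 wrote to memory of 4784 752 {SAMPLE} WINWORD.EXE",
    "PID 4456 wrote to memory of 2700 4456 wjyexttmyv.exe efpdhgnk.exe",
]
# Constructed input: 'File created' lines from the "Drops file in ..." signatures.
FILE_CREATES = [
    rf"File created C:\Windows\SysWOW64\tdoloqroighrmve.exe {SAMPLE}",
    rf"File created C:\Windows\SysWOW64\wjyexttmyv.exe {SAMPLE}",
    rf"File created C:\Windows\SysWOW64\efpdhgnk.exe {SAMPLE}",
    rf"File created C:\Windows\SysWOW64\jtjpfzsinfhos.exe {SAMPLE}",
    r"File created C:\Windows\~$mydoc.rtf WINWORD.EXE",
    r"File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe efpdhgnk.exe",
]

WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)$")
CREATE_RE = re.compile(r"^File created (.+) (\S+)$")   # path may contain spaces


def build_tree(writes):
    """Return ({pid: image}, {parent_pid: Counter({child_pid: write count})})."""
    image, children = {}, defaultdict(Counter)
    for line in writes:
        m = WRITE_RE.match(line)
        if m:
            parent, child, parent_img, child_img = m.groups()
            image[parent], image[child] = parent_img, child_img
            children[parent][child] += 1
    return image, children


def creators(creates):
    """Map lower-cased file basename -> process that created it."""
    out = {}
    for line in creates:
        m = CREATE_RE.match(line)
        if m:
            path, process = m.groups()
            out[path.rsplit("\\", 1)[-1].lower()] = process
    return out


def started_processes(writes, creates):
    """(child_pid, child_image, parent_image, creator_of_image or None), sorted by pid."""
    image, children = build_tree(writes)
    made_by = creators(creates)
    rows = [(child, image[child], image[parent], made_by.get(image[child].lower()))
            for parent, kids in children.items() for child in kids]
    return sorted(rows, key=lambda r: int(r[0]))


def render(writes, creates):
    """Indented tree; a child whose image was written by its own parent is tagged."""
    image, children = build_tree(writes)
    made_by = creators(creates)
    started = {c for kids in children.values() for c in kids}
    lines = []

    def walk(pid, depth, parent_img=None):
        creator = made_by.get(image[pid].lower())
        tag = ""
        if creator and creator == parent_img:
            tag = "  [dropped by parent]"
        elif creator:
            tag = f"  [dropped by {creator}]"
        lines.append(f"{'  ' * depth}{pid} {image[pid]}{tag}")
        for kid in sorted(children.get(pid, ()), key=int):
            walk(kid, depth + 1, image[pid])

    for root in sorted((p for p in image if p not in started), key=int):
        walk(root, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render(MEMORY_WRITES, FILE_CREATES)))
```

A parent writing into a child it has just started is not by itself evidence of injection, so the write edges alone carry little weight; the signal is the join with the file-creation telemetry, which marks four of the five level-2 children as images the sample itself wrote to SysWOW64 moments earlier, and the level-3 efpdhgnk.exe as an image dropped by the grandparent rather than by wjyexttmyv.exe. WINWORD.EXE stays untagged because nothing in the report created its image.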
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Modify Registry (6)
  Impair Defenses (2)
    Disable or Modify Tools (2)
Downloads
-
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
Filesize 512KB
MD5 ae5f378319beba75d64d92bbd7b4502e
SHA1 7b69250d4fc43eed3f20b55d9c4a716043311bf7
SHA256 50c65ab20c83c4a4a20a5f5adf6e62e6b44d4db6ae7a141e185b92b461fc929b
SHA512 5676e2c9ef97d7fee3850912520d3a7c8b3fb67ee2606d88c61b2b18883b7b986eee6b1457d43c6ed87a43f8c0adb3ff325c33290eb2e3d825c43c9ed3dd2d58
-
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
Filesize 512KB
MD5 f1447f2cbb687067d2bdef8e89aaa64c
SHA1 4304ac8afd3903d1d3925b25355d7465b76676ce
SHA256 de8fe12c52b4b7377bb133a853d37b5052ebb927ba033453385d827cf81c7945
SHA512 e928ae4c5ac9c4890164a9f7adf1f228f3d7f34fabb0bebef0307be29fb44bc65806054a786244c876ebdceeec3bc1764ee22d130878b1f8892f25216bad2d5b
-
C:\Users\Admin\AppData\Local\Temp\TCD90B7.tmp\sist02.xsl
Filesize 245KB
MD5 f883b260a8d67082ea895c14bf56dd56
SHA1 7954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256 ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512 d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e
-
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Filesize 239B
MD5 cb7a94d02c814d42e0d36752d23604ff
SHA1 a3dc9b99402aad1776c01d4ac787c4fa6336ed20
SHA256 fc3e2de613545cf33019b5dce9be49db46e0f38b61012c7b81fefc396501e537
SHA512 4b808c4adbfb0a918850a0c1fe548ae9dec14b3b6fdb60f0215f5863d79e1d420b338cb171b74195bedc714dd3a0bd301f36b7cca8583491dea8fc57c26346a5
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize 3KB
MD5 c3aa6f643b139c1170f1d2bab37b3ca0
SHA1 9369b0090ccfb0397d1871be30161ca76f79dcdb
SHA256 0f72a36ffeba076125ceaa73407542f6dcd8fdbe70ca73a559174981e90c1cc2
SHA512 5a6ad60ff59e602c1960dd634614bed0033c0cc7afcb19770a05c7ee35b3af5cc9726eaa2aaceddcff8054847d4ee64645dcafbcd517ee337aca524e051e49fc
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize 3KB
MD5 5ccfd42faa74afdc6c215790ff846990
SHA1 32e6cfc406ff1a63764bd9346ac14c9daa6f316b
SHA256 bd8df1780c9d2e038edf19ffa38bf9609271fde9ccf8dbf06e689080f07e34fb
SHA512 742847a1e23ddaeafaeea14070b8c89d99887043023d20d6d9f28a6e193628f7d004f1cd3c2567c53d9a9ded0683d77460e34d2e341f074029cdd190db9e84a6
-
C:\Users\Admin\Documents\WaitPop.doc.exe
Filesize 512KB
MD5 67fd269cb8bbc027ff7a565fe281f7d6
SHA1 519d7166c9b0687c95c443f03193f9e05e4820eb
SHA256 03f1408222a147d8c3a9db27606afde744acd4f0bf255afb4b1ea3c9c14f8e5d
SHA512 6795908c960d1e06a600412db94d5b522e085f3e3cd9b3fb4d21e390b4063601786a7d5fcaab0b994dbd45c59cd87d8a4eff2ab406b70dc73af84c2531889d12
-
C:\Windows\SysWOW64\efpdhgnk.exe
Filesize 512KB
MD5 d58415c7cbbaa4d9339eaf53caa78a8c
SHA1 c8794cfe204f9bd83f631a4cb4909f8bdca43a6f
SHA256 99b6982b9c0020af0a9838be3f60f8bdd772a1fd25cc0f828b832846190b61e1
SHA512 6d5676741b385be30358c2d6f26ab49e96319074b50e6c0202f62f64b06db356db98627a1854ebc32ac64db06ae475c57db1dc7290257f784cb76a528e0cff4f
-
C:\Windows\SysWOW64\jtjpfzsinfhos.exe
Filesize 512KB
MD5 b1aa1822a6bf918b97ccd1f7dd3baedf
SHA1 8d040417e453d4c67e6fe823969a8d737d26869a
SHA256 3976dab4a0745e22bba124eaa044dfa2ead0786794f5087ff09419c3033c8f5c
SHA512 52fe1d9b983190abac4dc8020d4ecb42f3ee86389160a552b75d709dcacab0826847fec09316e5a7ae100c72562c5eacdd4dc8bebbc8bc0cf415341a516d6700
-
C:\Windows\SysWOW64\tdoloqroighrmve.exe
Filesize 512KB
MD5 1fed91ae7a11137e048a36a120d43f80
SHA1 09f4d9d5dd9c257dfa5455627e7ba100f0f8bcb4
SHA256 584defe9547e6c2f468527122be81289bf136345fea370e6f5b5210eaaf0791b
SHA512 9e909acab7a8758ca43bf80523b9bdaa4d25a49329d2ac1ec583ae9d7b73c82a2d0b7b09fd281f192c7e34912d30da7e6cd6ef284a09d574cfd1d0cde18a6d44
-
C:\Windows\SysWOW64\wjyexttmyv.exe
Filesize 512KB
MD5 bb3b2b0e4ff59466248ab4aa40592351
SHA1 b81d5f4a933853130ea11495e62f5030cb505a51
SHA256 63808040390f3c4c7aceeff97cedabd717a7277967b12a0b0d3c5c97a36d4484
SHA512 6028514431012c9814fe79974c547583d16af9bd046e4a8aac9651e2b174a5bd82d8af704eccac03ce185c08c84916f427c8d905dc45a705f7bc23ef8f275caa
-
C:\Windows\mydoc.rtf
Filesize 223B
MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
Filesize 512KB
MD5 b3471840c3952d34a283d628aebdab97
SHA1 589b0666830219e2a77cbf03ee3d65f12deb6a6f
SHA256 04f37c45ee8da3a806514e799cde3aa108b8f58ad20443261527ba0a2e3ebf89
SHA512 af39feaf0b2f2078da491d6b6d36942476dbc3b7946a279f0d54980e153b08924cbcce7e381e06d0dc0e4b4e105f89eaa8795223099429fd5730546601200b45
-
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
Filesize 512KB
MD5 b7822a3a024cd910204f609faab64dfa
SHA1 05b43db2db765adca55addb8e6ee5c585e2bb7ff
SHA256 7c60d51862825d785a3970eb3f6b25327cbedf242698c0b3b6dd6bea42c99d04
SHA512 8a902c01e43c4e8f9be5abb118ceb8a28821a0f07c007a0760dc1003875cbe1dfe5bf04cda8075ee8ce07e8dd21ff1268ee67646fdb7d3648b418023efaa9855
-
memory/752-0-0x0000000000400000-0x0000000000496000-memory.dmp
Filesize 600KB
-
memory/4784-39-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmp
Filesize 64KB
-
memory/4784-38-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmp
Filesize 64KB
-
memory/4784-36-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmp
Filesize 64KB
-
memory/4784-37-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmp
Filesize 64KB
-
memory/4784-40-0x00007FFEA7650000-0x00007FFEA7660000-memory.dmp
Filesize 64KB
-
memory/4784-35-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmp
Filesize 64KB
-
memory/4784-43-0x00007FFEA7650000-0x00007FFEA7660000-memory.dmp
Filesize 64KB
-
memory/4784-614-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmp
Filesize 64KB
-
memory/4784-613-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmp
Filesize 64KB
-
memory/4784-615-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmp
Filesize 64KB
-
memory/4784-616-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmp
Filesize 64KB