Analysis
max time kernel: 149s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-05-2024 03:35

Static task: static1
Behavioral task: behavioral1
  Sample: 6d36a2d556802fde6ac418942073e3f8_JaffaCakes118.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 6d36a2d556802fde6ac418942073e3f8_JaffaCakes118.exe
  Resource: win10v2004-20240508-en

General
Target: 6d36a2d556802fde6ac418942073e3f8_JaffaCakes118.exe
Size: 512KB
MD5: 6d36a2d556802fde6ac418942073e3f8
SHA1: c4783854bb3d66bbbda9ccf74ae8f031d81a8763
SHA256: aab8019800b261ed759734dc7ea823e7bdc7e8ebe3396854114f3bd07f888d94
SHA512: 7a394480492c6d0bfbcd8da780c42327fbe9f41ab2f2b5d73548aba9954c5eb24d23cd95d7310baf3adfc902ac0527cc65f0d5fdccb397623f2e5bb6cb59ac18
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6H:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5O
Signatures
-
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
Processes: fkipmrrxcv.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | fkipmrrxcv.exe
-
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
Processes: fkipmrrxcv.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | fkipmrrxcv.exe
-
Windows security bypass (5 IoCs)
Processes: fkipmrrxcv.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | fkipmrrxcv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | fkipmrrxcv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | fkipmrrxcv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | fkipmrrxcv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | fkipmrrxcv.exe
-
Disables RegEdit via registry modification (1 IoC)
Processes: fkipmrrxcv.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | fkipmrrxcv.exe
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: 6d36a2d556802fde6ac418942073e3f8_JaffaCakes118.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | 6d36a2d556802fde6ac418942073e3f8_JaffaCakes118.exe
-
Executes dropped EXE (5 IoCs)
Processes: fkipmrrxcv.exe, onsgklkcswujdln.exe, sqnakcjo.exe, pttwipeqnwcoy.exe, sqnakcjo.exe
pid | process
4752 | fkipmrrxcv.exe
2728 | onsgklkcswujdln.exe
1140 | sqnakcjo.exe
3552 | pttwipeqnwcoy.exe
3676 | sqnakcjo.exe
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification (6 IoCs)
Processes: fkipmrrxcv.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | fkipmrrxcv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | fkipmrrxcv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | fkipmrrxcv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | fkipmrrxcv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | fkipmrrxcv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | fkipmrrxcv.exe
-
Adds Run key to start application (2 TTPs, 3 IoCs)
Processes: onsgklkcswujdln.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ykrqqvle = "fkipmrrxcv.exe" | onsgklkcswujdln.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\elpgsqoe = "onsgklkcswujdln.exe" | onsgklkcswujdln.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ (default value) = "pttwipeqnwcoy.exe" | onsgklkcswujdln.exe
-
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: fkipmrrxcv.exe, sqnakcjo.exe, sqnakcjo.exe
description | ioc | process
File opened (read-only) | \??\a: \??\b: \??\e: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\o: \??\p: \??\q: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z: (23 entries) | fkipmrrxcv.exe
File opened (read-only) | \??\a: \??\b: \??\e: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\n: \??\o: \??\p: \??\s: \??\t: \??\u: \??\w: \??\x: \??\y: \??\z: (each listed twice) and \??\m: \??\q: \??\r: (each listed once); 41 entries | sqnakcjo.exe (two instances)
-
Modifies WinLogon (2 TTPs, 2 IoCs)
Processes: fkipmrrxcv.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | fkipmrrxcv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" (0xFFFFFF9D) | fkipmrrxcv.exe
-
AutoIT Executable (9 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/2228-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
C:\Windows\SysWOW64\onsgklkcswujdln.exe | autoit_exe
C:\Windows\SysWOW64\fkipmrrxcv.exe | autoit_exe
C:\Windows\SysWOW64\sqnakcjo.exe | autoit_exe
C:\Windows\SysWOW64\pttwipeqnwcoy.exe | autoit_exe
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | autoit_exe
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | autoit_exe
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | autoit_exe
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | autoit_exe
-
Drops file in System32 directory (12 IoCs)
Processes: 6d36a2d556802fde6ac418942073e3f8_JaffaCakes118.exe, sqnakcjo.exe, sqnakcjo.exe, fkipmrrxcv.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\onsgklkcswujdln.exe | 6d36a2d556802fde6ac418942073e3f8_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\pttwipeqnwcoy.exe | 6d36a2d556802fde6ac418942073e3f8_JaffaCakes118.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | sqnakcjo.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | sqnakcjo.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | sqnakcjo.exe
File created | C:\Windows\SysWOW64\fkipmrrxcv.exe | 6d36a2d556802fde6ac418942073e3f8_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\fkipmrrxcv.exe | 6d36a2d556802fde6ac418942073e3f8_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\onsgklkcswujdln.exe | 6d36a2d556802fde6ac418942073e3f8_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\sqnakcjo.exe | 6d36a2d556802fde6ac418942073e3f8_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\sqnakcjo.exe | 6d36a2d556802fde6ac418942073e3f8_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\pttwipeqnwcoy.exe | 6d36a2d556802fde6ac418942073e3f8_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | fkipmrrxcv.exe
-
Drops file in Program Files directory (15 IoCs)
Processes: sqnakcjo.exe, sqnakcjo.exe
description | ioc | process
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | sqnakcjo.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | sqnakcjo.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | sqnakcjo.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | sqnakcjo.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | sqnakcjo.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | sqnakcjo.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | sqnakcjo.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | sqnakcjo.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | sqnakcjo.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | sqnakcjo.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | sqnakcjo.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | sqnakcjo.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | sqnakcjo.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | sqnakcjo.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | sqnakcjo.exe
-
Drops file in Windows directory (19 IoCs)
Processes: sqnakcjo.exe, sqnakcjo.exe, WINWORD.EXE, 6d36a2d556802fde6ac418942073e3f8_JaffaCakes118.exe
description | ioc | process
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | sqnakcjo.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | sqnakcjo.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | sqnakcjo.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | sqnakcjo.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | sqnakcjo.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | sqnakcjo.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | sqnakcjo.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | sqnakcjo.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | sqnakcjo.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | sqnakcjo.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | sqnakcjo.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | sqnakcjo.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | sqnakcjo.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | sqnakcjo.exe
File opened for modification | C:\Windows\mydoc.rtf | 6d36a2d556802fde6ac418942073e3f8_JaffaCakes118.exe
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | sqnakcjo.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | sqnakcjo.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
-
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: WINWORD.EXE
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
-
Modifies registry class (20 IoCs)
Processes: fkipmrrxcv.exe, 6d36a2d556802fde6ac418942073e3f8_JaffaCakes118.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | fkipmrrxcv.exe
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | 6d36a2d556802fde6ac418942073e3f8_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1845C67D14E2DAC7B9BE7FE5ED9134CC" | 6d36a2d556802fde6ac418942073e3f8_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | fkipmrrxcv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ (default value) = "txtfile" | fkipmrrxcv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8EFC834F5F826F9131D65C7D90BC97E13C584067446331D69D" | 6d36a2d556802fde6ac418942073e3f8_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0816BC5FF6622D9D108D1A88A759116" | 6d36a2d556802fde6ac418942073e3f8_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ (default value) = "txtfile" | fkipmrrxcv.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | fkipmrrxcv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ (default value) = "txtfile" | fkipmrrxcv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ (default value) = "txtfile" | fkipmrrxcv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABAFABAFE11F1E7837B3B3686E93992B38C038842140333E1CA42EC08A4" | 6d36a2d556802fde6ac418942073e3f8_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33452C0A9C2082246A3177D277242DD67DF665DF" | 6d36a2d556802fde6ac418942073e3f8_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB1B02B47E039E353C5BAD1329FD7C9" | 6d36a2d556802fde6ac418942073e3f8_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | fkipmrrxcv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ (default value) = "txtfile" | fkipmrrxcv.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | fkipmrrxcv.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | fkipmrrxcv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ (default value) = "txtfile" | fkipmrrxcv.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 6d36a2d556802fde6ac418942073e3f8_JaffaCakes118.exe
-
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes: WINWORD.EXE
pid | process | occurrences
2720 | WINWORD.EXE | 2
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: 6d36a2d556802fde6ac418942073e3f8_JaffaCakes118.exe, fkipmrrxcv.exe, onsgklkcswujdln.exe, pttwipeqnwcoy.exe, sqnakcjo.exe, sqnakcjo.exe
pid | process | occurrences
2228 | 6d36a2d556802fde6ac418942073e3f8_JaffaCakes118.exe | 16
4752 | fkipmrrxcv.exe | 10
2728 | onsgklkcswujdln.exe | 10
3552 | pttwipeqnwcoy.exe | 12
1140 | sqnakcjo.exe | 8
3676 | sqnakcjo.exe | 8
-
Suspicious use of FindShellTrayWindow (18 IoCs)
Processes: 6d36a2d556802fde6ac418942073e3f8_JaffaCakes118.exe, fkipmrrxcv.exe, onsgklkcswujdln.exe, pttwipeqnwcoy.exe, sqnakcjo.exe, sqnakcjo.exe
pid | process | occurrences
2228 | 6d36a2d556802fde6ac418942073e3f8_JaffaCakes118.exe | 3
4752 | fkipmrrxcv.exe | 3
2728 | onsgklkcswujdln.exe | 3
3552 | pttwipeqnwcoy.exe | 3
1140 | sqnakcjo.exe | 3
3676 | sqnakcjo.exe | 3
-
Suspicious use of SendNotifyMessage (18 IoCs)
Processes: 6d36a2d556802fde6ac418942073e3f8_JaffaCakes118.exe, fkipmrrxcv.exe, onsgklkcswujdln.exe, pttwipeqnwcoy.exe, sqnakcjo.exe, sqnakcjo.exe
pid | process | occurrences
2228 | 6d36a2d556802fde6ac418942073e3f8_JaffaCakes118.exe | 3
4752 | fkipmrrxcv.exe | 3
2728 | onsgklkcswujdln.exe | 3
3552 | pttwipeqnwcoy.exe | 3
1140 | sqnakcjo.exe | 3
3676 | sqnakcjo.exe | 3
-
Suspicious use of SetWindowsHookEx (7 IoCs)
Processes: WINWORD.EXE
pid | process | occurrences
2720 | WINWORD.EXE | 7
-
Suspicious use of WriteProcessMemory (17 IoCs)
Processes: 6d36a2d556802fde6ac418942073e3f8_JaffaCakes118.exe, fkipmrrxcv.exe
description | pid | process | target process
PID 2228 wrote to memory of 4752 (3 times) | 2228 | 6d36a2d556802fde6ac418942073e3f8_JaffaCakes118.exe | fkipmrrxcv.exe
PID 2228 wrote to memory of 2728 (3 times) | 2228 | 6d36a2d556802fde6ac418942073e3f8_JaffaCakes118.exe | onsgklkcswujdln.exe
PID 2228 wrote to memory of 1140 (3 times) | 2228 | 6d36a2d556802fde6ac418942073e3f8_JaffaCakes118.exe | sqnakcjo.exe
PID 2228 wrote to memory of 3552 (3 times) | 2228 | 6d36a2d556802fde6ac418942073e3f8_JaffaCakes118.exe | pttwipeqnwcoy.exe
PID 4752 wrote to memory of 3676 (3 times) | 4752 | fkipmrrxcv.exe | sqnakcjo.exe
PID 2228 wrote to memory of 2720 (2 times) | 2228 | 6d36a2d556802fde6ac418942073e3f8_JaffaCakes118.exe | WINWORD.EXE
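The registry IoCs in the signatures above translate directly into host-based detection logic. The following Python is an added example, not part of the Triage report and not the sample's own code: it normalises registry paths the way Triage (\REGISTRY\MACHINE\..., \REGISTRY\USER\<SID>\...) and Sysmon (HKLM\..., HKU\<SID>\...) each spell them, strips the WOW6432Node redirection that a 32-bit writer introduces, and then matches constructed Sysmon Event ID 13 (registry value set) records against the value names and data the report lists: HideFileExt, ShowSuperHidden, DisableRegistryTools, the Security Center overrides, SFCScan/SFCDisable, the Run entries, and the .bat/.vbs/.wsf/.reg handler rewrites to txtfile. The event records, the two benign control events, and the image paths inside them are constructed for the example; the signature names are the report's.

```python
"""Match registry 'value set' events against the registry IoCs in the Signatures
section above. Added example, not Triage's code or output: SAMPLE_EVENTS is
constructed to mirror the Image / TargetObject / Details fields of a Sysmon
Event ID 13 (RegistryEvent: value set), with key paths and data transcribed from
the report plus two benign controls that must not match."""
import re

# Hive prefixes to strip; HKU\<SID>_Classes mirrors HKLM\SOFTWARE\Classes and is
# rewritten to that prefix instead of being dropped.
_HIVE_RE = re.compile(
    r"^(?:\\registry\\machine|hkey_local_machine|hklm|hkey_current_user|hkcu"
    r"|(?:\\registry\\user|hkey_users|hku)\\s-1-5-[0-9-]+(?P<classes>_classes)?)\\")
_DWORD_RE = re.compile(r"^dword \((0x[0-9a-f]+)\)$", re.IGNORECASE)


def normalize_key(path: str) -> str:
    """Lower-case; drop the hive/SID prefix, the WOW6432Node redirection segment and
    a Sysmon-style trailing '(Default)', so Triage's and Sysmon's spellings agree."""
    p = path.strip().lower()
    m = _HIVE_RE.match(p)
    if m:
        p = ("software\\classes\\" if m.group("classes") else "") + p[m.end():]
    p = p.replace("\\wow6432node\\", "\\")
    if p.endswith("\\(default)"):
        p = p[: -len("(default)")]  # keep the trailing backslash, as Triage prints it
    return p


def parse_details(details: str):
    """Sysmon logs numeric data as 'DWORD (0x00000001)'; Triage prints the decimal
    in quotes ("4294967197"). Return an int for either form, else the string."""
    d = details.strip().strip('"')
    m = _DWORD_RE.match(d)
    return int(m.group(1), 16) if m else (int(d) if d.isdigit() else d)


def dword_to_signed(value: int) -> int:
    """Read a DWORD as signed 32-bit: SFCDisable = "4294967197" is 0xFFFFFF9D = -99."""
    value &= 0xFFFFFFFF
    return value - 0x1_0000_0000 if value & 0x8000_0000 else value


_EXPLORER = "software\\microsoft\\windows\\currentversion\\explorer\\advanced\\"
_WINLOGON = "software\\microsoft\\windows nt\\currentversion\\winlogon\\"
_RUN = "software\\microsoft\\windows\\currentversion\\run\\"
_SCRIPT_EXT_RE = re.compile(r"^software\\classes\\\.(bat|cmd|reg|vbs|vbe|js|jse|wsf|wsh|wsc)\\$")

# normalised value path -> (report signature, expected data or predicate on it)
VALUE_RULES = {
    _EXPLORER + "hidefileext": ("Modifies visibility of file extensions in Explorer", 1),
    _EXPLORER + "showsuperhidden": ("Modifies visibility of hidden/system files in Explorer", 0),
    "software\\microsoft\\windows\\currentversion\\policies\\system\\disableregistrytools":
        ("Disables RegEdit via registry modification", 1),
    _WINLOGON + "sfcscan": ("Modifies WinLogon", 0),
    _WINLOGON + "sfcdisable": ("Modifies WinLogon", lambda v: isinstance(v, int) and v != 0),
}
for _name in ("antivirusoverride", "antivirusdisablenotify", "firewalloverride",
              "firewalldisablenotify", "updatesdisablenotify", "firstrundisabled"):
    VALUE_RULES["software\\microsoft\\security center\\" + _name] = ("Windows security modification", 1)


def match_event(event: dict):
    """Return (signature, detail) when the event reproduces a report IoC, else None."""
    key = normalize_key(event["TargetObject"])
    data = parse_details(event.get("Details", ""))
    if key in VALUE_RULES:
        signature, expected = VALUE_RULES[key]
        hit = expected(data) if callable(expected) else data == expected
        return (signature, f"{key} = {data!r}") if hit else None
    if key.startswith(_RUN) and isinstance(data, str) and "\\" not in data:
        # Run data that is a bare file name ("fkipmrrxcv.exe") is resolved via the search path.
        return "Adds Run key to start application", f"{key} = {data!r}"
    if _SCRIPT_EXT_RE.match(key) and isinstance(data, str) and data.lower() == "txtfile":
        # .bat/.vbs/.reg/.wsf... handlers re-pointed at txtfile: a double-click opens Notepad.
        return "Modifies registry class", f"{key} = {data!r}"
    return None


def classify(events):
    """Group matching events by report signature: {signature: [(image, detail), ...]}."""
    hits = {}
    for ev in events:
        m = match_event(ev)
        if m:
            hits.setdefault(m[0], []).append((ev.get("Image", "?"), m[1]))
    return hits


_U = r"HKU\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion"
_MAL = r"C:\Windows\SysWOW64\fkipmrrxcv.exe"
SAMPLE_EVENTS = [  # constructed records; paths and data transcribed from the report
    {"Image": _MAL, "TargetObject": _U + r"\Explorer\Advanced\HideFileExt", "Details": "DWORD (0x00000001)"},
    {"Image": _MAL, "TargetObject": _U + r"\Explorer\Advanced\ShowSuperHidden", "Details": "DWORD (0x00000000)"},
    {"Image": _MAL, "TargetObject": _U + r"\Policies\System\DisableRegistryTools", "Details": "DWORD (0x00000001)"},
    {"Image": _MAL, "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride", "Details": "DWORD (0x00000001)"},
    {"Image": _MAL, "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable", "Details": "DWORD (0xFFFFFF9D)"},
    {"Image": _MAL, "TargetObject": r"HKLM\SOFTWARE\Classes\.vbs\(Default)", "Details": "txtfile"},
    {"Image": r"C:\Windows\SysWOW64\onsgklkcswujdln.exe", "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ykrqqvle", "Details": "fkipmrrxcv.exe"},
    # benign controls: a user turning extensions back on; an installer's Run entry with a full path
    {"Image": r"C:\Windows\explorer.exe", "TargetObject": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt", "Details": "DWORD (0x00000000)"},
    {"Image": r"C:\Program Files\Vendor\setup.exe", "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vendor", "Details": r"C:\Program Files\Vendor\agent.exe"},
]
```

Two caveats when turning this into an alert. HideFileExt = 1 and ShowSuperHidden = 0 are the Windows defaults, so on their own they are noise; treat them as corroboration and weight the Security Center overrides, DisableRegistryTools and the script-handler rewrites, which ordinary software does not write. The SFCDisable data 4294967197 is 0xFFFFFF9D, the signed value -99, which is why `dword_to_signed` is included: Triage prints DWORDs as unsigned decimals, and a rule that compares against the signed form would miss it.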
Processes
-
C:\Users\Admin\AppData\Local\Temp\6d36a2d556802fde6ac418942073e3f8_JaffaCakes118.exe (tree depth 1)
command line: "C:\Users\Admin\AppData\Local\Temp\6d36a2d556802fde6ac418942073e3f8_JaffaCakes118.exe"
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\fkipmrrxcv.exe (tree depth 2)
command line: fkipmrrxcv.exe
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sqnakcjo.exe (tree depth 3)
command line: C:\Windows\system32\sqnakcjo.exe (the 32-bit parent's System32 path is redirected by WOW64 to SysWOW64, where the file was dropped)
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\onsgklkcswujdln.exe (tree depth 2)
command line: onsgklkcswujdln.exe
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\sqnakcjo.exe (tree depth 2)
command line: sqnakcjo.exe
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\pttwipeqnwcoy.exe (tree depth 2)
command line: pttwipeqnwcoy.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (tree depth 2)
command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (1), Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (1), Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2): Hidden Files and Directories (2)
- Modify Registry (6)
- Impair Defenses (2): Disable or Modify Tools (2)
Downloads
-
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
Filesize: 512KB
MD5: 5a11e887c1ffb0f47e4014168b4f22c0
SHA1: e8ed110bc8aae925f9ee778d8401615661d08054
SHA256: 86bfb0b2c3f963cb493b4ac2492ef397092d6817a5ded435ae6227a4d0832b1d
SHA512: 9b6f470b1bd810cc4d891da4de519a9d2caad39aad6f60734a3f3fe3f97e7d1d81dbd05627cc486ecab9c553010b25960297f4afd34d3a25dc80bd2e0e2a48bb
-
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
Filesize: 512KB
MD5: 2bc42b3471d8f7c1d2c579964661b523
SHA1: 1fadbab0be92b0805c3ab893a7b558f7f813d3c3
SHA256: d1cf203db3ac9135dc1fd51820fbe7f541626d1c896b5506ff2d3873a689d9b5
SHA512: 8eae90da9c4cd3af7688caabf945215124968376aad8c27440c8f12d83dba80ed1f07928dc76a3bab72e4c39b786bcc393056a0ae2eb824f8197717a460284ac
-
C:\Users\Admin\AppData\Local\Temp\TCD94F6.tmp\gb.xsl
Filesize: 262KB
MD5: 51d32ee5bc7ab811041f799652d26e04
SHA1: 412193006aa3ef19e0a57e16acf86b830993024a
SHA256: 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA512: 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810
-
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Filesize: 239B
MD5: 23c9eabd2971eacb88577426fe8cfc12
SHA1: 03054a57d3677239ec518910ab0e3f30f31bbfe6
SHA256: a5f12211dba74c73a63363fee798190acc6cd694009de55b5296c5de76f0ed36
SHA512: f720af2df75ed505d6b80da3e31501787a575a60fa59fdff52a6b96629296a0a382b79ae512fdf4eaf19542abced5c68adcb5287e3e60e3a55880e667bc7ba28
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: 6ddc763a50792db9e048d21a22e1445f
SHA1: cab010f809766d47294bf281f0d5660a3e465f90
SHA256: cf2add00ca9065faec68d3f80558fcdf2350e9db81a8549b23a242a49b1774bd
SHA512: a41e1646c569239492df7a2fc80171ce6ab9e9553a58b642b939707d296aa8c726bdb3325a8159a833bcb9d8f07eecb66340d3df9a18475ebbebdfe3f455328f
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: 9d886526dd250398938df6e3cf5e9512
SHA1: 7e77c1931fbf6f62ad1bb7953cd90560a6a8c90b
SHA256: 5d21f3c454c49c238c0adbea7ffe76a4c0d05d598b609e5b2cfca7cd6c82b2e0
SHA512: aa7b42f8234d79346a2dec839ae35aad19020872c57b99d7061dea1e0358af42b3339c739c38282062082a608b9379151cb9b213738e818e924904b63b5f8da9
-
C:\Windows\SysWOW64\fkipmrrxcv.exe
Filesize: 512KB
MD5: 6af7acdf56bec917d27fb69df128ae6a
SHA1: 98440c65ea40a1a8ee0e3e40fea75368f2109221
SHA256: 20c1bfff8e6b44e7c0f0a40b12564cf3bf4faa94f32558ac67ac08c04fb27b47
SHA512: 5a6b7bf641248c581a626f356cacd0505429220ce8b82d888cd1ce9901e026df4e2857da68bbd01b5ee39a1d052c415f5c5de1dc555aa7dc66ab82e458b8c900
-
C:\Windows\SysWOW64\onsgklkcswujdln.exe
Filesize: 512KB
MD5: 61e57aad95ccb2c0434a0f444bc2f901
SHA1: 7e9d5801f3f8f4dbd69d0dc3238175e5ce1fc7f9
SHA256: c9ff6bc34273b138886229da3c62559e3e1b094bb4c6162e0b6af8875f387121
SHA512: 36ac91332c1970160376753c4baa5358de4cbee858e4897c7fcf12adc092b5c993d23beacadaabe87363f8d08824430aca289286a0baf1b02b0400fe635c510e
-
C:\Windows\SysWOW64\pttwipeqnwcoy.exe
Filesize: 512KB
MD5: f406eba5319dd00c4b4a8aaae1656963
SHA1: eb7cc3297a1350baef21e74f83c606eb02ba283f
SHA256: 4c41d2130c72de01abef3b648ec0af64e2a023e49bfdeb665abc4e12e978de9c
SHA512: f3c6f57d3364baaf5156c1f7dbfd2311ff80575a6859645c891e0cb83a5af90dc39480d4b61c95fdcea7f8bf26a1846c3c9479d7f13fbc65129655242299969c
-
C:\Windows\SysWOW64\sqnakcjo.exe
Filesize: 512KB
MD5: 41252cd5f1e5aec52321dcd973059e23
SHA1: 896d0eec9edc4fc3fd4edeef42df861198d48601
SHA256: 6b6535f1b7e1245328fa947b1b92399314446c73ba799ae4e59fcc715391537a
SHA512: 01c573fd3f9de862a3a00258270c1c311f1f18ba203405a778239361dfb2ffe766a33f14f6cbb489608ec7a7b0040fa2c66079a8b3967ceba52593a4281c031c
-
C:\Windows\mydoc.rtf
Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
Filesize: 512KB
MD5: 35c43194d68814672829fff4325c2c8f
SHA1: a2c6c2e1addb6efbd506cafa57062bcd77dc5736
SHA256: 29a8dc3c4532d15abac97fe7da3df6ebbddb418c72ef0cd25f3874ff8de149ca
SHA512: ab850e02475f7176e1b0e478091c0349f603520e4471d8cbc5311cb944190857e2743df1034f03c014eaa87e2fcfa739f302a1ec5478a52fbc2dd3aec983987e
-
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
Filesize: 512KB
MD5: 879185ef9af1410695dde3b0e5d6586d
SHA1: 2533c5a02dfdb630d79905868a2e06af3ea184d9
SHA256: f79dcef04a0d11cf76454df1060f639bdfad69289c152a4c662596067d6ae0ea
SHA512: 31f2d2d1bafd42baf54b0880efddf7e6d6ebe62597b2b976b09867e98f822a8ecc0cc4d4d0bb937d0c658c9e704b95780f027e1e4c523d7e264fad5eb4deb660
-
memory/2228-0-0x0000000000400000-0x0000000000496000-memory.dmp
Filesize: 600KB
-
memory/2720-41-0x00007FF8C2950000-0x00007FF8C2960000-memory.dmp
Filesize: 64KB
-
memory/2720-40-0x00007FF8C2950000-0x00007FF8C2960000-memory.dmp
Filesize: 64KB
-
memory/2720-38-0x00007FF8C2950000-0x00007FF8C2960000-memory.dmp
Filesize: 64KB
-
memory/2720-39-0x00007FF8C2950000-0x00007FF8C2960000-memory.dmp
Filesize: 64KB
-
memory/2720-37-0x00007FF8C2950000-0x00007FF8C2960000-memory.dmp
Filesize: 64KB
-
memory/2720-43-0x00007FF8C0600000-0x00007FF8C0610000-memory.dmp
Filesize: 64KB
-
memory/2720-42-0x00007FF8C0600000-0x00007FF8C0610000-memory.dmp
Filesize: 64KB
-
memory/2720-601-0x00007FF8C2950000-0x00007FF8C2960000-memory.dmp
Filesize: 64KB
-
memory/2720-602-0x00007FF8C2950000-0x00007FF8C2960000-memory.dmp
Filesize: 64KB
-
memory/2720-600-0x00007FF8C2950000-0x00007FF8C2960000-memory.dmp
Filesize: 64KB
-
memory/2720-603-0x00007FF8C2950000-0x00007FF8C2960000-memory.dmp
Filesize: 64KB
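Three of the dropped executables listed above carry a document name with an executable extension appended (PROTTPLN.DOC.exe, PROTTPLV.DOC.exe, MsoIrmProtector.doc.exe), and the same run sets HideFileExt = 1, under which Explorer shows PROTTPLN.DOC.exe as "PROTTPLN.DOC". The Python below is an added example, not Triage output and not the sample's own code: it walks a directory tree, flags document-named executables, confirms the PE header, and reports a same-folder companion that shares the base name. The directory tree it scans is constructed inside build_sample_tree() to mirror the report's file names with header-only contents; treating a .nal file as a companion is an assumption drawn from PROTTPLN.nal and PROTTPLV.nal being modified beside the .DOC.exe files, since the report does not say what the .nal files contain.

```python
"""Hunt for executables masquerading as documents, the pattern this report shows
in Program Files (PROTTPLN.DOC.exe, PROTTPLV.DOC.exe) and MSDRM (MsoIrmProtector.doc.exe).
Added example, not Triage output or the sample's own code: build_sample_tree()
creates a constructed tree mirroring those names, and the '.nal' companion check
is an assumption taken from PROTTPLN.nal / PROTTPLV.nal being modified beside them."""
import os
import tempfile
from dataclasses import dataclass, field

DOCUMENT_EXTS = {".doc", ".docx", ".rtf", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt"}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".wsf"}
COMPANION_EXTS = {".nal"}  # assumption, see module docstring


@dataclass
class Finding:
    path: str
    displayed_as: str          # name Explorer shows once HideFileExt = 1 is set
    inner_ext: str
    outer_ext: str
    is_pe: bool
    companions: list = field(default_factory=list)


def displayed_name(filename: str) -> str:
    """With HideFileExt = 1 Explorer hides only the final extension, so the
    dropped 'PROTTPLN.DOC.exe' is listed as 'PROTTPLN.DOC'."""
    stem, ext = os.path.splitext(filename)
    return stem if ext else filename


def split_double_extension(filename: str):
    """Return (inner, outer) lower-cased for document-named executables such as
    'X.DOC.exe'; None for ordinary names like 'setup.exe' or 'archive.tar.gz'."""
    stem, outer = os.path.splitext(filename)
    inner = os.path.splitext(stem)[1]
    if inner.lower() in DOCUMENT_EXTS and outer.lower() in EXECUTABLE_EXTS:
        return inner.lower(), outer.lower()
    return None


def is_pe_file(path: str) -> bool:
    """Cheap header check: a PE image starts with the 'MZ' DOS-stub magic."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False


def find_masquerades(root: str):
    """Walk root and report each document-named executable together with any
    same-folder companion sharing its base name (PROTTPLN.DOC.exe + PROTTPLN.nal)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            parts = split_double_extension(name)
            if parts is None:
                continue
            inner, outer = parts
            base = name[: -(len(inner) + len(outer))]
            companions = [f for f in files if f != name
                          and os.path.splitext(f)[0] == base
                          and os.path.splitext(f)[1].lower() in COMPANION_EXTS]
            full = os.path.join(dirpath, name)
            findings.append(Finding(full, displayed_name(name), inner, outer,
                                    is_pe_file(full), sorted(companions)))
    return findings


def build_sample_tree() -> str:
    """Constructed fixture mirroring the report's dropped-file names plus benign
    controls; contents are only file-format headers, not the real samples."""
    root = tempfile.mkdtemp(prefix="masq_")
    office = "Program Files/Microsoft Office/root/Office16/1033/"
    layout = {
        office + "PROTTPLN.DOC.exe": b"MZ\x90\x00",
        office + "PROTTPLN.nal": b"\xd0\xcf\x11\xe0",  # OLE2 magic; the real .nal content is not shown in the report
        office + "PROTTPLV.DOC.exe": b"MZ\x90\x00",
        office + "PROTTPLV.nal": b"\xd0\xcf\x11\xe0",
        "Windows/SysWOW64/MSDRM/MsoIrmProtector.doc.exe": b"MZ\x90\x00",
        "Users/Admin/Documents/report.docx": b"PK\x03\x04",      # benign
        "Users/Admin/Downloads/setup.exe": b"MZ\x90\x00",         # benign: single extension
        "Users/Admin/Downloads/archive.tar.gz": b"\x1f\x8b",      # benign: double, non-executable
    }
    for rel, content in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for f in find_masquerades(build_sample_tree()):
        print(f"{f.path}  shown as '{f.displayed_as}'  PE={f.is_pe}  companions={f.companions}")
```

On a live host, point find_masquerades at the Office root and SysWOW64 rather than a fixture, and compare each hit's hash against the Downloads list above; the three document-named files in this run are all 512KB with distinct hashes, so the names and the HideFileExt change, not a single hash, are the durable indicators.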