Analysis
max time kernel: 149s
max time network: 137s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-05-2024 13:22

Static task: static1
Behavioral task: behavioral1
  Sample: 6ea7489aa08bee41cef6386d5a73435e_JaffaCakes118.exe
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: 6ea7489aa08bee41cef6386d5a73435e_JaffaCakes118.exe
  Resource: win10v2004-20240426-en

The signatures, process tree, dropped files and memory dumps below come from behavioral2, the Windows 10 2004 x64 run: that is the platform listed above, and the memory-dump path in the AutoIT signature carries the "behavioral2/" prefix.
General
Target: 6ea7489aa08bee41cef6386d5a73435e_JaffaCakes118.exe
Size: 512KB
MD5: 6ea7489aa08bee41cef6386d5a73435e
SHA1: 0644d2bbad493521b8122cb7c7942f00d3de7828
SHA256: 521a832c8004a78a7577237e9b82a558793e0f5ce759a2456b3345430213c0d8
SHA512: 4fa5049bc4a1eff9d221af11fb7e7a1ecef53c058548df930e9c890ebd66efaa931a0025f7d64a4396ebb77a2627bf37c9753e148a066e055a5dd8ca70f32142
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6/:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm54
Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
Processes: hfhqhumoig.exe
Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" hfhqhumoig.exe

Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes: hfhqhumoig.exe
Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" hfhqhumoig.exe
These two values are what make the double-extension drops listed further down work: with HideFileExt = 1 Explorer shows InitializeRead.doc.exe as "InitializeRead.doc", and with ShowSuperHidden = 0 it hides files carrying the hidden+system attributes (the report does not record which attributes the dropped files were given). Both are per-user values under the sandbox user's SID, so on a real host check every profile, not just the one that ran the sample.

Windows security bypass 5 IoCs
Processes: hfhqhumoig.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" hfhqhumoig.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" hfhqhumoig.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" hfhqhumoig.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" hfhqhumoig.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" hfhqhumoig.exe
hfhqhumoig.exe is a 32-bit process, so WOW64 registry redirection placed these values under HKLM\SOFTWARE\WOW6432Node\Microsoft\Security Center rather than under the native 64-bit key. Treat them as evidence of intent (and as a clean detection), not as proof that Security Center on the 64-bit sandbox image honoured them.

Disables RegEdit via registry modification 1 IoCs
Processes: hfhqhumoig.exe
Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" hfhqhumoig.exe
This per-user policy blocks regedit.exe for that account, including the double-click import of .reg files. It does not govern reg.exe or the PowerShell registry provider, so remediation from an elevated shell still works.
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence.
Processes: 6ea7489aa08bee41cef6386d5a73435e_JaffaCakes118.exe
Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation 6ea7489aa08bee41cef6386d5a73435e_JaffaCakes118.exe
The run used an en-us image; the report does not show what the sample does with the value, so a different locale could change the behaviour recorded below.
Executes dropped EXE 5 IoCs
Processes: hfhqhumoig.exe, khfiqdyeukvaukt.exe, ttaardcn.exe, pwvyogfgwhviy.exe, ttaardcn.exe
PID 2016 hfhqhumoig.exe
PID 1368 khfiqdyeukvaukt.exe
PID 5092 ttaardcn.exe
PID 4192 pwvyogfgwhviy.exe
PID 4184 ttaardcn.exe
All four binaries are 512KB AutoIt-compiled executables that the submitted sample wrote to C:\Windows\SysWOW64 (see "Drops file in System32 directory" and the AutoIT signature). ttaardcn.exe runs twice: once started by the sample (PID 5092) and once by hfhqhumoig.exe (PID 4184).
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
(no IoCs are listed for this signature)

Windows security modification 6 IoCs
Processes: hfhqhumoig.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" hfhqhumoig.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" hfhqhumoig.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" hfhqhumoig.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" hfhqhumoig.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" hfhqhumoig.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" hfhqhumoig.exe
The same WOW6432Node caveat as under "Windows security bypass" applies; FirstRunDisabled is the only value not already listed there.
Adds Run key to start application 2 TTPs 3 IoCs
Processes: khfiqdyeukvaukt.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tzyeraok = "hfhqhumoig.exe" khfiqdyeukvaukt.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rnkpmoxs = "khfiqdyeukvaukt.exe" khfiqdyeukvaukt.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "pwvyogfgwhviy.exe" khfiqdyeukvaukt.exe
Two details are useful for hunting: each value holds a bare file name with no directory (the copies live in C:\Windows\SysWOW64, so the entry only starts anything if that name resolves on the search path), and the third value is written to the Run key's unnamed default value, which is unusual for legitimate software. Unlike the Security Center writes above, Run entries under WOW6432Node are processed at logon on 64-bit Windows, so this persistence is real and the value names tzyeraok and rnkpmoxs are worth searching for.
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: ttaardcn.exe, hfhqhumoig.exe, ttaardcn.exe
Every entry is "File opened (read-only) \??\<letter>:" by one of the processes below. The report lists at most 64 entries, and repeated letters come from the two ttaardcn.exe instances (PIDs 5092 and 4184). Collapsed by process:
hfhqhumoig.exe: a: b: e: g: h: i: j: k: m: n: p: q: r: s: t: u: v: w: x: y: z: (21 entries)
ttaardcn.exe: a: b: e: g: h: i: j: k: l: m: n: o: p: q: r: s: t: u: v: w: x: y: z: (43 entries across the two instances)
Sweeping every drive letter is typical of malware that spreads by writing copies to every reachable volume; the drop lists below show where copies landed on C:, and the report records nothing about other volumes.
Modifies WinLogon 2 TTPs 2 IoCs
Processes: hfhqhumoig.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" hfhqhumoig.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" hfhqhumoig.exe
4294967197 is 0xFFFFFF9D, the value historically used to switch off Windows File Protection on Windows 2000 and XP. Windows 10 uses Windows Resource Protection, which does not read these values, and the write landed in the WOW6432Node view anyway, so this is legacy code in the sample rather than a working defence-evasion step on this image. It remains a precise detection signature.
AutoIT Executable 11 IoCs
AutoIT scripts compiled to PE executables.
Matches of YARA rule autoit_exe:
behavioral2/memory/1764-0-0x0000000000400000-0x0000000000496000-memory.dmp
C:\Windows\SysWOW64\khfiqdyeukvaukt.exe
C:\Windows\SysWOW64\hfhqhumoig.exe
C:\Windows\SysWOW64\ttaardcn.exe
C:\Windows\SysWOW64\pwvyogfgwhviy.exe
C:\Program Files\InitializeRead.doc.exe
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
C:\Users\Admin\Documents\ShowFind.doc.exe
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
The first match is the in-memory image of PID 1764, the submitted sample itself, so the dropper and every executable it writes are compiled AutoIt scripts. Recovering the script with an AutoIt decompiler is the quickest way to the full logic; the report does not include it.
Drops file in System32 directory 12 IoCs
Processes: 6ea7489aa08bee41cef6386d5a73435e_JaffaCakes118.exe, ttaardcn.exe, ttaardcn.exe, hfhqhumoig.exe
File opened for modification C:\Windows\SysWOW64\pwvyogfgwhviy.exe 6ea7489aa08bee41cef6386d5a73435e_JaffaCakes118.exe
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe ttaardcn.exe
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe ttaardcn.exe
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe ttaardcn.exe
File opened for modification C:\Windows\SysWOW64\khfiqdyeukvaukt.exe 6ea7489aa08bee41cef6386d5a73435e_JaffaCakes118.exe
File created C:\Windows\SysWOW64\pwvyogfgwhviy.exe 6ea7489aa08bee41cef6386d5a73435e_JaffaCakes118.exe
File created C:\Windows\SysWOW64\khfiqdyeukvaukt.exe 6ea7489aa08bee41cef6386d5a73435e_JaffaCakes118.exe
File created C:\Windows\SysWOW64\ttaardcn.exe 6ea7489aa08bee41cef6386d5a73435e_JaffaCakes118.exe
File opened for modification C:\Windows\SysWOW64\ttaardcn.exe 6ea7489aa08bee41cef6386d5a73435e_JaffaCakes118.exe
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll hfhqhumoig.exe
File created C:\Windows\SysWOW64\hfhqhumoig.exe 6ea7489aa08bee41cef6386d5a73435e_JaffaCakes118.exe
File opened for modification C:\Windows\SysWOW64\hfhqhumoig.exe 6ea7489aa08bee41cef6386d5a73435e_JaffaCakes118.exe
The sample ran from the user's Temp directory yet wrote into C:\Windows\SysWOW64, which only succeeds with administrative rights; the sandbox account is Admin. The open of msvbvm60.dll (the VB6 runtime) for modification has no matching entry in the dropped-file list, so the report does not show whether that file was actually changed.
Drops file in Program Files directory 21 IoCs
Processes: ttaardcn.exe, ttaardcn.exe
File opened for modification C:\Program Files\InitializeRead.doc.exe ttaardcn.exe
File opened for modification \??\c:\Program Files\InitializeRead.doc.exe ttaardcn.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe ttaardcn.exe
File created \??\c:\Program Files\InitializeRead.doc.exe ttaardcn.exe
File opened for modification C:\Program Files\InitializeRead.nal ttaardcn.exe
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe ttaardcn.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal ttaardcn.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe ttaardcn.exe
File opened for modification \??\c:\Program Files\InitializeRead.doc.exe ttaardcn.exe
File opened for modification C:\Program Files\InitializeRead.nal ttaardcn.exe
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe ttaardcn.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe ttaardcn.exe
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe ttaardcn.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal ttaardcn.exe
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe ttaardcn.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe ttaardcn.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal ttaardcn.exe
File opened for modification C:\Program Files\InitializeRead.doc.exe ttaardcn.exe
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe ttaardcn.exe
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe ttaardcn.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal ttaardcn.exe
The pattern is the same for every target: ttaardcn.exe creates <stem>.doc.exe and opens <stem>.nal for modification in the same directory, and each stem (InitializeRead, PROTTPLN, PROTTPLV, and MsoIrmProtector and ShowFind elsewhere) matches a .doc file that would already exist at that location. The report does not record what the .nal file holds; a plausible but unverified reading is that the original document is parked under the .nal name, which should be confirmed on the dropped files before it is stated as fact. Every <stem>.doc.exe listed under Downloads is 512KB, the size of the submitted sample, with a different hash each time.
Drops file in Windows directory 19 IoCs
Processes: ttaardcn.exe, ttaardcn.exe, WINWORD.EXE, 6ea7489aa08bee41cef6386d5a73435e_JaffaCakes118.exe
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe ttaardcn.exe
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe ttaardcn.exe
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe ttaardcn.exe
File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe ttaardcn.exe
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe ttaardcn.exe
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe ttaardcn.exe
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe ttaardcn.exe
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe ttaardcn.exe
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe ttaardcn.exe
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe ttaardcn.exe
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe ttaardcn.exe
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe ttaardcn.exe
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe ttaardcn.exe
File opened for modification C:\Windows\mydoc.rtf 6ea7489aa08bee41cef6386d5a73435e_JaffaCakes118.exe
File created C:\Windows\~$mydoc.rtf WINWORD.EXE
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe ttaardcn.exe
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe ttaardcn.exe
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe ttaardcn.exe
These rows record the file operations the sandbox saw, not whether they succeeded. WinSxS component directories are owned by TrustedInstaller, and none of the four WinSxS copies of MsoIrmProtector.doc.exe appears under Downloads, whereas the C:\Windows\SysWOW64\MSDRM copy does (twice, once per ttaardcn.exe instance). The two mydoc.rtf rows are the sample writing a 223-byte RTF and Word then opening it (the ~$mydoc.rtf owner file is Word's normal lock file), which is consistent with a decoy document shown to the user.
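The three drop lists above and the HideFileExt signature describe one pattern: a 512KB executable named <stem>.doc.exe written next to a <stem>.nal file, in directories where a document with that stem already lived. The hunt below, an added example that is not part of the report, walks a directory tree for that pattern, confirms the DOS "MZ" header, and reports the companion file when one is present. It generalises the report's .doc case to any document extension passed in; the directory tree it scans is constructed in a temporary folder with placeholder contents and only mirrors the paths the report lists, and the .nal file contents are not assumed.

```python
"""Hunt for the companion pattern in the drop lists above: an executable named
<stem>.doc.exe next to a <stem>.nal file. Added example with a constructed
directory tree; it is not the report's code and .nal contents are not assumed."""
import os
import tempfile
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Finding:
    path: str                 # the double-extension executable
    is_pe: bool               # file starts with the "MZ" DOS header
    companion: Optional[str]  # same-stem .nal file in the same directory, if any
    size: int


def starts_with_mz(path: str) -> bool:
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False


def hunt(root: str, inner_exts: Tuple[str, ...] = (".doc",),
         companion_ext: str = ".nal") -> List[Finding]:
    """Walk `root` and report every *<inner_ext>.exe (compared case-insensitively,
    as Windows does) together with its <stem><companion_ext> neighbour."""
    findings: List[Finding] = []
    for dirpath, _, names in os.walk(root):
        lower_to_real = {n.lower(): n for n in names}
        for name in names:
            low = name.lower()
            if not low.endswith(".exe"):
                continue
            # "initializeread.doc.exe" -> stem "initializeread", inner ".doc"
            stem, inner = os.path.splitext(low[:-len(".exe")])
            if inner not in inner_exts:
                continue
            full = os.path.join(dirpath, name)
            comp = lower_to_real.get(stem + companion_ext.lower())
            findings.append(Finding(
                path=full,
                is_pe=starts_with_mz(full),
                companion=os.path.join(dirpath, comp) if comp else None,
                size=os.path.getsize(full),
            ))
    return findings


def build_constructed_tree() -> str:
    """Create a throwaway tree shaped like the report's drop paths. Constructed
    data: contents are placeholders, not the real samples."""
    root = tempfile.mkdtemp(prefix="doc_exe_hunt_")
    layout = {
        "Program Files/InitializeRead.doc.exe": b"MZ" + b"\0" * 62,     # fake PE stub
        "Program Files/InitializeRead.nal": b"placeholder companion",
        "Users/Admin/Documents/ShowFind.doc.exe": b"MZ" + b"\0" * 62,  # no .nal beside it
        "Users/Admin/Documents/report.docx": b"PK\x03\x04",             # benign document
        "Tools/setup.exe": b"MZ" + b"\0" * 62,                         # single extension
    }
    for rel, content in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for f in sorted(hunt(build_constructed_tree()), key=lambda f: f.path):
        print(f"{f.path}  pe={f.is_pe}  size={f.size}  companion={f.companion}")
```

On a real host point `hunt()` at each fixed drive root (the sample enumerated every letter) and triage any hit whose companion is present first, since that pair is the strongest match for this sample; a hit without a companion, like ShowFind.doc.exe in the report, still deserves a look because the .nal may have been removed or never written.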
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs
Processes: WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE
Both signatures fire on WINWORD.EXE, the genuine Microsoft Word binary that the sample launched to open C:\Windows\mydoc.rtf, and on none of the malicious processes. Reading these keys is ordinary Office start-up behaviour, so do not count it as sandbox evasion by the sample.
Modifies registry class 20 IoCs
Processes: hfhqhumoig.exe, 6ea7489aa08bee41cef6386d5a73435e_JaffaCakes118.exe
hfhqhumoig.exe (script and .reg extensions re-pointed to the plain-text handler):
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc hfhqhumoig.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg hfhqhumoig.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" hfhqhumoig.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" hfhqhumoig.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh hfhqhumoig.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" hfhqhumoig.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs hfhqhumoig.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" hfhqhumoig.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat hfhqhumoig.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf hfhqhumoig.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" hfhqhumoig.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" hfhqhumoig.exe
6ea7489aa08bee41cef6386d5a73435e_JaffaCakes118.exe (opaque hex strings stored under a custom class key):
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes 6ea7489aa08bee41cef6386d5a73435e_JaffaCakes118.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33322C7E9C2182276A3477D570542CAA7D8764DE" 6ea7489aa08bee41cef6386d5a73435e_JaffaCakes118.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABEFABCF96BF190840E3B4581EB3994B38A02FF42150338E2CB42EB09D5" 6ea7489aa08bee41cef6386d5a73435e_JaffaCakes118.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB0B02E47EF39E352CCBAD632EFD7C8" 6ea7489aa08bee41cef6386d5a73435e_JaffaCakes118.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8EFCFB4F2682189137D7207D93BD95E635593066416337D69D" 6ea7489aa08bee41cef6386d5a73435e_JaffaCakes118.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F568C6FF6D21DDD172D0D68A0F9161" 6ea7489aa08bee41cef6386d5a73435e_JaffaCakes118.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1939C67F1596DBC2B8C97C90EC9637CA" 6ea7489aa08bee41cef6386d5a73435e_JaffaCakes118.exe
Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings 6ea7489aa08bee41cef6386d5a73435e_JaffaCakes118.exe
The default value of an extension key is its ProgID, so pointing .bat, .vbs, .wsf, .wsh, .wsc and .reg at "txtfile" makes a double-click open the file in Notepad instead of running the script or importing the .reg file. That breaks the usual script-based or .reg-based clean-up; reg.exe from a shell is unaffected. These keys sit in the shared HKLM\SOFTWARE\Classes view (no WOW6432Node), so the change applies system-wide; the stock ProgIDs to restore are batfile, VBSFile, WSFFile, WSHFile, scriptletfile and regfile. The CLV.Classes values are opaque hex strings written by the dropper, most likely state or configuration; the report does not decode them, and the Com1..Com4 and StartCom1..2 names are useful hunt terms.
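The registry signatures above (Explorer visibility, Security Center overrides, the DisableRegistryTools policy, the Run entries, the Winlogon values and the file-class remaps) all use the same row format, "operation (type) \REGISTRY\... = "data" process". The parser below, an added example that is not part of the report, turns such rows into records, converts the native \REGISTRY\MACHINE and \REGISTRY\USER\<SID> paths to the HKLM and HKU form that reg.exe accepts, and emits one `reg query` per written key or value so a responder can check a suspect host for the same state. The embedded rows are copied from the signatures above; a user hive under HKU is only present while that user is logged on, so run the HKU queries in that user's session or after loading the hive.

```python
r"""Parse sandbox-report registry rows of the form
    Set value (int) \REGISTRY\MACHINE\...\Name = "1" process.exe
into records and emit `reg query` commands that verify the same keys on a host.
Added example: the rows below are copied from the report, the code is not its."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed input: registry rows copied verbatim from the signatures above.
SAMPLE_ROWS = r"""
Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" hfhqhumoig.exe
Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" hfhqhumoig.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" hfhqhumoig.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" hfhqhumoig.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "pwvyogfgwhviy.exe" khfiqdyeukvaukt.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" hfhqhumoig.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat hfhqhumoig.exe
Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation 6ea7489aa08bee41cef6386d5a73435e_JaffaCakes118.exe
"""

ROW_RE = re.compile(
    r'^(?P<op>Set value|Key created|Key opened|Key value queried)'
    r'(?: \((?P<vtype>\w+)\))?'          # value type, present only on "Set value"
    r' (?P<path>\\REGISTRY\\.+?)'        # native path; may contain spaces
    r'(?: = "(?P<data>[^"]*)")?'         # quoted data, present only on "Set value"
    r' (?P<proc>\S+)$'                   # image name of the acting process
)
HIVES = {"MACHINE": "HKLM", "USER": "HKU"}
WRITE_OPS = {"Set value", "Key created"}


@dataclass(frozen=True)
class RegIoc:
    op: str
    key: str               # Win32 form, e.g. HKLM\SOFTWARE\WOW6432Node\Microsoft\Security Center
    value: Optional[str]   # value name; "" means the key's default value; None for key-only ops
    vtype: Optional[str]
    data: Optional[str]
    proc: str


def to_win32_path(native: str) -> str:
    r"""\REGISTRY\MACHINE\X -> HKLM\X and \REGISTRY\USER\<SID>\X -> HKU\<SID>\X."""
    parts = native.split("\\", 3)          # ['', 'REGISTRY', hive, rest]
    hive = HIVES[parts[2]]
    return hive + ("\\" + parts[3] if len(parts) > 3 else "")


def parse_row(row: str) -> Optional[RegIoc]:
    m = ROW_RE.match(row.strip())
    if not m:
        return None
    path = to_win32_path(m["path"])
    if m["op"] in ("Set value", "Key value queried"):
        key, _, value = path.rpartition("\\")   # last component is the value name
    else:
        key, value = path, None
    return RegIoc(m["op"], key, value, m["vtype"], m["data"], m["proc"])


def parse_rows(text: str) -> List[RegIoc]:
    return [ioc for ioc in map(parse_row, text.strip().splitlines()) if ioc]


def verification_commands(iocs: List[RegIoc]) -> List[str]:
    """One `reg query` per written key/value, de-duplicated. 64-bit reg.exe
    reads WOW6432Node paths exactly as written, so no view switch is needed."""
    cmds: List[str] = []
    for ioc in iocs:
        if ioc.op not in WRITE_OPS:
            continue                         # reads (e.g. Geo\Nation) leave nothing to verify
        cmd = f'reg query "{ioc.key}"'
        if ioc.value == "":
            cmd += " /ve"                    # the key's default (unnamed) value
        elif ioc.value is not None:
            cmd += f' /v "{ioc.value}"'
        if cmd not in cmds:
            cmds.append(cmd)
    return cmds


def by_process(iocs: List[RegIoc]) -> Dict[str, List[RegIoc]]:
    grouped: Dict[str, List[RegIoc]] = {}
    for ioc in iocs:
        grouped.setdefault(ioc.proc, []).append(ioc)
    return grouped


if __name__ == "__main__":
    parsed = parse_rows(SAMPLE_ROWS)
    for proc, items in by_process(parsed).items():
        print(f"{proc}: {len(items)} registry operation(s)")
    print("\n".join(verification_commands(parsed)))
```

Feed the full signature rows from the report into `parse_rows()` rather than the eight copied here and the command list covers every key the sample touched; compare the data each query returns against the `data` field of the record to decide whether a host carries the same state.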
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes: WINWORD.EXE (PID 4516, 2 entries)

Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (PID and image; repeated entries collapsed, and the report caps the list at 64): 1764 6ea7489aa08bee41cef6386d5a73435e_JaffaCakes118.exe, 1368 khfiqdyeukvaukt.exe, 2016 hfhqhumoig.exe, 5092 ttaardcn.exe, 4192 pwvyogfgwhviy.exe, 4184 ttaardcn.exe

Suspicious use of FindShellTrayWindow 18 IoCs
Processes (PID and image; repeated entries collapsed): 1764 6ea7489aa08bee41cef6386d5a73435e_JaffaCakes118.exe, 2016 hfhqhumoig.exe, 1368 khfiqdyeukvaukt.exe, 5092 ttaardcn.exe, 4192 pwvyogfgwhviy.exe, 4184 ttaardcn.exe

Suspicious use of SendNotifyMessage 18 IoCs
Processes (PID and image; repeated entries collapsed): 1764 6ea7489aa08bee41cef6386d5a73435e_JaffaCakes118.exe, 2016 hfhqhumoig.exe, 1368 khfiqdyeukvaukt.exe, 5092 ttaardcn.exe, 4192 pwvyogfgwhviy.exe, 4184 ttaardcn.exe

Suspicious use of SetWindowsHookEx 7 IoCs
Processes: WINWORD.EXE (PID 4516, 7 entries)

Suspicious use of WriteProcessMemory 17 IoCs
Processes: 6ea7489aa08bee41cef6386d5a73435e_JaffaCakes118.exe, hfhqhumoig.exe
PID 1764 6ea7489aa08bee41cef6386d5a73435e_JaffaCakes118.exe wrote to memory of 2016 hfhqhumoig.exe (3 entries)
PID 1764 6ea7489aa08bee41cef6386d5a73435e_JaffaCakes118.exe wrote to memory of 1368 khfiqdyeukvaukt.exe (3 entries)
PID 1764 6ea7489aa08bee41cef6386d5a73435e_JaffaCakes118.exe wrote to memory of 5092 ttaardcn.exe (3 entries)
PID 1764 6ea7489aa08bee41cef6386d5a73435e_JaffaCakes118.exe wrote to memory of 4192 pwvyogfgwhviy.exe (3 entries)
PID 1764 6ea7489aa08bee41cef6386d5a73435e_JaffaCakes118.exe wrote to memory of 4516 WINWORD.EXE (2 entries)
PID 2016 hfhqhumoig.exe wrote to memory of 4184 ttaardcn.exe (3 entries)
Every writer/target pair is a parent and its direct child in the process tree, which is what process creation itself looks like to this signature; the report shows no write into a process the sample did not start, so there is no evidence of injection here. The AddClipboardFormatListener and SetWindowsHookEx entries belong to Word, not to the sample.
Processes

1. C:\Users\Admin\AppData\Local\Temp\6ea7489aa08bee41cef6386d5a73435e_JaffaCakes118.exe (PID 1764)
   command line: "C:\Users\Admin\AppData\Local\Temp\6ea7489aa08bee41cef6386d5a73435e_JaffaCakes118.exe"
   - Checks computer location settings
   - Drops file in System32 directory
   - Drops file in Windows directory
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\hfhqhumoig.exe (PID 2016)
      command line: hfhqhumoig.exe
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Windows security bypass
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Windows security modification
      - Enumerates connected drives
      - Modifies WinLogon
      - Drops file in System32 directory
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\ttaardcn.exe (PID 4184)
         command line: C:\Windows\system32\ttaardcn.exe
         - Executes dropped EXE
         - Enumerates connected drives
         - Drops file in System32 directory
         - Drops file in Program Files directory
         - Drops file in Windows directory
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of FindShellTrayWindow
         - Suspicious use of SendNotifyMessage

   2. C:\Windows\SysWOW64\khfiqdyeukvaukt.exe (PID 1368)
      command line: khfiqdyeukvaukt.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

   2. C:\Windows\SysWOW64\ttaardcn.exe (PID 5092)
      command line: ttaardcn.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

   2. C:\Windows\SysWOW64\pwvyogfgwhviy.exe (PID 4192)
      command line: pwvyogfgwhviy.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

   2. C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 4516)
      command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      - Drops file in Windows directory
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of SetWindowsHookEx

PIDs are taken from the WriteProcessMemory entries above, which also fix the parent of each process. The children are launched by bare name, and the depth-3 ttaardcn.exe is launched as C:\Windows\system32\ttaardcn.exe yet runs from C:\Windows\SysWOW64 because the 32-bit parent is subject to WOW64 file-system redirection. Word is started by the sample itself to open the 223-byte mydoc.rtf the sample wrote to C:\Windows, which reads as a decoy for the user; Word's entries in the signature list are its own normal behaviour.
Network
No network indicators are listed in this report.
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Modify Registry (6)
  Impair Defenses (2)
    Disable or Modify Tools (2)
"Winlogon Helper DLL" is the technique the sandbox maps the Winlogon key writes (SFCScan, SFCDisable) to. No Notify, Userinit or Shell value was changed and no DLL was registered, so read it as "touched the Winlogon key" rather than as a working helper-DLL persistence.
Downloads
Every dropped executable below is 512KB, the size of the submitted sample, and each has a different hash. The same path \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe appears twice with different hashes (written once by each ttaardcn.exe instance), as does the CustomDestinations jump-list file. sist02.xsl, index.dat and the customDestinations-ms entries are side effects of Word opening mydoc.rtf, not files the sample dropped.
-
C:\Program Files\InitializeRead.doc.exe
Filesize 512KB
MD5 e75d68511764c9b07f9ac92d2549058a
SHA1 60241a66dc82808e5a8fb8ceff41dd93273fc4c4
SHA256 77da9c85914cd3a0cd54b3f782c649500e6d906651eb1dd7afb8b01b93263c24
SHA512 2f607dbeb60e0f079fdb28b9daa81a28d39ea5d81c93f5bdbe91f6fadf7f12ac19428514def32bb98e5c8e84feb553cdc2af98b96f02cffcac9227c4239a95db
-
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
Filesize 512KB
MD5 2b581185fb2d58b24a5018cd4a586772
SHA1 ff8cd4ef5adc55eb88f2a9c00655cdf94740947d
SHA256 6f4a3c7b5c1a56f29b33c00fd1c601a9bb041768961a65401310d89ae08a0d69
SHA512 f90021ff2613e211d62bf5533c7043c5a957b292d7532797337675e3dd5e64c19b1066788985622ce7f95da48ef4d56e672ccba2a967391d88257ec7cbb816d8
-
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
Filesize 512KB
MD5 14caf79cdbe8bc95a3ef5cff5876f7ea
SHA1 27fba3e2a335c1b0cf975921785dd84b6417bc28
SHA256 174f78c1a83f1e3767ce215528362e7b12d9b7737219e840343a79d4141d569a
SHA512 bf65ee430da40b5ee700f4fc4157a6f3c131f90a0d8f33f47695d5c7cdc98a66ee0c3175637925f95e1252d66d5d65b7a147a53fa37ceeb4731fe19c00d11805
-
C:\Users\Admin\AppData\Local\Temp\TCDC531.tmp\sist02.xsl
Filesize 245KB
MD5 f883b260a8d67082ea895c14bf56dd56
SHA1 7954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256 ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512 d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e
-
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Filesize 239B
MD5 a2f476fb970ff4f078a53f0164f2b959
SHA1 531f3f100f11ff07c32df8d88038f4d5da7a58c3
SHA256 f35b49bd36bf81dbce2df6540b03155ca43ef30609b3ae1d947a62eaf289d2c9
SHA512 f3187e9e0465b004e3eb6320dfd1b75b37b79ff0240d989bd15cacc547a97d0a38a3b73deba81a824e71a2ae3306aab32cb692bde594dca3c2328eda16defe79
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize 3KB
MD5 af51ac86b8365a4729611b6a17784558
SHA1 5ef9b162ef9245db87f262fee2c61e2d6c5fc68c
SHA256 e16e4507b297f1fe192b4324c67bc8c3d7bcef038c773a67a5a2fd848293a795
SHA512 b82d0803571d2863901ea1a4be1ce4415275db3c21b5e3b017b3f8e260081be1f92aa035203bac63cd251ac9340889dab83fad0d4299c4faedc3dc473e18af78
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize 3KB
MD5 7e5e436654b1b4c745eac326c22a484f
SHA1 eb7f3ba655883d475affea53bc074eb6c45637df
SHA256 02cbf8dfeeeefea228792d3624b84f500399890abd2e3ac0b9cfa8b159651929
SHA512 b3ec57e51f4407dae235f66e100742a506de838df4d0c1cc3b0117d5def076578dedef059f12790d4480b4e7a7806191f61bec401ee87d8aab38dc97e9e180b0
-
C:\Users\Admin\Documents\ShowFind.doc.exe
Filesize 512KB
MD5 bc9ee746c90809d55e7262db4bf7fb8e
SHA1 3bbebb66188bbfbf663a4d8b86a01f0f468f9a53
SHA256 3cde44bcdef84df6c63f0221d64d64c1989b6c36a4ff7b90673f2d7d02d2511d
SHA512 02e95b0a80749a5ac084b96ec3d1657ba8046cd9ae68aa6af05a7337fc4464cd605b3443f00beb9f3aa11e52024da1815610ffa984b5468c56ca155d079a3f14
-
C:\Windows\SysWOW64\hfhqhumoig.exe
Filesize 512KB
MD5 99fb0c515cfa58624dbd37ad9a4423a9
SHA1 621f492cf9838ecefe12abbf0dcf408e87e33c28
SHA256 b9088d8929caf37d66f315b10fad65d7030e7c441671d0f5f6fdb6f68955a2c0
SHA512 6c8aea09a152f7430ceb1b9713dc4ced31ba8387a9a6ddb62b4f84fb69a90d29dcc6288d627d155f3e2629c825e58ea80aa8dcb89f067cb15301b99d9ee49043
-
C:\Windows\SysWOW64\khfiqdyeukvaukt.exe
Filesize 512KB
MD5 a30445174110e4fa45e79b802db1db83
SHA1 f9e9474b0ad9a5a2344b0eba118272cd980903d6
SHA256 d4257563b092982b5fc221839b83ae3dd4be0ef8ba4cb2fea066ce45ce5f7a0c
SHA512 1e8856ee38f4ed5ba51299b6c30fc9c480744d690f877ad7eeee47db24ddf594aeff47da4afe9e9e6db64bd6972da124f6ab68b1bbd7b2cb86fe96fd401ebcc5
-
C:\Windows\SysWOW64\pwvyogfgwhviy.exe
Filesize 512KB
MD5 29f7148f4a8fe5d898f78d92724a32a9
SHA1 7c44a7eeb8095399160b79a9f02954b3abf00956
SHA256 781a58a90d4f9f0e24e7753dedce71478a0bd35b01bfdae8c02aee6fda9ec1e5
SHA512 809c232019236a115e3066c11d0788b5184ece03985e46ebbc264583ab685c01888ca0b049acbe7aa000f0761a9e2df1dc0073cababf91d69927fffc4d0ec4b2
-
C:\Windows\SysWOW64\ttaardcn.exe
Filesize 512KB
MD5 fb0e157d88b878eab1c9063d0de1b0d0
SHA1 402603a7db74350e67f1bedff636b3586c223738
SHA256 0b8c1bcff9c949ab3b0750c8e0ff1581867966b3362f06ca0bbbe77fbabfe6a7
SHA512 7e67fe68fcd9bf5efa3cb96d2900e1cbc72e05d10f7da5672453f49eb57fcdc0545545d6a67b3bdd9fb1949b7e7dc483a791803ffea4165d49b4bbb8b1229560
-
C:\Windows\mydoc.rtf
Filesize 223B
MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
Filesize 512KB
MD5 660ccb065ca8826a22da494b85e8738e
SHA1 f4d086f7c8fa3f57dc33dde843c70ea8695ef6dd
SHA256 bc6e6f2eb19f8162ad855e977ed961c3be266c7adf5f40a3a39e569d4ee9e489
SHA512 1a6eaa9c4f4d8cc00c59dae70343f65efb65bfb38f8c3b951eaa426c0209f0d566e1edc9f9b9f84962b032aae6d2d98bae1b6fb2465b325c764f83b65e8073db
-
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
Filesize 512KB
MD5 e375d8da4ba792bf2d81bbd931fc3241
SHA1 ae6143d5bda36d033db9521e3933b824bf562df0
SHA256 6540e018c7f5c8fcdd078b468843697667062445a324980fabd7f29f8778a3a3
SHA512 f7c1f08088082216732ef86ac5ab6e520efa7a4ffe32942064c635483a925ee847311446802d8dcc05cd515db8cea4a1649a2ef7be7d5118ed2d0e8e78542cf2
Memory dumps
memory/1764-0-0x0000000000400000-0x0000000000496000-memory.dmp: 600KB (the submitted sample's image; this is the dump the autoit_exe rule matched)
memory/4516-39-0x00007FFBDFE10000-0x00007FFBDFE20000-memory.dmp: 64KB
memory/4516-38-0x00007FFBDFE10000-0x00007FFBDFE20000-memory.dmp: 64KB
memory/4516-36-0x00007FFBDFE10000-0x00007FFBDFE20000-memory.dmp: 64KB
memory/4516-37-0x00007FFBDFE10000-0x00007FFBDFE20000-memory.dmp: 64KB
memory/4516-41-0x00007FFBDD4E0000-0x00007FFBDD4F0000-memory.dmp: 64KB
memory/4516-35-0x00007FFBDFE10000-0x00007FFBDFE20000-memory.dmp: 64KB
memory/4516-43-0x00007FFBDD4E0000-0x00007FFBDD4F0000-memory.dmp: 64KB
memory/4516-606-0x00007FFBDFE10000-0x00007FFBDFE20000-memory.dmp: 64KB
memory/4516-608-0x00007FFBDFE10000-0x00007FFBDFE20000-memory.dmp: 64KB
memory/4516-609-0x00007FFBDFE10000-0x00007FFBDFE20000-memory.dmp: 64KB
memory/4516-607-0x00007FFBDFE10000-0x00007FFBDFE20000-memory.dmp: 64KB
All dumps for PID 4516 belong to WINWORD.EXE; no dumps were captured for the dropped executables, so their in-memory state has to be taken from the files listed under Downloads.