Analysis
- max time kernel: 150s
- max time network: 131s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-05-2024 14:28

Static task: static1
Behavioral task: behavioral1
- Sample: 6ed598a9f1ddf1f7c13c941791dc1421_JaffaCakes118.exe
- Resource: win7-20240419-en
Behavioral task: behavioral2
- Sample: 6ed598a9f1ddf1f7c13c941791dc1421_JaffaCakes118.exe
- Resource: win10v2004-20240426-en
General
- Target: 6ed598a9f1ddf1f7c13c941791dc1421_JaffaCakes118.exe
- Size: 512KB
- MD5: 6ed598a9f1ddf1f7c13c941791dc1421
- SHA1: 0d88b3f9bdca3e658bdbcb7f81c6b7734fa265ff
- SHA256: d0ae482ab119e30b2029dc3361e8b9388f1fe96d7944311309e8aa7c4264a926
- SHA512: 677418ad1fd659ccebed44085a2ba1be90989373fb52d41deb0c0767009a46a977bb9aa9bae0ff1c16308452fcef34dd3cf9c4c301e19f5c13b7ee257277c51f
- SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6I:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5b
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
Processes: ggkwuwglqf.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (ggkwuwglqf.exe)

Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes: ggkwuwglqf.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (ggkwuwglqf.exe)

Windows security bypass 5 IoCs
Processes: ggkwuwglqf.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (ggkwuwglqf.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (ggkwuwglqf.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (ggkwuwglqf.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (ggkwuwglqf.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (ggkwuwglqf.exe)

Disables RegEdit via registry modification 1 IoCs
Processes: ggkwuwglqf.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (ggkwuwglqf.exe)
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 6ed598a9f1ddf1f7c13c941791dc1421_JaffaCakes118.exe
- Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation (6ed598a9f1ddf1f7c13c941791dc1421_JaffaCakes118.exe)
Executes dropped EXE 5 IoCs
Processes (PID process): ggkwuwglqf.exe, hfbltevousvdvpe.exe, lekteuia.exe, tcvggfbxjoefe.exe, lekteuia.exe
- 3208 ggkwuwglqf.exe
- 4008 hfbltevousvdvpe.exe
- 4332 lekteuia.exe
- 4148 tcvggfbxjoefe.exe
- 3280 lekteuia.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification 6 IoCs
Processes: ggkwuwglqf.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (ggkwuwglqf.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (ggkwuwglqf.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (ggkwuwglqf.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (ggkwuwglqf.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" (ggkwuwglqf.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (ggkwuwglqf.exe)
Adds Run key to start application 2 TTPs 3 IoCs
Processes: hfbltevousvdvpe.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\zblgpdlo = "ggkwuwglqf.exe" (hfbltevousvdvpe.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tdhtaneh = "hfbltevousvdvpe.exe" (hfbltevousvdvpe.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "tcvggfbxjoefe.exe" (hfbltevousvdvpe.exe); the empty name after the trailing backslash is the Run key's unnamed default value
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: ggkwuwglqf.exe, lekteuia.exe, lekteuia.exe
- ggkwuwglqf.exe: File opened (read-only) \??\<letter>: for 21 letters: a, b, g, h, i, j, k, l, m, n, o, p, q, s, t, u, v, w, x, y, z
- lekteuia.exe (both instances): File opened (read-only) \??\<letter>: 43 times; a, b, e, g, h, i, j, k, m, o, p, q, r, s, t, u, w, x, y, z each opened twice, l, n, v once
Modifies WinLogon 2 TTPs 2 IoCs
Processes: ggkwuwglqf.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" (ggkwuwglqf.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" (ggkwuwglqf.exe); 4294967197 is 0xFFFFFF9D
AutoIT Executable 8 IoCs
AutoIT scripts compiled to PE executables.
Resources matching YARA rule autoit_exe:
- behavioral2/memory/3828-0-0x0000000000400000-0x0000000000496000-memory.dmp
- C:\Windows\SysWOW64\hfbltevousvdvpe.exe
- C:\Windows\SysWOW64\ggkwuwglqf.exe
- C:\Windows\SysWOW64\lekteuia.exe
- C:\Windows\SysWOW64\tcvggfbxjoefe.exe
- \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
- \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
Drops file in System32 directory 12 IoCs
Processes: lekteuia.exe, lekteuia.exe, 6ed598a9f1ddf1f7c13c941791dc1421_JaffaCakes118.exe, ggkwuwglqf.exe
- File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (lekteuia.exe)
- File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (lekteuia.exe)
- File opened for modification C:\Windows\SysWOW64\ggkwuwglqf.exe (6ed598a9f1ddf1f7c13c941791dc1421_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\hfbltevousvdvpe.exe (6ed598a9f1ddf1f7c13c941791dc1421_JaffaCakes118.exe)
- File created C:\Windows\SysWOW64\lekteuia.exe (6ed598a9f1ddf1f7c13c941791dc1421_JaffaCakes118.exe)
- File created C:\Windows\SysWOW64\tcvggfbxjoefe.exe (6ed598a9f1ddf1f7c13c941791dc1421_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\msvbvm60.dll (ggkwuwglqf.exe)
- File created C:\Windows\SysWOW64\ggkwuwglqf.exe (6ed598a9f1ddf1f7c13c941791dc1421_JaffaCakes118.exe)
- File created C:\Windows\SysWOW64\hfbltevousvdvpe.exe (6ed598a9f1ddf1f7c13c941791dc1421_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\lekteuia.exe (6ed598a9f1ddf1f7c13c941791dc1421_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\tcvggfbxjoefe.exe (6ed598a9f1ddf1f7c13c941791dc1421_JaffaCakes118.exe)
- File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (lekteuia.exe)
Drops file in Program Files directory 14 IoCs
Processes: lekteuia.exe, lekteuia.exe
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (lekteuia.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (lekteuia.exe)
- File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (lekteuia.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal (lekteuia.exe)
- File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (lekteuia.exe)
- File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (lekteuia.exe)
- File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (lekteuia.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (lekteuia.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal (lekteuia.exe)
- File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (lekteuia.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (lekteuia.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal (lekteuia.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal (lekteuia.exe)
- File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (lekteuia.exe)
Drops file in Windows directory 19 IoCs
Processes: 6ed598a9f1ddf1f7c13c941791dc1421_JaffaCakes118.exe, WINWORD.EXE, lekteuia.exe, lekteuia.exe
- File opened for modification C:\Windows\mydoc.rtf (6ed598a9f1ddf1f7c13c941791dc1421_JaffaCakes118.exe)
- File opened for modification C:\Windows\mydoc.rtf (WINWORD.EXE)
- File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (lekteuia.exe)
- File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (lekteuia.exe)
- File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (lekteuia.exe)
- File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (lekteuia.exe)
- File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (lekteuia.exe)
- File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (lekteuia.exe)
- File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (lekteuia.exe)
- File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (lekteuia.exe)
- File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (lekteuia.exe)
- File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (lekteuia.exe)
- File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (lekteuia.exe)
- File created C:\Windows\~$mydoc.rtf (WINWORD.EXE)
- File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (lekteuia.exe)
- File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (lekteuia.exe)
- File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (lekteuia.exe)
- File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (lekteuia.exe)
- File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (lekteuia.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: WINWORD.EXE
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
Modifies registry class 20 IoCs
Processes: 6ed598a9f1ddf1f7c13c941791dc1421_JaffaCakes118.exe, ggkwuwglqf.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FF5FFFF4F26856F9146D7217D97BCE5E141593167426341D791" (6ed598a9f1ddf1f7c13c941791dc1421_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" (ggkwuwglqf.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" (ggkwuwglqf.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat (ggkwuwglqf.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" (ggkwuwglqf.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs (ggkwuwglqf.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABDFAC9F916F19584743B44819D39E5B38A038C4215033DE2C8459908D6" (6ed598a9f1ddf1f7c13c941791dc1421_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC7B12F47E5389F53CBB9D7329CD7BC" (6ed598a9f1ddf1f7c13c941791dc1421_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0806BB7FE6821DFD10BD0D18A759165" (6ed598a9f1ddf1f7c13c941791dc1421_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" (ggkwuwglqf.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc (ggkwuwglqf.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg (ggkwuwglqf.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" (ggkwuwglqf.exe)
- Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes (6ed598a9f1ddf1f7c13c941791dc1421_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" (ggkwuwglqf.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh (ggkwuwglqf.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf (ggkwuwglqf.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33442C7F9C2282586D4277D770212CAB7C8F64DF" (6ed598a9f1ddf1f7c13c941791dc1421_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1944C6751593DBBFB8BC7C93EDE234BA" (6ed598a9f1ddf1f7c13c941791dc1421_JaffaCakes118.exe)
- Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings (6ed598a9f1ddf1f7c13c941791dc1421_JaffaCakes118.exe)
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes (PID process): WINWORD.EXE
- 4352 WINWORD.EXE (x2)
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (PID process): 6ed598a9f1ddf1f7c13c941791dc1421_JaffaCakes118.exe, ggkwuwglqf.exe, hfbltevousvdvpe.exe, lekteuia.exe, tcvggfbxjoefe.exe, lekteuia.exe
- 3828 6ed598a9f1ddf1f7c13c941791dc1421_JaffaCakes118.exe (x16)
- 3208 ggkwuwglqf.exe (x10)
- 4008 hfbltevousvdvpe.exe (x10)
- 4332 lekteuia.exe (x8)
- 4148 tcvggfbxjoefe.exe (x12)
- 4008 hfbltevousvdvpe.exe (x2)
- 3280 lekteuia.exe (x6)
Suspicious use of FindShellTrayWindow 18 IoCs
Processes (PID process): 6ed598a9f1ddf1f7c13c941791dc1421_JaffaCakes118.exe, ggkwuwglqf.exe, hfbltevousvdvpe.exe, lekteuia.exe, tcvggfbxjoefe.exe, lekteuia.exe
- 3828 6ed598a9f1ddf1f7c13c941791dc1421_JaffaCakes118.exe (x3)
- 3208 ggkwuwglqf.exe (x3)
- 4008 hfbltevousvdvpe.exe (x3)
- 4332 lekteuia.exe (x3)
- 4148 tcvggfbxjoefe.exe (x3)
- 3280 lekteuia.exe (x3)
Suspicious use of SendNotifyMessage 18 IoCs
Processes (PID process): 6ed598a9f1ddf1f7c13c941791dc1421_JaffaCakes118.exe, ggkwuwglqf.exe, hfbltevousvdvpe.exe, lekteuia.exe, tcvggfbxjoefe.exe, lekteuia.exe
- 3828 6ed598a9f1ddf1f7c13c941791dc1421_JaffaCakes118.exe (x3)
- 3208 ggkwuwglqf.exe (x3)
- 4008 hfbltevousvdvpe.exe (x3)
- 4332 lekteuia.exe (x3)
- 4148 tcvggfbxjoefe.exe (x3)
- 3280 lekteuia.exe (x3)
Suspicious use of SetWindowsHookEx 7 IoCs
Processes (PID process): WINWORD.EXE
- 4352 WINWORD.EXE (x7)
Suspicious use of WriteProcessMemory 17 IoCs
Processes: 6ed598a9f1ddf1f7c13c941791dc1421_JaffaCakes118.exe, ggkwuwglqf.exe
- PID 3828 wrote to memory of 3208: 6ed598a9f1ddf1f7c13c941791dc1421_JaffaCakes118.exe -> ggkwuwglqf.exe (x3)
- PID 3828 wrote to memory of 4008: 6ed598a9f1ddf1f7c13c941791dc1421_JaffaCakes118.exe -> hfbltevousvdvpe.exe (x3)
- PID 3828 wrote to memory of 4332: 6ed598a9f1ddf1f7c13c941791dc1421_JaffaCakes118.exe -> lekteuia.exe (x3)
- PID 3828 wrote to memory of 4148: 6ed598a9f1ddf1f7c13c941791dc1421_JaffaCakes118.exe -> tcvggfbxjoefe.exe (x3)
- PID 3828 wrote to memory of 4352: 6ed598a9f1ddf1f7c13c941791dc1421_JaffaCakes118.exe -> WINWORD.EXE (x2)
- PID 3208 wrote to memory of 3280: ggkwuwglqf.exe -> lekteuia.exe (x3)
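The registry IoCs above (Security Center notification and override values, DisableRegistryTools, the Winlogon SFCDisable/SFCScan values, the Run entries for the dropped files, and the script extensions remapped to txtfile) can be checked on a live host without the sandbox. The script below is an added example written for this page; it is not the sandbox's code and not part of the sample. It uses the value names and data the report records, checks both the native and the WOW6432Node registry views (the report shows WOW6432Node because the 32-bit droppers' writes were redirected), and with -Revert removes the values that are unambiguously malicious. The stock ProgIDs it writes back for .bat/.reg/.vbs/.wsc/.wsf/.wsh are an assumption about a default Windows install; the report only shows that they were set to txtfile. HideFileExt=1 and ShowSuperHidden=0 are reported as findings but are also the Windows defaults, so on their own they prove nothing; they matter here because the dropped PROTTPLV.DOC.exe and MsoIrmProtector.doc.exe files display as .DOC/.doc in Explorer when extensions are hidden.

```powershell
# Added example; not part of the sandbox report or of the sample. Audits a host
# for the registry changes listed under Signatures, using the value names and
# data the report records. Run from an elevated prompt. -Revert removes the
# unambiguous settings and writes back stock ProgIDs for the hijacked script
# extensions; those ProgIDs are an assumption about a default Windows install.
[CmdletBinding()]
param([switch]$Revert)

$dropped     = 'ggkwuwglqf.exe', 'hfbltevousvdvpe.exe', 'lekteuia.exe', 'tcvggfbxjoefe.exe'
$stockProgId = @{ '.bat' = 'batfile'; '.reg' = 'regfile'; '.vbs' = 'VBSFile';
                  '.wsc' = 'scriptletfile'; '.wsf' = 'WSFFile'; '.wsh' = 'WSHFile' }  # assumed defaults
# The report shows WOW6432Node paths because the 32-bit droppers' writes were
# redirected; a 64-bit host has to be checked in both registry views.
$views = 'HKLM:\SOFTWARE\Microsoft', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft'

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding($Key, $Name, $Data, $Note) {
    $script:findings.Add([pscustomobject]@{ Key = $Key; Name = $Name; Data = $Data; Note = $Note })
}
function Get-RegValue($Key, $Name) {
    # Returns $null when the key or value is absent; Name '' selects the default value.
    $k = Get-Item -LiteralPath $Key -ErrorAction SilentlyContinue
    if ($k) { $k.GetValue($Name) }
}

foreach ($v in $views) {
    # "Windows security bypass" / "Windows security modification": six values set to 1.
    $sc = "$v\Security Center"
    foreach ($n in 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify',
                   'AntiVirusOverride', 'FirewallOverride', 'FirstRunDisabled') {
        if ((Get-RegValue $sc $n) -eq 1) {
            Add-Finding $sc $n 1 'Security Center notification/override suppressed'
            if ($Revert) { Remove-ItemProperty -LiteralPath $sc -Name $n }
        }
    }
    # "Modifies WinLogon": SFCDisable = 4294967197 (0xFFFFFF9D) and SFCScan = 0.
    $wl  = "$v\Windows NT\CurrentVersion\Winlogon"
    $sfc = Get-RegValue $wl 'SFCDisable'
    if ($null -ne $sfc -and $sfc -ne 0) {
        # REG_DWORD comes back as Int32, so 0xFFFFFF9D reads as -99; print it as hex.
        Add-Finding $wl 'SFCDisable' ('0x{0:X8}' -f $sfc) 'Windows File Protection disabled'
        if ($Revert) { Remove-ItemProperty -LiteralPath $wl -Name 'SFCDisable' }
    }
    $scan = Get-RegValue $wl 'SFCScan'
    if ($null -ne $scan) {
        Add-Finding $wl 'SFCScan' $scan 'Value present; the sample wrote 0'
        if ($Revert) { Remove-ItemProperty -LiteralPath $wl -Name 'SFCScan' }
    }
}

# "Adds Run key to start application": entries whose data is one of the dropped
# file names, including the one written to the key's unnamed default value.
foreach ($run in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run') {
    $k = Get-Item -LiteralPath $run -ErrorAction SilentlyContinue
    if (-not $k) { continue }
    foreach ($vn in $k.GetValueNames()) {
        $data = [string]$k.GetValue($vn)
        if ($dropped -contains [IO.Path]::GetFileName($data.Trim('"'))) {
            $shown = if ($vn -eq '') { '(default)' } else { $vn }
            Add-Finding $run $shown $data 'Run entry for a dropped component'
            if ($Revert) { Remove-ItemProperty -LiteralPath $run -Name $shown }
        }
    }
}

# "Modifies registry class": script extensions pointed at txtfile, so those files
# open as plain text instead of being executed by their normal handler.
foreach ($ext in $stockProgId.Keys) {
    $key = "HKLM:\SOFTWARE\Classes\$ext"
    if ((Get-RegValue $key '') -eq 'txtfile') {
        Add-Finding $key '(default)' 'txtfile' "Extension hijacked; stock ProgID assumed $($stockProgId[$ext])"
        if ($Revert) { Set-ItemProperty -LiteralPath $key -Name '(default)' -Value $stockProgId[$ext] }
    }
}

# Per-user values the report attributes to ggkwuwglqf.exe. Walk every loaded user
# hive rather than only HKCU, since the report's SID is not the auditor's session.
$sids = Get-ChildItem Registry::HKEY_USERS -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' }
foreach ($s in $sids) {
    $cv  = "Registry::$($s.Name)\SOFTWARE\Microsoft\Windows\CurrentVersion"
    $pol = "$cv\Policies\System"
    if ((Get-RegValue $pol 'DisableRegistryTools') -eq 1) {
        Add-Finding $pol 'DisableRegistryTools' 1 "regedit blocked for $($s.PSChildName)"
        if ($Revert) { Remove-ItemProperty -LiteralPath $pol -Name 'DisableRegistryTools' }
    }
    $adv = "$cv\Explorer\Advanced"
    if ((Get-RegValue $adv 'HideFileExt') -eq 1 -and (Get-RegValue $adv 'ShowSuperHidden') -eq 0) {
        # Same as the report, but also the Windows defaults: corroborating only, never reverted.
        Add-Finding $adv 'HideFileExt/ShowSuperHidden' '1/0' 'Matches report; also the default'
    }
}

if ($findings.Count) { $findings | Format-Table -AutoSize -Wrap }
else { 'No registry IoCs from the report were found.' }
```

Run it once without -Revert and review the table before reverting anything: the Run-key match is by file name only, and a legitimately named value could collide with one of the dropped names. Removing the values does not remove the dropped executables themselves, which the file sweep in the Downloads section is for.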
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\6ed598a9f1ddf1f7c13c941791dc1421_JaffaCakes118.exe (command line: "C:\Users\Admin\AppData\Local\Temp\6ed598a9f1ddf1f7c13c941791dc1421_JaffaCakes118.exe")
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
Level 2: C:\Windows\SysWOW64\ggkwuwglqf.exe (command line: ggkwuwglqf.exe)
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
Level 3: C:\Windows\SysWOW64\lekteuia.exe (command line: C:\Windows\system32\lekteuia.exe)
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
Level 2: C:\Windows\SysWOW64\hfbltevousvdvpe.exe (command line: hfbltevousvdvpe.exe)
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
Level 2: C:\Windows\SysWOW64\lekteuia.exe (command line: lekteuia.exe)
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
Level 2: C:\Windows\SysWOW64\tcvggfbxjoefe.exe (command line: tcvggfbxjoefe.exe)
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
Level 2: C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o "")
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Modify Registry (6)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
- Filesize: 239B
- MD5: 12b138a5a40ffb88d1850866bf2959cd
- SHA1: 57001ba2de61329118440de3e9f8a81074cb28a2
- SHA256: 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
- SHA512: 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851218[[fn=gb]].xsl
- Filesize: 262KB
- MD5: 51d32ee5bc7ab811041f799652d26e04
- SHA1: 412193006aa3ef19e0a57e16acf86b830993024a
- SHA256: 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
- SHA512: 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
- Filesize: 3KB
- MD5: a6c80548476a2895ae0b7445de23b0aa
- SHA1: 702824442a26822e769bb1bb93e8018dd847d409
- SHA256: abf2ed598ebfae6c724179edc0b3c3aa1a91be7d93ef35488051ea3d60aae7c1
- SHA512: 1825b86345cfb9cc41c375b967c8c501053a86c05a0eebf26ec2ac175913128855a9a942830c29e387a214b29dba0d8c6873520c7468291deef853d7d6b00215

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms (second capture of the same path)
- Filesize: 3KB
- MD5: 4b4184bb3860b1b1cf40923b6e9002df
- SHA1: c808d9ff85ae24978ba7d849b27339cb3de59d6a
- SHA256: a5940c642840a415e27240f4e15004428375e89fb6b9a735bc5848974c94e5cb
- SHA512: 43d263a0af7448020d11c74cd9f1dca0411dbd5db963b345974065c2a7dbd7bc6fda5f182c76b4d81d66cda14771dfd3b9ddebfa28f1be156d2dac1cc82af2d6

C:\Windows\SysWOW64\ggkwuwglqf.exe
- Filesize: 512KB
- MD5: 8c7b157eb3b45097d75d92f27f1dd657
- SHA1: 8f943391987e1b59e46d29d375768d56db6625c3
- SHA256: d88f92910baa9542307c1094dd25fbbdba642aa2b5543342849e1dbb72eb2487
- SHA512: e1c26ac0a6babfad64b56bc3aa9417599211dc039f79fb6d5808ef7204cce08d5f1857c6edf97c21846e29a30dba98e313a56a92cc317de792f19c9dbc40d16a

C:\Windows\SysWOW64\hfbltevousvdvpe.exe
- Filesize: 512KB
- MD5: bcd9f3b73c0e1fd9fb6cb4dd08a45a09
- SHA1: cc7d0ad1ab546c2ff6f925b1c96d0760595713f9
- SHA256: 732b0135039323bfdb9e0395cb2683badb5522130c7ca95d372102359c6925c3
- SHA512: b95a9705eda31bdacb4ad834b5c05201ce579310ff116f6964a270c42c8358809296edb0d8c19ac434b382b50bf97b0603c773296ba7f8d0c433960434b682b8

C:\Windows\SysWOW64\lekteuia.exe
- Filesize: 512KB
- MD5: 51752915806424b0edf171a8d5491bf4
- SHA1: c1e476a9318c10770647ae7bd4c186fbf42394a3
- SHA256: 57b13791330c5dd9410458d5262350c3db5d82fdb66fbdb480f719bd7e50619a
- SHA512: 55ebddeda69d272cd245d2a2df2e826fc3139dd1168c2672fba579074cb21d803197522c0458a72319483c29afbc78016b70d1491c494f72bcba0c8fb897270e

C:\Windows\SysWOW64\tcvggfbxjoefe.exe
- Filesize: 512KB
- MD5: 47b4fc9f80c89a2a3cbb5ea2d1688f3d
- SHA1: f71682bb25a4967b6030e296d262ac11b5c00f8d
- SHA256: 1942bdfbe6645ea47ac2faf0ba63c953249bf45b99b03d777595f9772a62bc98
- SHA512: e765ed4b2c0676e987a91c0a853ffefc6a821ef35dfa808baec099c33e6d047df7137825b503a3b6ec34baf62edf585effc75462f1a6591ea5e0d65c1106f115

C:\Windows\mydoc.rtf
- Filesize: 223B
- MD5: 06604e5941c126e2e7be02c5cd9f62ec
- SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
- SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
- SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

\??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- Filesize: 512KB
- MD5: 9a49ee87ee128b5e9eff6e353be6b332
- SHA1: 53f961031d771a540f7a8dcc5db7e4ca4e63144f
- SHA256: e90f8c774e31a46bf9bb8be3954e058e5e4c0f2a28eedc119d80d0362d83d9f5
- SHA512: 921182800b10b9891d451204e4ae78a28fcc1eaeed3385ec29d2e9077225b77b54df98681bec7c3f70636136a3c3e2e2770cdb795443864d47ab16a95bf4c6af

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
- Filesize: 512KB
- MD5: b3ba7b4f110d250bcfc2ba7a4cdeca3e
- SHA1: 98da73fc0820c7fc6984057a00c86d4b3a348ddc
- SHA256: cb48f31c6c06bf4af3c55c58b23b417e2437e777c3c4d1a7c780aac5ad9a8494
- SHA512: ee92babe5148c62fae419b31cf633c3774e4198e92b0c228bf9ebf619a914e5e0d6b961a2606ce4f208b22632eee800df9ceb8e2eabf2fe32cb7e3c7d1dedf65

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (second capture of the same path)
- Filesize: 512KB
- MD5: 0bd3539991ce763f4a6313e0b5dd12bb
- SHA1: b1cbd56d933eaa0f11c480dff4dacb3aca5dee2f
- SHA256: bd10ee3f9025185183f19ae8d8b03da94f45328c60b2fb862933cc4c7bddf9fc
- SHA512: 69f3564e9cb25be0fd5b7409b7265acb2f7451ff866c4ebbac531497e12c9997dee9523e7037f164020606f5050678017d98a90c7360e1064663b999b68095f2
memory/3828-0-0x0000000000400000-0x0000000000496000-memory.dmp
- Filesize: 600KB

memory/4352-35-0x00007FFA485B0000-0x00007FFA485C0000-memory.dmp
- Filesize: 64KB

memory/4352-38-0x00007FFA485B0000-0x00007FFA485C0000-memory.dmp
- Filesize: 64KB

memory/4352-37-0x00007FFA485B0000-0x00007FFA485C0000-memory.dmp
- Filesize: 64KB

memory/4352-36-0x00007FFA485B0000-0x00007FFA485C0000-memory.dmp
- Filesize: 64KB

memory/4352-43-0x00007FFA45EB0000-0x00007FFA45EC0000-memory.dmp
- Filesize: 64KB

memory/4352-39-0x00007FFA485B0000-0x00007FFA485C0000-memory.dmp
- Filesize: 64KB

memory/4352-40-0x00007FFA45EB0000-0x00007FFA45EC0000-memory.dmp
- Filesize: 64KB

memory/4352-600-0x00007FFA485B0000-0x00007FFA485C0000-memory.dmp
- Filesize: 64KB

memory/4352-602-0x00007FFA485B0000-0x00007FFA485C0000-memory.dmp
- Filesize: 64KB

memory/4352-603-0x00007FFA485B0000-0x00007FFA485C0000-memory.dmp
- Filesize: 64KB

memory/4352-601-0x00007FFA485B0000-0x00007FFA485C0000-memory.dmp
- Filesize: 64KB
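The file hashes in the Downloads section, together with the drop behaviour recorded under "Drops file in Program Files directory" and "Drops file in Windows directory" (a 512KB .DOC.exe / .doc.exe created next to Office document files, a same-named .nal written beside it), give a host-side sweep something concrete to match on. The script below is an added example written for this page, not the sandbox's code or part of the sample. It hashes every candidate file under the given roots and compares against the SHA256 values copied from this report (MsoIrmProtector.doc.exe is listed twice with different hashes, so both are accepted); the AU3!EA06 string check is a heuristic for compiled AutoIt v3 binaries, standing in for the report's autoit_exe YARA hit and not the report's own rule; the default sweep roots are an assumption. It runs from the shell on purpose: with HideFileExt set as in the report, Explorer shows PROTTPLV.DOC.exe as PROTTPLV.DOC.

```powershell
# Added example; not part of the sandbox report or of the sample. Sweeps a host
# for the files listed in the Downloads section and for the document companions
# lekteuia.exe creates, comparing SHA256 values against the report. The AU3!EA06
# check is a heuristic for compiled AutoIt binaries, not the report's YARA rule;
# the default roots are an assumption. Run from an elevated prompt.
[CmdletBinding()]
param([string[]]$Roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot))

# SHA256 values copied from the report's Downloads section, keyed by file name.
# MsoIrmProtector.doc.exe appears twice in the report with different hashes.
$reportSha256 = @{
    'ggkwuwglqf.exe'          = 'd88f92910baa9542307c1094dd25fbbdba642aa2b5543342849e1dbb72eb2487'
    'hfbltevousvdvpe.exe'     = '732b0135039323bfdb9e0395cb2683badb5522130c7ca95d372102359c6925c3'
    'lekteuia.exe'            = '57b13791330c5dd9410458d5262350c3db5d82fdb66fbdb480f719bd7e50619a'
    'tcvggfbxjoefe.exe'       = '1942bdfbe6645ea47ac2faf0ba63c953249bf45b99b03d777595f9772a62bc98'
    'PROTTPLV.DOC.exe'        = 'e90f8c774e31a46bf9bb8be3954e058e5e4c0f2a28eedc119d80d0362d83d9f5'
    'MsoIrmProtector.doc.exe' = @('cb48f31c6c06bf4af3c55c58b23b417e2437e777c3c4d1a7c780aac5ad9a8494',
                                  'bd10ee3f9025185183f19ae8d8b03da94f45328c60b2fb862933cc4c7bddf9fc')
}

function Test-AutoItMarker([string]$Path) {
    # Compiled AutoIt v3 executables carry the script-header magic "AU3!EA06".
    $text = [Text.Encoding]::GetEncoding(28591).GetString([IO.File]::ReadAllBytes($Path))
    $text.Contains('AU3!EA06')
}

# Candidates: the dropper names from the report, any *.doc.exe companion, and the
# .nal files the report shows being written beside each PROTTPL*.DOC.exe.
$candidates = Get-ChildItem -Path ($Roots | Where-Object { $_ }) -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $reportSha256.ContainsKey($_.Name) -or $_.Name -match '\.doc\.exe$' -or $_.Extension -eq '.nal' }

$results = foreach ($f in $candidates) {
    $sha   = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash.ToLower()
    $known = $reportSha256[$f.Name]          # hashtable lookups are case-insensitive
    $isExe = $f.Extension -eq '.exe'
    [pscustomobject]@{
        Path          = $f.FullName
        SizeKB        = [math]::Round($f.Length / 1KB)
        SHA256        = $sha
        MatchesReport = ($null -ne $known) -and ($known -contains $sha)
        AutoItMarker  = $isExe -and (Test-AutoItMarker $f.FullName)
        # A same-named .nal next to a .DOC.exe mirrors the report's Program Files writes.
        NalBeside     = $isExe -and (Test-Path -LiteralPath (Join-Path $f.DirectoryName (($f.Name -replace '\.doc\.exe$', '') + '.nal')))
    }
}

$results | Sort-Object MatchesReport, AutoItMarker -Descending |
    Format-Table Path, SizeKB, MatchesReport, AutoItMarker, NalBeside -AutoSize
```

A file that matches a report hash is this sample's drop. A .doc.exe with the AutoIt marker but a different hash is still worth quarantining, since the report shows the same name at the same path with two hashes, and a .nal beside it marks the location where the original document was touched. The WinSxS copies are under a protected directory, which is why the report's Winlogon SFCDisable change matters for cleanup.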