Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
submitted: 24-05-2024 15:12

Static task: static1

Behavioral task: behavioral1
Sample: 6ef08a64caec6f6e5b75c06f27c51799_JaffaCakes118.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 6ef08a64caec6f6e5b75c06f27c51799_JaffaCakes118.exe
Resource: win10v2004-20240508-en
General
Target: 6ef08a64caec6f6e5b75c06f27c51799_JaffaCakes118.exe
Size: 512KB
MD5: 6ef08a64caec6f6e5b75c06f27c51799
SHA1: 8cbbe6f6f9e07ebc1b4dbd2bad90076ff3c954a9
SHA256: 62e9ee7a83ab0bf5110ea657a9474417d69bfa53849bceb72dde0254e215e324
SHA512: 8273c351e0095b802f6021a0191209b21471c22150b3a2dc99e0db2518244afdb9dfeaf711cefdf99d72b82955233bef1c012c7c5e7d5b6534ca7c276de0cbcc
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6t:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5A
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
Processes: ccbilxnbzb.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | ccbilxnbzb.exe

Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes: ccbilxnbzb.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | ccbilxnbzb.exe

Windows security bypass
Processes: ccbilxnbzb.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | ccbilxnbzb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | ccbilxnbzb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | ccbilxnbzb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | ccbilxnbzb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | ccbilxnbzb.exe

Disables RegEdit via registry modification 1 IoCs
Processes: ccbilxnbzb.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | ccbilxnbzb.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 6ef08a64caec6f6e5b75c06f27c51799_JaffaCakes118.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | 6ef08a64caec6f6e5b75c06f27c51799_JaffaCakes118.exe

Executes dropped EXE 5 IoCs
Processes: ccbilxnbzb.exe, lasytxvtufgbdoe.exe, hvnjzuwc.exe, swdzwumklmsla.exe, hvnjzuwc.exe
pid | process
2728 | ccbilxnbzb.exe
5028 | lasytxvtufgbdoe.exe
2608 | hvnjzuwc.exe
2876 | swdzwumklmsla.exe
1684 | hvnjzuwc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification
Processes: ccbilxnbzb.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | ccbilxnbzb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | ccbilxnbzb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | ccbilxnbzb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | ccbilxnbzb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | ccbilxnbzb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | ccbilxnbzb.exe

Adds Run key to start application 2 TTPs 3 IoCs
Processes: lasytxvtufgbdoe.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "swdzwumklmsla.exe" | lasytxvtufgbdoe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uaszjpsn = "ccbilxnbzb.exe" | lasytxvtufgbdoe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\eqdzyjsf = "lasytxvtufgbdoe.exe" | lasytxvtufgbdoe.exe

Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: hvnjzuwc.exe, ccbilxnbzb.exe, hvnjzuwc.exe
The 64 "File opened (read-only)" events are grouped below by process, with the drive letters listed in their order of appearance.
description | ioc (drive root) | process
File opened (read-only) | \??\t: \??\i: \??\k: \??\y: \??\i: \??\q: \??\s: \??\w: \??\z: \??\k: \??\m: \??\y: \??\a: \??\h: \??\a: \??\v: \??\z: \??\x: \??\u: \??\s: \??\g: \??\x: \??\b: \??\e: \??\v: \??\r: \??\g: \??\l: \??\o: \??\w: \??\b: \??\q: \??\l: \??\n: \??\r: \??\j: \??\m: \??\p: \??\p: \??\n: \??\o: (41 events) | hvnjzuwc.exe
File opened (read-only) | \??\j: \??\n: \??\o: \??\z: \??\y: \??\q: \??\e: \??\i: \??\p: \??\s: \??\a: \??\b: \??\k: \??\x: \??\g: \??\l: \??\r: \??\u: \??\w: \??\m: \??\t: \??\h: \??\v: (23 events) | ccbilxnbzb.exe

Modifies WinLogon 2 TTPs 2 IoCs
Processes: ccbilxnbzb.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | ccbilxnbzb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | ccbilxnbzb.exe

AutoIT Executable 9 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/600-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
C:\Windows\SysWOW64\lasytxvtufgbdoe.exe | autoit_exe
C:\Windows\SysWOW64\ccbilxnbzb.exe | autoit_exe
C:\Windows\SysWOW64\hvnjzuwc.exe | autoit_exe
C:\Windows\SysWOW64\swdzwumklmsla.exe | autoit_exe
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | autoit_exe
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | autoit_exe
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | autoit_exe
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | autoit_exe

Drops file in System32 directory 12 IoCs
Processes: 6ef08a64caec6f6e5b75c06f27c51799_JaffaCakes118.exe, hvnjzuwc.exe, hvnjzuwc.exe, ccbilxnbzb.exe
description | ioc | process
File created | C:\Windows\SysWOW64\lasytxvtufgbdoe.exe | 6ef08a64caec6f6e5b75c06f27c51799_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\lasytxvtufgbdoe.exe | 6ef08a64caec6f6e5b75c06f27c51799_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\hvnjzuwc.exe | 6ef08a64caec6f6e5b75c06f27c51799_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\swdzwumklmsla.exe | 6ef08a64caec6f6e5b75c06f27c51799_JaffaCakes118.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | hvnjzuwc.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | hvnjzuwc.exe
File created | C:\Windows\SysWOW64\ccbilxnbzb.exe | 6ef08a64caec6f6e5b75c06f27c51799_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\ccbilxnbzb.exe | 6ef08a64caec6f6e5b75c06f27c51799_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | ccbilxnbzb.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | hvnjzuwc.exe
File created | C:\Windows\SysWOW64\hvnjzuwc.exe | 6ef08a64caec6f6e5b75c06f27c51799_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\swdzwumklmsla.exe | 6ef08a64caec6f6e5b75c06f27c51799_JaffaCakes118.exe

Drops file in Program Files directory 15 IoCs
Processes: hvnjzuwc.exe, hvnjzuwc.exe
description | ioc | process
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | hvnjzuwc.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | hvnjzuwc.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | hvnjzuwc.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | hvnjzuwc.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | hvnjzuwc.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | hvnjzuwc.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | hvnjzuwc.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | hvnjzuwc.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | hvnjzuwc.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | hvnjzuwc.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | hvnjzuwc.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | hvnjzuwc.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | hvnjzuwc.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | hvnjzuwc.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | hvnjzuwc.exe

Drops file in Windows directory 19 IoCs
Processes: hvnjzuwc.exe, WINWORD.EXE, hvnjzuwc.exe, 6ef08a64caec6f6e5b75c06f27c51799_JaffaCakes118.exe
description | ioc | process
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | hvnjzuwc.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | hvnjzuwc.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | hvnjzuwc.exe
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | hvnjzuwc.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | hvnjzuwc.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | hvnjzuwc.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | hvnjzuwc.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | hvnjzuwc.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | hvnjzuwc.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | hvnjzuwc.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | hvnjzuwc.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | hvnjzuwc.exe
File opened for modification | C:\Windows\mydoc.rtf | 6ef08a64caec6f6e5b75c06f27c51799_JaffaCakes118.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | hvnjzuwc.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | hvnjzuwc.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | hvnjzuwc.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | hvnjzuwc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs
Processes: WINWORD.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE

Modifies registry class 20 IoCs
Processes: ccbilxnbzb.exe, 6ef08a64caec6f6e5b75c06f27c51799_JaffaCakes118.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | ccbilxnbzb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | ccbilxnbzb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | ccbilxnbzb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | ccbilxnbzb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | ccbilxnbzb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | ccbilxnbzb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC3B02C47E039E852C4B9D73392D7C5" | 6ef08a64caec6f6e5b75c06f27c51799_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | 6ef08a64caec6f6e5b75c06f27c51799_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F46BB4FF6722A9D27AD1D58B7A9164" | 6ef08a64caec6f6e5b75c06f27c51799_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | ccbilxnbzb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AB9FACCFE11F29084743A32819D3E95B38A028B4316033BE1CA42EF08D6" | 6ef08a64caec6f6e5b75c06f27c51799_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8BFCFB485F821B9046D65B7DE7BDE6E147594A66446332D7EC" | 6ef08a64caec6f6e5b75c06f27c51799_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | ccbilxnbzb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | ccbilxnbzb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | ccbilxnbzb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33402C7B9C5283566A3077A770512CDC7C8464DB" | 6ef08a64caec6f6e5b75c06f27c51799_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | ccbilxnbzb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | ccbilxnbzb.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 6ef08a64caec6f6e5b75c06f27c51799_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1845C70915E6DBB1B9CD7C97ECE434CF" | 6ef08a64caec6f6e5b75c06f27c51799_JaffaCakes118.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes: WINWORD.EXE
pid | process
8 | WINWORD.EXE
8 | WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 6ef08a64caec6f6e5b75c06f27c51799_JaffaCakes118.exe, hvnjzuwc.exe, swdzwumklmsla.exe, lasytxvtufgbdoe.exe, ccbilxnbzb.exe, hvnjzuwc.exe
The 64 pid/process rows are collapsed below into runs, in their order of appearance.
pid | process | consecutive rows
600 | 6ef08a64caec6f6e5b75c06f27c51799_JaffaCakes118.exe | 16
2608 | hvnjzuwc.exe | 8
2876 | swdzwumklmsla.exe | 12
5028 | lasytxvtufgbdoe.exe | 8
2728 | ccbilxnbzb.exe | 10
5028 | lasytxvtufgbdoe.exe | 4
2876 | swdzwumklmsla.exe | 4
1684 | hvnjzuwc.exe | 2

Suspicious use of FindShellTrayWindow 18 IoCs
Processes: 6ef08a64caec6f6e5b75c06f27c51799_JaffaCakes118.exe, hvnjzuwc.exe, swdzwumklmsla.exe, lasytxvtufgbdoe.exe, ccbilxnbzb.exe, hvnjzuwc.exe
pid | process | consecutive rows
600 | 6ef08a64caec6f6e5b75c06f27c51799_JaffaCakes118.exe | 3
2608 | hvnjzuwc.exe | 3
2876 | swdzwumklmsla.exe | 3
5028 | lasytxvtufgbdoe.exe | 1
2728 | ccbilxnbzb.exe | 1
5028 | lasytxvtufgbdoe.exe | 1
2728 | ccbilxnbzb.exe | 1
5028 | lasytxvtufgbdoe.exe | 1
2728 | ccbilxnbzb.exe | 1
1684 | hvnjzuwc.exe | 3

Suspicious use of SendNotifyMessage 18 IoCs
Processes: 6ef08a64caec6f6e5b75c06f27c51799_JaffaCakes118.exe, hvnjzuwc.exe, swdzwumklmsla.exe, lasytxvtufgbdoe.exe, ccbilxnbzb.exe, hvnjzuwc.exe
pid | process | consecutive rows
600 | 6ef08a64caec6f6e5b75c06f27c51799_JaffaCakes118.exe | 3
2608 | hvnjzuwc.exe | 3
2876 | swdzwumklmsla.exe | 3
5028 | lasytxvtufgbdoe.exe | 1
2728 | ccbilxnbzb.exe | 1
5028 | lasytxvtufgbdoe.exe | 1
2728 | ccbilxnbzb.exe | 1
5028 | lasytxvtufgbdoe.exe | 1
2728 | ccbilxnbzb.exe | 1
1684 | hvnjzuwc.exe | 3

Suspicious use of SetWindowsHookEx 7 IoCs
Processes: WINWORD.EXE
pid | process | consecutive rows
8 | WINWORD.EXE | 7

Suspicious use of WriteProcessMemory 17 IoCs
Processes: 6ef08a64caec6f6e5b75c06f27c51799_JaffaCakes118.exe, ccbilxnbzb.exe
description | pid | process | target process | consecutive rows
PID 600 wrote to memory of 2728 | 600 | 6ef08a64caec6f6e5b75c06f27c51799_JaffaCakes118.exe | ccbilxnbzb.exe | 3
PID 600 wrote to memory of 5028 | 600 | 6ef08a64caec6f6e5b75c06f27c51799_JaffaCakes118.exe | lasytxvtufgbdoe.exe | 3
PID 600 wrote to memory of 2608 | 600 | 6ef08a64caec6f6e5b75c06f27c51799_JaffaCakes118.exe | hvnjzuwc.exe | 3
PID 600 wrote to memory of 2876 | 600 | 6ef08a64caec6f6e5b75c06f27c51799_JaffaCakes118.exe | swdzwumklmsla.exe | 3
PID 600 wrote to memory of 8 | 600 | 6ef08a64caec6f6e5b75c06f27c51799_JaffaCakes118.exe | WINWORD.EXE | 2
PID 2728 wrote to memory of 1684 | 2728 | ccbilxnbzb.exe | hvnjzuwc.exe | 3

Processes
The tree below is indented by depth; the bracketed number is the depth the report gave each process.
[1] C:\Users\Admin\AppData\Local\Temp\6ef08a64caec6f6e5b75c06f27c51799_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\6ef08a64caec6f6e5b75c06f27c51799_JaffaCakes118.exe"
    - Checks computer location settings
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID: 600
    [2] C:\Windows\SysWOW64\ccbilxnbzb.exe
        Command line: ccbilxnbzb.exe
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - Windows security bypass
        - Disables RegEdit via registry modification
        - Executes dropped EXE
        - Windows security modification
        - Enumerates connected drives
        - Modifies WinLogon
        - Drops file in System32 directory
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
        PID: 2728
        [3] C:\Windows\SysWOW64\hvnjzuwc.exe
            Command line: C:\Windows\system32\hvnjzuwc.exe
            - Executes dropped EXE
            - Enumerates connected drives
            - Drops file in System32 directory
            - Drops file in Program Files directory
            - Drops file in Windows directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            PID: 1684
    [2] C:\Windows\SysWOW64\lasytxvtufgbdoe.exe
        Command line: lasytxvtufgbdoe.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        PID: 5028
    [2] C:\Windows\SysWOW64\hvnjzuwc.exe
        Command line: hvnjzuwc.exe
        - Executes dropped EXE
        - Enumerates connected drives
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        PID: 2608
    [2] C:\Windows\SysWOW64\swdzwumklmsla.exe
        Command line: swdzwumklmsla.exe
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        PID: 2876
    [2] C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
        Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
        - Drops file in Windows directory
        - Checks processor information in registry
        - Enumerates system info in registry
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious use of SetWindowsHookEx
        PID: 8
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
  Filesize: 512KB
  MD5: fc01ce995effa22a50e4b1519dd183e8
  SHA1: 9362e8716c9047a257cc6415c41d0b63cf2325c4
  SHA256: b4bd9cd0d72616661fd90bb7c2f8291c5768a8277911a837704352c44f464ecf
  SHA512: bf1f4587deab99c5738810728c9bc1186377778fbb5a94668680bb178b8d56628521bc8c36e3a6fe29ab9a89c6c45a4055b743485ae2f13a76e277930dd365de

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
  Filesize: 512KB
  MD5: ec7e98093fafd5da5296fe15cffe05b5
  SHA1: e1cf95e84261227cc63f4bbc127f098b3410fca6
  SHA256: ce969aed0d7721b29e4200d826197a0fe5865637a06fe0df9c1dd80506c153fe
  SHA512: cc880515957d712a7f3cdc8a8431b5132138fdd9f5b1b7145859df1638a5014760e8ac95c7c15075869561c731538a21a752420f66a67076798c97796a517a92

C:\Users\Admin\AppData\Local\Temp\TCD8D0A.tmp\iso690.xsl
  Filesize: 263KB
  MD5: ff0e07eff1333cdf9fc2523d323dd654
  SHA1: 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
  SHA256: 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
  SHA512: b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
  Filesize: 247B
  MD5: 1b529425a37b1334b8b33ebd890269a4
  SHA1: 84768e6475b45e3431d5dd62968dde9b92bcb799
  SHA256: 774609fb895e024729e533b8420e732453a0f7ad9cc4599a871157b4f2ca0440
  SHA512: 8d82cb100fb6e979061a2a86aedf2f77de9bb5abf4431ed7add5c75d04988a3cd747119ade26856e8c2fdf7fe75e6aedf0025f2015e525b6835c80cfa2eff295

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 3KB
  MD5: 8799685a5cc0d2d90e3a5a8e3adc24fc
  SHA1: 379e18cc361e56dbb867d6fd0082e09dd70a3920
  SHA256: cfde9400f4721fb05a746de5d24a55fa3f4c67fc2137f6c68cff51be03ba4151
  SHA512: 9eed221c689562e4e3b91a7ec409630c4d96cf46505ac5e3136ebc861d6b0d27f69cc0ef9d993e3646728b278ffc13f78cd3d62ab765e6bdd2b4153ff45f8c52

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms~RFe57701f.TMP
  Filesize: 3KB
  MD5: f1a08f4dd1ab30ae07d4ca77c41a5e85
  SHA1: f87d704be38fda4f1be5793ed8693f00275fdc0f
  SHA256: dc4e8a8436db18b2916ce72ed1778fdbb6831aef7e2f268ab980b1ae4f38f0ea
  SHA512: 246fb8750056c41447f8b21f52c1f77bb733e800fda859a573d7d40ab49f5b9f9072bb3a2fa37416f622c609d7afedb73b5b2b142bf2e31963ed4e39ffec19e2

C:\Windows\SysWOW64\ccbilxnbzb.exe
  Filesize: 512KB
  MD5: a6ca248edbd8b1ee659d993a5137119f
  SHA1: 514dea12b93e290930b5998eabe1ba715e6e6821
  SHA256: a5fa611e4d0eaabd9b2922b8bc201cc85f4f2633db644fb7c6ba2c9604e26e79
  SHA512: e701289b50d7c73ba812270e0568284d3f124577aac28685dca2dcdb88036dd51de403819182bd77428c3605b0556dbdf726dd9c0179ee95d2e69eaa754b2261

C:\Windows\SysWOW64\hvnjzuwc.exe
  Filesize: 512KB
  MD5: cac303e3098de0510d89bb48143d9ff9
  SHA1: 41206aa0af10d1a78f77c015754cd238fbfaf3aa
  SHA256: 00fd58efbbe91e0e15a94bf0e9600a62abc9df9ffb8749b2f98a7d0ac6e7c389
  SHA512: 23a284235722081899adb50d534b421d3665e15a57621507782cf80ada2e0cf7fa04fe87d5eb2dc5eef773c42af321c93afb63c65d115671f3c5a39318457dd5

C:\Windows\SysWOW64\lasytxvtufgbdoe.exe
  Filesize: 512KB
  MD5: 1bbdeaa4792f49994e57efaacfa1803a
  SHA1: 7a469abe4355c10dffba81772316b5c586334bc1
  SHA256: ace2acf813d4c97610a4e44a041be5b9e9ba39327bf2b75e4881d8062e78fc22
  SHA512: 3ff8441ea39dcb578488eec99d70c23a1d9f2a7dab9570d7253bf800b35585e48a466605a83504198d5fbb7fb1e608ea7b62024653a0c2650023a3fed506dbc4

C:\Windows\SysWOW64\swdzwumklmsla.exe
  Filesize: 512KB
  MD5: f76b006b534d0f45ee0ad72da6eda83e
  SHA1: e9684aa08b8a9ddf63d4bfb4fe616e7fd07f34f5
  SHA256: b6f1152a20d9d692a13fc67875d23862ef29be6ac5f0fafbba6c36b69713b701
  SHA512: bf62a3056bc0fe959f61ec383d41b9f187684d42fcbe67c5e746e8872e632bc218d07f29c0d321eeb9e4e134e718e285af8068ee3ad8a058622c353fb28a5482

C:\Windows\mydoc.rtf
  Filesize: 223B
  MD5: 06604e5941c126e2e7be02c5cd9f62ec
  SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
  SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
  SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
  Filesize: 512KB
  MD5: 230a7dc29ce52e7e0b66d31e0cb2d80d
  SHA1: a1add7958019fec759c81839737659ed2b45941e
  SHA256: d70a0abcdfaa3c92d472a003dc31d7a4e06bfc2e92428444d6b84fb6fd83c0b3
  SHA512: c138d6eea2373f11ea639dba27396f2faf9c7c7af2c5e483b1ecc0f70724a8a346391918877d75a1de198136ba80c8220ec76bfac15a02f10deb576e0a2901c8

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
  Filesize: 512KB
  MD5: d8f5119f9b1fd05fae3bf074d017425a
  SHA1: c92ea4b62ccf3161c7f114b6336f7552e15d064b
  SHA256: 067dee163168dce1b6edc25596b57e115f1b4c72f34349dc97e254067722ba29
  SHA512: d9aa91db15fbc641b98ccac74cc19a1855613c38084ec74476e1ae004359ea844acd7c34c1e5b18ab064fdd35ddd293280417803acaa5f215c7b51ff06a19feb

Memory dumps (resource, Filesize):
memory/8-41-0x00007FF879D30000-0x00007FF879D40000-memory.dmp | 64KB
memory/8-40-0x00007FF879D30000-0x00007FF879D40000-memory.dmp | 64KB
memory/8-39-0x00007FF87BDF0000-0x00007FF87BE00000-memory.dmp | 64KB
memory/8-38-0x00007FF87BDF0000-0x00007FF87BE00000-memory.dmp | 64KB
memory/8-37-0x00007FF87BDF0000-0x00007FF87BE00000-memory.dmp | 64KB
memory/8-36-0x00007FF87BDF0000-0x00007FF87BE00000-memory.dmp | 64KB
memory/8-35-0x00007FF87BDF0000-0x00007FF87BE00000-memory.dmp | 64KB
memory/8-598-0x00007FF87BDF0000-0x00007FF87BE00000-memory.dmp | 64KB
memory/8-599-0x00007FF87BDF0000-0x00007FF87BE00000-memory.dmp | 64KB
memory/8-597-0x00007FF87BDF0000-0x00007FF87BE00000-memory.dmp | 64KB
memory/8-600-0x00007FF87BDF0000-0x00007FF87BE00000-memory.dmp | 64KB
memory/600-0-0x0000000000400000-0x0000000000496000-memory.dmp | 600KB