Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-05-2024 16:39
Static task: static1
Behavioral task: behavioral1
  Sample: 6f26c293efbae4ef647aa7953ff8e2ff_JaffaCakes118.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 6f26c293efbae4ef647aa7953ff8e2ff_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 6f26c293efbae4ef647aa7953ff8e2ff_JaffaCakes118.exe
Size: 512KB
MD5: 6f26c293efbae4ef647aa7953ff8e2ff
SHA1: 1b11a84804c9edb52c4960eaad0c8c94e0138770
SHA256: ab674e0aa02a2bda117ab0a323531c7f1c55cb4c194fda58968abb76abe827e3
SHA512: 9078f1eeceffa2b29e6bd7fb7be3bac60a1aee3336e92f087d14882b212d80605af3065c26475866aee9210f89bf9a78de5d20da0edd7147c2490aa790ae9983
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6s:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm55
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
Processes:
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | oribqxwahg.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
Processes:
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | oribqxwahg.exe
Windows security bypass (5 IoCs)
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | oribqxwahg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | oribqxwahg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | oribqxwahg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | oribqxwahg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | oribqxwahg.exe
Disables RegEdit via registry modification (1 IoC)
Processes:
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | oribqxwahg.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | 6f26c293efbae4ef647aa7953ff8e2ff_JaffaCakes118.exe
Executes dropped EXE (5 IoCs)
Processes:
pid | process
3468 | oribqxwahg.exe
4752 | oijgcokhxoxxmoq.exe
4100 | jfhqhscl.exe
1140 | eetluxpdcmxmo.exe
4896 | jfhqhscl.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification (6 IoCs)
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | oribqxwahg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | oribqxwahg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | oribqxwahg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | oribqxwahg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | oribqxwahg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | oribqxwahg.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "eetluxpdcmxmo.exe" | oijgcokhxoxxmoq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\owonwsag = "oribqxwahg.exe" | oijgcokhxoxxmoq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nlvncddy = "oijgcokhxoxxmoq.exe" | oijgcokhxoxxmoq.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description | ioc | process
File opened (read-only) | \??\j: | jfhqhscl.exe
File opened (read-only) | \??\l: | jfhqhscl.exe
File opened (read-only) | \??\n: | oribqxwahg.exe
File opened (read-only) | \??\v: | oribqxwahg.exe
File opened (read-only) | \??\j: | jfhqhscl.exe
File opened (read-only) | \??\k: | jfhqhscl.exe
File opened (read-only) | \??\a: | jfhqhscl.exe
File opened (read-only) | \??\l: | jfhqhscl.exe
File opened (read-only) | \??\g: | jfhqhscl.exe
File opened (read-only) | \??\n: | jfhqhscl.exe
File opened (read-only) | \??\v: | jfhqhscl.exe
File opened (read-only) | \??\m: | oribqxwahg.exe
File opened (read-only) | \??\s: | oribqxwahg.exe
File opened (read-only) | \??\z: | jfhqhscl.exe
File opened (read-only) | \??\b: | oribqxwahg.exe
File opened (read-only) | \??\e: | oribqxwahg.exe
File opened (read-only) | \??\e: | jfhqhscl.exe
File opened (read-only) | \??\w: | jfhqhscl.exe
File opened (read-only) | \??\p: | jfhqhscl.exe
File opened (read-only) | \??\l: | oribqxwahg.exe
File opened (read-only) | \??\t: | oribqxwahg.exe
File opened (read-only) | \??\y: | oribqxwahg.exe
File opened (read-only) | \??\p: | jfhqhscl.exe
File opened (read-only) | \??\b: | jfhqhscl.exe
File opened (read-only) | \??\i: | jfhqhscl.exe
File opened (read-only) | \??\a: | oribqxwahg.exe
File opened (read-only) | \??\o: | jfhqhscl.exe
File opened (read-only) | \??\v: | jfhqhscl.exe
File opened (read-only) | \??\e: | jfhqhscl.exe
File opened (read-only) | \??\z: | jfhqhscl.exe
File opened (read-only) | \??\r: | jfhqhscl.exe
File opened (read-only) | \??\g: | oribqxwahg.exe
File opened (read-only) | \??\z: | oribqxwahg.exe
File opened (read-only) | \??\k: | jfhqhscl.exe
File opened (read-only) | \??\h: | jfhqhscl.exe
File opened (read-only) | \??\w: | jfhqhscl.exe
File opened (read-only) | \??\x: | jfhqhscl.exe
File opened (read-only) | \??\m: | jfhqhscl.exe
File opened (read-only) | \??\q: | jfhqhscl.exe
File opened (read-only) | \??\t: | jfhqhscl.exe
File opened (read-only) | \??\a: | jfhqhscl.exe
File opened (read-only) | \??\q: | jfhqhscl.exe
File opened (read-only) | \??\w: | oribqxwahg.exe
File opened (read-only) | \??\x: | oribqxwahg.exe
File opened (read-only) | \??\i: | jfhqhscl.exe
File opened (read-only) | \??\u: | jfhqhscl.exe
File opened (read-only) | \??\x: | jfhqhscl.exe
File opened (read-only) | \??\g: | jfhqhscl.exe
File opened (read-only) | \??\y: | jfhqhscl.exe
File opened (read-only) | \??\o: | jfhqhscl.exe
File opened (read-only) | \??\y: | jfhqhscl.exe
File opened (read-only) | \??\h: | oribqxwahg.exe
File opened (read-only) | \??\p: | oribqxwahg.exe
File opened (read-only) | \??\r: | oribqxwahg.exe
File opened (read-only) | \??\u: | jfhqhscl.exe
File opened (read-only) | \??\i: | oribqxwahg.exe
File opened (read-only) | \??\j: | oribqxwahg.exe
File opened (read-only) | \??\q: | oribqxwahg.exe
File opened (read-only) | \??\b: | jfhqhscl.exe
File opened (read-only) | \??\n: | jfhqhscl.exe
File opened (read-only) | \??\s: | jfhqhscl.exe
File opened (read-only) | \??\s: | jfhqhscl.exe
File opened (read-only) | \??\t: | jfhqhscl.exe
File opened (read-only) | \??\o: | oribqxwahg.exe
Modifies WinLogon (2 TTPs, 2 IoCs)
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | oribqxwahg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | oribqxwahg.exe
AutoIT Executable (9 IoCs)
AutoIT scripts compiled to PE executables.
Processes:
resource | yara_rule
behavioral2/memory/3668-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
C:\Windows\SysWOW64\oijgcokhxoxxmoq.exe | autoit_exe
C:\Windows\SysWOW64\oribqxwahg.exe | autoit_exe
C:\Windows\SysWOW64\eetluxpdcmxmo.exe | autoit_exe
C:\Windows\SysWOW64\jfhqhscl.exe | autoit_exe
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | autoit_exe
\??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | autoit_exe
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | autoit_exe
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | autoit_exe
Drops file in System32 directory (12 IoCs)
Processes:
description | ioc | process
File created | C:\Windows\SysWOW64\oribqxwahg.exe | 6f26c293efbae4ef647aa7953ff8e2ff_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\oribqxwahg.exe | 6f26c293efbae4ef647aa7953ff8e2ff_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\eetluxpdcmxmo.exe | 6f26c293efbae4ef647aa7953ff8e2ff_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\eetluxpdcmxmo.exe | 6f26c293efbae4ef647aa7953ff8e2ff_JaffaCakes118.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | jfhqhscl.exe
File created | C:\Windows\SysWOW64\oijgcokhxoxxmoq.exe | 6f26c293efbae4ef647aa7953ff8e2ff_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\oijgcokhxoxxmoq.exe | 6f26c293efbae4ef647aa7953ff8e2ff_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\jfhqhscl.exe | 6f26c293efbae4ef647aa7953ff8e2ff_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\jfhqhscl.exe | 6f26c293efbae4ef647aa7953ff8e2ff_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | oribqxwahg.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | jfhqhscl.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | jfhqhscl.exe
Drops file in Program Files directory (15 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | jfhqhscl.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | jfhqhscl.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | jfhqhscl.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | jfhqhscl.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | jfhqhscl.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | jfhqhscl.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | jfhqhscl.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | jfhqhscl.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | jfhqhscl.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | jfhqhscl.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | jfhqhscl.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | jfhqhscl.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | jfhqhscl.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | jfhqhscl.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | jfhqhscl.exe
Drops file in Windows directory (19 IoCs)
Processes:
description | ioc | process
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | jfhqhscl.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | jfhqhscl.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | jfhqhscl.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | jfhqhscl.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | jfhqhscl.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | jfhqhscl.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | jfhqhscl.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | jfhqhscl.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | jfhqhscl.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | jfhqhscl.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | jfhqhscl.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | jfhqhscl.exe
File opened for modification | C:\Windows\mydoc.rtf | 6f26c293efbae4ef647aa7953ff8e2ff_JaffaCakes118.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | jfhqhscl.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | jfhqhscl.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | jfhqhscl.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | jfhqhscl.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class (20 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | oribqxwahg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184EC67D14E4DAB5B8BE7CE0EDE537B9" | 6f26c293efbae4ef647aa7953ff8e2ff_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | oribqxwahg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | oribqxwahg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | oribqxwahg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | oribqxwahg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | oribqxwahg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | oribqxwahg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E78768B2FE6B21ADD10ED1D48A789114" | 6f26c293efbae4ef647aa7953ff8e2ff_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | 6f26c293efbae4ef647aa7953ff8e2ff_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | oribqxwahg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC1B12C47E638E353BDB9D132EFD7CA" | 6f26c293efbae4ef647aa7953ff8e2ff_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | oribqxwahg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | oribqxwahg.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 6f26c293efbae4ef647aa7953ff8e2ff_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33372D7A9C2083226D4677A777212CDF7D8664DE" | 6f26c293efbae4ef647aa7953ff8e2ff_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABAFABDF967F1E783083B3786E93999B3FE02FB42600248E1BA42EF09D2" | 6f26c293efbae4ef647aa7953ff8e2ff_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF4FF824F5F851D903DD62F7E95BD90E131594A664F6333D79B" | 6f26c293efbae4ef647aa7953ff8e2ff_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | oribqxwahg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | oribqxwahg.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes:
pid | process
1556 | WINWORD.EXE
1556 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
pid | process (consecutive identical entries collapsed; 64 in total)
3668 | 6f26c293efbae4ef647aa7953ff8e2ff_JaffaCakes118.exe (16 entries)
4752 | oijgcokhxoxxmoq.exe (8 entries)
3468 | oribqxwahg.exe (10 entries)
4100 | jfhqhscl.exe (8 entries)
4752 | oijgcokhxoxxmoq.exe (2 entries)
1140 | eetluxpdcmxmo.exe (12 entries)
4752 | oijgcokhxoxxmoq.exe (2 entries)
4896 | jfhqhscl.exe (6 entries)
Suspicious use of FindShellTrayWindow (18 IoCs)
Processes:
pid | process (consecutive identical entries collapsed; 18 in total)
3668 | 6f26c293efbae4ef647aa7953ff8e2ff_JaffaCakes118.exe (3 entries)
3468 | oribqxwahg.exe (3 entries)
4752 | oijgcokhxoxxmoq.exe (3 entries)
4100 | jfhqhscl.exe (3 entries)
1140 | eetluxpdcmxmo.exe (3 entries)
4896 | jfhqhscl.exe (3 entries)
Suspicious use of SendNotifyMessage (18 IoCs)
Processes:
pid | process (consecutive identical entries collapsed; 18 in total)
3668 | 6f26c293efbae4ef647aa7953ff8e2ff_JaffaCakes118.exe (3 entries)
3468 | oribqxwahg.exe (3 entries)
4752 | oijgcokhxoxxmoq.exe (3 entries)
4100 | jfhqhscl.exe (3 entries)
1140 | eetluxpdcmxmo.exe (3 entries)
4896 | jfhqhscl.exe (3 entries)
Suspicious use of SetWindowsHookEx (7 IoCs)
Processes:
pid | process
1556 | WINWORD.EXE (7 entries)
Suspicious use of WriteProcessMemory (17 IoCs)
Processes:
description | pid | process | target process (consecutive identical entries collapsed; 17 in total)
PID 3668 wrote to memory of 3468 | 3668 | 6f26c293efbae4ef647aa7953ff8e2ff_JaffaCakes118.exe | oribqxwahg.exe (3 entries)
PID 3668 wrote to memory of 4752 | 3668 | 6f26c293efbae4ef647aa7953ff8e2ff_JaffaCakes118.exe | oijgcokhxoxxmoq.exe (3 entries)
PID 3668 wrote to memory of 4100 | 3668 | 6f26c293efbae4ef647aa7953ff8e2ff_JaffaCakes118.exe | jfhqhscl.exe (3 entries)
PID 3668 wrote to memory of 1140 | 3668 | 6f26c293efbae4ef647aa7953ff8e2ff_JaffaCakes118.exe | eetluxpdcmxmo.exe (3 entries)
PID 3668 wrote to memory of 1556 | 3668 | 6f26c293efbae4ef647aa7953ff8e2ff_JaffaCakes118.exe | WINWORD.EXE (2 entries)
PID 3468 wrote to memory of 4896 | 3468 | oribqxwahg.exe | jfhqhscl.exe (3 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\6f26c293efbae4ef647aa7953ff8e2ff_JaffaCakes118.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\6f26c293efbae4ef647aa7953ff8e2ff_JaffaCakes118.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\oribqxwahg.exe (depth 2)
    Command line: oribqxwahg.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\jfhqhscl.exe (depth 3)
      Command line: C:\Windows\system32\jfhqhscl.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\oijgcokhxoxxmoq.exe (depth 2)
    Command line: oijgcokhxoxxmoq.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\jfhqhscl.exe (depth 2)
    Command line: jfhqhscl.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\eetluxpdcmxmo.exe (depth 2)
    Command line: eetluxpdcmxmo.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (depth 2)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Modify Registry (6)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
Downloads