Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24/05/2024, 16:18

Static task: static1
Behavioral task: behavioral1
Sample: 6f1a2acfee122ee9d7192abe758ab193_JaffaCakes118.exe
Resource: win7-20240508-en
Behavioral task: behavioral2
Sample: 6f1a2acfee122ee9d7192abe758ab193_JaffaCakes118.exe
Resource: win10v2004-20240508-en
General
Target: 6f1a2acfee122ee9d7192abe758ab193_JaffaCakes118.exe
Size: 512KB
MD5: 6f1a2acfee122ee9d7192abe758ab193
SHA1: 74ecfa4a93cdf9a34d57c6fcaa8f062311e3f93e
SHA256: 94969e46f59c8a97e3e09a836aec0718aaff91d39d495e7d0f34e88eb02ab88f
SHA512: a800411e7842aa3496c330a6df66362d6749fc550092fe150b2e294d53038fca878384bce6d7f8c1129b1c1ca4d6ea1e21152dabb433fa53f8e0ea2d9e2aeaed
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6w:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5V
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | eyqzgoncnq.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | eyqzgoncnq.exe
Windows security bypass 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | eyqzgoncnq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | eyqzgoncnq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | eyqzgoncnq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | eyqzgoncnq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | eyqzgoncnq.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | eyqzgoncnq.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | 6f1a2acfee122ee9d7192abe758ab193_JaffaCakes118.exe
Executes dropped EXE 5 IoCs
pid | Process
4028 | eyqzgoncnq.exe
2404 | pxzftfkuafplqef.exe
2396 | rbrqmrdg.exe
3928 | okdbwtdzarxwu.exe
3672 | rbrqmrdg.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | eyqzgoncnq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | eyqzgoncnq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | eyqzgoncnq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | eyqzgoncnq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | eyqzgoncnq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | eyqzgoncnq.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vxxqbqwi = "eyqzgoncnq.exe" | pxzftfkuafplqef.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uoityppy = "pxzftfkuafplqef.exe" | pxzftfkuafplqef.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "okdbwtdzarxwu.exe" | pxzftfkuafplqef.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\o: | rbrqmrdg.exe
File opened (read-only) | \??\n: | eyqzgoncnq.exe
File opened (read-only) | \??\v: | eyqzgoncnq.exe
File opened (read-only) | \??\a: | rbrqmrdg.exe
File opened (read-only) | \??\r: | rbrqmrdg.exe
File opened (read-only) | \??\u: | rbrqmrdg.exe
File opened (read-only) | \??\q: | rbrqmrdg.exe
File opened (read-only) | \??\t: | rbrqmrdg.exe
File opened (read-only) | \??\g: | eyqzgoncnq.exe
File opened (read-only) | \??\w: | eyqzgoncnq.exe
File opened (read-only) | \??\a: | rbrqmrdg.exe
File opened (read-only) | \??\o: | eyqzgoncnq.exe
File opened (read-only) | \??\q: | eyqzgoncnq.exe
File opened (read-only) | \??\t: | eyqzgoncnq.exe
File opened (read-only) | \??\h: | rbrqmrdg.exe
File opened (read-only) | \??\q: | rbrqmrdg.exe
File opened (read-only) | \??\w: | rbrqmrdg.exe
File opened (read-only) | \??\u: | rbrqmrdg.exe
File opened (read-only) | \??\s: | eyqzgoncnq.exe
File opened (read-only) | \??\z: | rbrqmrdg.exe
File opened (read-only) | \??\m: | eyqzgoncnq.exe
File opened (read-only) | \??\e: | rbrqmrdg.exe
File opened (read-only) | \??\b: | rbrqmrdg.exe
File opened (read-only) | \??\j: | rbrqmrdg.exe
File opened (read-only) | \??\p: | rbrqmrdg.exe
File opened (read-only) | \??\i: | rbrqmrdg.exe
File opened (read-only) | \??\n: | rbrqmrdg.exe
File opened (read-only) | \??\b: | eyqzgoncnq.exe
File opened (read-only) | \??\p: | eyqzgoncnq.exe
File opened (read-only) | \??\u: | eyqzgoncnq.exe
File opened (read-only) | \??\n: | rbrqmrdg.exe
File opened (read-only) | \??\b: | rbrqmrdg.exe
File opened (read-only) | \??\k: | rbrqmrdg.exe
File opened (read-only) | \??\a: | eyqzgoncnq.exe
File opened (read-only) | \??\j: | eyqzgoncnq.exe
File opened (read-only) | \??\k: | eyqzgoncnq.exe
File opened (read-only) | \??\y: | eyqzgoncnq.exe
File opened (read-only) | \??\o: | rbrqmrdg.exe
File opened (read-only) | \??\y: | rbrqmrdg.exe
File opened (read-only) | \??\z: | rbrqmrdg.exe
File opened (read-only) | \??\i: | eyqzgoncnq.exe
File opened (read-only) | \??\l: | eyqzgoncnq.exe
File opened (read-only) | \??\i: | rbrqmrdg.exe
File opened (read-only) | \??\x: | rbrqmrdg.exe
File opened (read-only) | \??\l: | rbrqmrdg.exe
File opened (read-only) | \??\w: | rbrqmrdg.exe
File opened (read-only) | \??\x: | rbrqmrdg.exe
File opened (read-only) | \??\y: | rbrqmrdg.exe
File opened (read-only) | \??\g: | rbrqmrdg.exe
File opened (read-only) | \??\p: | rbrqmrdg.exe
File opened (read-only) | \??\v: | rbrqmrdg.exe
File opened (read-only) | \??\g: | rbrqmrdg.exe
File opened (read-only) | \??\k: | rbrqmrdg.exe
File opened (read-only) | \??\m: | rbrqmrdg.exe
File opened (read-only) | \??\r: | rbrqmrdg.exe
File opened (read-only) | \??\h: | eyqzgoncnq.exe
File opened (read-only) | \??\r: | eyqzgoncnq.exe
File opened (read-only) | \??\s: | rbrqmrdg.exe
File opened (read-only) | \??\t: | rbrqmrdg.exe
File opened (read-only) | \??\h: | rbrqmrdg.exe
File opened (read-only) | \??\j: | rbrqmrdg.exe
File opened (read-only) | \??\s: | rbrqmrdg.exe
File opened (read-only) | \??\x: | eyqzgoncnq.exe
File opened (read-only) | \??\l: | rbrqmrdg.exe
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | eyqzgoncnq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | eyqzgoncnq.exe
AutoIT Executable 9 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/4892-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x000700000002343b-5.dat | autoit_exe
behavioral2/files/0x0008000000023437-18.dat | autoit_exe
behavioral2/files/0x000700000002343c-26.dat | autoit_exe
behavioral2/files/0x000700000002343d-31.dat | autoit_exe
behavioral2/files/0x000800000002341d-66.dat | autoit_exe
behavioral2/files/0x000700000002344b-69.dat | autoit_exe
behavioral2/files/0x000a000000023474-313.dat | autoit_exe
behavioral2/files/0x000a000000023474-560.dat | autoit_exe
Drops file in System32 directory 13 IoCs
description | ioc | Process
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | rbrqmrdg.exe
File opened for modification | C:\Windows\SysWOW64\rbrqmrdg.exe | 6f1a2acfee122ee9d7192abe758ab193_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\okdbwtdzarxwu.exe | 6f1a2acfee122ee9d7192abe758ab193_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | eyqzgoncnq.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | rbrqmrdg.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | rbrqmrdg.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | rbrqmrdg.exe
File created | C:\Windows\SysWOW64\pxzftfkuafplqef.exe | 6f1a2acfee122ee9d7192abe758ab193_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\rbrqmrdg.exe | 6f1a2acfee122ee9d7192abe758ab193_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\eyqzgoncnq.exe | 6f1a2acfee122ee9d7192abe758ab193_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\eyqzgoncnq.exe | 6f1a2acfee122ee9d7192abe758ab193_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\pxzftfkuafplqef.exe | 6f1a2acfee122ee9d7192abe758ab193_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\okdbwtdzarxwu.exe | 6f1a2acfee122ee9d7192abe758ab193_JaffaCakes118.exe
Drops file in Program Files directory 15 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | rbrqmrdg.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | rbrqmrdg.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | rbrqmrdg.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | rbrqmrdg.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | rbrqmrdg.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | rbrqmrdg.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | rbrqmrdg.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | rbrqmrdg.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | rbrqmrdg.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | rbrqmrdg.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | rbrqmrdg.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | rbrqmrdg.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | rbrqmrdg.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | rbrqmrdg.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | rbrqmrdg.exe
Drops file in Windows directory 19 IoCs
description | ioc | Process
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | rbrqmrdg.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | rbrqmrdg.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | rbrqmrdg.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | rbrqmrdg.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | rbrqmrdg.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | rbrqmrdg.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | rbrqmrdg.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | rbrqmrdg.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | rbrqmrdg.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | rbrqmrdg.exe
File opened for modification | C:\Windows\mydoc.rtf | 6f1a2acfee122ee9d7192abe758ab193_JaffaCakes118.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | rbrqmrdg.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | rbrqmrdg.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | rbrqmrdg.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | rbrqmrdg.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | rbrqmrdg.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | rbrqmrdg.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class 20 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | eyqzgoncnq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | eyqzgoncnq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | eyqzgoncnq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | eyqzgoncnq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | eyqzgoncnq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | eyqzgoncnq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | eyqzgoncnq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1945C67E1590DBBFB9CD7FE4EC9E37B9" | 6f1a2acfee122ee9d7192abe758ab193_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | eyqzgoncnq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | eyqzgoncnq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | eyqzgoncnq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFEFF8C485F85139046D6587D91BCE7E1335845664F6242D691" | 6f1a2acfee122ee9d7192abe758ab193_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F768C4FF6C22D9D272D1D68B7E9163" | 6f1a2acfee122ee9d7192abe758ab193_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | eyqzgoncnq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | eyqzgoncnq.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 6f1a2acfee122ee9d7192abe758ab193_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33462D089D5782556A4476A670512CDD7D8065D8" | 6f1a2acfee122ee9d7192abe758ab193_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BB5F9BCFE67F1E484743B4786E93E94B08E028B4268034CE2CF429E08D3" | 6f1a2acfee122ee9d7192abe758ab193_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB2B128449738E353BAB9D032EAD7BE" | 6f1a2acfee122ee9d7192abe758ab193_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | 6f1a2acfee122ee9d7192abe758ab193_JaffaCakes118.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
4260 | WINWORD.EXE (2 entries)
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
4892 | 6f1a2acfee122ee9d7192abe758ab193_JaffaCakes118.exe (16 entries)
4028 | eyqzgoncnq.exe (10 entries)
2404 | pxzftfkuafplqef.exe (10 entries)
2396 | rbrqmrdg.exe (8 entries)
3928 | okdbwtdzarxwu.exe (12 entries)
2404 | pxzftfkuafplqef.exe (2 entries)
3672 | rbrqmrdg.exe (6 entries)
Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process
4892 | 6f1a2acfee122ee9d7192abe758ab193_JaffaCakes118.exe (3 entries)
2404 | pxzftfkuafplqef.exe
4028 | eyqzgoncnq.exe
2404 | pxzftfkuafplqef.exe (2 entries)
4028 | eyqzgoncnq.exe (2 entries)
2396 | rbrqmrdg.exe (3 entries)
3928 | okdbwtdzarxwu.exe (3 entries)
3672 | rbrqmrdg.exe (3 entries)
Suspicious use of SendNotifyMessage 18 IoCs
pid | Process
4892 | 6f1a2acfee122ee9d7192abe758ab193_JaffaCakes118.exe (3 entries)
2404 | pxzftfkuafplqef.exe (2 entries)
4028 | eyqzgoncnq.exe
2404 | pxzftfkuafplqef.exe
4028 | eyqzgoncnq.exe (2 entries)
2396 | rbrqmrdg.exe (3 entries)
3928 | okdbwtdzarxwu.exe (3 entries)
3672 | rbrqmrdg.exe (3 entries)
Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process
4260 | WINWORD.EXE (7 entries)
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 4892 wrote to memory of 4028 | 4892 | 6f1a2acfee122ee9d7192abe758ab193_JaffaCakes118.exe | 83 (3 entries)
PID 4892 wrote to memory of 2404 | 4892 | 6f1a2acfee122ee9d7192abe758ab193_JaffaCakes118.exe | 84 (3 entries)
PID 4892 wrote to memory of 2396 | 4892 | 6f1a2acfee122ee9d7192abe758ab193_JaffaCakes118.exe | 85 (3 entries)
PID 4892 wrote to memory of 3928 | 4892 | 6f1a2acfee122ee9d7192abe758ab193_JaffaCakes118.exe | 86 (3 entries)
PID 4892 wrote to memory of 4260 | 4892 | 6f1a2acfee122ee9d7192abe758ab193_JaffaCakes118.exe | 87 (2 entries)
PID 4028 wrote to memory of 3672 | 4028 | eyqzgoncnq.exe | 89 (3 entries)
Processes
(level 1) C:\Users\Admin\AppData\Local\Temp\6f1a2acfee122ee9d7192abe758ab193_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6f1a2acfee122ee9d7192abe758ab193_JaffaCakes118.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 4892

  (level 2) C:\Windows\SysWOW64\eyqzgoncnq.exe
    Command line: eyqzgoncnq.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID: 4028

    (level 3) C:\Windows\SysWOW64\rbrqmrdg.exe
      Command line: C:\Windows\system32\rbrqmrdg.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      PID: 3672

  (level 2) C:\Windows\SysWOW64\pxzftfkuafplqef.exe
    Command line: pxzftfkuafplqef.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 2404

  (level 2) C:\Windows\SysWOW64\rbrqmrdg.exe
    Command line: rbrqmrdg.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 2396

  (level 2) C:\Windows\SysWOW64\okdbwtdzarxwu.exe
    Command line: okdbwtdzarxwu.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 3928

  (level 2) C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID: 4260
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (6)
Downloads

Filesize: 512KB
MD5: 0ad967946f080aedf0be0100693d4bc5
SHA1: 0adb49d0ae850c332224aaa03c1af419d36159d3
SHA256: d811fc644b266a829313f5a742d017e60f33e2e592731cfad6fff111ada9eb0e
SHA512: b7d1e5540ed2a0e3091f002a80573ca0c995a08af2f69c1f154cde9741b754ab443517975a9de8e2e681a5d35882f12ed0e338e2485f9e932b2c8d829ac7633b

Filesize: 512KB
MD5: b19d45f1f4a90bebfea136a6441d850c
SHA1: 0dad55aed7cf6f8dd0628d594996132e6e243fc3
SHA256: 5cb626e4328f3c02b0549feca2cd9d735b4d9d585cdeca9bc44e159d5dfe1a97
SHA512: 11ac278e2d1e9d0a3a78aa6fddad15835394aaf116fd1cd030ffc3e522c64fe88957aff174c9b9e627d856b9e4e44ea00b79d8eecc56b578d9d9ce0e495074da

Filesize: 262KB
MD5: 51d32ee5bc7ab811041f799652d26e04
SHA1: 412193006aa3ef19e0a57e16acf86b830993024a
SHA256: 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA512: 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Filesize: 239B
MD5: 12b138a5a40ffb88d1850866bf2959cd
SHA1: 57001ba2de61329118440de3e9f8a81074cb28a2
SHA256: 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA512: 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: cd76822f5287c7c867150d59f1264624
SHA1: bd1749bcfe3c0c1296d82b4c491be7e5ab7bc0f5
SHA256: 12a24b26b881a888b917735b62fb4377efdf37b1d2460495175afd57cdb206cd
SHA512: 65fbdd80b96b47a9aedab3fadb1f8d58cc47dfb5f112af7264ee43bdc38749353bfdb7ffd85d341f19a2617d3d81d8e4a47eeee4f899720c16b250885af50e29

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: 150ff15647ac6a9dea0a955c2210f35d
SHA1: b45499b8b415d277654f04153854f89b0318cb0a
SHA256: af9f7c2ec23c8c13043e4dd9a1317c829241e292c0dd3fe33240f6ff8d23b88f
SHA512: 0287357d707d9dfcb811b950930c2320cff68c98cc2ca1e4fc1deacb9363288f9dfb87ba2ca14acb3ec0ce6e0834cb7b72af7d287c72498c9e93b48131edd189

Filesize: 512KB
MD5: adcef817fac7be8ee228da08a6a29e75
SHA1: 5cc6f80ef1b576f38be2077df112c47c82e18944
SHA256: 178488024e1aebf52e5a05580289b845443fe9a235140fbdd8af68cf4cdcfe70
SHA512: 50686df7103e5593bc4846f60ad215aa3c6c47f512bd1f479f01c3ba419290de530358f2d46222901efa0b46c0466547bc7c3416637436919e039444ede59903

Filesize: 512KB
MD5: e2e0bd271ce99a132a384383ba6de44d
SHA1: 0afdbb15ead36095e12b52825bb2793abff68773
SHA256: ae10bdc685b58fba464eec2832fd9c91f4af55b43ed5f1bb1902ba2a8fe1712f
SHA512: 9fbd69003a3c31ca8805f10786cd28dfee3330d1feaf554a6749e58e0d0edd71e224ce59ded13b289acfcedd574cdcd97771bb499d8228352a57f2818cc150b8

Filesize: 512KB
MD5: e00208847d6c44e75a87782c4e672777
SHA1: 061e263eb34cdaacc141e64fba6caa25c45d1e22
SHA256: e3fd8ae53a6a84f62abd7fb1a4080eb152b1ceef540f27222ed80b8159c7bce3
SHA512: b21004d91985c877cd1631143a14b62ac9ed4114f284717825e03f0e974b9b1a286406a8522cb1ff248eca5bc9867509b22dfeac3fce6be55f6b6e87551b096b

Filesize: 512KB
MD5: d09efdb8fc12b2eceaabab9561bb6406
SHA1: 2bda86833d942893f7fba16294ed7959d5f4911a
SHA256: b6c50b357d6f1dab282f81e1281ec801ffa8bfc423d0fd025d0139b14244a7bb
SHA512: c41a535515a1fcd46034d9479a0bb84d75950b3133e16624ccdd32c4258944c5aae041e61347c32bf63b0b226fedfc2e7a14fa9ed4ef8b152bd5dd64e2990b7e

Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Filesize: 512KB
MD5: 483cb8fe2456f593e26c8ed9a2ebfef6
SHA1: 2356ea2bdd78ebe4c3e7e8e3f6627602c09c3467
SHA256: 413d92df1d02f2ec6ff3dfb6933c9ba7133cc14eddca3373d337eebc01d572f6
SHA512: fc3dafcc58ed8a852899f26a6d15771210e44e5a6ce1d1913ce3b25949cf9afc7eafaa072d4dd216145e6d5d377b3f40dad9b4302a2e44b8f3cc0a6ed9e5da89

Filesize: 512KB
MD5: e1f7037edab01ea0b3cfecbaa3f9b034
SHA1: 04c5bdeabe4e083972e741e9b5608857087ebd1a
SHA256: 2f2b12212f901d1e96dac48cbafb34340ed09fe505c6845410bb56ae8e14b820
SHA512: 7628940b3ef8e7de9f5a9bda13b16ddb0e30de9734b0ca7fcdcbe342f5bd195544b9497ca6aeb7186e9004525831bdfae985492c56a3019efc36538876a993a1