Analysis
- max time kernel: 149s
- max time network: 129s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-05-2024 17:32

Static task: static1
Behavioral task: behavioral1
- Sample: 6f4ace3209e5b9fb06f752edb4d1d486_JaffaCakes118.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 6f4ace3209e5b9fb06f752edb4d1d486_JaffaCakes118.exe
- Resource: win10v2004-20240508-en

General
- Target: 6f4ace3209e5b9fb06f752edb4d1d486_JaffaCakes118.exe
- Size: 512KB
- MD5: 6f4ace3209e5b9fb06f752edb4d1d486
- SHA1: cba0c3e04ad15dd54e84b101e9582468fe05a7d2
- SHA256: b5dd5cea1ecc0a405ae86cfed890549b8a1a0f42bd30134bce119bac1744f964
- SHA512: 197f5efeabae9eeabe7b2212947890a987c157e76959b2b728c000de1384ce6b5cc2e3dd631f1a3370a343857f367cbdbe938bdee36a455a475f1095c5e37d18
- SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6e:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5/
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
Processes: jvwpqqjimy.exe
- jvwpqqjimy.exe: Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
Processes: jvwpqqjimy.exe
- jvwpqqjimy.exe: Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
Windows security bypass (5 IoCs)
Processes: jvwpqqjimy.exe
- jvwpqqjimy.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- jvwpqqjimy.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- jvwpqqjimy.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- jvwpqqjimy.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- jvwpqqjimy.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
Disables RegEdit via registry modification (1 IoC)
Processes: jvwpqqjimy.exe
- jvwpqqjimy.exe: Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
Processes: 6f4ace3209e5b9fb06f752edb4d1d486_JaffaCakes118.exe
- 6f4ace3209e5b9fb06f752edb4d1d486_JaffaCakes118.exe: Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation
Executes dropped EXE (5 IoCs)
Processes: jvwpqqjimy.exe, dukgiyfnzublovd.exe, bfdtmxnc.exe, mqasnhweulxzc.exe, bfdtmxnc.exe
- PID 3668: jvwpqqjimy.exe
- PID 4684: dukgiyfnzublovd.exe
- PID 4164: bfdtmxnc.exe
- PID 4148: mqasnhweulxzc.exe
- PID 2740: bfdtmxnc.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.
Windows security modification (6 IoCs)
Processes: jvwpqqjimy.exe
- jvwpqqjimy.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- jvwpqqjimy.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1"
- jvwpqqjimy.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- jvwpqqjimy.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
- jvwpqqjimy.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- jvwpqqjimy.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
Adds Run key to start application (2 TTPs, 3 IoCs)
Processes: dukgiyfnzublovd.exe
- dukgiyfnzublovd.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uihlbqpy = "jvwpqqjimy.exe"
- dukgiyfnzublovd.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uqkfyinj = "dukgiyfnzublovd.exe"
- dukgiyfnzublovd.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ (default value) = "mqasnhweulxzc.exe"
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: bfdtmxnc.exe, jvwpqqjimy.exe, bfdtmxnc.exe
- bfdtmxnc.exe (both instances, 43 opens in total): File opened (read-only) on \??\a: \??\b: \??\e: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\o: \??\p: \??\q: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z:
- jvwpqqjimy.exe (21 opens): File opened (read-only) on \??\a: \??\b: \??\e: \??\h: \??\i: \??\k: \??\l: \??\m: \??\n: \??\o: \??\p: \??\q: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z:
Modifies WinLogon (2 TTPs, 2 IoCs)
Processes: jvwpqqjimy.exe
- jvwpqqjimy.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"
- jvwpqqjimy.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"
AutoIT Executable (11 IoCs)
AutoIT scripts compiled to PE executables.
Resources matching yara rule autoit_exe:
- behavioral2/memory/1472-0-0x0000000000400000-0x0000000000496000-memory.dmp
- C:\Windows\SysWOW64\dukgiyfnzublovd.exe
- C:\Windows\SysWOW64\jvwpqqjimy.exe
- C:\Windows\SysWOW64\bfdtmxnc.exe
- C:\Windows\SysWOW64\mqasnhweulxzc.exe
- C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- C:\Users\Admin\AppData\Roaming\SendUninstall.doc.exe
- C:\Users\Admin\Documents\TraceInvoke.doc.exe
- \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
- \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
Drops file in System32 directory (13 IoCs)
Processes: bfdtmxnc.exe, bfdtmxnc.exe, 6f4ace3209e5b9fb06f752edb4d1d486_JaffaCakes118.exe, jvwpqqjimy.exe
- bfdtmxnc.exe: File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
- bfdtmxnc.exe: File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
- 6f4ace3209e5b9fb06f752edb4d1d486_JaffaCakes118.exe: File opened for modification C:\Windows\SysWOW64\jvwpqqjimy.exe
- 6f4ace3209e5b9fb06f752edb4d1d486_JaffaCakes118.exe: File created C:\Windows\SysWOW64\dukgiyfnzublovd.exe
- 6f4ace3209e5b9fb06f752edb4d1d486_JaffaCakes118.exe: File created C:\Windows\SysWOW64\jvwpqqjimy.exe
- bfdtmxnc.exe: File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
- 6f4ace3209e5b9fb06f752edb4d1d486_JaffaCakes118.exe: File opened for modification C:\Windows\SysWOW64\bfdtmxnc.exe
- 6f4ace3209e5b9fb06f752edb4d1d486_JaffaCakes118.exe: File created C:\Windows\SysWOW64\bfdtmxnc.exe
- 6f4ace3209e5b9fb06f752edb4d1d486_JaffaCakes118.exe: File created C:\Windows\SysWOW64\mqasnhweulxzc.exe
- 6f4ace3209e5b9fb06f752edb4d1d486_JaffaCakes118.exe: File opened for modification C:\Windows\SysWOW64\mqasnhweulxzc.exe
- jvwpqqjimy.exe: File opened for modification C:\Windows\SysWOW64\msvbvm60.dll
- bfdtmxnc.exe: File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
- 6f4ace3209e5b9fb06f752edb4d1d486_JaffaCakes118.exe: File opened for modification C:\Windows\SysWOW64\dukgiyfnzublovd.exe
Drops file in Program Files directory (14 IoCs)
Processes: bfdtmxnc.exe, bfdtmxnc.exe
- bfdtmxnc.exe: File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal
- bfdtmxnc.exe: File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- bfdtmxnc.exe: File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal
- bfdtmxnc.exe: File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- bfdtmxnc.exe: File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal
- bfdtmxnc.exe: File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- bfdtmxnc.exe: File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- bfdtmxnc.exe: File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- bfdtmxnc.exe: File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- bfdtmxnc.exe: File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal
- bfdtmxnc.exe: File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- bfdtmxnc.exe: File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- bfdtmxnc.exe: File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- bfdtmxnc.exe: File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
Drops file in Windows directory (19 IoCs)
Processes: bfdtmxnc.exe, bfdtmxnc.exe, WINWORD.EXE, 6f4ace3209e5b9fb06f752edb4d1d486_JaffaCakes118.exe
- bfdtmxnc.exe: File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe
- bfdtmxnc.exe: File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe
- bfdtmxnc.exe: File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe
- bfdtmxnc.exe: File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe
- bfdtmxnc.exe: File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe
- WINWORD.EXE: File created C:\Windows\~$mydoc.rtf
- bfdtmxnc.exe: File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe
- bfdtmxnc.exe: File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe
- bfdtmxnc.exe: File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe
- bfdtmxnc.exe: File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe
- bfdtmxnc.exe: File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe
- 6f4ace3209e5b9fb06f752edb4d1d486_JaffaCakes118.exe: File opened for modification C:\Windows\mydoc.rtf
- WINWORD.EXE: File opened for modification C:\Windows\mydoc.rtf
- bfdtmxnc.exe: File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe
- bfdtmxnc.exe: File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe
- bfdtmxnc.exe: File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe
- bfdtmxnc.exe: File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe
- bfdtmxnc.exe: File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe
- bfdtmxnc.exe: File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
- WINWORD.EXE: Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
- WINWORD.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
- WINWORD.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: WINWORD.EXE
- WINWORD.EXE: Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS
- WINWORD.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
- WINWORD.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
Modifies registry class (20 IoCs)
Processes: 6f4ace3209e5b9fb06f752edb4d1d486_JaffaCakes118.exe, jvwpqqjimy.exe
- 6f4ace3209e5b9fb06f752edb4d1d486_JaffaCakes118.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB2B12C4795389F53BAB9A1329BD7C5"
- jvwpqqjimy.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat
- jvwpqqjimy.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile"
- jvwpqqjimy.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"
- 6f4ace3209e5b9fb06f752edb4d1d486_JaffaCakes118.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33302D7E9D5582246D4677D170552CD77D8365AB"
- 6f4ace3209e5b9fb06f752edb4d1d486_JaffaCakes118.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1945C7091596DAC4B9CD7C92ED9034BC"
- 6f4ace3209e5b9fb06f752edb4d1d486_JaffaCakes118.exe: Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings
- jvwpqqjimy.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"
- jvwpqqjimy.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh
- jvwpqqjimy.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc
- jvwpqqjimy.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile"
- jvwpqqjimy.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg
- 6f4ace3209e5b9fb06f752edb4d1d486_JaffaCakes118.exe: Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes
- 6f4ace3209e5b9fb06f752edb4d1d486_JaffaCakes118.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F46BC3FE6C21ABD272D1D68B799063"
- jvwpqqjimy.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"
- jvwpqqjimy.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf
- jvwpqqjimy.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile"
- jvwpqqjimy.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs
- 6f4ace3209e5b9fb06f752edb4d1d486_JaffaCakes118.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AC8F9B1F966F1E783793A31869D39E6B3FC03F14311034CE1B845E608D5"
- 6f4ace3209e5b9fb06f752edb4d1d486_JaffaCakes118.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFCFCF9485882129136D72F7E92BD93E637594B664F6234D7EE"
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes: WINWORD.EXE
- PID 4660 WINWORD.EXE (2 hits)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: 6f4ace3209e5b9fb06f752edb4d1d486_JaffaCakes118.exe, dukgiyfnzublovd.exe, bfdtmxnc.exe, jvwpqqjimy.exe, mqasnhweulxzc.exe, bfdtmxnc.exe
- PID 1472 6f4ace3209e5b9fb06f752edb4d1d486_JaffaCakes118.exe (16 hits)
- PID 4684 dukgiyfnzublovd.exe (12 hits)
- PID 4164 bfdtmxnc.exe (8 hits)
- PID 3668 jvwpqqjimy.exe (10 hits)
- PID 4148 mqasnhweulxzc.exe (12 hits)
- PID 2740 bfdtmxnc.exe (6 hits)
Suspicious use of FindShellTrayWindow (18 IoCs)
Processes: 6f4ace3209e5b9fb06f752edb4d1d486_JaffaCakes118.exe, dukgiyfnzublovd.exe, jvwpqqjimy.exe, bfdtmxnc.exe, mqasnhweulxzc.exe, bfdtmxnc.exe
- PID 1472 6f4ace3209e5b9fb06f752edb4d1d486_JaffaCakes118.exe (3 hits)
- PID 4684 dukgiyfnzublovd.exe (3 hits)
- PID 3668 jvwpqqjimy.exe (3 hits)
- PID 4164 bfdtmxnc.exe (3 hits)
- PID 4148 mqasnhweulxzc.exe (3 hits)
- PID 2740 bfdtmxnc.exe (3 hits)
Suspicious use of SendNotifyMessage (18 IoCs)
Processes: 6f4ace3209e5b9fb06f752edb4d1d486_JaffaCakes118.exe, dukgiyfnzublovd.exe, jvwpqqjimy.exe, bfdtmxnc.exe, mqasnhweulxzc.exe, bfdtmxnc.exe
- PID 1472 6f4ace3209e5b9fb06f752edb4d1d486_JaffaCakes118.exe (3 hits)
- PID 4684 dukgiyfnzublovd.exe (3 hits)
- PID 3668 jvwpqqjimy.exe (3 hits)
- PID 4164 bfdtmxnc.exe (3 hits)
- PID 4148 mqasnhweulxzc.exe (3 hits)
- PID 2740 bfdtmxnc.exe (3 hits)
Suspicious use of SetWindowsHookEx (7 IoCs)
Processes: WINWORD.EXE
- PID 4660 WINWORD.EXE (7 hits)
Suspicious use of WriteProcessMemory (17 IoCs)
Processes: 6f4ace3209e5b9fb06f752edb4d1d486_JaffaCakes118.exe, jvwpqqjimy.exe
- PID 1472 6f4ace3209e5b9fb06f752edb4d1d486_JaffaCakes118.exe wrote to memory of PID 3668 jvwpqqjimy.exe (3 hits)
- PID 1472 6f4ace3209e5b9fb06f752edb4d1d486_JaffaCakes118.exe wrote to memory of PID 4684 dukgiyfnzublovd.exe (3 hits)
- PID 1472 6f4ace3209e5b9fb06f752edb4d1d486_JaffaCakes118.exe wrote to memory of PID 4164 bfdtmxnc.exe (3 hits)
- PID 1472 6f4ace3209e5b9fb06f752edb4d1d486_JaffaCakes118.exe wrote to memory of PID 4148 mqasnhweulxzc.exe (3 hits)
- PID 1472 6f4ace3209e5b9fb06f752edb4d1d486_JaffaCakes118.exe wrote to memory of PID 4660 WINWORD.EXE (2 hits)
- PID 3668 jvwpqqjimy.exe wrote to memory of PID 2740 bfdtmxnc.exe (3 hits)
Processes
1. C:\Users\Admin\AppData\Local\Temp\6f4ace3209e5b9fb06f752edb4d1d486_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\6f4ace3209e5b9fb06f752edb4d1d486_JaffaCakes118.exe"
   Signatures:
   - Checks computer location settings
   - Drops file in System32 directory
   - Drops file in Windows directory
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory
   1.1. C:\Windows\SysWOW64\jvwpqqjimy.exe
        Command line: jvwpqqjimy.exe
        Signatures:
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - Windows security bypass
        - Disables RegEdit via registry modification
        - Executes dropped EXE
        - Windows security modification
        - Enumerates connected drives
        - Modifies WinLogon
        - Drops file in System32 directory
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
        1.1.1. C:\Windows\SysWOW64\bfdtmxnc.exe
               Command line: C:\Windows\system32\bfdtmxnc.exe
               Signatures:
               - Executes dropped EXE
               - Enumerates connected drives
               - Drops file in System32 directory
               - Drops file in Program Files directory
               - Drops file in Windows directory
               - Suspicious behavior: EnumeratesProcesses
               - Suspicious use of FindShellTrayWindow
               - Suspicious use of SendNotifyMessage
   1.2. C:\Windows\SysWOW64\dukgiyfnzublovd.exe
        Command line: dukgiyfnzublovd.exe
        Signatures:
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
   1.3. C:\Windows\SysWOW64\bfdtmxnc.exe
        Command line: bfdtmxnc.exe
        Signatures:
        - Executes dropped EXE
        - Enumerates connected drives
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
   1.4. C:\Windows\SysWOW64\mqasnhweulxzc.exe
        Command line: mqasnhweulxzc.exe
        Signatures:
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
   1.5. C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
        Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
        Signatures:
        - Drops file in Windows directory
        - Checks processor information in registry
        - Enumerates system info in registry
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious use of SetWindowsHookEx
2. C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
   Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4124,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=3836 /prefetch:8
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Modify Registry (6)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
Downloads
- C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (512KB)
- C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (512KB)
- C:\Users\Admin\AppData\Local\Temp\TCD2726.tmp\iso690.xsl (263KB)
- C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat (247B)
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms (3KB)
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms (3KB)
- C:\Users\Admin\AppData\Roaming\SendUninstall.doc.exe (512KB)
- C:\Users\Admin\Documents\TraceInvoke.doc.exe (512KB)
- C:\Windows\SysWOW64\bfdtmxnc.exe (512KB)
- C:\Windows\SysWOW64\dukgiyfnzublovd.exe (512KB)
- C:\Windows\SysWOW64\jvwpqqjimy.exe (512KB)
- C:\Windows\SysWOW64\mqasnhweulxzc.exe (512KB)
- C:\Windows\mydoc.rtf (223B)
- \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (512KB)
- \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (512KB)
- memory/1472-0-0x0000000000400000-0x0000000000496000-memory.dmp (600KB)
- memory/4660-39-0x00007FFBE4FF0000-0x00007FFBE5000000-memory.dmp (64KB)
- memory/4660-38-0x00007FFBE4FF0000-0x00007FFBE5000000-memory.dmp (64KB)
- memory/4660-36-0x00007FFBE4FF0000-0x00007FFBE5000000-memory.dmp (64KB)
- memory/4660-37-0x00007FFBE4FF0000-0x00007FFBE5000000-memory.dmp (64KB)
- memory/4660-40-0x00007FFBE2B50000-0x00007FFBE2B60000-memory.dmp (64KB)
- memory/4660-35-0x00007FFBE4FF0000-0x00007FFBE5000000-memory.dmp (64KB)
- memory/4660-41-0x00007FFBE2B50000-0x00007FFBE2B60000-memory.dmp (64KB)
- memory/4660-612-0x00007FFBE4FF0000-0x00007FFBE5000000-memory.dmp (64KB)
- memory/4660-613-0x00007FFBE4FF0000-0x00007FFBE5000000-memory.dmp (64KB)
- memory/4660-611-0x00007FFBE4FF0000-0x00007FFBE5000000-memory.dmp (64KB)
- memory/4660-614-0x00007FFBE4FF0000-0x00007FFBE5000000-memory.dmp (64KB)