Analysis
max time kernel: 150s
max time network: 136s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
submitted: 24-05-2024 18:33
Static task: static1
Behavioral task: behavioral1
  Sample: 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe
Size: 512KB
MD5: 6f73e343387eeedc27f087584c17d4af
SHA1: 46d842363f7000691c5764fcc538f843d373262e
SHA256: 4bd934558dd6db79cbfa70506f1ed70184dddc9ff7d7fe6a176ec7d466285307
SHA512: bc5f4d2c2c7980202eecdc0eab3e7ac39191bacc117968c9461395f308298193dca224ec40a41bc7b9452231ece65d69c9fa9cb62ec30d10a822cf9fc5988542
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6z:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm52
Malware Config
Signatures

Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoCs)
Processes: qqjfutpakl.exe
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | qqjfutpakl.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoCs)
Processes: qqjfutpakl.exe
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | qqjfutpakl.exe
Windows security bypass (5 IoCs)
Processes: qqjfutpakl.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | qqjfutpakl.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | qqjfutpakl.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | qqjfutpakl.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | qqjfutpakl.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | qqjfutpakl.exe
Disables RegEdit via registry modification (1 IoCs)
Processes: qqjfutpakl.exe
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | qqjfutpakl.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe
Executes dropped EXE (5 IoCs)
Processes: qqjfutpakl.exe, ypsoujuwvhnoter.exe, hdfyidys.exe, vveaodvvaxcyi.exe, hdfyidys.exe
  pid | process
  4884 | qqjfutpakl.exe
  1804 | ypsoujuwvhnoter.exe
  4624 | hdfyidys.exe
  688 | vveaodvvaxcyi.exe
  3256 | hdfyidys.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification (6 IoCs)
Processes: qqjfutpakl.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | qqjfutpakl.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | qqjfutpakl.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | qqjfutpakl.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | qqjfutpakl.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | qqjfutpakl.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | qqjfutpakl.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
Processes: ypsoujuwvhnoter.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\hruaycke = "qqjfutpakl.exe" | ypsoujuwvhnoter.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qlokzdpt = "ypsoujuwvhnoter.exe" | ypsoujuwvhnoter.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "vveaodvvaxcyi.exe" | ypsoujuwvhnoter.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: qqjfutpakl.exe, hdfyidys.exe, hdfyidys.exe
  description | ioc | process
  File opened (read-only) | \??\a: | qqjfutpakl.exe
  File opened (read-only) | \??\x: | qqjfutpakl.exe
  File opened (read-only) | \??\q: | hdfyidys.exe
  File opened (read-only) | \??\b: | hdfyidys.exe
  File opened (read-only) | \??\u: | hdfyidys.exe
  File opened (read-only) | \??\v: | hdfyidys.exe
  File opened (read-only) | \??\x: | hdfyidys.exe
  File opened (read-only) | \??\z: | hdfyidys.exe
  File opened (read-only) | \??\s: | hdfyidys.exe
  File opened (read-only) | \??\y: | hdfyidys.exe
  File opened (read-only) | \??\p: | hdfyidys.exe
  File opened (read-only) | \??\s: | hdfyidys.exe
  File opened (read-only) | \??\j: | hdfyidys.exe
  File opened (read-only) | \??\g: | qqjfutpakl.exe
  File opened (read-only) | \??\k: | hdfyidys.exe
  File opened (read-only) | \??\l: | hdfyidys.exe
  File opened (read-only) | \??\o: | hdfyidys.exe
  File opened (read-only) | \??\h: | hdfyidys.exe
  File opened (read-only) | \??\e: | qqjfutpakl.exe
  File opened (read-only) | \??\r: | qqjfutpakl.exe
  File opened (read-only) | \??\t: | qqjfutpakl.exe
  File opened (read-only) | \??\y: | qqjfutpakl.exe
  File opened (read-only) | \??\e: | hdfyidys.exe
  File opened (read-only) | \??\i: | hdfyidys.exe
  File opened (read-only) | \??\n: | hdfyidys.exe
  File opened (read-only) | \??\t: | hdfyidys.exe
  File opened (read-only) | \??\h: | hdfyidys.exe
  File opened (read-only) | \??\v: | hdfyidys.exe
  File opened (read-only) | \??\b: | hdfyidys.exe
  File opened (read-only) | \??\h: | qqjfutpakl.exe
  File opened (read-only) | \??\j: | qqjfutpakl.exe
  File opened (read-only) | \??\o: | qqjfutpakl.exe
  File opened (read-only) | \??\s: | qqjfutpakl.exe
  File opened (read-only) | \??\n: | qqjfutpakl.exe
  File opened (read-only) | \??\w: | hdfyidys.exe
  File opened (read-only) | \??\g: | hdfyidys.exe
  File opened (read-only) | \??\y: | hdfyidys.exe
  File opened (read-only) | \??\p: | hdfyidys.exe
  File opened (read-only) | \??\u: | hdfyidys.exe
  File opened (read-only) | \??\a: | hdfyidys.exe
  File opened (read-only) | \??\r: | hdfyidys.exe
  File opened (read-only) | \??\w: | hdfyidys.exe
  File opened (read-only) | \??\b: | qqjfutpakl.exe
  File opened (read-only) | \??\i: | qqjfutpakl.exe
  File opened (read-only) | \??\g: | hdfyidys.exe
  File opened (read-only) | \??\x: | hdfyidys.exe
  File opened (read-only) | \??\k: | qqjfutpakl.exe
  File opened (read-only) | \??\z: | qqjfutpakl.exe
  File opened (read-only) | \??\a: | hdfyidys.exe
  File opened (read-only) | \??\n: | hdfyidys.exe
  File opened (read-only) | \??\u: | qqjfutpakl.exe
  File opened (read-only) | \??\z: | hdfyidys.exe
  File opened (read-only) | \??\k: | hdfyidys.exe
  File opened (read-only) | \??\l: | hdfyidys.exe
  File opened (read-only) | \??\t: | hdfyidys.exe
  File opened (read-only) | \??\l: | qqjfutpakl.exe
  File opened (read-only) | \??\m: | qqjfutpakl.exe
  File opened (read-only) | \??\r: | hdfyidys.exe
  File opened (read-only) | \??\m: | hdfyidys.exe
  File opened (read-only) | \??\i: | hdfyidys.exe
  File opened (read-only) | \??\o: | hdfyidys.exe
  File opened (read-only) | \??\p: | qqjfutpakl.exe
  File opened (read-only) | \??\v: | qqjfutpakl.exe
  File opened (read-only) | \??\j: | hdfyidys.exe
Modifies WinLogon (2 TTPs, 2 IoCs)
Processes: qqjfutpakl.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | qqjfutpakl.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | qqjfutpakl.exe
AutoIT Executable (12 IoCs)
AutoIT scripts compiled to PE executables.
  resource | yara_rule
  behavioral2/memory/3668-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
  C:\Windows\SysWOW64\ypsoujuwvhnoter.exe | autoit_exe
  C:\Windows\SysWOW64\qqjfutpakl.exe | autoit_exe
  C:\Windows\SysWOW64\hdfyidys.exe | autoit_exe
  C:\Windows\SysWOW64\vveaodvvaxcyi.exe | autoit_exe
  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | autoit_exe
  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | autoit_exe
  C:\Users\Admin\Documents\ReceiveDisable.doc.exe | autoit_exe
  C:\Users\Admin\Documents\SkipGroup.doc.exe | autoit_exe
  \??\c:\Users\Admin\Downloads\EnterExport.doc.exe | autoit_exe
  \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | autoit_exe
  \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | autoit_exe
Drops file in System32 directory (12 IoCs)
Processes: qqjfutpakl.exe, hdfyidys.exe, hdfyidys.exe, 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | qqjfutpakl.exe
  File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | hdfyidys.exe
  File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | hdfyidys.exe
  File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | hdfyidys.exe
  File created | C:\Windows\SysWOW64\ypsoujuwvhnoter.exe | 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\ypsoujuwvhnoter.exe | 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe
  File created | C:\Windows\SysWOW64\hdfyidys.exe | 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\hdfyidys.exe | 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe
  File created | C:\Windows\SysWOW64\vveaodvvaxcyi.exe | 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\vveaodvvaxcyi.exe | 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe
  File created | C:\Windows\SysWOW64\qqjfutpakl.exe | 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\qqjfutpakl.exe | 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe
Drops file in Program Files directory (14 IoCs)
Processes: hdfyidys.exe, hdfyidys.exe
  description | ioc | process
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | hdfyidys.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | hdfyidys.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | hdfyidys.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | hdfyidys.exe
  File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | hdfyidys.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | hdfyidys.exe
  File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | hdfyidys.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | hdfyidys.exe
  File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | hdfyidys.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | hdfyidys.exe
  File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | hdfyidys.exe
  File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | hdfyidys.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | hdfyidys.exe
  File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | hdfyidys.exe
Drops file in Windows directory (19 IoCs)
Processes: hdfyidys.exe, hdfyidys.exe, 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe, WINWORD.EXE
  description | ioc | process
  File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | hdfyidys.exe
  File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | hdfyidys.exe
  File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | hdfyidys.exe
  File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | hdfyidys.exe
  File opened for modification | C:\Windows\mydoc.rtf | 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe
  File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | hdfyidys.exe
  File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | hdfyidys.exe
  File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | hdfyidys.exe
  File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | hdfyidys.exe
  File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
  File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
  File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | hdfyidys.exe
  File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | hdfyidys.exe
  File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | hdfyidys.exe
  File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | hdfyidys.exe
  File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | hdfyidys.exe
  File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | hdfyidys.exe
  File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | hdfyidys.exe
  File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | hdfyidys.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: WINWORD.EXE
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Modifies registry class (20 IoCs)
Processes: 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe, qqjfutpakl.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8CFCF8485C85699137D7587E93BC92E133583067446237D79D" | 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | qqjfutpakl.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | qqjfutpakl.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | qqjfutpakl.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC3B12E479338EB53BEBAD6339CD4C5" | 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E78668B7FF1821D9D179D0D48A0B9116" | 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | qqjfutpakl.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | qqjfutpakl.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | qqjfutpakl.exe
  Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BBCF9CBFE11F19684753B4B819E3E96B38902FC43660349E2CA429E09A8" | 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | qqjfutpakl.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32422D799C2383596D4277D477262CDF7D8564AC" | 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | qqjfutpakl.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | qqjfutpakl.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | qqjfutpakl.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | qqjfutpakl.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | qqjfutpakl.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1938C67D15EDDAB0B9CE7CE0EC9E37CD" | 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes: WINWORD.EXE
  pid | process | occurrences
  3448 | WINWORD.EXE | 2
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe, qqjfutpakl.exe, ypsoujuwvhnoter.exe, hdfyidys.exe, vveaodvvaxcyi.exe, hdfyidys.exe
  pid | process | occurrences
  3668 | 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe | 16
  4884 | qqjfutpakl.exe | 10
  1804 | ypsoujuwvhnoter.exe | 10
  4624 | hdfyidys.exe | 8
  688 | vveaodvvaxcyi.exe | 12
  3256 | hdfyidys.exe | 8
Suspicious use of FindShellTrayWindow (18 IoCs)
Processes: 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe, qqjfutpakl.exe, ypsoujuwvhnoter.exe, hdfyidys.exe, vveaodvvaxcyi.exe, hdfyidys.exe
  pid | process | occurrences
  3668 | 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe | 3
  4884 | qqjfutpakl.exe | 3
  1804 | ypsoujuwvhnoter.exe | 3
  4624 | hdfyidys.exe | 3
  688 | vveaodvvaxcyi.exe | 3
  3256 | hdfyidys.exe | 3
Suspicious use of SendNotifyMessage (18 IoCs)
Processes: 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe, qqjfutpakl.exe, ypsoujuwvhnoter.exe, hdfyidys.exe, vveaodvvaxcyi.exe, hdfyidys.exe
  pid | process | occurrences
  3668 | 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe | 3
  4884 | qqjfutpakl.exe | 3
  1804 | ypsoujuwvhnoter.exe | 3
  4624 | hdfyidys.exe | 3
  688 | vveaodvvaxcyi.exe | 3
  3256 | hdfyidys.exe | 3
Suspicious use of SetWindowsHookEx (7 IoCs)
Processes: WINWORD.EXE
  pid | process | occurrences
  3448 | WINWORD.EXE | 7
Suspicious use of WriteProcessMemory (17 IoCs)
Processes: 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe, qqjfutpakl.exe
  description | pid | process | target process | occurrences
  PID 3668 wrote to memory of 4884 | 3668 | 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe | qqjfutpakl.exe | 3
  PID 3668 wrote to memory of 1804 | 3668 | 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe | ypsoujuwvhnoter.exe | 3
  PID 3668 wrote to memory of 4624 | 3668 | 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe | hdfyidys.exe | 3
  PID 3668 wrote to memory of 688 | 3668 | 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe | vveaodvvaxcyi.exe | 3
  PID 3668 wrote to memory of 3448 | 3668 | 6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe | WINWORD.EXE | 2
  PID 4884 wrote to memory of 3256 | 4884 | qqjfutpakl.exe | hdfyidys.exe | 3
Processes (tree; indentation shows parent/child relationship)

C:\Users\Admin\AppData\Local\Temp\6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe"
  PID: 3668
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\qqjfutpakl.exe
    Command line: qqjfutpakl.exe
    PID: 4884
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\hdfyidys.exe
      Command line: C:\Windows\system32\hdfyidys.exe
      PID: 3256
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\ypsoujuwvhnoter.exe
    Command line: ypsoujuwvhnoter.exe
    PID: 1804
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\hdfyidys.exe
    Command line: hdfyidys.exe
    PID: 4624
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\vveaodvvaxcyi.exe
    Command line: vveaodvvaxcyi.exe
    PID: 688
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    PID: 3448
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (6)
Downloads

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
  Filesize: 512KB
  MD5: 67572fe13ffba5a75b03ebec784392be
  SHA1: 3d9f09670ad5246647ef2939533ab0e0da1804eb
  SHA256: 8640f92ff3e03b96414693af7d127f9fb38470544e6b6f4f2a40f46a2f787efe
  SHA512: 99109154d83941fb770f8b20fafe23e10148d6fe63d12cd92ca0b75408903f07f56e34dcb09c2851af5162ddbc92eab751bde7c262c5c851c85be8aca9cbc5ec

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
  Filesize: 512KB
  MD5: 6bc3a7ed0a0d8a98d655427159b31fdc
  SHA1: 222146db9d8958684aef081e94a82acc20549844
  SHA256: b9eb8a55ff99ba9178adbb0f3c28f17bcbe0f20d40b8fc9ebfb8a20d25f64c23
  SHA512: f7250630622df693cf2ba857ece8235e81a36cfc3c04b53aebed047c63cf6b1b26d3f649f18ec8223eb97111abd9b1d2056c05c4cff3d51dfa22de6ae04b9699

C:\Users\Admin\AppData\Local\Temp\TCDACD1.tmp\sist02.xsl
  Filesize: 245KB
  MD5: f883b260a8d67082ea895c14bf56dd56
  SHA1: 7954565c1f243d46ad3b1e2f1baf3281451fc14b
  SHA256: ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
  SHA512: d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
  Filesize: 239B
  MD5: 12b138a5a40ffb88d1850866bf2959cd
  SHA1: 57001ba2de61329118440de3e9f8a81074cb28a2
  SHA256: 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
  SHA512: 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 3KB
  MD5: d7cc71bfa8a5eee9a3c4515fd5d05588
  SHA1: 479e92d473b9a973c5b5e9853425601b3fb002e5
  SHA256: ca3bed5cf0718cc40ec6e24c82e276472a3d27293291bbbe4c2626893c04fe21
  SHA512: f901bc2721b9937b7eda1dacd634f0479e192319b67b47c7704d693d6ed8d35b7132748babc300ae8410565e7456108cb2ad1dc5602d57e12f3ac5414c6e80cb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 3KB
  MD5: e3ec651920798bdecf51af8821aaeaac
  SHA1: 498a50d4916e7a385e3523a4bbb9d8e2e60a4639
  SHA256: e1ce68e41dd8d9a32e0b0dede914f4081536d44eda73bf9ef520a00c175c5c21
  SHA512: 49f6fe7a9878bb249d0970a3e5572c5288df9babc458939367e7e5fb2f611652ad21d7bceef72031832d3588446d1da88a9795ace8119524aa69783b8f30057f

C:\Users\Admin\Documents\ReceiveDisable.doc.exe
  Filesize: 512KB
  MD5: c7ec070aa27131f0d7c125ef486abeaa
  SHA1: be5ae5f13c28f42a269a55330848426b9a98efb5
  SHA256: eeadc1e42b010d8e75254c4aa6cfd4bf57b438284d66aa547e0f7d7c9ef561fc
  SHA512: 6db355f4348acaa202544cb13f39f7b8ac7608113d249b0446c9307748ad3f19d8aab46e6796a94268a114f5feb7b2b0417fb15a9f84f48ee6d8a69971188a79

C:\Users\Admin\Documents\SkipGroup.doc.exe
  Filesize: 512KB
  MD5: 5cb47686ec97545bbf43ad0a205c16d5
  SHA1: 1538b042dfb2590bc6e6877b054221f8299ff85e
  SHA256: 3985facafcc00ff7f49cb245ed38972c732f92a9d53e004f5376c00f1dc1bb60
  SHA512: 388b04867a1342b45b5c3d4607fc50654838da0f92fbfaf32bf8a02041c17e710bd809c5fc8a09490c1335a4911910a2cd2237b0d3092ece28052faa1a3700e7

C:\Windows\SysWOW64\hdfyidys.exe
  Filesize: 512KB
  MD5: 133c9c3df9a5d2e9ad715bf2534715e3
  SHA1: 9f579d338286c50ba33c968586cdf08dc29b6883
  SHA256: 9d18544b63c02325532bdd0f9be3a513f9bec22f8372ef14e1e95becad601e32
  SHA512: d8ebcb34718cbcfacf9ca1c5ec381d93f5402254ee1f45061025017bef0a864e6d9cec64ce8b63973943a78b01841a32bc4b8685a237a305aba4892e189e4392

C:\Windows\SysWOW64\qqjfutpakl.exe
  Filesize: 512KB
  MD5: b9dc276330d7ca9a567c4cfacf1d8281
  SHA1: 955dc57b38e0fe082a34af043e0fd7a7842139ce
  SHA256: e21b6a6ac2d0416d80f6157962148b8e95f6c325f4bd09d76da4a5be47838d48
  SHA512: f5c0998d843296fbe7ec6e0b66b1c4b12bbcf1811ad83a1bd02f1ebc9b7fb912aa1fdf8b37c94132589871c349ecc6fb5fe69e45e3fd83ea86b8be6537c7108b

C:\Windows\SysWOW64\vveaodvvaxcyi.exe
  Filesize: 512KB
  MD5: b11885f10f7b091785141c8db79a97be
  SHA1: cf2bef329b8be3b6d2c27dbb00ecbaaca511d68e
  SHA256: 4c025ecc6ae54b2860cb3c82a44e2b83d0668586d1be5ab54c386574c20a7ba1
  SHA512: acb4e871d3d87de25bfa44186dc67ef02e3065a7fb574ec65294d5c5e361eb60385b3cb1ae0ffab1d5195b584e195d66c13090ddc901073cf04c663ea820b502

C:\Windows\SysWOW64\ypsoujuwvhnoter.exe
  Filesize: 512KB
  MD5: a8a65b59e1142a07f090f9772fcc8847
  SHA1: a57150eb310d31dad2336e756ad4771eb15dd34f
  SHA256: 00215d733bb6f619def3d2293bf6fe05090d7388ef6f1625f9142009e5503073
  SHA512: 9cbbed127cf9888a13fe2d2ffb039cc23ded22257c3f13ed0d74f39041df1c956996cf722010d451a78bd21f6cde1d1fa1f4aef97640ac9efcd83ff2bd093b02

C:\Windows\mydoc.rtf
  Filesize: 223B
  MD5: 06604e5941c126e2e7be02c5cd9f62ec
  SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
  SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
  SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

\??\c:\Users\Admin\Downloads\EnterExport.doc.exe
  Filesize: 512KB
  MD5: 10b546f605fdb4d4b18f01e974abff0d
  SHA1: 8f79c84b1c0286e3510ea161dd43ead749ec7f5e
  SHA256: b7e6aa448ce23b4411a4a3212c9eb2ca5605c5361e5d7426df62b6fd7e302857
  SHA512: e7c3104b137646cfb2d0af1e8770457ca543a1de38d420b9e8f38fdb22eef56117718fa669d90e172b7e20cded3f2c1761e8191a2a57ed114e528192d3acb42a

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
  Filesize: 512KB
  MD5: e9dd257dedeed7459b5c2b158a52b05a
  SHA1: 6fbb296916fe22a1b275edbf638f9dbf390a5c06
  SHA256: 3e7ff985542e89c36ee2ec7e5065decfddecc35dfd44a3ca0da5e10592752d26
  SHA512: 9ba3067900a49ca9f346f45d58392346d8b851d340ff8959f252a16c13bef0a441ae245ec1083601ddea0039f224081dce324bd05d08231f39d26c433f0ba2ad

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
  Filesize: 512KB
  MD5: 3f652960fa28c367464cf17f8d7eb2e9
  SHA1: 94c1e8442af38bc53737d62e450d024a95426c46
  SHA256: 1468571e6d1b1d521040f6dafe8635a7c79325b074912cd5f066d39130e5aac3
  SHA512: bbef824910904f16dd5bac7a7046a408431245725d32dbf58f56229e5938e5073392b30a07c24e42a51622181fa746e0bc3ded1456b8be40e1c2212547a7ef5f

memory/3448-610-0x00007FF7D1B90000-0x00007FF7D1BA0000-memory.dmp
  Filesize: 64KB

memory/3448-41-0x00007FF7D1B90000-0x00007FF7D1BA0000-memory.dmp
  Filesize: 64KB

memory/3448-40-0x00007FF7D1B90000-0x00007FF7D1BA0000-memory.dmp
  Filesize: 64KB

memory/3448-38-0x00007FF7D1B90000-0x00007FF7D1BA0000-memory.dmp
  Filesize: 64KB

memory/3448-39-0x00007FF7D1B90000-0x00007FF7D1BA0000-memory.dmp
  Filesize: 64KB

memory/3448-42-0x00007FF7CF6E0000-0x00007FF7CF6F0000-memory.dmp
  Filesize: 64KB

memory/3448-37-0x00007FF7D1B90000-0x00007FF7D1BA0000-memory.dmp
  Filesize: 64KB

memory/3448-43-0x00007FF7CF6E0000-0x00007FF7CF6F0000-memory.dmp
  Filesize: 64KB

memory/3448-611-0x00007FF7D1B90000-0x00007FF7D1BA0000-memory.dmp
  Filesize: 64KB

memory/3448-609-0x00007FF7D1B90000-0x00007FF7D1BA0000-memory.dmp
  Filesize: 64KB

memory/3448-612-0x00007FF7D1B90000-0x00007FF7D1BA0000-memory.dmp
  Filesize: 64KB

memory/3668-0-0x0000000000400000-0x0000000000496000-memory.dmp
  Filesize: 600KB