Analysis
- max time kernel: 150s
- max time network: 125s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-05-2024 17:54
Static task: static1
Behavioral task: behavioral1
- Sample: 6f5a7a69cd72cd5e83dfd3be1b2edc5e_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 6f5a7a69cd72cd5e83dfd3be1b2edc5e_JaffaCakes118.exe
- Resource: win10v2004-20240426-en
General
- Target: 6f5a7a69cd72cd5e83dfd3be1b2edc5e_JaffaCakes118.exe
- Size: 512KB
- MD5: 6f5a7a69cd72cd5e83dfd3be1b2edc5e
- SHA1: 68bd47aac61a6b8d17f0fc4660eea301be01bf7b
- SHA256: 84945b5e51c3c82fedb0d2daed1f94117eb9eb1450ab8a894117d097b72be82b
- SHA512: b5d912e280ba601d89fe4137138fe305202c9e0cec3ecbf8f96b6d625387413ec01e2ecf71ec5d11e382f37795dca9d0342fed8e0ba4c32dd942013f2478a743
- SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6P:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5E
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
Processes: hdtsjavczg.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | hdtsjavczg.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
Processes: hdtsjavczg.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | hdtsjavczg.exe
Windows security bypass (5 IoCs)
Processes: hdtsjavczg.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | hdtsjavczg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | hdtsjavczg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | hdtsjavczg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | hdtsjavczg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | hdtsjavczg.exe
Disables RegEdit via registry modification (1 IoC)
Processes: hdtsjavczg.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | hdtsjavczg.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: 6f5a7a69cd72cd5e83dfd3be1b2edc5e_JaffaCakes118.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation | 6f5a7a69cd72cd5e83dfd3be1b2edc5e_JaffaCakes118.exe
Executes dropped EXE (5 IoCs)
Processes: hdtsjavczg.exe, bjuokepa.exe, lopargsdvtfidpm.exe, hthhufgkzmxnk.exe, bjuokepa.exe
pid | process
3788 | hdtsjavczg.exe
1612 | bjuokepa.exe
632 | lopargsdvtfidpm.exe
5084 | hthhufgkzmxnk.exe
1056 | bjuokepa.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.

Windows security modification (6 IoCs)
Processes: hdtsjavczg.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | hdtsjavczg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | hdtsjavczg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | hdtsjavczg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | hdtsjavczg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | hdtsjavczg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | hdtsjavczg.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
Processes: lopargsdvtfidpm.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wdconmba = "lopargsdvtfidpm.exe" | lopargsdvtfidpm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "hthhufgkzmxnk.exe" | lopargsdvtfidpm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\klemkluw = "hdtsjavczg.exe" | lopargsdvtfidpm.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: hdtsjavczg.exe, bjuokepa.exe, bjuokepa.exe
description | ioc | process
File opened (read-only) | \??\e: | hdtsjavczg.exe
File opened (read-only) | \??\b: | bjuokepa.exe
File opened (read-only) | \??\n: | bjuokepa.exe
File opened (read-only) | \??\v: | bjuokepa.exe
File opened (read-only) | \??\a: | bjuokepa.exe
File opened (read-only) | \??\t: | bjuokepa.exe
File opened (read-only) | \??\w: | bjuokepa.exe
File opened (read-only) | \??\b: | hdtsjavczg.exe
File opened (read-only) | \??\k: | hdtsjavczg.exe
File opened (read-only) | \??\v: | hdtsjavczg.exe
File opened (read-only) | \??\e: | bjuokepa.exe
File opened (read-only) | \??\r: | bjuokepa.exe
File opened (read-only) | \??\w: | bjuokepa.exe
File opened (read-only) | \??\p: | bjuokepa.exe
File opened (read-only) | \??\u: | hdtsjavczg.exe
File opened (read-only) | \??\t: | hdtsjavczg.exe
File opened (read-only) | \??\a: | hdtsjavczg.exe
File opened (read-only) | \??\l: | hdtsjavczg.exe
File opened (read-only) | \??\q: | bjuokepa.exe
File opened (read-only) | \??\r: | bjuokepa.exe
File opened (read-only) | \??\u: | bjuokepa.exe
File opened (read-only) | \??\o: | hdtsjavczg.exe
File opened (read-only) | \??\j: | bjuokepa.exe
File opened (read-only) | \??\y: | hdtsjavczg.exe
File opened (read-only) | \??\h: | bjuokepa.exe
File opened (read-only) | \??\o: | bjuokepa.exe
File opened (read-only) | \??\s: | bjuokepa.exe
File opened (read-only) | \??\q: | hdtsjavczg.exe
File opened (read-only) | \??\z: | bjuokepa.exe
File opened (read-only) | \??\w: | hdtsjavczg.exe
File opened (read-only) | \??\z: | hdtsjavczg.exe
File opened (read-only) | \??\i: | bjuokepa.exe
File opened (read-only) | \??\p: | bjuokepa.exe
File opened (read-only) | \??\j: | bjuokepa.exe
File opened (read-only) | \??\o: | bjuokepa.exe
File opened (read-only) | \??\z: | bjuokepa.exe
File opened (read-only) | \??\a: | bjuokepa.exe
File opened (read-only) | \??\x: | bjuokepa.exe
File opened (read-only) | \??\r: | hdtsjavczg.exe
File opened (read-only) | \??\x: | bjuokepa.exe
File opened (read-only) | \??\n: | hdtsjavczg.exe
File opened (read-only) | \??\u: | bjuokepa.exe
File opened (read-only) | \??\y: | bjuokepa.exe
File opened (read-only) | \??\g: | hdtsjavczg.exe
File opened (read-only) | \??\i: | hdtsjavczg.exe
File opened (read-only) | \??\e: | bjuokepa.exe
File opened (read-only) | \??\g: | bjuokepa.exe
File opened (read-only) | \??\i: | bjuokepa.exe
File opened (read-only) | \??\y: | bjuokepa.exe
File opened (read-only) | \??\j: | hdtsjavczg.exe
File opened (read-only) | \??\m: | hdtsjavczg.exe
File opened (read-only) | \??\m: | bjuokepa.exe
File opened (read-only) | \??\t: | bjuokepa.exe
File opened (read-only) | \??\k: | bjuokepa.exe
File opened (read-only) | \??\h: | bjuokepa.exe
File opened (read-only) | \??\q: | bjuokepa.exe
File opened (read-only) | \??\m: | bjuokepa.exe
File opened (read-only) | \??\l: | bjuokepa.exe
File opened (read-only) | \??\p: | hdtsjavczg.exe
File opened (read-only) | \??\s: | hdtsjavczg.exe
File opened (read-only) | \??\g: | bjuokepa.exe
File opened (read-only) | \??\s: | bjuokepa.exe
File opened (read-only) | \??\b: | bjuokepa.exe
File opened (read-only) | \??\v: | bjuokepa.exe
Modifies WinLogon (2 TTPs, 2 IoCs)
Processes: hdtsjavczg.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | hdtsjavczg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | hdtsjavczg.exe
AutoIT Executable (10 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/4940-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
C:\Windows\SysWOW64\lopargsdvtfidpm.exe | autoit_exe
C:\Windows\SysWOW64\hdtsjavczg.exe | autoit_exe
C:\Windows\SysWOW64\bjuokepa.exe | autoit_exe
C:\Windows\SysWOW64\hthhufgkzmxnk.exe | autoit_exe
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | autoit_exe
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | autoit_exe
C:\Users\Admin\Documents\RepairStart.doc.exe | autoit_exe
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | autoit_exe
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | autoit_exe
Drops file in System32 directory (12 IoCs)
Processes: 6f5a7a69cd72cd5e83dfd3be1b2edc5e_JaffaCakes118.exe, bjuokepa.exe, bjuokepa.exe, hdtsjavczg.exe
description | ioc | process
File created | C:\Windows\SysWOW64\hdtsjavczg.exe | 6f5a7a69cd72cd5e83dfd3be1b2edc5e_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\hdtsjavczg.exe | 6f5a7a69cd72cd5e83dfd3be1b2edc5e_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\lopargsdvtfidpm.exe | 6f5a7a69cd72cd5e83dfd3be1b2edc5e_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\bjuokepa.exe | 6f5a7a69cd72cd5e83dfd3be1b2edc5e_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\bjuokepa.exe | 6f5a7a69cd72cd5e83dfd3be1b2edc5e_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\hthhufgkzmxnk.exe | 6f5a7a69cd72cd5e83dfd3be1b2edc5e_JaffaCakes118.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | bjuokepa.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | bjuokepa.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | bjuokepa.exe
File opened for modification | C:\Windows\SysWOW64\lopargsdvtfidpm.exe | 6f5a7a69cd72cd5e83dfd3be1b2edc5e_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\hthhufgkzmxnk.exe | 6f5a7a69cd72cd5e83dfd3be1b2edc5e_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | hdtsjavczg.exe
Drops file in Program Files directory (15 IoCs)
Processes: bjuokepa.exe, bjuokepa.exe
description | ioc | process
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | bjuokepa.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | bjuokepa.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | bjuokepa.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | bjuokepa.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | bjuokepa.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | bjuokepa.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | bjuokepa.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | bjuokepa.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | bjuokepa.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | bjuokepa.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | bjuokepa.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | bjuokepa.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | bjuokepa.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | bjuokepa.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | bjuokepa.exe
Drops file in Windows directory (19 IoCs)
Processes: 6f5a7a69cd72cd5e83dfd3be1b2edc5e_JaffaCakes118.exe, bjuokepa.exe, bjuokepa.exe, WINWORD.EXE
description | ioc | process
File opened for modification | C:\Windows\mydoc.rtf | 6f5a7a69cd72cd5e83dfd3be1b2edc5e_JaffaCakes118.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | bjuokepa.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | bjuokepa.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | bjuokepa.exe
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | bjuokepa.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | bjuokepa.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | bjuokepa.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | bjuokepa.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | bjuokepa.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | bjuokepa.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | bjuokepa.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | bjuokepa.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | bjuokepa.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | bjuokepa.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | bjuokepa.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | bjuokepa.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | bjuokepa.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: WINWORD.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class (20 IoCs)
Processes: hdtsjavczg.exe, 6f5a7a69cd72cd5e83dfd3be1b2edc5e_JaffaCakes118.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | hdtsjavczg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | hdtsjavczg.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 6f5a7a69cd72cd5e83dfd3be1b2edc5e_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7836BB9FE1821ACD27BD0A28B7C9014" | 6f5a7a69cd72cd5e83dfd3be1b2edc5e_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | hdtsjavczg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | hdtsjavczg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF9FC8348288519903DD7217D92BDE6E641594A664F6330D79F" | 6f5a7a69cd72cd5e83dfd3be1b2edc5e_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | hdtsjavczg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | hdtsjavczg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | hdtsjavczg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | hdtsjavczg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | hdtsjavczg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33322C7C9D2D82256A3676D177202CDD7C8464DE" | 6f5a7a69cd72cd5e83dfd3be1b2edc5e_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB2B120449239ED53C5BAD733EED7BC" | 6f5a7a69cd72cd5e83dfd3be1b2edc5e_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193EC67515E1DAB4B8CA7CE9EDE734C8" | 6f5a7a69cd72cd5e83dfd3be1b2edc5e_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings | 6f5a7a69cd72cd5e83dfd3be1b2edc5e_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AB9FABBFE14F198840B3B4681983995B38903F04315034BE1CA459908A7" | 6f5a7a69cd72cd5e83dfd3be1b2edc5e_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | hdtsjavczg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | hdtsjavczg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | hdtsjavczg.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes: WINWORD.EXE
pid | process | occurrences
3960 | WINWORD.EXE | 2
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: 6f5a7a69cd72cd5e83dfd3be1b2edc5e_JaffaCakes118.exe, hdtsjavczg.exe, lopargsdvtfidpm.exe, bjuokepa.exe, hthhufgkzmxnk.exe, bjuokepa.exe
pid | process | occurrences
4940 | 6f5a7a69cd72cd5e83dfd3be1b2edc5e_JaffaCakes118.exe | 16
3788 | hdtsjavczg.exe | 10
632 | lopargsdvtfidpm.exe | 10
1612 | bjuokepa.exe | 8
5084 | hthhufgkzmxnk.exe | 12
1056 | bjuokepa.exe | 8
Suspicious use of FindShellTrayWindow (18 IoCs)
Processes: 6f5a7a69cd72cd5e83dfd3be1b2edc5e_JaffaCakes118.exe, hdtsjavczg.exe, bjuokepa.exe, lopargsdvtfidpm.exe, hthhufgkzmxnk.exe, bjuokepa.exe
pid | process | occurrences
4940 | 6f5a7a69cd72cd5e83dfd3be1b2edc5e_JaffaCakes118.exe | 3
3788 | hdtsjavczg.exe | 3
1612 | bjuokepa.exe | 3
632 | lopargsdvtfidpm.exe | 3
5084 | hthhufgkzmxnk.exe | 3
1056 | bjuokepa.exe | 3
Suspicious use of SendNotifyMessage (18 IoCs)
Processes: 6f5a7a69cd72cd5e83dfd3be1b2edc5e_JaffaCakes118.exe, hdtsjavczg.exe, bjuokepa.exe, lopargsdvtfidpm.exe, hthhufgkzmxnk.exe, bjuokepa.exe
pid | process | occurrences
4940 | 6f5a7a69cd72cd5e83dfd3be1b2edc5e_JaffaCakes118.exe | 3
3788 | hdtsjavczg.exe | 3
1612 | bjuokepa.exe | 3
632 | lopargsdvtfidpm.exe | 3
5084 | hthhufgkzmxnk.exe | 3
1056 | bjuokepa.exe | 3
Suspicious use of SetWindowsHookEx (7 IoCs)
Processes: WINWORD.EXE
pid | process | occurrences
3960 | WINWORD.EXE | 7
Suspicious use of WriteProcessMemory (17 IoCs)
Processes: 6f5a7a69cd72cd5e83dfd3be1b2edc5e_JaffaCakes118.exe, hdtsjavczg.exe
description | pid | process | target process | occurrences
PID 4940 wrote to memory of 3788 | 4940 | 6f5a7a69cd72cd5e83dfd3be1b2edc5e_JaffaCakes118.exe | hdtsjavczg.exe | 3
PID 4940 wrote to memory of 632 | 4940 | 6f5a7a69cd72cd5e83dfd3be1b2edc5e_JaffaCakes118.exe | lopargsdvtfidpm.exe | 3
PID 4940 wrote to memory of 1612 | 4940 | 6f5a7a69cd72cd5e83dfd3be1b2edc5e_JaffaCakes118.exe | bjuokepa.exe | 3
PID 4940 wrote to memory of 5084 | 4940 | 6f5a7a69cd72cd5e83dfd3be1b2edc5e_JaffaCakes118.exe | hthhufgkzmxnk.exe | 3
PID 4940 wrote to memory of 3960 | 4940 | 6f5a7a69cd72cd5e83dfd3be1b2edc5e_JaffaCakes118.exe | WINWORD.EXE | 2
PID 3788 wrote to memory of 1056 | 3788 | hdtsjavczg.exe | bjuokepa.exe | 3
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\6f5a7a69cd72cd5e83dfd3be1b2edc5e_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6f5a7a69cd72cd5e83dfd3be1b2edc5e_JaffaCakes118.exe"
  PID: 4940
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Windows\SysWOW64\hdtsjavczg.exe
    Command line: hdtsjavczg.exe
    PID: 3788
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Windows\SysWOW64\bjuokepa.exe
      Command line: C:\Windows\system32\bjuokepa.exe
      PID: 1056
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  Level 2: C:\Windows\SysWOW64\lopargsdvtfidpm.exe
    Command line: lopargsdvtfidpm.exe
    PID: 632
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  Level 2: C:\Windows\SysWOW64\bjuokepa.exe
    Command line: bjuokepa.exe
    PID: 1612
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  Level 2: C:\Windows\SysWOW64\hthhufgkzmxnk.exe
    Command line: hthhufgkzmxnk.exe
    PID: 5084
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  Level 2: C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    PID: 3960
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads
- C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
  Filesize: 512KB
  MD5: 4b59598267531231338b72d1e3f5d206
  SHA1: d2770fced4ffc444ebdf9e718d4dc6c6bfae67f0
  SHA256: 19ce398dbcdd73da6b54ef526682f71f94645e56407a4d207e6945b35b610517
  SHA512: 517d91912e18a95d937bff0ea0a7ecfc5a9e877295723434c3dec7cf2e967c0e3aa4e7faafb5e1638c1ee2362ab543312a92d868255c5de41b1a86543486ffb5
- C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
  Filesize: 512KB
  MD5: d79a6e24a9813ac94e487ec545d8b1b6
  SHA1: d7f2e51b9c442c50ed0c8362c19d4c8e9d929183
  SHA256: ac5d8f278554ee01b0c90208107d7fe2525d6aa5cae7a9b11de33c0eac2d581f
  SHA512: ec583a438ec6f802e41a24c8a7a8fae7bd4af2d91e42e0671c88440dfad8a1a11e17c626b71144e9f0dbe9f53091b7330d289cf92a4cd92bcdce4cc28bc402fc
- C:\Users\Admin\AppData\Local\Temp\TCD704D.tmp\iso690.xsl
  Filesize: 263KB
  MD5: ff0e07eff1333cdf9fc2523d323dd654
  SHA1: 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
  SHA256: 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
  SHA512: b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d
- C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
  Filesize: 239B
  MD5: a57751e460746bc6e449df2cc9ed1e05
  SHA1: 5ca34df88a95256c7af7b98989361975fd293d15
  SHA256: dc68b2412ca3943796d1fb5a33f93a9eb593ae9aa5c6d7f5ecffb59f2ab85fce
  SHA512: 4a0b61e6487d55ac09d69edff4f2e729bfc7476882088acc69e59cd2ffa7285ed837f6cde8206583cca53a1043b3cc589a4938bc00db42a0ebc644340f079e5b
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 3KB
  MD5: e7948795979520cf045660dad8a14582
  SHA1: 6537c1e9425fdc9c975b03b5b33ab8c30ed3cdb4
  SHA256: a1b9d46a5a5e6a3aedd5d59fb31dd12f455d3222a78bf648b3ef7d8927a4f369
  SHA512: b4e4f0aa0a8358149487049ba0ec2fcdc0e76cf29740c6c8a480167a4e83860fb6a06819b11bb25d036c55d502e67bd1bbf02cf7f81b01e4d27e1bb76df29626
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 3KB
  MD5: 5c29bddb604ee49df37b44f4a3255b5d
  SHA1: bf933bf264ca6c6093e05cb6cae40206c328b07d
  SHA256: 49a902dbb7aa676951d07f0b86b4bd8f5199127b4909fc7d044c74fb597c89da
  SHA512: 5bae4de7cb02d4a890ccfab0b32c36e7bedef6ecf50ce846593d663656ca7e3e307e198002e73a97ed2eb9e1f3f1d0ff4a0c8bc4675539ba498751b2b440ee23
- C:\Users\Admin\Documents\RepairStart.doc.exe
  Filesize: 512KB
  MD5: ada22ab7f0f07acdcb1b278266759be1
  SHA1: d5184da768ec18a93992060c7e66ad1beb552d2b
  SHA256: b5aeaee1b9aec8092a56a5b529f4ffaef859f96a963c8c13b457b3af9d8d3953
  SHA512: 7d583b72c4017f6fd9c76d2172caa3cf6f9a9870819d32ecb0f014a9549353929a689f1f2bd7dde7165319baf18bdaade3002586dfe043efe0f3cc7f1f046813
- C:\Windows\SysWOW64\bjuokepa.exe
  Filesize: 512KB
  MD5: 01fcdec0129b1c22a4f04649c4d5bb06
  SHA1: 6db6dd76757d21806daef0c8a409abb26d3bc8a9
  SHA256: 8ce184b6eaa890eb9fc1b2a105c382d44b32ee26057c740701838b0970bdf30a
  SHA512: e0f1b4e391d6ec7e2e8e57f8b4a7cb352717f7e8a4685196f99ff27e9bf1d7a3667dc873d3ae88e04e0928b961466b96f21abe831ed4c68b2421b9b1aecf8ae1
- C:\Windows\SysWOW64\hdtsjavczg.exe
  Filesize: 512KB
  MD5: fa6a9369f6acdb453abf246f8971ebe4
  SHA1: 5747c830aaa0093be88f9a0e6dd6fca9de87091f
  SHA256: 4074f438bdacba6936b239471138ccf0885294fd8055fbbbaffe9288ec2b93a2
  SHA512: 382fed27f559c8226e21c0cd2329d7b64963a4a59f3ea3796895c3fa3038b33f24f12d2ea7b004d547ffb03f39c187361cc4906c5070efebbb4c8563113c56b2
- C:\Windows\SysWOW64\hthhufgkzmxnk.exe
  Filesize: 512KB
  MD5: 39088a934af3a72fa1ab19b07f97f758
  SHA1: 06ce2aa6a7626fb76607183a86f96dd3c78d82ec
  SHA256: f0aaf44280aebdb24005d943f348913da256578236a36f847eaf9924d64a4d2e
  SHA512: 12651870c8d2def379b92548a0a655abfe6269435ea581aea74d949fca0113f5ec6da169dd216eb85fb73e6d9e97ad09f8815a9c9dad7bbf62ca00bba0adf1ee
- C:\Windows\SysWOW64\lopargsdvtfidpm.exe
  Filesize: 512KB
  MD5: 025448fc4174db13c4ae9917f1e98da1
  SHA1: 831c7434bed906ec290c28e8a1f222083275b84b
  SHA256: 3126f978292b2c0962c0b8f17468f76142c73f2eb0967f9fd82dfe0c6bbcf59e
  SHA512: 521b77707ba0834eeab1a5f13c5f782441a15f0cf08fb174cd67396b4b59d5e45c66b1092cff46deb496d2d3a0ae26bba09d7989cb5d3965c26586ea19b9e30c
- C:\Windows\mydoc.rtf
  Filesize: 223B
  MD5: 06604e5941c126e2e7be02c5cd9f62ec
  SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
  SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
  SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
- \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
  Filesize: 512KB
  MD5: 128d80655dbe33449dfaf8f7cf9ada5a
  SHA1: 1d8444b0cda040e3ceb8204097ce7aea261ab5fc
  SHA256: d522d172884717bd4840b01bbc8f0ab2b7571e745d184f41a851eda657eae802
  SHA512: dbe90516961ceea6312efde6ca949ec3ccafd2b0b4f6cdfb7d17a4b62344fe750851fde51eddece5fae7191a1f5b2c2d79ed8cd92fd6f16acac158d68ce28a33
- \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
  Filesize: 512KB
  MD5: df4d7c979cf4b1012bbd947b12d589fa
  SHA1: ddbbb4a20e187f1fe400dcd9698aabccff68710c
  SHA256: 32d25bf4e241d004751b75cdd77ad002f6658b8e5c26bf50f77b5fba4c904e1a
  SHA512: ddc304c75acab3b52ecab59bca03062143520036d74ed2127ac5832081aac230698555eaf11f8966e1d8da0138063cbe617bb913815da2e40e2f9e24a8837475
- memory/3960-39-0x00007FF926650000-0x00007FF926660000-memory.dmp (Filesize: 64KB)
- memory/3960-38-0x00007FF926650000-0x00007FF926660000-memory.dmp (Filesize: 64KB)
- memory/3960-36-0x00007FF926650000-0x00007FF926660000-memory.dmp (Filesize: 64KB)
- memory/3960-37-0x00007FF926650000-0x00007FF926660000-memory.dmp (Filesize: 64KB)
- memory/3960-40-0x00007FF923FC0000-0x00007FF923FD0000-memory.dmp (Filesize: 64KB)
- memory/3960-35-0x00007FF926650000-0x00007FF926660000-memory.dmp (Filesize: 64KB)
- memory/3960-42-0x00007FF923FC0000-0x00007FF923FD0000-memory.dmp (Filesize: 64KB)
- memory/3960-604-0x00007FF926650000-0x00007FF926660000-memory.dmp (Filesize: 64KB)
- memory/3960-606-0x00007FF926650000-0x00007FF926660000-memory.dmp (Filesize: 64KB)
- memory/3960-603-0x00007FF926650000-0x00007FF926660000-memory.dmp (Filesize: 64KB)
- memory/3960-605-0x00007FF926650000-0x00007FF926660000-memory.dmp (Filesize: 64KB)
- memory/4940-0-0x0000000000400000-0x0000000000496000-memory.dmp (Filesize: 600KB)