Analysis
Max time kernel: 150s
Max time network: 128s
Platform: windows10-2004_x64
Resource: win10v2004-20240426-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 24-05-2024 18:01

Static task: static1
Behavioral task: behavioral1
  Sample: 6f5fcfacc18ee9db4f7aaafa9cb96e53_JaffaCakes118.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: 6f5fcfacc18ee9db4f7aaafa9cb96e53_JaffaCakes118.exe
  Resource: win10v2004-20240426-en
General
Target: 6f5fcfacc18ee9db4f7aaafa9cb96e53_JaffaCakes118.exe
Size: 512KB
MD5: 6f5fcfacc18ee9db4f7aaafa9cb96e53
SHA1: a9ab2e589987bcc7dd8ec0240aed44c557b20e52
SHA256: e424405384a64305ce9c6b0347c446e34e72f01fa5213665ae15dd4795b04bf7
SHA512: c0144b6f22db495af0fc0e7c7e8c04cd71799bb717d4eb745c2427c76f37a38d89e1fa71eec9ebba7332ca0a2a904edb982e06562e8924eb35463e56bf0f8722
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6h:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm56
Signatures

Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
Process: ukwatedlwj.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (ukwatedlwj.exe)

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
Process: ukwatedlwj.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (ukwatedlwj.exe)

Windows security bypass (5 IoCs)
Process: ukwatedlwj.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (ukwatedlwj.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (ukwatedlwj.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (ukwatedlwj.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (ukwatedlwj.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (ukwatedlwj.exe)

Disables RegEdit via registry modification (1 IoC)
Process: ukwatedlwj.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (ukwatedlwj.exe)

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Process: 6f5fcfacc18ee9db4f7aaafa9cb96e53_JaffaCakes118.exe
- Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation (6f5fcfacc18ee9db4f7aaafa9cb96e53_JaffaCakes118.exe)

Executes dropped EXE (5 IoCs)
Processes (pid, process):
- 4524 ukwatedlwj.exe
- 3516 tvoamafpdhodmhk.exe
- 4056 zpttgwih.exe
- 4564 ixwsneyyputon.exe
- 4296 zpttgwih.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.

Windows security modification (6 IoCs)
Process: ukwatedlwj.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" (ukwatedlwj.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (ukwatedlwj.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (ukwatedlwj.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (ukwatedlwj.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (ukwatedlwj.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (ukwatedlwj.exe)

Adds Run key to start application (2 TTPs, 3 IoCs)
Process: tvoamafpdhodmhk.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\upvwkodo = "tvoamafpdhodmhk.exe" (tvoamafpdhodmhk.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "ixwsneyyputon.exe" (tvoamafpdhodmhk.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ccckifnx = "ukwatedlwj.exe" (tvoamafpdhodmhk.exe)

Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: ukwatedlwj.exe, zpttgwih.exe (two instances)
All 64 IoCs are "File opened (read-only)" on a drive root, grouped here by process:
- ukwatedlwj.exe (22 opens): \??\a: \??\b: \??\e: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\o: \??\p: \??\q: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\y: \??\z:
- zpttgwih.exe (42 opens across both instances): \??\a: \??\b: \??\e: \??\g: \??\h: \??\i: \??\j: \??\k: \??\m: \??\n: \??\o: \??\p: \??\q: \??\r: \??\s: \??\v: \??\w: \??\x: \??\y: \??\z: (each twice), \??\l: and \??\t: (once each)

Modifies WinLogon (2 TTPs, 2 IoCs)
Process: ukwatedlwj.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" (ukwatedlwj.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" (ukwatedlwj.exe)

AutoIT Executable (9 IoCs)
AutoIT scripts compiled to PE executables.
Resources matching yara rule autoit_exe:
- behavioral2/memory/2932-0-0x0000000000400000-0x0000000000496000-memory.dmp
- C:\Windows\SysWOW64\tvoamafpdhodmhk.exe
- C:\Windows\SysWOW64\ukwatedlwj.exe
- C:\Windows\SysWOW64\zpttgwih.exe
- C:\Windows\SysWOW64\ixwsneyyputon.exe
- C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
- \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

Drops file in System32 directory (12 IoCs)
Processes: 6f5fcfacc18ee9db4f7aaafa9cb96e53_JaffaCakes118.exe, zpttgwih.exe (two instances), ukwatedlwj.exe
- File created C:\Windows\SysWOW64\tvoamafpdhodmhk.exe (6f5fcfacc18ee9db4f7aaafa9cb96e53_JaffaCakes118.exe)
- File created C:\Windows\SysWOW64\zpttgwih.exe (6f5fcfacc18ee9db4f7aaafa9cb96e53_JaffaCakes118.exe)
- File created C:\Windows\SysWOW64\ixwsneyyputon.exe (6f5fcfacc18ee9db4f7aaafa9cb96e53_JaffaCakes118.exe)
- File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (zpttgwih.exe)
- File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (zpttgwih.exe)
- File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (zpttgwih.exe)
- File opened for modification C:\Windows\SysWOW64\ukwatedlwj.exe (6f5fcfacc18ee9db4f7aaafa9cb96e53_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\tvoamafpdhodmhk.exe (6f5fcfacc18ee9db4f7aaafa9cb96e53_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\zpttgwih.exe (6f5fcfacc18ee9db4f7aaafa9cb96e53_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\ixwsneyyputon.exe (6f5fcfacc18ee9db4f7aaafa9cb96e53_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\msvbvm60.dll (ukwatedlwj.exe)
- File created C:\Windows\SysWOW64\ukwatedlwj.exe (6f5fcfacc18ee9db4f7aaafa9cb96e53_JaffaCakes118.exe)

Drops file in Program Files directory (14 IoCs)
Processes: zpttgwih.exe (two instances)
- File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (zpttgwih.exe)
- File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (zpttgwih.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal (zpttgwih.exe)
- File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (zpttgwih.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (zpttgwih.exe)
- File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (zpttgwih.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (zpttgwih.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (zpttgwih.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal (zpttgwih.exe)
- File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (zpttgwih.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal (zpttgwih.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (zpttgwih.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal (zpttgwih.exe)
- File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (zpttgwih.exe)

Drops file in Windows directory (19 IoCs)
Processes: zpttgwih.exe (two instances), 6f5fcfacc18ee9db4f7aaafa9cb96e53_JaffaCakes118.exe, WINWORD.EXE
- File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (zpttgwih.exe)
- File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (zpttgwih.exe)
- File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (zpttgwih.exe)
- File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (zpttgwih.exe)
- File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (zpttgwih.exe)
- File opened for modification C:\Windows\mydoc.rtf (6f5fcfacc18ee9db4f7aaafa9cb96e53_JaffaCakes118.exe)
- File opened for modification C:\Windows\mydoc.rtf (WINWORD.EXE)
- File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (zpttgwih.exe)
- File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (zpttgwih.exe)
- File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (zpttgwih.exe)
- File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (zpttgwih.exe)
- File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (zpttgwih.exe)
- File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (zpttgwih.exe)
- File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (zpttgwih.exe)
- File created C:\Windows\~$mydoc.rtf (WINWORD.EXE)
- File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (zpttgwih.exe)
- File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (zpttgwih.exe)
- File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (zpttgwih.exe)
- File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (zpttgwih.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandbox environments.
Process: WINWORD.EXE
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)

Enumerates system info in registry (2 TTPs, 3 IoCs)
Process: WINWORD.EXE
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)

Modifies registry class (20 IoCs)
Processes: ukwatedlwj.exe, 6f5fcfacc18ee9db4f7aaafa9cb96e53_JaffaCakes118.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat (ukwatedlwj.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh (ukwatedlwj.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" (ukwatedlwj.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" (ukwatedlwj.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF8FC8F4F2782129136D75B7E9CBCE4E632584266436331D79A" (6f5fcfacc18ee9db4f7aaafa9cb96e53_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" (ukwatedlwj.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" (ukwatedlwj.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs (ukwatedlwj.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg (ukwatedlwj.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf (ukwatedlwj.exe)
- Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes (6f5fcfacc18ee9db4f7aaafa9cb96e53_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BC8F9C9F962F198837D3B40869D3E91B08B02FC4367033DE1BA42E808A1" (6f5fcfacc18ee9db4f7aaafa9cb96e53_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EC1B02A4495389F53C9B9D5329CD7CE" (6f5fcfacc18ee9db4f7aaafa9cb96e53_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1945C70E14E4DBC7B8CF7C90EDE534C6" (6f5fcfacc18ee9db4f7aaafa9cb96e53_JaffaCakes118.exe)
- Key created \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings (6f5fcfacc18ee9db4f7aaafa9cb96e53_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32462C0A9D5583276D4176D570222CAB7CF264AA" (6f5fcfacc18ee9db4f7aaafa9cb96e53_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F26BB6FE6721AAD279D0A88A0C9062" (6f5fcfacc18ee9db4f7aaafa9cb96e53_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" (ukwatedlwj.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc (ukwatedlwj.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" (ukwatedlwj.exe)

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes (pid, process, occurrences):
- 2952 WINWORD.EXE (2)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid, process, occurrences):
- 2932 6f5fcfacc18ee9db4f7aaafa9cb96e53_JaffaCakes118.exe (16)
- 4524 ukwatedlwj.exe (10)
- 4056 zpttgwih.exe (8)
- 3516 tvoamafpdhodmhk.exe (10)
- 4564 ixwsneyyputon.exe (12)
- 4296 zpttgwih.exe (8)

Suspicious use of FindShellTrayWindow (18 IoCs)
Processes (pid, process, occurrences):
- 2932 6f5fcfacc18ee9db4f7aaafa9cb96e53_JaffaCakes118.exe (3)
- 4524 ukwatedlwj.exe (3)
- 4056 zpttgwih.exe (3)
- 4564 ixwsneyyputon.exe (3)
- 3516 tvoamafpdhodmhk.exe (3)
- 4296 zpttgwih.exe (3)

Suspicious use of SendNotifyMessage (18 IoCs)
Processes (pid, process, occurrences):
- 2932 6f5fcfacc18ee9db4f7aaafa9cb96e53_JaffaCakes118.exe (3)
- 4524 ukwatedlwj.exe (3)
- 4056 zpttgwih.exe (3)
- 4564 ixwsneyyputon.exe (3)
- 3516 tvoamafpdhodmhk.exe (3)
- 4296 zpttgwih.exe (3)

Suspicious use of SetWindowsHookEx (7 IoCs)
Processes (pid, process, occurrences):
- 2952 WINWORD.EXE (7)

Suspicious use of WriteProcessMemory (17 IoCs)
Processes: 6f5fcfacc18ee9db4f7aaafa9cb96e53_JaffaCakes118.exe, ukwatedlwj.exe
- PID 2932 (6f5fcfacc18ee9db4f7aaafa9cb96e53_JaffaCakes118.exe) wrote to memory of 4524 (ukwatedlwj.exe), 3 times
- PID 2932 (6f5fcfacc18ee9db4f7aaafa9cb96e53_JaffaCakes118.exe) wrote to memory of 3516 (tvoamafpdhodmhk.exe), 3 times
- PID 2932 (6f5fcfacc18ee9db4f7aaafa9cb96e53_JaffaCakes118.exe) wrote to memory of 4056 (zpttgwih.exe), 3 times
- PID 2932 (6f5fcfacc18ee9db4f7aaafa9cb96e53_JaffaCakes118.exe) wrote to memory of 4564 (ixwsneyyputon.exe), 3 times
- PID 2932 (6f5fcfacc18ee9db4f7aaafa9cb96e53_JaffaCakes118.exe) wrote to memory of 2952 (WINWORD.EXE), 2 times
- PID 4524 (ukwatedlwj.exe) wrote to memory of 4296 (zpttgwih.exe), 3 times
Processes
(Tree level is given in brackets; each entry lists the image path, the command line as recorded, and the signatures that fired for it.)

[1] C:\Users\Admin\AppData\Local\Temp\6f5fcfacc18ee9db4f7aaafa9cb96e53_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\6f5fcfacc18ee9db4f7aaafa9cb96e53_JaffaCakes118.exe"
    - Checks computer location settings
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\ukwatedlwj.exe
        Command line: ukwatedlwj.exe
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - Windows security bypass
        - Disables RegEdit via registry modification
        - Executes dropped EXE
        - Windows security modification
        - Enumerates connected drives
        - Modifies WinLogon
        - Drops file in System32 directory
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\zpttgwih.exe
            Command line: C:\Windows\system32\zpttgwih.exe
            - Executes dropped EXE
            - Enumerates connected drives
            - Drops file in System32 directory
            - Drops file in Program Files directory
            - Drops file in Windows directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage

    [2] C:\Windows\SysWOW64\tvoamafpdhodmhk.exe
        Command line: tvoamafpdhodmhk.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage

    [2] C:\Windows\SysWOW64\zpttgwih.exe
        Command line: zpttgwih.exe
        - Executes dropped EXE
        - Enumerates connected drives
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage

    [2] C:\Windows\SysWOW64\ixwsneyyputon.exe
        Command line: ixwsneyyputon.exe
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage

    [2] C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
        Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
        - Drops file in Windows directory
        - Checks processor information in registry
        - Enumerates system info in registry
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious use of SetWindowsHookEx
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Modify Registry (6)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
Downloads

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
  Filesize: 512KB
  MD5: bd3a7060ed5265211a00d7255081d973
  SHA1: b7c71448343d1aec881aa422c9613c38157bcc30
  SHA256: 09d6d78605f86cf0d8b6ebadb2ad29ac95556213e05c9a706593ee9f16e770d4
  SHA512: fba1ff61303d0a77b9d03a10e8a1b67c2e8b26c327bede54fba5ac5a245e6267b6958fbb5b61ea1e29150f7fab2855cccc736fe40fdc8a76ccf6f69f24afd79c

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
  Filesize: 512KB
  MD5: 5cb6c2ed720edd2eb99c6564a1f9327f
  SHA1: 02a4f63670e3c0250ced865b30eb01029ad3a974
  SHA256: 1c56868fbee783bcb5fc12b2a2499368a9348b6c0ae6bf3f7326bbcdc83b1b69
  SHA512: 45d3fd2c6f7cdaa4473c89a1c09107cbaa922b137905043af74526cbc3e3f955eddd4c4dfd60628577d76fc9727deab5a3564e02919d4ec1c8e896f66169706d

C:\Users\Admin\AppData\Local\Temp\TCD784D.tmp\sist02.xsl
  Filesize: 245KB
  MD5: f883b260a8d67082ea895c14bf56dd56
  SHA1: 7954565c1f243d46ad3b1e2f1baf3281451fc14b
  SHA256: ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
  SHA512: d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
  Filesize: 239B
  MD5: 12b138a5a40ffb88d1850866bf2959cd
  SHA1: 57001ba2de61329118440de3e9f8a81074cb28a2
  SHA256: 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
  SHA512: 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 3KB
  MD5: 1619c4e8eb723bfee441873bca8b63f8
  SHA1: c51c2ea893f0e1a5494096da37e149a733e4b76a
  SHA256: c01b356de4947e4afaac205255789763c48c86e3a310c25f4771503ce374a168
  SHA512: 34453f4d8e68ad9a3072f1b5358dc09e65ca0c1d392a4503f1eeb4e78211acc1dd4b823d9906291dafc8bd032f0a79bbf42c8ee69124217ca5343f24eb3887f2

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 3KB
  MD5: 9765fe0a63545a6ea036d310be530b55
  SHA1: a704c3218a45721e122ca1fabc09869c7fa5945d
  SHA256: 5edc56bc77673125518b7209ff3e14a8c0bc89f271f0189e25c21914359ea805
  SHA512: e63cd73c5c440ca7cc15a1ce1ce721ccc475c6379b193d5b6f357d57c7d44b2d19023b57b137f524ac6392d4153bd46c8873c6ad877dfa741a8eca52e32a87d9

C:\Windows\SysWOW64\ixwsneyyputon.exe
  Filesize: 512KB
  MD5: 4caa251f9c85b671ee43ccc3076119b9
  SHA1: 21ef9e6c5159e4271009f1d59ce5952e5068828f
  SHA256: 6245dbe690d800206381d3fae8956930fb12a91fddb421fe070a5c664dc7565e
  SHA512: 0a63e8996583de76812c6b82252ff34aaf8425f0b313d42baa8df6571204d6817e3151748c4010193cf4363ef302835f3475c7b2a44974bc410208b4b86b1000

C:\Windows\SysWOW64\tvoamafpdhodmhk.exe
  Filesize: 512KB
  MD5: 76383dbd8c54712c05236b9944f7fe21
  SHA1: 36f07a4e4a14e4b639ebd02f696b19dffb34ddc9
  SHA256: 759f74193acf793cde4df63b6ca83b192f67a63afa230b8c99a0eb1fc36af4fa
  SHA512: adfacba292ea48044aced7878f3ae7c74ba83ba34aac8421df5a4ce3b373a658c84f7820d8e5d6bcad3bac2ab4d71d01b661049faab0e5a483b736425b9774fc

C:\Windows\SysWOW64\ukwatedlwj.exe
  Filesize: 512KB
  MD5: ec2a462ea238e24143b5d79f2457bd60
  SHA1: 61974a4bc7ad81d35103e9670bb48d8b702801a5
  SHA256: ca9f7d1cce38645c773f5445f621dcef1c8a06df4c9917c21122f2a9bb95b373
  SHA512: 6fe9f6b0e5d571297195b6fde3d9be77a1d32477dc6038789ec82e2c5c738c252a1acdfb7ed8872316a8923298a4980f8a7fc6a78bdf973fabc45d8ef850fafd

C:\Windows\SysWOW64\zpttgwih.exe
  Filesize: 512KB
  MD5: bd81c555a89878a47c601330a2d16b61
  SHA1: 93644f8b50eaa597fdc519475b7ff0b5323f0a6d
  SHA256: 23c4831f3bc7fba051dece86b97902b12d38aa699a791a053b0d05a223217d83
  SHA512: 061da086c9a272a9790469414fd1276a9145b46d7231899a23d51dbc3a4d8ef4d9c996bf0baa583ee2d800bf11d17757801d757b9a9409d4db08c9eae10f063c

C:\Windows\mydoc.rtf
  Filesize: 223B
  MD5: 06604e5941c126e2e7be02c5cd9f62ec
  SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
  SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
  SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
  Filesize: 512KB
  MD5: e168a8c78ff514ec7bdfed1a5d514b6a
  SHA1: 9bbe542f91e82e57e05ae4c88cf7873cc3028ccc
  SHA256: 015f929fa567f2aed0d25a9c3df9b8c7dcf3fff9e74bd35b516702a62235b35e
  SHA512: 8795d8b82d50149165a33e175b52f31bd0402cba56b3b5ab5013c035897c13122630cc77f48a517feec9bce09be3214e27106ee060d2b91ff2420b96108d954b

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
  Filesize: 512KB
  MD5: e790cb5785b931d88b40acf615d4224e
  SHA1: 5e210ee2864bf31a4cecd3d94fbcbd77440df5d3
  SHA256: ccf9af881e94af28c86d6e260684d678fba370694f76eac4330f6cd2aad98896
  SHA512: 04c7381700e23dc134d8dc3550aa5876a4031ecdffee03924caf7332bd63fc842aa272d001f5fed2629e7a6fa5abf310fe8709019fa4d1b5cae697baf6745cbb

Memory dumps (region, filesize):
- memory/2932-0-0x0000000000400000-0x0000000000496000-memory.dmp: 600KB
- memory/2952-41-0x00007FF820100000-0x00007FF820110000-memory.dmp: 64KB
- memory/2952-40-0x00007FF820100000-0x00007FF820110000-memory.dmp: 64KB
- memory/2952-38-0x00007FF822770000-0x00007FF822780000-memory.dmp: 64KB
- memory/2952-39-0x00007FF822770000-0x00007FF822780000-memory.dmp: 64KB
- memory/2952-36-0x00007FF822770000-0x00007FF822780000-memory.dmp: 64KB
- memory/2952-37-0x00007FF822770000-0x00007FF822780000-memory.dmp: 64KB
- memory/2952-35-0x00007FF822770000-0x00007FF822780000-memory.dmp: 64KB
- memory/2952-595-0x00007FF822770000-0x00007FF822780000-memory.dmp: 64KB
- memory/2952-596-0x00007FF822770000-0x00007FF822780000-memory.dmp: 64KB
- memory/2952-598-0x00007FF822770000-0x00007FF822780000-memory.dmp: 64KB
- memory/2952-597-0x00007FF822770000-0x00007FF822780000-memory.dmp: 64KB