Analysis
- max time kernel: 149s
- max time network: 139s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-05-2024 20:03

Static task: static1

Behavioral task: behavioral1
- Sample: 6faf8ed502a1238bf9952e8ef9cce25f_JaffaCakes118.exe
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: 6faf8ed502a1238bf9952e8ef9cce25f_JaffaCakes118.exe
- Resource: win10v2004-20240426-en
General
- Target: 6faf8ed502a1238bf9952e8ef9cce25f_JaffaCakes118.exe
- Size: 512KB
- MD5: 6faf8ed502a1238bf9952e8ef9cce25f
- SHA1: 200b03e5e2daf5f6be4e25036ef682091dd6d853
- SHA256: 7e12bae0d5ede6bc024333bd1a7eb7edfceffa0876043d274df30780864d09cc
- SHA512: 89fb2cc3a3f991d4156f425257a0624f84ca2d0d6d6955aff8628fae9ac61b7d8d6906bb6d4bda458028b2468b97ac610f9f503bc417a8203942302c40e8f33e
- SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6j:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5W
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | bakgxglapy.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | bakgxglapy.exe

Windows security bypass 5 IoCs
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | bakgxglapy.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | bakgxglapy.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | bakgxglapy.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | bakgxglapy.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | bakgxglapy.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | bakgxglapy.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | 6faf8ed502a1238bf9952e8ef9cce25f_JaffaCakes118.exe
Executes dropped EXE 5 IoCs
pid | process
688 | bakgxglapy.exe
3852 | jfvzmdmdtvhincl.exe
4912 | bkfvhiro.exe
3620 | txtndwqjyvvlc.exe
2892 | bkfvhiro.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 6 IoCs
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | bakgxglapy.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | bakgxglapy.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | bakgxglapy.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | bakgxglapy.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | bakgxglapy.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | bakgxglapy.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\omtckzyp = "bakgxglapy.exe" | jfvzmdmdtvhincl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dwjaegeb = "jfvzmdmdtvhincl.exe" | jfvzmdmdtvhincl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "txtndwqjyvvlc.exe" | jfvzmdmdtvhincl.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
All 64 entries are "File opened (read-only)" on a drive root of the form \??\<letter>:, grouped here by process (×2 marks a root opened twice; bkfvhiro.exe ran as two processes):
process | entries | drive roots opened (read-only)
bakgxglapy.exe | 21 | b, e, g, h, i, j, k, l, m, n, o, p, q, r, s, t, u, v, w, x, z
bkfvhiro.exe | 43 | a ×2, b ×2, e ×2, g ×2, h ×2, i ×2, j ×2, k, l ×2, m ×2, n ×2, o ×2, p, q ×2, r ×2, s ×2, t, u ×2, v ×2, w ×2, x ×2, y ×2, z ×2
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | bakgxglapy.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | bakgxglapy.exe
AutoIT Executable 10 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/1632-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x0007000000023451-5.dat | autoit_exe
behavioral2/files/0x000800000002344d-18.dat | autoit_exe
behavioral2/files/0x0007000000023452-26.dat | autoit_exe
behavioral2/files/0x0007000000023453-32.dat | autoit_exe
behavioral2/files/0x00020000000229af-70.dat | autoit_exe
behavioral2/files/0x0008000000023413-74.dat | autoit_exe
behavioral2/files/0x0004000000021ebc-83.dat | autoit_exe
behavioral2/files/0x001e0000000006d1-99.dat | autoit_exe
behavioral2/files/0x001e0000000006d1-105.dat | autoit_exe
Drops file in System32 directory 13 IoCs
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\bkfvhiro.exe | 6faf8ed502a1238bf9952e8ef9cce25f_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\txtndwqjyvvlc.exe | 6faf8ed502a1238bf9952e8ef9cce25f_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\jfvzmdmdtvhincl.exe | 6faf8ed502a1238bf9952e8ef9cce25f_JaffaCakes118.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | bkfvhiro.exe
File created | C:\Windows\SysWOW64\bakgxglapy.exe | 6faf8ed502a1238bf9952e8ef9cce25f_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\bakgxglapy.exe | 6faf8ed502a1238bf9952e8ef9cce25f_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\jfvzmdmdtvhincl.exe | 6faf8ed502a1238bf9952e8ef9cce25f_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\bkfvhiro.exe | 6faf8ed502a1238bf9952e8ef9cce25f_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\txtndwqjyvvlc.exe | 6faf8ed502a1238bf9952e8ef9cce25f_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | bakgxglapy.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | bkfvhiro.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | bkfvhiro.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | bkfvhiro.exe
Drops file in Program Files directory 15 IoCs
description | ioc | process
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | bkfvhiro.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | bkfvhiro.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | bkfvhiro.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | bkfvhiro.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | bkfvhiro.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | bkfvhiro.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | bkfvhiro.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | bkfvhiro.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | bkfvhiro.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | bkfvhiro.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | bkfvhiro.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | bkfvhiro.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | bkfvhiro.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | bkfvhiro.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | bkfvhiro.exe
Drops file in Windows directory 19 IoCs
description | ioc | process
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | bkfvhiro.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | bkfvhiro.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | bkfvhiro.exe
File opened for modification | C:\Windows\mydoc.rtf | 6faf8ed502a1238bf9952e8ef9cce25f_JaffaCakes118.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | bkfvhiro.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | bkfvhiro.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | bkfvhiro.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | bkfvhiro.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | bkfvhiro.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | bkfvhiro.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | bkfvhiro.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | bkfvhiro.exe
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | bkfvhiro.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | bkfvhiro.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | bkfvhiro.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | bkfvhiro.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | bkfvhiro.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Modifies registry class 20 IoCs
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | bakgxglapy.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | bakgxglapy.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | bakgxglapy.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | bakgxglapy.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | bakgxglapy.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | bakgxglapy.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33412C799C2283586D3476D770532CDF7C8E65AB" | 6faf8ed502a1238bf9952e8ef9cce25f_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABFFAC9FE6BF293837D3B4586963995B38B038B4360034BE1BF429C08A6" | 6faf8ed502a1238bf9952e8ef9cce25f_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FF5FC8F4F5F851F913CD6207E94BDE7E640584166416332D7EE" | 6faf8ed502a1238bf9952e8ef9cce25f_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7876BB8FF1B21DBD27BD1A48B09906A" | 6faf8ed502a1238bf9952e8ef9cce25f_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | bakgxglapy.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | bakgxglapy.exe
Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings | 6faf8ed502a1238bf9952e8ef9cce25f_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | bakgxglapy.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | bakgxglapy.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | bakgxglapy.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 6faf8ed502a1238bf9952e8ef9cce25f_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB2B1214793389D53BDBAA233E8D7C9" | 6faf8ed502a1238bf9952e8ef9cce25f_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1844C70F1591DAC5B8C17CE3EDE234CB" | 6faf8ed502a1238bf9952e8ef9cce25f_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | bakgxglapy.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | process | count
4080 | WINWORD.EXE | 2
Suspicious behavior: EnumeratesProcesses 64 IoCs
The 64 entries grouped by process (count = number of times the behaviour was recorded):
pid | process | count
1632 | 6faf8ed502a1238bf9952e8ef9cce25f_JaffaCakes118.exe | 16
3852 | jfvzmdmdtvhincl.exe | 12
688 | bakgxglapy.exe | 10
4912 | bkfvhiro.exe | 8
3620 | txtndwqjyvvlc.exe | 12
2892 | bkfvhiro.exe | 6
Suspicious use of FindShellTrayWindow 18 IoCs
pid | process | count
1632 | 6faf8ed502a1238bf9952e8ef9cce25f_JaffaCakes118.exe | 3
3852 | jfvzmdmdtvhincl.exe | 3
688 | bakgxglapy.exe | 3
4912 | bkfvhiro.exe | 3
3620 | txtndwqjyvvlc.exe | 3
2892 | bkfvhiro.exe | 3
Suspicious use of SendNotifyMessage 18 IoCs
pid | process | count
1632 | 6faf8ed502a1238bf9952e8ef9cce25f_JaffaCakes118.exe | 3
3852 | jfvzmdmdtvhincl.exe | 3
688 | bakgxglapy.exe | 3
4912 | bkfvhiro.exe | 3
3620 | txtndwqjyvvlc.exe | 3
2892 | bkfvhiro.exe | 3
Suspicious use of SetWindowsHookEx 7 IoCs
pid | process | count
4080 | WINWORD.EXE | 7
Suspicious use of WriteProcessMemory 17 IoCs
pid | process | wrote to memory of (pid) | procid_target | count
1632 | 6faf8ed502a1238bf9952e8ef9cce25f_JaffaCakes118.exe | 688 | 87 | 3
1632 | 6faf8ed502a1238bf9952e8ef9cce25f_JaffaCakes118.exe | 3852 | 88 | 3
1632 | 6faf8ed502a1238bf9952e8ef9cce25f_JaffaCakes118.exe | 4912 | 89 | 3
1632 | 6faf8ed502a1238bf9952e8ef9cce25f_JaffaCakes118.exe | 3620 | 90 | 3
1632 | 6faf8ed502a1238bf9952e8ef9cce25f_JaffaCakes118.exe | 4080 | 91 | 2
688 | bakgxglapy.exe | 2892 | 93 | 3
Processes
- C:\Users\Admin\AppData\Local\Temp\6faf8ed502a1238bf9952e8ef9cce25f_JaffaCakes118.exe (PID 1632)
  Command line: "C:\Users\Admin\AppData\Local\Temp\6faf8ed502a1238bf9952e8ef9cce25f_JaffaCakes118.exe"
  Signatures:
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\bakgxglapy.exe (PID 688)
    Command line: bakgxglapy.exe
    Signatures:
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\bkfvhiro.exe (PID 2892)
      Command line: C:\Windows\system32\bkfvhiro.exe
      Signatures:
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\jfvzmdmdtvhincl.exe (PID 3852)
    Command line: jfvzmdmdtvhincl.exe
    Signatures:
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\bkfvhiro.exe (PID 4912)
    Command line: bkfvhiro.exe
    Signatures:
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\txtndwqjyvvlc.exe (PID 3620)
    Command line: txtndwqjyvvlc.exe
    Signatures:
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 4080)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    Signatures:
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15 (number of matching signatures in parentheses)
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads