Analysis
max time kernel: 153s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-05-2024 20:14

Static task: static1
Behavioral task: behavioral1
  Sample: 6fb585b4fa8768a55275e9e9f0811e11_JaffaCakes118.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 6fb585b4fa8768a55275e9e9f0811e11_JaffaCakes118.exe
  Resource: win10v2004-20240226-en

The signatures, process tree and dropped files below are from behavioral2 (win10v2004-20240226-en); the YARA hit on behavioral2/memory/3620-0-... under "AutoIT Executable" confirms which run is shown.
General
Target: 6fb585b4fa8768a55275e9e9f0811e11_JaffaCakes118.exe
Size: 512KB
MD5: 6fb585b4fa8768a55275e9e9f0811e11
SHA1: 947d2321a3d22e92f1cccba0277ec3890d4016d7
SHA256: fadf485c8272484dff579e9f26f2b9ae45088740ccefe4519ac72d8638744136
SHA512: 0efbe655f1de08cf57a2d7bd1b619d68bbf0b235417ffe0b2082f3d547ded5defc033888a32322f876e70ad6f4368c5e9e9c1f23baaeb7ab670db6c48b52aba4
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6+:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5D
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
Processes: dnnjzkgqnx.exe
  description     | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | dnnjzkgqnx.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
Processes: dnnjzkgqnx.exe
  description     | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | dnnjzkgqnx.exe
Windows security bypass (5 IoCs; the signature name was lost in this block and is restored from the process-tree summary below)
Processes: dnnjzkgqnx.exe
  description     | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | dnnjzkgqnx.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | dnnjzkgqnx.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | dnnjzkgqnx.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | dnnjzkgqnx.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | dnnjzkgqnx.exe
Disables RegEdit via registry modification (1 IoC)
Processes: dnnjzkgqnx.exe
  description     | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | dnnjzkgqnx.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Processes: 6fb585b4fa8768a55275e9e9f0811e11_JaffaCakes118.exe
  description       | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | 6fb585b4fa8768a55275e9e9f0811e11_JaffaCakes118.exe
Executes dropped EXE (5 IoCs)
Processes: dnnjzkgqnx.exe, kcoefjhxmgrvrkr.exe, mzgpunhz.exe, dzlycfugogjzn.exe, mzgpunhz.exe
  pid  | process
  2880 | dnnjzkgqnx.exe
  5072 | kcoefjhxmgrvrkr.exe
  1896 | mzgpunhz.exe
  4736 | dzlycfugogjzn.exe
  4108 | mzgpunhz.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
(No individual IoCs are listed for this signature.)

Windows security modification (6 IoCs; the signature name was lost in this block and is restored from the process-tree summary below)
Processes: dnnjzkgqnx.exe
  description     | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | dnnjzkgqnx.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | dnnjzkgqnx.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | dnnjzkgqnx.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | dnnjzkgqnx.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | dnnjzkgqnx.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | dnnjzkgqnx.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
Processes: kcoefjhxmgrvrkr.exe
  description     | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yyanrfzu = "dnnjzkgqnx.exe" | kcoefjhxmgrvrkr.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\knnxfisn = "kcoefjhxmgrvrkr.exe" | kcoefjhxmgrvrkr.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "dzlycfugogjzn.exe" | kcoefjhxmgrvrkr.exe
Note: the third entry has an empty value name, i.e. it is the Run key's default value. All three store bare file names rather than full paths; the files themselves were dropped into C:\Windows\SysWOW64 (see "Drops file in System32 directory").
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: mzgpunhz.exe, dnnjzkgqnx.exe, mzgpunhz.exe
  description             | ioc (drive roots) | process
  File opened (read-only) | \??\a: \??\b: \??\e: \??\g: \??\h: \??\i: \??\k: \??\l: \??\m: \??\n: \??\o: \??\q: \??\r: \??\s: \??\t: \??\v: \??\w: \??\x: \??\y: \??\z: (20 events) | dnnjzkgqnx.exe
  File opened (read-only) | \??\a: \??\b: \??\e: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\o: \??\p: \??\q: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\z: (each letter twice, 44 events across the two mzgpunhz.exe instances) | mzgpunhz.exe
Modifies WinLogon (2 TTPs, 2 IoCs)
Processes: dnnjzkgqnx.exe
  description     | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | dnnjzkgqnx.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | dnnjzkgqnx.exe
Note: 4294967197 is 0xFFFFFF9D, i.e. -99 when the DWORD is read as a signed 32-bit value, which is how regedit and PowerShell display it.
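The IoC rows above all share one flattened line format (operation, NT-native registry path, optional data, writing process). The following parser is an added example, not part of the report or the sample: it turns such lines into structured records and normalises the paths into the HKLM/HKCU form that host tooling and detection rules use. The input lines are copied from the signatures on this page; the function and field names are the example's own, and the two normalisation facts it relies on (\REGISTRY\MACHINE is HKLM, \REGISTRY\USER\<sid> is that user's HKCU, with the _Classes hive mapping to HKCU\Software\Classes, and WOW6432Node is the 32-bit redirection view) are standard Windows behaviour.

```python
"""Parser for flattened sandbox registry IoC lines (added example, not report code)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: IoC lines copied verbatim from the signatures in this report.
SAMPLE_IOCS = r"""
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" dnnjzkgqnx.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" dnnjzkgqnx.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" dnnjzkgqnx.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "dzlycfugogjzn.exe" kcoefjhxmgrvrkr.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" dnnjzkgqnx.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat dnnjzkgqnx.exe
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation 6fb585b4fa8768a55275e9e9f0811e11_JaffaCakes118.exe
"""

# operation, NT path (may contain spaces), optional = "data", trailing process name.
IOC_RE = re.compile(
    r"^(?P<op>Set value \((?P<vtype>int|str)\)|Key created|Key opened|Key value queried)\s+"
    r"(?P<path>\\REGISTRY\\.+?)"
    r'(?:\s+=\s+"(?P<data>[^"]*)")?'
    r"\s+(?P<proc>\S+)$"
)
USER_HIVE_RE = re.compile(r"^\\REGISTRY\\USER\\S-1-5-21-[\d-]+(?P<classes>_Classes)?\\", re.I)
MACHINE_PREFIX = "\\REGISTRY\\MACHINE\\"


@dataclass
class RegIoc:
    op: str                # "Set value", "Key created", "Key opened", "Key value queried"
    vtype: Optional[str]   # "int"/"str" for Set value, else None
    key: str               # key with Win32 hive prefix, e.g. HKLM\SOFTWARE\WOW6432Node\...
    name: Optional[str]    # value name; "(Default)" for an empty name; None for key-level events
    data: Optional[str]    # data written by Set value, else None
    process: str

    @property
    def logical_key(self) -> str:
        """The key as a 64-bit process addresses it: WOW6432Node redirection removed."""
        return re.sub(r"\\WOW6432Node(?=\\)", "", self.key, flags=re.I)


def normalise_path(nt_path: str) -> str:
    """Map an NT-native registry path to the HKLM/HKCU form used by tools and rules."""
    if nt_path.upper().startswith(MACHINE_PREFIX):
        return "HKLM\\" + nt_path[len(MACHINE_PREFIX):]
    m = USER_HIVE_RE.match(nt_path)
    if m:
        # HKU\<sid> is that user's HKCU; HKU\<sid>_Classes is HKCU\Software\Classes.
        prefix = "HKCU\\Software\\Classes\\" if m.group("classes") else "HKCU\\"
        return prefix + nt_path[m.end():]
    return nt_path


def parse_ioc_line(line: str) -> Optional[RegIoc]:
    m = IOC_RE.match(line.strip())
    if not m:
        return None
    path = normalise_path(m.group("path"))
    op = m.group("op")
    if op.startswith("Set value") or op == "Key value queried":
        key, _, name = path.rpartition("\\")   # the last component is the value name
        return RegIoc("Set value" if op.startswith("Set") else op, m.group("vtype"),
                      key, name or "(Default)", m.group("data"), m.group("proc"))
    return RegIoc(op, None, path, None, None, m.group("proc"))


def parse_report(text: str) -> List[RegIoc]:
    return [ioc for ioc in map(parse_ioc_line, text.splitlines()) if ioc]


def as_signed_dword(data: str) -> int:
    """Show a REG_DWORD logged as unsigned decimal the way regedit/PowerShell display it."""
    v = int(data)
    return v - (1 << 32) if v >= (1 << 31) else v


def persistence_entries(iocs: List[RegIoc]) -> List[RegIoc]:
    """Writes under ...\CurrentVersion\Run (either the native or the WOW6432Node view)."""
    return [i for i in iocs
            if i.op == "Set value" and i.logical_key.upper().endswith(r"\CURRENTVERSION\RUN")]


if __name__ == "__main__":
    for ioc in parse_report(SAMPLE_IOCS):
        print(f"{ioc.process:52} {ioc.op:18} {ioc.logical_key}\\{ioc.name or ''} {ioc.data or ''}")
    print("SFCDisable as signed DWORD:", as_signed_dword("4294967197"))
```

The `logical_key` view is what to match on when writing a rule that should fire for both 32-bit and 64-bit writers; the exact `key` is what to query on an infected 64-bit host, because the sample is 32-bit and its HKLM writes really do live under WOW6432Node.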
AutoIT Executable (10 IoCs)
AutoIT scripts compiled to PE executables.
  resource | yara_rule
  behavioral2/memory/3620-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
  C:\Windows\SysWOW64\kcoefjhxmgrvrkr.exe | autoit_exe
  C:\Windows\SysWOW64\dnnjzkgqnx.exe | autoit_exe
  C:\Windows\SysWOW64\mzgpunhz.exe | autoit_exe
  C:\Windows\SysWOW64\dzlycfugogjzn.exe | autoit_exe
  \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | autoit_exe
  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | autoit_exe
  C:\Users\Admin\Documents\SetEnable.doc.exe | autoit_exe
  \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | autoit_exe
  \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | autoit_exe
Drops file in System32 directory (13 IoCs)
Processes: 6fb585b4fa8768a55275e9e9f0811e11_JaffaCakes118.exe, mzgpunhz.exe, dnnjzkgqnx.exe, mzgpunhz.exe
  description                  | ioc | process
  File opened for modification | C:\Windows\SysWOW64\dnnjzkgqnx.exe | 6fb585b4fa8768a55275e9e9f0811e11_JaffaCakes118.exe
  File created                 | C:\Windows\SysWOW64\dzlycfugogjzn.exe | 6fb585b4fa8768a55275e9e9f0811e11_JaffaCakes118.exe
  File created                 | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | mzgpunhz.exe
  File created                 | C:\Windows\SysWOW64\kcoefjhxmgrvrkr.exe | 6fb585b4fa8768a55275e9e9f0811e11_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\kcoefjhxmgrvrkr.exe | 6fb585b4fa8768a55275e9e9f0811e11_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\mzgpunhz.exe | 6fb585b4fa8768a55275e9e9f0811e11_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | dnnjzkgqnx.exe
  File created                 | C:\Windows\SysWOW64\mzgpunhz.exe | 6fb585b4fa8768a55275e9e9f0811e11_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\dzlycfugogjzn.exe | 6fb585b4fa8768a55275e9e9f0811e11_JaffaCakes118.exe
  File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | mzgpunhz.exe
  File created                 | C:\Windows\SysWOW64\dnnjzkgqnx.exe | 6fb585b4fa8768a55275e9e9f0811e11_JaffaCakes118.exe
  File created                 | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | mzgpunhz.exe
  File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | mzgpunhz.exe
Note: the sample is 32-bit, so "System32" here is the redirected C:\Windows\SysWOW64. msvbvm60.dll is the VB6 runtime; the report shows only an open-for-modification on it, with no create or hash for it in the Downloads section. MsoIrmProtector.doc.exe is created twice, and the Downloads section lists two different hashes for that path.
Drops file in Program Files directory (15 IoCs)
Processes: mzgpunhz.exe, mzgpunhz.exe
  description                  | ioc | process
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | mzgpunhz.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | mzgpunhz.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | mzgpunhz.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | mzgpunhz.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | mzgpunhz.exe
  File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | mzgpunhz.exe
  File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | mzgpunhz.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | mzgpunhz.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | mzgpunhz.exe
  File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | mzgpunhz.exe
  File created                 | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | mzgpunhz.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | mzgpunhz.exe
  File created                 | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | mzgpunhz.exe
  File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | mzgpunhz.exe
  File created                 | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | mzgpunhz.exe
Drops file in Windows directory (3 IoCs)
Processes: 6fb585b4fa8768a55275e9e9f0811e11_JaffaCakes118.exe, WINWORD.EXE
  description                  | ioc | process
  File opened for modification | C:\Windows\mydoc.rtf | 6fb585b4fa8768a55275e9e9f0811e11_JaffaCakes118.exe
  File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
  File created                 | C:\Windows\~$mydoc.rtf | WINWORD.EXE
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
(No individual IoCs are listed for this signature.)
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
  description       | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
  Key opened        | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Note: all three events come from WINWORD.EXE, which the sample launched to open C:\Windows\mydoc.rtf (see the process tree), not from the sample or its dropped executables, so they are more likely Word's own start-up behaviour than sandbox evasion by the malware.
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: WINWORD.EXE
  description       | ioc | process
  Key opened        | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class (20 IoCs)
Processes: 6fb585b4fa8768a55275e9e9f0811e11_JaffaCakes118.exe, dnnjzkgqnx.exe
  description     | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABEFACEF962F1E5830F3B4B86EC3E99B0F902884211023FE2CC42EB09A8" | 6fb585b4fa8768a55275e9e9f0811e11_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC6B020479038E252CBBADC329DD4CC" | 6fb585b4fa8768a55275e9e9f0811e11_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E08168C3FE1C21ADD172D0A88B089016" | 6fb585b4fa8768a55275e9e9f0811e11_JaffaCakes118.exe
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | dnnjzkgqnx.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | dnnjzkgqnx.exe
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | dnnjzkgqnx.exe
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | dnnjzkgqnx.exe
  Key created     | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 6fb585b4fa8768a55275e9e9f0811e11_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | dnnjzkgqnx.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF5FC8D482C82189142D7217E90BD95E13D594067366234D79A" | 6fb585b4fa8768a55275e9e9f0811e11_JaffaCakes118.exe
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | dnnjzkgqnx.exe
  Key created     | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings | 6fb585b4fa8768a55275e9e9f0811e11_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33472C769C2783556D3676A270212DDF7D8065A8" | 6fb585b4fa8768a55275e9e9f0811e11_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | dnnjzkgqnx.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | dnnjzkgqnx.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | dnnjzkgqnx.exe
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | dnnjzkgqnx.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | dnnjzkgqnx.exe
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | dnnjzkgqnx.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184BC67F15ECDBB3B8B97C92ECE434C7" | 6fb585b4fa8768a55275e9e9f0811e11_JaffaCakes118.exe
Note: two distinct things are happening here. dnnjzkgqnx.exe repoints the default value of the .bat, .vbs, .reg, .wsf, .wsc and .wsh extension keys to the "txtfile" ProgID, so double-clicking a batch file, VBScript, Windows Script File or .reg export opens it in the text editor instead of running or importing it; this hampers clean-up scripts and .reg fixes. The sample itself stores opaque hex strings under the CLV.Classes key (Com1..Com4, StartCom1..2); the report does not say what they encode.
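Taken together, the registry signatures above (Security Center overrides, DisableRegistryTools, Winlogon SFC* values, Run entries with bare file names, script/.reg associations repointed at txtfile) plus the dropped *.doc.exe files are what a responder would verify on a suspect host. The following PowerShell script is an added example, not part of the report or the sample: it checks a live host for those artefacts and prints the SHA-256 of any matching file so it can be compared with the Downloads section. It assumes 64-bit Windows (the sample is 32-bit, so its HKLM writes sit under WOW6432Node), checks HKCU for the current user only, and treats the dropped file names as possibly specific to this run.

```powershell
#Requires -RunAsAdministrator
<#
  Added example, not part of the report or the sample: checks a host for the
  registry and file artefacts listed in this report. Assumes 64-bit Windows and
  the current user's HKCU. Dropped file names may differ between runs; the
  SHA-256 values in the Downloads section are the more durable indicator.
#>
$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding([string]$Type, [string]$Where, $Value, [string]$Note) {
    $script:findings.Add([pscustomobject]@{ Type = $Type; Where = $Where; Value = $Value; Note = $Note })
}

# Flags a value when it exists and (if $Bad is given) equals the value seen in the report.
function Test-RegValue([string]$Path, [string]$Name, $Bad, [string]$Note) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return }
    $actual = $item.$Name
    if ($null -eq $Bad -or "$actual" -eq "$Bad") { Add-Finding 'Registry' "$Path\$Name" $actual $Note }
}

# Security Center notification/override switches (absent or 0 on a clean system).
$sc = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Security Center'
foreach ($n in 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify',
               'AntiVirusOverride', 'FirewallOverride', 'FirstRunDisabled') {
    Test-RegValue $sc $n 1 'Security Center notification suppressed'
}
Test-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' 'DisableRegistryTools' 1 'regedit blocked by policy'

# Winlogon SFC* values are absent on a clean system. PowerShell reads REG_DWORD as Int32,
# so the report's 4294967197 (0xFFFFFF9D) shows up here as -99.
$wl = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon'
Test-RegValue $wl 'SFCDisable' $null 'non-default Winlogon value'
Test-RegValue $wl 'SFCScan'    $null 'non-default Winlogon value'

# HideFileExt=1 and ShowSuperHidden=0 are the Windows defaults, so alone they prove
# nothing; they matter because they make the *.doc.exe drops below display as .doc.
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Test-RegValue $adv 'HideFileExt'     1 'informational: default value, hides the .exe of *.doc.exe'
Test-RegValue $adv 'ShowSuperHidden' 0 'informational: default value'

# Script and .reg associations repointed at the plain-text handler (HKCR merges the
# HKLM\SOFTWARE\Classes keys the report shows with the per-user Classes hive).
foreach ($ext in '.bat', '.vbs', '.reg', '.wsf', '.wsc', '.wsh') {
    $default = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$ext" -ErrorAction SilentlyContinue).'(default)'
    if ($default -eq 'txtfile') { Add-Finding 'Registry' "HKCR\$ext" $default 'association hijacked to txtfile' }
}

# Run values whose data is a bare file name (no drive letter or backslash), as in the report.
$run = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
$props = Get-ItemProperty -Path $run -ErrorAction SilentlyContinue
if ($props) {
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }    # PSPath, PSParentPath, PSChildName, ...
        if ($p.Value -is [string] -and $p.Value -notmatch '[\\:]') {
            Add-Finding 'Registry' "$run\$($p.Name)" $p.Value 'Run value with a bare file name'
        }
    }
}

# Dropped files by the paths in the report, then a generic sweep for document-named executables.
$paths = @(
    "$env:SystemRoot\mydoc.rtf",
    "$env:SystemRoot\SysWOW64\MSDRM\MsoIrmProtector.doc.exe",
    "$env:ProgramFiles\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe",
    "$env:ProgramFiles\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe"
)
foreach ($n in 'dnnjzkgqnx', 'kcoefjhxmgrvrkr', 'mzgpunhz', 'dzlycfugogjzn') { $paths += "$env:SystemRoot\SysWOW64\$n.exe" }
foreach ($f in $paths) {
    if (Test-Path -LiteralPath $f) {
        Add-Finding 'File' $f (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash 'path from report'
    }
}
Get-ChildItem -Path "$env:SystemDrive\Users", $env:ProgramFiles -Recurse -File -Force -Filter '*.doc.exe' -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'File' $_.FullName $_.Length 'document-named executable' }

$findings | Format-Table -AutoSize
```

Run it from an elevated PowerShell; it only reads. The two Explorer values are reported as informational on purpose: flagging HideFileExt=1 as malicious would fire on every default installation, whereas the Security Center overrides, DisableRegistryTools=1, any SFCDisable/SFCScan value and a txtfile association for .bat/.vbs/.reg are not things a clean Windows 10 host has.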
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes: WINWORD.EXE
  pid  | process | events
  1900 | WINWORD.EXE | 2
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: 6fb585b4fa8768a55275e9e9f0811e11_JaffaCakes118.exe, dnnjzkgqnx.exe, mzgpunhz.exe, kcoefjhxmgrvrkr.exe, dzlycfugogjzn.exe, mzgpunhz.exe
  pid  | process | events
  3620 | 6fb585b4fa8768a55275e9e9f0811e11_JaffaCakes118.exe | 16
  2880 | dnnjzkgqnx.exe | 10
  1896 | mzgpunhz.exe | 8
  5072 | kcoefjhxmgrvrkr.exe | 12
  4736 | dzlycfugogjzn.exe | 16
  4108 | mzgpunhz.exe | 2
Suspicious use of FindShellTrayWindow (18 IoCs)
Processes: 6fb585b4fa8768a55275e9e9f0811e11_JaffaCakes118.exe, dnnjzkgqnx.exe, mzgpunhz.exe, kcoefjhxmgrvrkr.exe, dzlycfugogjzn.exe, mzgpunhz.exe
  pid  | process | events
  3620 | 6fb585b4fa8768a55275e9e9f0811e11_JaffaCakes118.exe | 3
  2880 | dnnjzkgqnx.exe | 3
  1896 | mzgpunhz.exe | 3
  5072 | kcoefjhxmgrvrkr.exe | 3
  4736 | dzlycfugogjzn.exe | 3
  4108 | mzgpunhz.exe | 3
Suspicious use of SendNotifyMessage (18 IoCs)
Processes: 6fb585b4fa8768a55275e9e9f0811e11_JaffaCakes118.exe, dnnjzkgqnx.exe, mzgpunhz.exe, kcoefjhxmgrvrkr.exe, dzlycfugogjzn.exe, mzgpunhz.exe
  pid  | process | events
  3620 | 6fb585b4fa8768a55275e9e9f0811e11_JaffaCakes118.exe | 3
  2880 | dnnjzkgqnx.exe | 3
  1896 | mzgpunhz.exe | 3
  5072 | kcoefjhxmgrvrkr.exe | 3
  4736 | dzlycfugogjzn.exe | 3
  4108 | mzgpunhz.exe | 3
Suspicious use of SetWindowsHookEx (7 IoCs)
Processes: WINWORD.EXE
  pid  | process | events
  1900 | WINWORD.EXE | 7
Suspicious use of WriteProcessMemory (17 IoCs)
Processes: 6fb585b4fa8768a55275e9e9f0811e11_JaffaCakes118.exe, dnnjzkgqnx.exe
  description | pid  | process | target pid | target process | events
  wrote to memory of | 3620 | 6fb585b4fa8768a55275e9e9f0811e11_JaffaCakes118.exe | 2880 | dnnjzkgqnx.exe | 3
  wrote to memory of | 3620 | 6fb585b4fa8768a55275e9e9f0811e11_JaffaCakes118.exe | 5072 | kcoefjhxmgrvrkr.exe | 3
  wrote to memory of | 3620 | 6fb585b4fa8768a55275e9e9f0811e11_JaffaCakes118.exe | 1896 | mzgpunhz.exe | 3
  wrote to memory of | 3620 | 6fb585b4fa8768a55275e9e9f0811e11_JaffaCakes118.exe | 4736 | dzlycfugogjzn.exe | 3
  wrote to memory of | 2880 | dnnjzkgqnx.exe | 4108 | mzgpunhz.exe | 3
  wrote to memory of | 3620 | 6fb585b4fa8768a55275e9e9f0811e11_JaffaCakes118.exe | 1900 | WINWORD.EXE | 2
Processes
(The leading number is the depth in the tree, as in the original ⤵ markers; PIDs are taken from the "Executes dropped EXE" and "Suspicious use of WriteProcessMemory" tables above.)

1. C:\Users\Admin\AppData\Local\Temp\6fb585b4fa8768a55275e9e9f0811e11_JaffaCakes118.exe (PID 3620)
   command line: "C:\Users\Admin\AppData\Local\Temp\6fb585b4fa8768a55275e9e9f0811e11_JaffaCakes118.exe"
   - Checks computer location settings
   - Drops file in System32 directory
   - Drops file in Windows directory
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\dnnjzkgqnx.exe (PID 2880)
      command line: dnnjzkgqnx.exe
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Windows security bypass
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Windows security modification
      - Enumerates connected drives
      - Modifies WinLogon
      - Drops file in System32 directory
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\mzgpunhz.exe (PID 4108)
         command line: C:\Windows\system32\mzgpunhz.exe
         (the parent is 32-bit, so its System32 path is redirected to SysWOW64, which is why the image path differs from the command line)
         - Executes dropped EXE
         - Enumerates connected drives
         - Drops file in System32 directory
         - Drops file in Program Files directory
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of FindShellTrayWindow
         - Suspicious use of SendNotifyMessage

   2. C:\Windows\SysWOW64\kcoefjhxmgrvrkr.exe (PID 5072)
      command line: kcoefjhxmgrvrkr.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

   2. C:\Windows\SysWOW64\mzgpunhz.exe (PID 1896)
      command line: mzgpunhz.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

   2. C:\Windows\SysWOW64\dzlycfugogjzn.exe (PID 4736)
      command line: dzlycfugogjzn.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

   2. C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 1900)
      command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      (opens the 223-byte decoy document the sample wrote to C:\Windows\mydoc.rtf)
      - Drops file in Windows directory
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of SetWindowsHookEx

1. C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (separate top-level process, no signatures attributed)
   command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4088 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Modify Registry (6)
  Impair Defenses (2)
    Disable or Modify Tools (2)
Downloads
(Every dropped executable is 512KB, the same size as the submitted sample, and every one matches the autoit_exe YARA rule, yet each has a different hash, so they are not byte-identical copies. MsoIrmProtector.doc.exe and the customDestinations-ms jump list each appear twice with different hashes because the same path was written twice during the run.)

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
  Filesize: 512KB
  MD5: cc563a8c5caa0e10b28e3d8dd4e3a193
  SHA1: 777581e2999e3240efb55514810cf48daebd6ed0
  SHA256: a73aa130135125e0e57addccbda930186b99249c30baf5514b1124a5b6e4f8ef
  SHA512: a4d3b5ff5fcdef996dfdf106a40895f8bffb61de9890f67210c1d9f467d6f664c2fd104617d2bb3f602f931397a20bca5c132c299b7604c5ade989e60737a504

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
  Filesize: 239B
  MD5: 12b138a5a40ffb88d1850866bf2959cd
  SHA1: 57001ba2de61329118440de3e9f8a81074cb28a2
  SHA256: 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
  SHA512: 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 3KB
  MD5: a34f34e4252b8718eb8bb4fa4c4f1a76
  SHA1: 0ffb2bf3807348f6b64022cca00aa275557c786d
  SHA256: fe5068f961b0438c86039eaa1bcaebb73441e7c0a76dc3a49def737555720fb6
  SHA512: e34fa1c8a92167314f30561f18f95baed996503881cadbf8b1cd3eeb8fd22b9f36e0045120c27c89c83b5ba7b30ede049fd479d46d3fd9f45310b21013e5f3a4

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 3KB
  MD5: 25b0fed6e14635e42992752bda6052d5
  SHA1: 6dcb1c9d70cce3c9290fb7c0e809dca598cae2a7
  SHA256: 8e0eaddb0de447f89ef82a627975c768595432f05d6257f8bf7348dc2af16061
  SHA512: 59cde7157eee0b7a8855ed8522bfc0c5b1ccabdb3331fefaea3d66461a6f6f6f28fd8c5d216ceea02c427bd6f9c23ed3615170fbb72f76a5d3c94c35072e2b42

C:\Users\Admin\Documents\SetEnable.doc.exe
  Filesize: 512KB
  MD5: 714e0d38846744155a6754316df78b46
  SHA1: 0868a97c1cbdbafc80bdd9ab2343c577f4c37820
  SHA256: 0136591c0788950643aa975e0f60c809bbde6d8b292dd792b290208eb82bd4d6
  SHA512: a4de5be4bf84e7f675d5d92cfa46743068f5b631df23c23b69e82321c7c1de3cc9510f964b3587758a77687eae82d9916cfd8f420209d2e3a0e140bc5bd3b756

C:\Windows\SysWOW64\dnnjzkgqnx.exe
  Filesize: 512KB
  MD5: 666ab63efe3e6fa707d71212c228ef2f
  SHA1: b5a1f033a3ed63149925c23b8655a7b744a9e6ab
  SHA256: 3f29706301d9e33f48521a88596b4ad7e5e8a7cd53eed360564ca4e8e77d5aa6
  SHA512: fdf35c183fa5a4ceaf8e3f6a8037331245cd30ce5b5de52f59b461ed0bd0d53b1fa96a5bb10299895d97b42810fa50be4de9d1eec356e5d16fdd968f426a7c62

C:\Windows\SysWOW64\dzlycfugogjzn.exe
  Filesize: 512KB
  MD5: 3b8e369137e11c05785f4142b4345489
  SHA1: 8e2a282db8544d52788236c45378c55279fcfb8f
  SHA256: bbb19c57a951161bb7f9239e3b096856b807099b5d8bb831f638a0604f1fc650
  SHA512: 7d6d6b208fa5235d42a0f045fd6947eca965cce2f65ba1aae6c67e48600698b7c25653c6ba6cba63e75b0577c7f552aa0a9bf613d7f0dc83fa668191ae4ed629

C:\Windows\SysWOW64\kcoefjhxmgrvrkr.exe
  Filesize: 512KB
  MD5: c39abed44e89c6987d3f3fb0385c4ca4
  SHA1: a1eedb2a6d0d2e815721db2a938021bd637f66d7
  SHA256: 6d1a87ee55d2d171f9d5ea649e5951abb4f3ab4c183ece86ac8e35ab40be58a9
  SHA512: 547bb91a70e6d23dc1052a6c43c9156edc7534546d579685e449693764989d4e4d808a6cf1b7b6f5037427ad78c02e693de1df6b43279e4e0ab6b4959983752b

C:\Windows\SysWOW64\mzgpunhz.exe
  Filesize: 512KB
  MD5: 196f51822161dffa2aa2cc11180075f2
  SHA1: e7c868ab0a682abd765ace6ae117334935efa4a1
  SHA256: 4fe65c30a0b4b973395017acd88cbc70cd75f6d4f23336457eb87fbdd09581b4
  SHA512: 3b2deb1f81e941ebeebee4b295c33fbb071e2e3612297986d1d3e65ab91687e0317c756cb40dccc374bdbee3126948f46a66225ca7be0b110f7e6ac6ba2b6499

C:\Windows\mydoc.rtf
  Filesize: 223B
  MD5: 06604e5941c126e2e7be02c5cd9f62ec
  SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
  SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
  SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

\??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
  Filesize: 512KB
  MD5: cdbdbe51fecf63214bb2d23e8361081f
  SHA1: 2b2a66eafbded5c6711b00d2ed7866dca61c653d
  SHA256: f4af53ece3612f5de58956769c5f1443d60e4ff5396f7133d726e55fdc576e37
  SHA512: b32c2e82dd98557eaf7322104609daa014707a6cb3f5a95c261e7e7802c9ef6492e5cc401472a7190c7cab1db6f35840929255a67b6e4b8c184cdec7b837d22f

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
  Filesize: 512KB
  MD5: 4e3391950c02214452af57e594185f89
  SHA1: 20d02135ee59728be2a2beb7edc85f022a6f6650
  SHA256: ce9a6222e582137a38681bbc166106925db43a94a23c0d83d27f36b80a7e7e66
  SHA512: 5dbbd9c51879bef43026993468ec66e5548bbcfbd7eb944f38f2c34d816e55f5db7c78039c63d5fdb1ab736a3d6e91ca4af1dab57b4bc67dd89c18a1583f2137

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
  Filesize: 512KB
  MD5: efcf5157b80e2402a7a7cf266264db4a
  SHA1: 0eb978826a27dcc6f00c0d06e46ed92f1dbb1db0
  SHA256: 4e20ad0864add58a2158d5213c89fa81a5eeae81d73f6c013f976d5b06ce89e3
  SHA512: 9b05c892390de9b9bc0951468cf5a3ba1a625bf4580bb9b8afcb8d77b5d5ad2e99e243370c89fc8ece7fd551fb2551957c0ac5cb0b475b31e2a378e000cd85d5

Memory dumps (WINWORD.EXE, PID 1900; 64KB each):
  memory/1900-37-0x00007FFFB6D30000-0x00007FFFB6D40000-memory.dmp
  memory/1900-38-0x00007FFFB6D30000-0x00007FFFB6D40000-memory.dmp
  memory/1900-41-0x00007FFFB6D30000-0x00007FFFB6D40000-memory.dmp
  memory/1900-39-0x00007FFFB6D30000-0x00007FFFB6D40000-memory.dmp
  memory/1900-40-0x00007FFFB6D30000-0x00007FFFB6D40000-memory.dmp
  memory/1900-42-0x00007FFFB4610000-0x00007FFFB4620000-memory.dmp
  memory/1900-43-0x00007FFFB4610000-0x00007FFFB4620000-memory.dmp
  memory/1900-126-0x00007FFFB6D30000-0x00007FFFB6D40000-memory.dmp
  memory/1900-125-0x00007FFFB6D30000-0x00007FFFB6D40000-memory.dmp
  memory/1900-124-0x00007FFFB6D30000-0x00007FFFB6D40000-memory.dmp
  memory/1900-123-0x00007FFFB6D30000-0x00007FFFB6D40000-memory.dmp

Memory dump (sample, PID 3620; this is the region the autoit_exe YARA rule matched):
  memory/3620-0-0x0000000000400000-0x0000000000496000-memory.dmp
  Filesize: 600KB