Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/05/2024, 03:20
Static task: static1
Behavioral task: behavioral1
  Sample: 742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe
  Resource: win10v2004-20240426-en
General
Target: 742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe
Size: 512KB
MD5: 742d588d22ea42abbd53193a222b8dd0
SHA1: 9b815abbb75384a2852cf5190a6138eec7db53f8
SHA256: 3da141fdf33f54ef540f20ee3597c0381ec572f0e61140e5441244b124a0422c
SHA512: 6a48ba800860512c2d906fae4ee9fd801508c1ba2a9934e8dab8e44babb8ea217c9d922260c905e8375de103aebb1e2ec98c946ad3eb28bf9a25e796132a2556
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6G:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5n
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | abfuynxees.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | abfuynxees.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | abfuynxees.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | abfuynxees.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | abfuynxees.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | abfuynxees.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | abfuynxees.exe
Disables RegEdit via registry modification (1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | abfuynxees.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation | 742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe
Executes dropped EXE (5 IoCs)
pid | Process
3816 | abfuynxees.exe
3388 | zlhfrvicyamkfcf.exe
464 | yjkgyvkn.exe
3616 | rfwsouyjkgevd.exe
4476 | yjkgyvkn.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | abfuynxees.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | abfuynxees.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | abfuynxees.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | abfuynxees.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | abfuynxees.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | abfuynxees.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qqwywsje = "zlhfrvicyamkfcf.exe" | zlhfrvicyamkfcf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "rfwsouyjkgevd.exe" | zlhfrvicyamkfcf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ksfklsyp = "abfuynxees.exe" | zlhfrvicyamkfcf.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\z: | yjkgyvkn.exe
File opened (read-only) | \??\i: | yjkgyvkn.exe
File opened (read-only) | \??\y: | yjkgyvkn.exe
File opened (read-only) | \??\s: | abfuynxees.exe
File opened (read-only) | \??\s: | yjkgyvkn.exe
File opened (read-only) | \??\j: | yjkgyvkn.exe
File opened (read-only) | \??\z: | yjkgyvkn.exe
File opened (read-only) | \??\e: | abfuynxees.exe
File opened (read-only) | \??\a: | yjkgyvkn.exe
File opened (read-only) | \??\r: | abfuynxees.exe
File opened (read-only) | \??\y: | yjkgyvkn.exe
File opened (read-only) | \??\g: | yjkgyvkn.exe
File opened (read-only) | \??\n: | abfuynxees.exe
File opened (read-only) | \??\z: | abfuynxees.exe
File opened (read-only) | \??\g: | yjkgyvkn.exe
File opened (read-only) | \??\p: | abfuynxees.exe
File opened (read-only) | \??\q: | abfuynxees.exe
File opened (read-only) | \??\t: | abfuynxees.exe
File opened (read-only) | \??\j: | yjkgyvkn.exe
File opened (read-only) | \??\q: | yjkgyvkn.exe
File opened (read-only) | \??\l: | yjkgyvkn.exe
File opened (read-only) | \??\w: | yjkgyvkn.exe
File opened (read-only) | \??\g: | abfuynxees.exe
File opened (read-only) | \??\u: | abfuynxees.exe
File opened (read-only) | \??\j: | abfuynxees.exe
File opened (read-only) | \??\l: | yjkgyvkn.exe
File opened (read-only) | \??\t: | yjkgyvkn.exe
File opened (read-only) | \??\k: | abfuynxees.exe
File opened (read-only) | \??\r: | yjkgyvkn.exe
File opened (read-only) | \??\x: | abfuynxees.exe
File opened (read-only) | \??\e: | yjkgyvkn.exe
File opened (read-only) | \??\o: | yjkgyvkn.exe
File opened (read-only) | \??\r: | yjkgyvkn.exe
File opened (read-only) | \??\a: | abfuynxees.exe
File opened (read-only) | \??\w: | abfuynxees.exe
File opened (read-only) | \??\v: | yjkgyvkn.exe
File opened (read-only) | \??\e: | yjkgyvkn.exe
File opened (read-only) | \??\q: | yjkgyvkn.exe
File opened (read-only) | \??\i: | abfuynxees.exe
File opened (read-only) | \??\n: | yjkgyvkn.exe
File opened (read-only) | \??\o: | abfuynxees.exe
File opened (read-only) | \??\v: | abfuynxees.exe
File opened (read-only) | \??\t: | yjkgyvkn.exe
File opened (read-only) | \??\u: | yjkgyvkn.exe
File opened (read-only) | \??\h: | yjkgyvkn.exe
File opened (read-only) | \??\k: | yjkgyvkn.exe
File opened (read-only) | \??\n: | yjkgyvkn.exe
File opened (read-only) | \??\s: | yjkgyvkn.exe
File opened (read-only) | \??\a: | yjkgyvkn.exe
File opened (read-only) | \??\h: | abfuynxees.exe
File opened (read-only) | \??\l: | abfuynxees.exe
File opened (read-only) | \??\y: | abfuynxees.exe
File opened (read-only) | \??\i: | yjkgyvkn.exe
File opened (read-only) | \??\b: | yjkgyvkn.exe
File opened (read-only) | \??\m: | yjkgyvkn.exe
File opened (read-only) | \??\p: | yjkgyvkn.exe
File opened (read-only) | \??\x: | yjkgyvkn.exe
File opened (read-only) | \??\k: | yjkgyvkn.exe
File opened (read-only) | \??\m: | yjkgyvkn.exe
File opened (read-only) | \??\v: | yjkgyvkn.exe
File opened (read-only) | \??\x: | yjkgyvkn.exe
File opened (read-only) | \??\m: | abfuynxees.exe
File opened (read-only) | \??\b: | yjkgyvkn.exe
File opened (read-only) | \??\p: | yjkgyvkn.exe
Modifies WinLogon (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | abfuynxees.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | abfuynxees.exe
AutoIT Executable (10 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/3684-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x0007000000023409-5.dat | autoit_exe
behavioral2/files/0x0006000000022f1f-18.dat | autoit_exe
behavioral2/files/0x000700000002340a-26.dat | autoit_exe
behavioral2/files/0x000700000002340b-31.dat | autoit_exe
behavioral2/files/0x0007000000023416-72.dat | autoit_exe
behavioral2/files/0x00090000000233c0-75.dat | autoit_exe
behavioral2/files/0x0007000000023418-77.dat | autoit_exe
behavioral2/files/0x0008000000022949-580.dat | autoit_exe
behavioral2/files/0x0008000000022949-585.dat | autoit_exe
Drops file in System32 directory (13 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\zlhfrvicyamkfcf.exe | 742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\zlhfrvicyamkfcf.exe | 742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\yjkgyvkn.exe | 742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | abfuynxees.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | yjkgyvkn.exe
File created | C:\Windows\SysWOW64\abfuynxees.exe | 742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\rfwsouyjkgevd.exe | 742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\rfwsouyjkgevd.exe | 742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | yjkgyvkn.exe
File opened for modification | C:\Windows\SysWOW64\abfuynxees.exe | 742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\yjkgyvkn.exe | 742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | yjkgyvkn.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | yjkgyvkn.exe
Drops file in Program Files directory (15 IoCs)
description | ioc | Process
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | yjkgyvkn.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | yjkgyvkn.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | yjkgyvkn.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | yjkgyvkn.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | yjkgyvkn.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | yjkgyvkn.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | yjkgyvkn.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | yjkgyvkn.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | yjkgyvkn.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | yjkgyvkn.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | yjkgyvkn.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | yjkgyvkn.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | yjkgyvkn.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | yjkgyvkn.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | yjkgyvkn.exe
Drops file in Windows directory (19 IoCs)
description | ioc | Process
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | yjkgyvkn.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | yjkgyvkn.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | yjkgyvkn.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | yjkgyvkn.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | yjkgyvkn.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | yjkgyvkn.exe
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | yjkgyvkn.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | yjkgyvkn.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | yjkgyvkn.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | yjkgyvkn.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | yjkgyvkn.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | yjkgyvkn.exe
File opened for modification | C:\Windows\mydoc.rtf | 742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | yjkgyvkn.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | yjkgyvkn.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | yjkgyvkn.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | yjkgyvkn.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class (20 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BBFFAB8F965F1E4840B3A4786EB3992B3FD028A43650332E1C8429C08D3" | 742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | abfuynxees.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | abfuynxees.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | abfuynxees.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | abfuynxees.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | abfuynxees.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E78368B6FE1D21AAD27CD1D48B09906A" | 742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings | 742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | abfuynxees.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | abfuynxees.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | abfuynxees.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | abfuynxees.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | abfuynxees.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | abfuynxees.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | abfuynxees.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33422C7A9C5682236D3576A5772E2CDB7DF465DA" | 742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EC2B12047E5399E52BEB9D4329ED7C8" | 742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F88FFF84F2782129137D65B7E9CBDE7E146594067426241D790" | 742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1938C70914E5DBB2B9BA7FE7ED9434CC" | 742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid | Process
1992 | WINWORD.EXE
1992 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
3684 | 742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe
3684 | 742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe
3684 | 742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe
3684 | 742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe
3684 | 742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe
3684 | 742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe
3684 | 742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe
3684 | 742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe
3684 | 742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe
3684 | 742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe
3684 | 742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe
3684 | 742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe
3684 | 742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe
3684 | 742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe
3684 | 742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe
3684 | 742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe
3816 | abfuynxees.exe
3816 | abfuynxees.exe
3816 | abfuynxees.exe
3816 | abfuynxees.exe
3816 | abfuynxees.exe
3816 | abfuynxees.exe
3816 | abfuynxees.exe
3816 | abfuynxees.exe
3816 | abfuynxees.exe
3816 | abfuynxees.exe
464 | yjkgyvkn.exe
464 | yjkgyvkn.exe
464 | yjkgyvkn.exe
464 | yjkgyvkn.exe
464 | yjkgyvkn.exe
464 | yjkgyvkn.exe
464 | yjkgyvkn.exe
464 | yjkgyvkn.exe
3388 | zlhfrvicyamkfcf.exe
3388 | zlhfrvicyamkfcf.exe
3388 | zlhfrvicyamkfcf.exe
3388 | zlhfrvicyamkfcf.exe
3388 | zlhfrvicyamkfcf.exe
3388 | zlhfrvicyamkfcf.exe
3388 | zlhfrvicyamkfcf.exe
3388 | zlhfrvicyamkfcf.exe
3616 | rfwsouyjkgevd.exe
3616 | rfwsouyjkgevd.exe
3616 | rfwsouyjkgevd.exe
3616 | rfwsouyjkgevd.exe
3616 | rfwsouyjkgevd.exe
3616 | rfwsouyjkgevd.exe
3616 | rfwsouyjkgevd.exe
3616 | rfwsouyjkgevd.exe
3616 | rfwsouyjkgevd.exe
3616 | rfwsouyjkgevd.exe
3616 | rfwsouyjkgevd.exe
3616 | rfwsouyjkgevd.exe
3388 | zlhfrvicyamkfcf.exe
3388 | zlhfrvicyamkfcf.exe
4476 | yjkgyvkn.exe
4476 | yjkgyvkn.exe
4476 | yjkgyvkn.exe
4476 | yjkgyvkn.exe
4476 | yjkgyvkn.exe
4476 | yjkgyvkn.exe
4476 | yjkgyvkn.exe
4476 | yjkgyvkn.exe
Suspicious use of FindShellTrayWindow (18 IoCs)
pid | Process
3684 | 742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe
3684 | 742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe
3684 | 742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe
3816 | abfuynxees.exe
3816 | abfuynxees.exe
3816 | abfuynxees.exe
464 | yjkgyvkn.exe
464 | yjkgyvkn.exe
464 | yjkgyvkn.exe
3616 | rfwsouyjkgevd.exe
3388 | zlhfrvicyamkfcf.exe
3616 | rfwsouyjkgevd.exe
3388 | zlhfrvicyamkfcf.exe
3616 | rfwsouyjkgevd.exe
3388 | zlhfrvicyamkfcf.exe
4476 | yjkgyvkn.exe
4476 | yjkgyvkn.exe
4476 | yjkgyvkn.exe
Suspicious use of SendNotifyMessage (18 IoCs)
pid | Process
3684 | 742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe
3684 | 742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe
3684 | 742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe
3816 | abfuynxees.exe
3816 | abfuynxees.exe
3816 | abfuynxees.exe
464 | yjkgyvkn.exe
464 | yjkgyvkn.exe
464 | yjkgyvkn.exe
3616 | rfwsouyjkgevd.exe
3388 | zlhfrvicyamkfcf.exe
3616 | rfwsouyjkgevd.exe
3388 | zlhfrvicyamkfcf.exe
3616 | rfwsouyjkgevd.exe
3388 | zlhfrvicyamkfcf.exe
4476 | yjkgyvkn.exe
4476 | yjkgyvkn.exe
4476 | yjkgyvkn.exe
Suspicious use of SetWindowsHookEx (7 IoCs)
pid | Process
1992 | WINWORD.EXE
1992 | WINWORD.EXE
1992 | WINWORD.EXE
1992 | WINWORD.EXE
1992 | WINWORD.EXE
1992 | WINWORD.EXE
1992 | WINWORD.EXE
Suspicious use of WriteProcessMemory (17 IoCs)
description | pid | Process | procid_target
PID 3684 wrote to memory of 3816 | 3684 | 742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe | 84
PID 3684 wrote to memory of 3816 | 3684 | 742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe | 84
PID 3684 wrote to memory of 3816 | 3684 | 742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe | 84
PID 3684 wrote to memory of 3388 | 3684 | 742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe | 85
PID 3684 wrote to memory of 3388 | 3684 | 742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe | 85
PID 3684 wrote to memory of 3388 | 3684 | 742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe | 85
PID 3684 wrote to memory of 464 | 3684 | 742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe | 86
PID 3684 wrote to memory of 464 | 3684 | 742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe | 86
PID 3684 wrote to memory of 464 | 3684 | 742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe | 86
PID 3684 wrote to memory of 3616 | 3684 | 742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe | 87
PID 3684 wrote to memory of 3616 | 3684 | 742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe | 87
PID 3684 wrote to memory of 3616 | 3684 | 742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe | 87
PID 3684 wrote to memory of 1992 | 3684 | 742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe | 88
PID 3684 wrote to memory of 1992 | 3684 | 742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe | 88
PID 3816 wrote to memory of 4476 | 3816 | abfuynxees.exe | 91
PID 3816 wrote to memory of 4476 | 3816 | abfuynxees.exe | 91
PID 3816 wrote to memory of 4476 | 3816 | abfuynxees.exe | 91
Processes
Image: C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\742d588d22ea42abbd53193a222b8dd0_JaffaCakes118.exe"
PID: 3684
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

  Image: C:\Windows\SysWOW64\abfuynxees.exe (depth 2)
  Command line: abfuynxees.exe
  PID: 3816
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    Image: C:\Windows\SysWOW64\yjkgyvkn.exe (depth 3)
    Command line: C:\Windows\system32\yjkgyvkn.exe
    PID: 4476
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  Image: C:\Windows\SysWOW64\zlhfrvicyamkfcf.exe (depth 2)
  Command line: zlhfrvicyamkfcf.exe
  PID: 3388
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  Image: C:\Windows\SysWOW64\yjkgyvkn.exe (depth 2)
  Command line: yjkgyvkn.exe
  PID: 464
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  Image: C:\Windows\SysWOW64\rfwsouyjkgevd.exe (depth 2)
  Command line: rfwsouyjkgevd.exe
  PID: 3616
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  Image: C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (depth 2)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
  PID: 1992
  - Drops file in Windows directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (6)
Downloads