Analysis

max time kernel: 150s
max time network: 124s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/05/2024, 03:46

Static task: static1
Behavioral task: behavioral1
  Sample: 743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe
  Resource: win10v2004-20240508-en

The signatures, process tree and dropped files below come from the behavioral2 run (Windows 10 2004 x64); the yara hits reference behavioral2/ paths.

General

Target: 743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe
Size: 512KB
MD5: 743c9bcf0c971d3b1e49722f4a480db3
SHA1: 635b158b0e3d20cb8a245ab64f14fed4be12a799
SHA256: 18e9dd695e33d41907346fd83c01f1d35c75c23e5acc28c95d2fec9a8644a85d
SHA512: a6462e18435ee67acc20a5de5229f80760f2c79d6310a0b987a898b79dcd4d58ffed8c886f62ee86b44c3e3d53e1d910f2bd6918380eee94c53ef90b2736cef3
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6U:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5H
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
- Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" [hdinxmdohh.exe]

Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
- Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" [hdinxmdohh.exe]
Both values re-assert the Explorer defaults (extensions hidden, protected system files hidden), which keeps a dropped "name.DOC.exe" looking like "name.DOC" in Explorer.

Windows security bypass 5 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" [hdinxmdohh.exe]
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" [hdinxmdohh.exe]
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" [hdinxmdohh.exe]
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" [hdinxmdohh.exe]
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" [hdinxmdohh.exe]
These are the Windows XP-era Security Center notification and override flags, written by the 32-bit hdinxmdohh.exe into the WOW6432Node view. On Windows 10 they do not themselves disable Defender or the firewall; treat them as a tamper indicator, not as a loss of protection.

Disables RegEdit via registry modification 1 IoCs
- Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" [hdinxmdohh.exe]
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
- Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation [743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe]
Executes dropped EXE 5 IoCs
- PID 3492 hdinxmdohh.exe
- PID 2296 edyejqdoyfazrbz.exe
- PID 4800 wpwxnrmz.exe
- PID 4760 oyeyuelcfique.exe
- PID 2504 wpwxnrmz.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
(No individual IoCs were recorded for this signature.)

Windows security modification 6 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" [hdinxmdohh.exe]
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" [hdinxmdohh.exe]
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" [hdinxmdohh.exe]
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" [hdinxmdohh.exe]
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" [hdinxmdohh.exe]
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" [hdinxmdohh.exe]
The same five Security Center flags as under "Windows security bypass", plus FirstRunDisabled.

Adds Run key to start application 2 TTPs 3 IoCs
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xsrrmffs = "hdinxmdohh.exe" [edyejqdoyfazrbz.exe]
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\plkaqhny = "edyejqdoyfazrbz.exe" [edyejqdoyfazrbz.exe]
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "oyeyuelcfique.exe" [edyejqdoyfazrbz.exe] (empty value name, i.e. the Run key's default value)
The data are bare file names with no path; the files sit in C:\Windows\SysWOW64 (see "Drops file in System32 directory"). Because the writer is a 32-bit process the values land in the WOW6432Node view of HKLM\...\CurrentVersion\Run, which Windows still processes at logon but which autorun reviews that only read the 64-bit Run key will miss.
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only) by hdinxmdohh.exe, 21 events, one per drive letter: \??\a: \??\b: \??\e: \??\g: \??\h: \??\i: \??\k: \??\l: \??\m: \??\n: \??\o: \??\q: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z:
- File opened (read-only) by wpwxnrmz.exe, 43 events (both instances, PIDs 4800 and 2504, carry this signature in the process tree), covering every letter from \??\a: to \??\z: except c:, d: and f:, most of them opened more than once.
Probing A: through Z: in sequence, including floppy letters, is the drive-walk of a worm looking for removable and mapped drives to copy itself to.
Modifies WinLogon 2 TTPs 2 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" [hdinxmdohh.exe]
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" [hdinxmdohh.exe]
4294967197 is 0xFFFFFF9D, the value that disabled Windows File Protection on Windows 2000/XP. Windows 10 uses Windows Resource Protection and ignores this key, so the write has no effect on this host; it does mark the code as written for much older systems and is a clean tamper indicator.
AutoIT Executable 9 IoCs
AutoIT scripts compiled to PE executables.
yara rule autoit_exe matched:
- behavioral2/memory/432-0-0x0000000000400000-0x0000000000496000-memory.dmp (the running sample, PID 432)
- behavioral2/files/0x00080000000233df-5.dat
- behavioral2/files/0x00080000000233dc-18.dat
- behavioral2/files/0x00070000000233e3-26.dat
- behavioral2/files/0x00070000000233e4-31.dat
- behavioral2/files/0x00070000000233f2-68.dat
- behavioral2/files/0x00080000000233ce-66.dat
- behavioral2/files/0x00110000000233fb-93.dat
- behavioral2/files/0x00110000000233fb-352.dat
Drops file in System32 directory 12 IoCs
- File created C:\Windows\SysWOW64\hdinxmdohh.exe [743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe]
- File opened for modification C:\Windows\SysWOW64\hdinxmdohh.exe [743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe]
- File created C:\Windows\SysWOW64\edyejqdoyfazrbz.exe [743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe]
- File opened for modification C:\Windows\SysWOW64\edyejqdoyfazrbz.exe [743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe]
- File created C:\Windows\SysWOW64\wpwxnrmz.exe [743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe]
- File opened for modification C:\Windows\SysWOW64\wpwxnrmz.exe [743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe]
- File created C:\Windows\SysWOW64\oyeyuelcfique.exe [743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe]
- File opened for modification C:\Windows\SysWOW64\oyeyuelcfique.exe [743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe]
- File opened for modification C:\Windows\SysWOW64\msvbvm60.dll [hdinxmdohh.exe]
- File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe [wpwxnrmz.exe]
- File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe [wpwxnrmz.exe] (2 events)
The four randomly named executables are all written by the original sample; the process tree shows each of them then being launched. msvbvm60.dll is the Visual Basic 6 runtime; an AutoIT-compiled dropper opening it for write is worth a hash check of that DLL on an infected host.

Drops file in Program Files directory 14 IoCs
All by wpwxnrmz.exe, in C:\Program Files\Microsoft Office\root\Office16\1033\ (logged through both the C:\ and the \??\c:\ form of the path):
- File created PROTTPLV.DOC.exe, PROTTPLN.DOC.exe (1 event each)
- File opened for modification PROTTPLV.DOC.exe, PROTTPLN.DOC.exe (4 events each)
- File opened for modification PROTTPLV.nal, PROTTPLN.nal (2 events each)
PROTTPLV.DOC and PROTTPLN.DOC ship with Office in that folder. An executable carrying a document's name plus .exe, paired with a .nal file of the same stem, is the companion pattern of a file infector that moves the original document aside and puts an executable in its place; the report records the writes but not the rename itself.

Drops file in Windows directory 19 IoCs
- File opened for modification C:\Windows\mydoc.rtf [743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe]
- File opened for modification C:\Windows\mydoc.rtf [WINWORD.EXE]
- File created C:\Windows\~$mydoc.rtf [WINWORD.EXE] (Word's owner file for the open document)
- MsoIrmProtector.doc.exe written by wpwxnrmz.exe into all four ...-office-protectors WinSxS component directories (amd64 and wow64, versions 10.0.19041.1 and 10.0.19041.746), 2 "File created" and 2 "File opened for modification" events each:
  - \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe
  - \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe
  - \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe
  - \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe
The sample writes C:\Windows\mydoc.rtf and then opens it in Word (see the process tree), presumably as a decoy document. The MsoIrmProtector.doc.exe drops follow the same <name>.doc.exe naming as the Program Files entries.
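The three "Drops file" tables above share one pattern: an executable named <stem>.DOC.exe (or .doc.exe) appears beside a <stem>.nal of the same stem. The script below is an added example, not code from the report or from the sample, that hunts a directory tree for that pattern and for executables matching the SHA-256 values listed in this report. DOC_EXTS is an assumption about which document extensions are worth flagging, build_demo_tree() writes constructed test files (not the sandbox artefacts), and the report does not say which dropped file each Downloads hash belongs to, so the hash set is only a match list.

```python
"""Hunt a directory tree for the companion-file pattern this report shows
(<stem>.DOC.exe created next to a <stem>.nal of the same stem) and for
executables matching known-bad hashes.  Added example; not code from the
report.  build_demo_tree() writes constructed test files, not sandbox artefacts."""
import hashlib
import os
import shutil
import tempfile

# Assumption: document-type extensions worth flagging when followed by .exe
DOC_EXTS = {".doc", ".docx", ".rtf", ".xls", ".xlsx", ".pdf"}

# SHA-256 of the submitted sample plus the eight 512KB entries in the report's
# Downloads section (the report does not map those entries to file names).
KNOWN_BAD_SHA256 = {
    "18e9dd695e33d41907346fd83c01f1d35c75c23e5acc28c95d2fec9a8644a85d",
    "05dabc4cabcaaeeeca514c7a6fc2e0b63c3e5ea6bea3c703150f140e0743abe1",
    "f3f37cb6d9f5447ea4fff36d60ffe6d026a560045e1053dde12f21d1b0620746",
    "c5a8974870ec1ff4400065bf2be698bdbae0c14b24e7812d2a7c428d9750f801",
    "7ec236335674673a85828a6c7d891df46d536aab4536432a0293feb5d1141426",
    "0a06a1091ad11c91e388fa4f1260df734c8471b42a55232ba6ef5ec6c8a60e76",
    "c141ada6bba84bf83dc02346fba0a62069485d9cb785233fd105b2b98d31e191",
    "3b70aa2839d042bd337e82713c7aa34028deb1ef36bb21ae75ca4c1fbc359771",
    "4c27d1cfa8fb3dddcdb551f2f9711e7c57cba72b98cf32d085894862b0de85fd",
}

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def hunt(root, known_bad=KNOWN_BAD_SHA256):
    """Return sorted (kind, path) findings:
    companion_pair   - <stem>.<doc ext>.exe with a <stem>.nal sibling (the report's pattern)
    double_extension - <stem>.<doc ext>.exe with no .nal sibling
    known_bad_hash   - any .exe whose SHA-256 is in known_bad"""
    findings = []
    for dirpath, _, files in os.walk(root):
        lowered = {f.lower() for f in files}
        for f in files:
            stem, ext = os.path.splitext(f.lower())   # "prottplv.doc", ".exe"
            if ext != ".exe":
                continue                              # only executables are hashed/flagged
            path = os.path.join(dirpath, f)
            base, inner = os.path.splitext(stem)      # "prottplv", ".doc"
            if inner in DOC_EXTS:
                kind = "companion_pair" if base + ".nal" in lowered else "double_extension"
                findings.append((kind, path))
            if sha256_file(path) in known_bad:
                findings.append(("known_bad_hash", path))
    return sorted(findings)

def build_demo_tree():
    """Constructed sample tree mirroring the Office16/1033 layout in the report."""
    root = tempfile.mkdtemp(prefix="hunt_demo_")
    office = os.path.join(root, "Office16", "1033")
    os.makedirs(office)
    samples = {
        "PROTTPLV.DOC.exe": b"MZ" + b"\x00" * 62,   # fake PE stub standing in for the infector
        "PROTTPLV.nal": b"original template",        # the moved-aside document
        "Invoice.pdf.exe": b"MZ" + b"\x90" * 62,     # double extension, no .nal sibling
        "report.docx": b"PK\x03\x04",                # benign, must not be flagged
    }
    for name, data in samples.items():
        with open(os.path.join(office, name), "wb") as fh:
            fh.write(data)
    return root

def demo():
    """Run the hunt over the constructed tree; returns {kind: [file names]}.
    Invoice.pdf.exe's own hash is used as the known-bad entry so the hash path is exercised."""
    root = build_demo_tree()
    try:
        bait = sha256_file(os.path.join(root, "Office16", "1033", "Invoice.pdf.exe"))
        result = {}
        for kind, path in hunt(root, known_bad={bait}):
            result.setdefault(kind, []).append(os.path.basename(path))
        return result
    finally:
        shutil.rmtree(root)

if __name__ == "__main__":
    for kind, names in demo().items():
        print(kind, names)
```

On a real host run hunt() against the drive roots the sample enumerated, not just Program Files: the drive-walk under "Enumerates connected drives" means removable and mapped drives need the same sweep. A companion_pair hit is the stronger signal; a lone double_extension hit needs a look at the file before deletion.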
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 [WINWORD.EXE]
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz [WINWORD.EXE]
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString [WINWORD.EXE]

Enumerates system info in registry 2 TTPs 3 IoCs
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS [WINWORD.EXE]
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily [WINWORD.EXE]
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU [WINWORD.EXE]
Both signatures fire only on WINWORD.EXE (PID 1512), which the sample launched to open C:\Windows\mydoc.rtf, not on the sample or any dropped executable. These reads are attributable to Word itself, so treat the two hits as noise from the decoy document rather than as sandbox evasion by the malware.
Modifies registry class 20 IoCs
By 743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe (8):
- Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33322C7C9C2083516D3476DD70222CAA7D8664A8"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACFFAB0FE64F1E5837A3A40869F39E5B3FD028B43690233E2CC429B09A0"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB5B02A449038EA53BFB9D03298D4CC"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFEFC8E485C8218903DD75B7DE0BDEEE134593766466244D791"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E08668B6FF6622DAD27DD0A88A7F9010"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193FC67D1596DAC5B9BC7C95ED9037B9"
- Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings
CLV.Classes is not a Windows ProgID; the hex strings are state the sample stores for itself and make a precise host-based indicator (key name and value names, not the data, which may vary per host).

By hdinxmdohh.exe (12):
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat, .vbs, .reg, .wsh, .wsf, .wsc (6 keys)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile"
Pointing the default value of .bat, .vbs, .reg, .wsh, .wsf and .wsc at txtfile makes double-clicking any of those files open it in Notepad instead of running it: cleanup batch files, .reg fixes and WSH scripts are neutralised while the sample's own executables still run. Together with DisableRegistryTools = 1 this closes off the usual manual remediation path, so recovery has to restore these handlers first.
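The registry tables above (Explorer visibility, Security Center flags, DisableRegistryTools, Run keys, Winlogon SFC values and the script-handler hijack) all log the kernel-side path (\REGISTRY\MACHINE, \REGISTRY\USER\<SID>) rather than the HKLM/HKU notation that Sysmon, Sigma and .reg files use. The script below is an added example, not code from the report or from the sample: it parses rows copied from those tables, converts them to hive notation, and emits a Sigma registry_set rule plus a .reg undo file. The IOC_ROWS text is a constructed subset of the report's rows; STOCK_PROGIDS and RESTORE are assumptions about stock Windows 10 defaults and should be checked against a clean reference host before use.

```python
"""Normalise the registry IoCs in this report and turn them into a Sysmon
Sigma rule plus a .reg undo file.  Added example; not code from the report.
IOC_ROWS is a constructed subset copied from the report's "Set value" tables."""
import re

IOC_ROWS = r"""
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" hdinxmdohh.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" hdinxmdohh.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" hdinxmdohh.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" hdinxmdohh.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xsrrmffs = "hdinxmdohh.exe" edyejqdoyfazrbz.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "oyeyuelcfique.exe" edyejqdoyfazrbz.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" hdinxmdohh.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" hdinxmdohh.exe
"""

# description | NT path (ends in the value name, or in "\" for the key's default value) | data | writer
ROW_RE = re.compile(r'Set value \((int|str)\) (\\REGISTRY\\.+?) = "([^"]*)" (\S+)$')

HIVES = {"\\REGISTRY\\MACHINE\\": "HKLM\\", "\\REGISTRY\\USER\\": "HKU\\"}

def to_hive_path(nt_path):
    """Kernel object path as logged by the sandbox -> Win32 hive notation (HKU keeps the SID)."""
    for nt, win32 in HIVES.items():
        if nt_path.startswith(nt):
            return win32 + nt_path[len(nt):]
    raise ValueError("unexpected registry path: " + nt_path)

def classify(key):
    k = key.lower()
    if "\\currentversion\\run" in k:
        return "persistence"
    if "\\classes\\." in k:
        return "script_hijack"          # .bat/.vbs/... re-pointed at txtfile
    if "\\explorer\\advanced" in k:
        return "explorer_ui_tamper"
    return "defense_evasion"            # Policies\System, Security Center, Winlogon\SFC*

def parse_rows(text):
    iocs = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        kind, nt_path, data, proc = m.groups()
        key, _, name = nt_path.rpartition("\\")
        iocs.append({"type": kind, "key": to_hive_path(key), "name": name or "(Default)",
                     "data": data, "process": proc, "tactic": classify(key)})
    return iocs

def sigma_rule(iocs):
    """Sigma registry_set rule (Sysmon EID 13).  Suffixes start after SOFTWARE\\ and drop
    WOW6432Node so one endswith pattern matches the 32-bit and 64-bit views of a key."""
    suffixes = []
    for i in iocs:
        if i["tactic"] == "persistence":
            continue                    # Run value names and data are random per infection
        tail = (i["key"] + "\\" + i["name"]).split("\\SOFTWARE\\", 1)[1]
        if tail.startswith("WOW6432Node\\"):
            tail = tail[len("WOW6432Node\\"):]
        if "\\" + tail not in suffixes:
            suffixes.append("\\" + tail)
    out = ["title: Explorer, Security Center and script-handler tampering (from sandbox report)",
           "logsource:", "  category: registry_set", "  product: windows",
           "detection:", "  selection:", "    TargetObject|endswith:"]
    out += ["      - '%s'" % s for s in suffixes]
    out += ["  condition: selection", "level: high"]
    return "\n".join(out)

# Restore data.  Assumption: stock Windows 10 ProgIDs/defaults; verify on a clean reference host.
STOCK_PROGIDS = {".bat": "batfile", ".vbs": "VBSFile", ".reg": "regfile",
                 ".wsh": "WSHFile", ".wsf": "WSFFile", ".wsc": "scriptletfile"}
RESTORE = {"DisableRegistryTools": "dword:00000000",
           "HideFileExt": "dword:00000000",       # hardening choice; stock default is 1
           "ShowSuperHidden": "dword:00000001"}   # hardening choice; stock default is 0
HIVE_LONG = {"HKLM": "HKEY_LOCAL_MACHINE", "HKU": "HKEY_USERS"}

def reg_undo(iocs):
    """.reg file that deletes the autoruns and the Security Center / SFC overrides (absent on
    a clean host) and re-points hijacked extensions.  HKU\\<SID> sections only apply while that
    profile hive is loaded, i.e. with the user logged on."""
    out = ["Windows Registry Editor Version 5.00", ""]
    for i in iocs:
        hive, _, rest = i["key"].partition("\\")
        out.append("[%s\\%s]" % (HIVE_LONG[hive], rest))
        vname = "@" if i["name"] == "(Default)" else '"%s"' % i["name"]
        if i["tactic"] == "script_hijack":
            out.append('%s="%s"' % (vname, STOCK_PROGIDS[rest.rsplit("\\", 1)[1].lower()]))
        elif i["name"] in RESTORE:
            out.append("%s=%s" % (vname, RESTORE[i["name"]]))
        else:
            out.append("%s=-" % vname)  # "=-" deletes the value
        out.append("")
    return "\n".join(out)

if __name__ == "__main__":
    iocs = parse_rows(IOC_ROWS)
    print(sigma_rule(iocs))
    print(reg_undo(iocs))
```

The Run entries are deliberately left out of the Sigma rule: xsrrmffs, plkaqhny and the bare file names they point at are per-sample, so a durable detection keys on a 32-bit process writing a Run value whose data has no path, not on these names. The .reg output has to be imported before the user's script handlers are needed, and regedit itself is blocked until DisableRegistryTools is cleared, so apply it with reg.exe import or from a recovery context.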
Suspicious behavior: AddClipboardFormatListener 2 IoCs
- PID 1512 WINWORD.EXE (2 events)

Suspicious behavior: EnumeratesProcesses 64 IoCs
- PID 432 743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe (16 events)
- PID 3492 hdinxmdohh.exe (10 events)
- PID 4800 wpwxnrmz.exe (8 events)
- PID 2296 edyejqdoyfazrbz.exe (10 events)
- PID 4760 oyeyuelcfique.exe (12 events)
- PID 2504 wpwxnrmz.exe (8 events)

Suspicious use of FindShellTrayWindow 18 IoCs
- 3 events each for PID 432 (743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe), 3492 (hdinxmdohh.exe), 4800 (wpwxnrmz.exe), 2296 (edyejqdoyfazrbz.exe), 4760 (oyeyuelcfique.exe) and 2504 (wpwxnrmz.exe)

Suspicious use of SendNotifyMessage 18 IoCs
- 3 events each for the same six PIDs as FindShellTrayWindow

Suspicious use of SetWindowsHookEx 7 IoCs
- PID 1512 WINWORD.EXE (7 events)

Suspicious use of WriteProcessMemory 17 IoCs
writer PID, writer process -> target PID, target process (procid_target, the report's own process index, not a Windows PID), number of writes:
- 432 743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe -> 3492 hdinxmdohh.exe (procid_target 83), 3 writes
- 432 743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe -> 2296 edyejqdoyfazrbz.exe (procid_target 84), 3 writes
- 432 743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe -> 4800 wpwxnrmz.exe (procid_target 85), 3 writes
- 432 743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe -> 4760 oyeyuelcfique.exe (procid_target 86), 3 writes
- 432 743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe -> 1512 WINWORD.EXE (procid_target 87), 2 writes
- 3492 hdinxmdohh.exe -> 2504 wpwxnrmz.exe (procid_target 89), 3 writes
Every target is a process the writer itself launched (compare the process tree), so these writes are consistent with process creation rather than injection into existing processes. The parent-to-child edges, not the write counts, are the useful information here.
Processes

[1] C:\Users\Admin\AppData\Local\Temp\743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe (PID 432)
    Command line: "C:\Users\Admin\AppData\Local\Temp\743c9bcf0c971d3b1e49722f4a480db3_JaffaCakes118.exe"
    - Checks computer location settings
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\hdinxmdohh.exe (PID 3492)
        Command line: hdinxmdohh.exe
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - Windows security bypass
        - Disables RegEdit via registry modification
        - Executes dropped EXE
        - Windows security modification
        - Enumerates connected drives
        - Modifies WinLogon
        - Drops file in System32 directory
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\wpwxnrmz.exe (PID 2504)
            Command line: C:\Windows\system32\wpwxnrmz.exe
            (The command line names system32 but the image ran from SysWOW64: WOW64 file-system redirection, because the 32-bit hdinxmdohh.exe launched it.)
            - Executes dropped EXE
            - Enumerates connected drives
            - Drops file in System32 directory
            - Drops file in Program Files directory
            - Drops file in Windows directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage

    [2] C:\Windows\SysWOW64\edyejqdoyfazrbz.exe (PID 2296)
        Command line: edyejqdoyfazrbz.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage

    [2] C:\Windows\SysWOW64\wpwxnrmz.exe (PID 4800)
        Command line: wpwxnrmz.exe
        - Executes dropped EXE
        - Enumerates connected drives
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage

    [2] C:\Windows\SysWOW64\oyeyuelcfique.exe (PID 4760)
        Command line: oyeyuelcfique.exe
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage

    [2] C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 1512)
        Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
        - Drops file in Windows directory
        - Checks processor information in registry
        - Enumerates system info in registry
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious use of SetWindowsHookEx

The bracketed number is the depth in the tree. The original sample does the dropping; persistence is written by edyejqdoyfazrbz.exe, the registry tampering by hdinxmdohh.exe, and the file infection in Program Files and WinSxS by the two wpwxnrmz.exe instances.
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (T1547): 2
  - Registry Run Keys / Startup Folder (T1547.001): 1
  - Winlogon Helper DLL (T1547.004): 1
Privilege Escalation
- Boot or Logon Autostart Execution (T1547): 2
  - Registry Run Keys / Startup Folder (T1547.001): 1
  - Winlogon Helper DLL (T1547.004): 1
Defense Evasion
- Hide Artifacts (T1564): 2
  - Hidden Files and Directories (T1564.001): 2
- Impair Defenses (T1562): 2
  - Disable or Modify Tools (T1562.001): 2
- Modify Registry (T1112): 6
Downloads

Eight of these files are exactly 512KB, the size of the submitted sample, but carry different hashes; the report does not name the dropped file each unnamed entry corresponds to.

Filesize: 512KB
MD5: 2cf3f5dfa93ddd90d76f2252aaefaabc
SHA1: ab95df071c10ff07b93de169fa4231723990593e
SHA256: 05dabc4cabcaaeeeca514c7a6fc2e0b63c3e5ea6bea3c703150f140e0743abe1
SHA512: c8eeabf0d981bcdef2c7c9c17236c1d32819f5d6fe5f0bb1d781d1d381aef3c1c5bd788c6939cb7bc38e2ef7f8ce6f0641b01dbfdcabbf6de922f2b215f2c189

Filesize: 512KB
MD5: b9c44b16965738107c229aa2afd15170
SHA1: 94aeb79df853db6f401b5de7cbcfddbac94f6b6b
SHA256: f3f37cb6d9f5447ea4fff36d60ffe6d026a560045e1053dde12f21d1b0620746
SHA512: 5deea658ac4ade4b316f24032254b062f912ea3a078d05929be1f11ad6a5679b3d2b759b8fae6aa37a97d1e460346b66579128e70fa18b60f05d29e8a18f062c

Filesize: 245KB
MD5: f883b260a8d67082ea895c14bf56dd56
SHA1: 7954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256: ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512: d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Filesize: 239B
MD5: 0c59a5f4b604bdb95d678de25e7be485
SHA1: b2f63dc74e24096cfaec01add4039bb6b4221650
SHA256: 4f67992a112a96b5f8fee2357028d149d02be8c07cfff8b729fc33ad27ab5561
SHA512: 9e31d6948d8d5d1ad4b8ec7ee4910eebda596ca73fd23dd72401e400c661b993b04ce907aa796597773feb9ef6f598b0c852b091996ec03d6bf69b74d5054e4b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: 109c2954898c146ee9ad4856a911788c
SHA1: 4f1b688a96d0c8f6f618d9ee2b871e21bec79566
SHA256: 6b9b1b70773daf7b54c4feb37296d2110a093a2e862bfe5ed5791d45ff21b5a3
SHA512: e415daf01c307abf2ff40a716f0995310a18e1e2706ad976e1ab102fceca750d21e151dd7135f61d2fee7d5f5a7b5fa76bbf0453fd0e6ee1247bb58505dcd18c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms (second version of the same jump-list file)
Filesize: 3KB
MD5: 0247d2c925a4cc31f455ac388785d81d
SHA1: c9156e4965a564225511522606544ad426a5a549
SHA256: 76e04812db3090fad63fa2098a1666975fab65dfecff4d7d65ff0a045f601520
SHA512: 717f179fb0fc8a836c5ac5f94f56ceb4eeee9abb3932bf3367cd3d802104ffa82be5b2f45d84be683e1c0aacbcf1ffb71ec6bf29e1f81a3ba8e132978c0daf22

Filesize: 512KB
MD5: f732ecdc4740b33e583d8a6e3e6c0269
SHA1: 4583fed866330671db208f56a67f33f37637c1aa
SHA256: c5a8974870ec1ff4400065bf2be698bdbae0c14b24e7812d2a7c428d9750f801
SHA512: 8b460b6e517887d70102434475e7c07b47bb4cddc53c19709e3223502faad14571ad85924f0d604762c0a3b9da51fe4c4bf434e9284683ee16cb6176bddcb26a

Filesize: 512KB
MD5: 16ea97b23c34ff5bad828022f55750d6
SHA1: 044c07a6244540f2c35dc240bc7fa5ccc15b6e64
SHA256: 7ec236335674673a85828a6c7d891df46d536aab4536432a0293feb5d1141426
SHA512: 5286daa6e04ec807e5990f945450aeba28965e802eadc1829ddee734c158950a8cec5f01ea0d3f6277aad836e8367bf01488d8e49730104009cdae1a0f6cc5ab

Filesize: 512KB
MD5: 8be7fb46b8bfffbaefab32967cc01804
SHA1: bc78a365121866e0fbf1f2fe1d9a5d1d39164a29
SHA256: 0a06a1091ad11c91e388fa4f1260df734c8471b42a55232ba6ef5ec6c8a60e76
SHA512: 4058d949cb90345ec0de5a768286b4b0d33af02056e7fd613c50d0a2aeb21b198311dbc145944a0a1bbdf8d892013c4b14ce777c499310e7679111689b3761fc

Filesize: 512KB
MD5: c0c87106d453bb129a9fc343e28c5fe8
SHA1: 811fefb5b8f2b5d3dd796188f57c2fa7ab5c4491
SHA256: c141ada6bba84bf83dc02346fba0a62069485d9cb785233fd105b2b98d31e191
SHA512: be5fb13fbefcf242dfe820b7a4f6921d92c36be875ece68aff502b3d735b819c3afbeef285584dab6b7de6b41b10dacdbfbc9765dfb75015883602844c1328ab

Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Filesize: 512KB
MD5: ad726d742c1f4fcf7cb5c7e83c255ba3
SHA1: 4ba5031dc33b09a13b3792d9b044622d2752ef36
SHA256: 3b70aa2839d042bd337e82713c7aa34028deb1ef36bb21ae75ca4c1fbc359771
SHA512: cfecf0d8986b2c15355463c3fae256cc0c363b9ed57dc04d2881f9e3d0c07d9ffcbc40af173c488157e7d607cd5d0f08891402bdc4b3c5afec44a1e3a23c7c93

Filesize: 512KB
MD5: 0b327ae2eb98c75cd01fb6b00700511e
SHA1: 55ee7866cdd3ddebc745ce8a9fb294c6b6111004
SHA256: 4c27d1cfa8fb3dddcdb551f2f9711e7c57cba72b98cf32d085894862b0de85fd
SHA512: e2e2df645a6ee5bc02a939c2a9bda349e0b91127091347c5050dfa203fe48a65b76d59afc806d97a55ce0e65317a36e9974afb7acfb92e5dc027389ff2b3cad2