Analysis
max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags
arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted
26/05/2024, 03:52
Static task
static1
Behavioral task
behavioral1
Sample
743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
-
Target
743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe
-
Size
512KB
-
MD5
743eff7ff42d1cf8bb783735577868a7
-
SHA1
1d2f37382b24080b3af19e0a0b7decb0b04dbdab
-
SHA256
06507fdc6deba0ca9301fbe30ce8d9c450215a1cac9e4f0817e1fdc47000be06
-
SHA512
a454da802db3e3145b9bfcd9f9858d653ffb2d6c91e3f809b28aaae1793a009e3928ac48b606e81d978ff613c3b7010aea66d15a036ae303fe01d9fff6e3e85b
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj67:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5s
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | yykvwtqmpm.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | yykvwtqmpm.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | yykvwtqmpm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | yykvwtqmpm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | yykvwtqmpm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | yykvwtqmpm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | yykvwtqmpm.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | yykvwtqmpm.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe
Executes dropped EXE 5 IoCs
pid | Process
3112 | yykvwtqmpm.exe
3508 | ldugrbbpleokuvb.exe
3948 | jqgqpltb.exe
2124 | bmpcqrdsbrrff.exe
512 | jqgqpltb.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | yykvwtqmpm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | yykvwtqmpm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | yykvwtqmpm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | yykvwtqmpm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | yykvwtqmpm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | yykvwtqmpm.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\fvpigpjr = "yykvwtqmpm.exe" | ldugrbbpleokuvb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tjmnnmvz = "ldugrbbpleokuvb.exe" | ldugrbbpleokuvb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "bmpcqrdsbrrff.exe" | ldugrbbpleokuvb.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\v: | jqgqpltb.exe
File opened (read-only) | \??\w: | jqgqpltb.exe
File opened (read-only) | \??\n: | yykvwtqmpm.exe
File opened (read-only) | \??\i: | jqgqpltb.exe
File opened (read-only) | \??\q: | jqgqpltb.exe
File opened (read-only) | \??\s: | jqgqpltb.exe
File opened (read-only) | \??\y: | jqgqpltb.exe
File opened (read-only) | \??\n: | jqgqpltb.exe
File opened (read-only) | \??\v: | jqgqpltb.exe
File opened (read-only) | \??\a: | jqgqpltb.exe
File opened (read-only) | \??\g: | jqgqpltb.exe
File opened (read-only) | \??\h: | jqgqpltb.exe
File opened (read-only) | \??\u: | jqgqpltb.exe
File opened (read-only) | \??\n: | jqgqpltb.exe
File opened (read-only) | \??\j: | yykvwtqmpm.exe
File opened (read-only) | \??\e: | jqgqpltb.exe
File opened (read-only) | \??\l: | jqgqpltb.exe
File opened (read-only) | \??\g: | yykvwtqmpm.exe
File opened (read-only) | \??\w: | yykvwtqmpm.exe
File opened (read-only) | \??\p: | jqgqpltb.exe
File opened (read-only) | \??\w: | jqgqpltb.exe
File opened (read-only) | \??\r: | yykvwtqmpm.exe
File opened (read-only) | \??\h: | jqgqpltb.exe
File opened (read-only) | \??\h: | yykvwtqmpm.exe
File opened (read-only) | \??\b: | jqgqpltb.exe
File opened (read-only) | \??\o: | jqgqpltb.exe
File opened (read-only) | \??\q: | yykvwtqmpm.exe
File opened (read-only) | \??\y: | yykvwtqmpm.exe
File opened (read-only) | \??\z: | yykvwtqmpm.exe
File opened (read-only) | \??\p: | yykvwtqmpm.exe
File opened (read-only) | \??\v: | yykvwtqmpm.exe
File opened (read-only) | \??\m: | jqgqpltb.exe
File opened (read-only) | \??\z: | jqgqpltb.exe
File opened (read-only) | \??\j: | jqgqpltb.exe
File opened (read-only) | \??\l: | jqgqpltb.exe
File opened (read-only) | \??\m: | jqgqpltb.exe
File opened (read-only) | \??\q: | jqgqpltb.exe
File opened (read-only) | \??\r: | jqgqpltb.exe
File opened (read-only) | \??\x: | jqgqpltb.exe
File opened (read-only) | \??\z: | jqgqpltb.exe
File opened (read-only) | \??\t: | jqgqpltb.exe
File opened (read-only) | \??\o: | jqgqpltb.exe
File opened (read-only) | \??\r: | jqgqpltb.exe
File opened (read-only) | \??\i: | jqgqpltb.exe
File opened (read-only) | \??\o: | yykvwtqmpm.exe
File opened (read-only) | \??\s: | yykvwtqmpm.exe
File opened (read-only) | \??\x: | yykvwtqmpm.exe
File opened (read-only) | \??\m: | yykvwtqmpm.exe
File opened (read-only) | \??\j: | jqgqpltb.exe
File opened (read-only) | \??\p: | jqgqpltb.exe
File opened (read-only) | \??\u: | jqgqpltb.exe
File opened (read-only) | \??\t: | jqgqpltb.exe
File opened (read-only) | \??\i: | yykvwtqmpm.exe
File opened (read-only) | \??\k: | yykvwtqmpm.exe
File opened (read-only) | \??\l: | yykvwtqmpm.exe
File opened (read-only) | \??\b: | yykvwtqmpm.exe
File opened (read-only) | \??\b: | jqgqpltb.exe
File opened (read-only) | \??\k: | jqgqpltb.exe
File opened (read-only) | \??\g: | jqgqpltb.exe
File opened (read-only) | \??\k: | jqgqpltb.exe
File opened (read-only) | \??\e: | jqgqpltb.exe
File opened (read-only) | \??\a: | yykvwtqmpm.exe
File opened (read-only) | \??\a: | jqgqpltb.exe
File opened (read-only) | \??\x: | jqgqpltb.exe
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | yykvwtqmpm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | yykvwtqmpm.exe
AutoIT Executable 9 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/4364-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x00070000000233bf-10.dat | autoit_exe
behavioral2/files/0x0006000000023276-18.dat | autoit_exe
behavioral2/files/0x00080000000233bb-23.dat | autoit_exe
behavioral2/files/0x00070000000233c0-31.dat | autoit_exe
behavioral2/files/0x00070000000233ce-66.dat | autoit_exe
behavioral2/files/0x00070000000233cf-69.dat | autoit_exe
behavioral2/files/0x001c0000000233fa-558.dat | autoit_exe
behavioral2/files/0x001c0000000233fa-569.dat | autoit_exe
Drops file in System32 directory 12 IoCs
description | ioc | Process
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | jqgqpltb.exe
File created | C:\Windows\SysWOW64\yykvwtqmpm.exe | 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\jqgqpltb.exe | 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\bmpcqrdsbrrff.exe | 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | yykvwtqmpm.exe
File opened for modification | C:\Windows\SysWOW64\bmpcqrdsbrrff.exe | 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | jqgqpltb.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | jqgqpltb.exe
File opened for modification | C:\Windows\SysWOW64\yykvwtqmpm.exe | 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\ldugrbbpleokuvb.exe | 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\ldugrbbpleokuvb.exe | 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\jqgqpltb.exe | 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe
Drops file in Program Files directory 15 IoCs
description | ioc | Process
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | jqgqpltb.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | jqgqpltb.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | jqgqpltb.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | jqgqpltb.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | jqgqpltb.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | jqgqpltb.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | jqgqpltb.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | jqgqpltb.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | jqgqpltb.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | jqgqpltb.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | jqgqpltb.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | jqgqpltb.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | jqgqpltb.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | jqgqpltb.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | jqgqpltb.exe
Drops file in Windows directory 19 IoCs
description | ioc | Process
File opened for modification | C:\Windows\mydoc.rtf | 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | jqgqpltb.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | jqgqpltb.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | jqgqpltb.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | jqgqpltb.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | jqgqpltb.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | jqgqpltb.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | jqgqpltb.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | jqgqpltb.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | jqgqpltb.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | jqgqpltb.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | jqgqpltb.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | jqgqpltb.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | jqgqpltb.exe
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | jqgqpltb.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | jqgqpltb.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | jqgqpltb.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Modifies registry class 20 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC1B02B479038E352CEBAA533EAD7C4" | 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | yykvwtqmpm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | yykvwtqmpm.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32352D089C2282596D4477D477272CAC7C8E64AF" | 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F768B3FF1F21D1D20ED1D58A089013" | 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | yykvwtqmpm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | yykvwtqmpm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | yykvwtqmpm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | yykvwtqmpm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1944C67B1594DAB5B8CA7CE9ECE337BC" | 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings | 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | yykvwtqmpm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | yykvwtqmpm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AB9FAB0FE13F1E7840B3B4386993E91B0FA02F143670332E2CB45E608A8" | 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E88FF8A4F5B85129040D65A7D91BCEEE130584566456341D7E9" | 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | yykvwtqmpm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | yykvwtqmpm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | yykvwtqmpm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | yykvwtqmpm.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
4128 | WINWORD.EXE
4128 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
4364 | 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe
4364 | 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe
4364 | 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe
4364 | 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe
4364 | 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe
4364 | 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe
4364 | 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe
4364 | 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe
4364 | 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe
4364 | 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe
4364 | 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe
4364 | 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe
4364 | 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe
4364 | 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe
4364 | 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe
4364 | 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe
3112 | yykvwtqmpm.exe
3112 | yykvwtqmpm.exe
3112 | yykvwtqmpm.exe
3112 | yykvwtqmpm.exe
3112 | yykvwtqmpm.exe
3112 | yykvwtqmpm.exe
3112 | yykvwtqmpm.exe
3112 | yykvwtqmpm.exe
3112 | yykvwtqmpm.exe
3112 | yykvwtqmpm.exe
3948 | jqgqpltb.exe
3948 | jqgqpltb.exe
3948 | jqgqpltb.exe
3948 | jqgqpltb.exe
3948 | jqgqpltb.exe
3948 | jqgqpltb.exe
3948 | jqgqpltb.exe
3948 | jqgqpltb.exe
2124 | bmpcqrdsbrrff.exe
2124 | bmpcqrdsbrrff.exe
2124 | bmpcqrdsbrrff.exe
2124 | bmpcqrdsbrrff.exe
2124 | bmpcqrdsbrrff.exe
2124 | bmpcqrdsbrrff.exe
2124 | bmpcqrdsbrrff.exe
2124 | bmpcqrdsbrrff.exe
2124 | bmpcqrdsbrrff.exe
2124 | bmpcqrdsbrrff.exe
2124 | bmpcqrdsbrrff.exe
2124 | bmpcqrdsbrrff.exe
3508 | ldugrbbpleokuvb.exe
3508 | ldugrbbpleokuvb.exe
3508 | ldugrbbpleokuvb.exe
3508 | ldugrbbpleokuvb.exe
3508 | ldugrbbpleokuvb.exe
3508 | ldugrbbpleokuvb.exe
3508 | ldugrbbpleokuvb.exe
3508 | ldugrbbpleokuvb.exe
3508 | ldugrbbpleokuvb.exe
3508 | ldugrbbpleokuvb.exe
512 | jqgqpltb.exe
512 | jqgqpltb.exe
512 | jqgqpltb.exe
512 | jqgqpltb.exe
512 | jqgqpltb.exe
512 | jqgqpltb.exe
512 | jqgqpltb.exe
512 | jqgqpltb.exe
Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process
4364 | 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe
4364 | 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe
4364 | 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe
3112 | yykvwtqmpm.exe
3112 | yykvwtqmpm.exe
3112 | yykvwtqmpm.exe
3508 | ldugrbbpleokuvb.exe
3948 | jqgqpltb.exe
3508 | ldugrbbpleokuvb.exe
3948 | jqgqpltb.exe
3508 | ldugrbbpleokuvb.exe
3948 | jqgqpltb.exe
2124 | bmpcqrdsbrrff.exe
2124 | bmpcqrdsbrrff.exe
2124 | bmpcqrdsbrrff.exe
512 | jqgqpltb.exe
512 | jqgqpltb.exe
512 | jqgqpltb.exe
Suspicious use of SendNotifyMessage 18 IoCs
pid | Process
4364 | 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe
4364 | 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe
4364 | 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe
3112 | yykvwtqmpm.exe
3112 | yykvwtqmpm.exe
3112 | yykvwtqmpm.exe
3508 | ldugrbbpleokuvb.exe
3948 | jqgqpltb.exe
3508 | ldugrbbpleokuvb.exe
3948 | jqgqpltb.exe
3508 | ldugrbbpleokuvb.exe
3948 | jqgqpltb.exe
2124 | bmpcqrdsbrrff.exe
2124 | bmpcqrdsbrrff.exe
2124 | bmpcqrdsbrrff.exe
512 | jqgqpltb.exe
512 | jqgqpltb.exe
512 | jqgqpltb.exe
Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process
4128 | WINWORD.EXE
4128 | WINWORD.EXE
4128 | WINWORD.EXE
4128 | WINWORD.EXE
4128 | WINWORD.EXE
4128 | WINWORD.EXE
4128 | WINWORD.EXE
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 4364 wrote to memory of 3112 | 4364 | 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe | 82
PID 4364 wrote to memory of 3112 | 4364 | 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe | 82
PID 4364 wrote to memory of 3112 | 4364 | 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe | 82
PID 4364 wrote to memory of 3508 | 4364 | 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe | 83
PID 4364 wrote to memory of 3508 | 4364 | 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe | 83
PID 4364 wrote to memory of 3508 | 4364 | 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe | 83
PID 4364 wrote to memory of 3948 | 4364 | 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe | 84
PID 4364 wrote to memory of 3948 | 4364 | 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe | 84
PID 4364 wrote to memory of 3948 | 4364 | 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe | 84
PID 4364 wrote to memory of 2124 | 4364 | 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe | 85
PID 4364 wrote to memory of 2124 | 4364 | 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe | 85
PID 4364 wrote to memory of 2124 | 4364 | 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe | 85
PID 4364 wrote to memory of 4128 | 4364 | 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe | 86
PID 4364 wrote to memory of 4128 | 4364 | 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe | 86
PID 3112 wrote to memory of 512 | 3112 | yykvwtqmpm.exe | 88
PID 3112 wrote to memory of 512 | 3112 | yykvwtqmpm.exe | 88
PID 3112 wrote to memory of 512 | 3112 | yykvwtqmpm.exe | 88
Processes
C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe"
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4364
  C:\Windows\SysWOW64\yykvwtqmpm.exe
  yykvwtqmpm.exe
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3112
    C:\Windows\SysWOW64\jqgqpltb.exe
    C:\Windows\system32\jqgqpltb.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:512
  C:\Windows\SysWOW64\ldugrbbpleokuvb.exe
  ldugrbbpleokuvb.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3508
  C:\Windows\SysWOW64\jqgqpltb.exe
  jqgqpltb.exe
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3948
  C:\Windows\SysWOW64\bmpcqrdsbrrff.exe
  bmpcqrdsbrrff.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2124
  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
  - Drops file in Windows directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:4128
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads
-
Filesize
512KB
MD5
10969d7354fce7263db313bcf54b4ad0
SHA1
d47587ab6a32d8a31ab8c25609ce33cf750daaa3
SHA256
a747bb5f5badf7b6292f59cb902d9ca36ef2ae63cf939d041ca986048ac70450
SHA512
e9885643022370354a906a19aa1678d57054ac57f6eee30219616215121b57852fd397619c00b989d2ba13c07f936a1ca896ad02ce9a87010def5cc7e76745c7
-
Filesize
512KB
MD5
b3a6d019a3bb19709076075f7105097e
SHA1
e384ccadf0b6ed4bfc462d3089e5633ebd5c2d92
SHA256
67a8a023af9a997c99b3a82e1c65909763cf4ab9922ff1395030d8643b2b1312
SHA512
e08c9c1be25a5ab81c2982aa6dcfa7c8feb1d5dc28eaf289b674fb240ced604d0dfc4f8ad7293feaec88d4b221071be32312eccad9aa9cc69a5c5500e9fce346
-
Filesize
263KB
MD5
ff0e07eff1333cdf9fc2523d323dd654
SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d
-
Filesize
239B
MD5
408ff72ac77dfbd94124373f0a45a68e
SHA1
3d2ca24fe5531456ace256f7fbedd6dc6f553646
SHA256
035fe50fb10220afc92b62741669d0936114689bda12e37d0deee3cf7fc44fba
SHA512
df506c72f762d2a0a024ac9a98f1eaa074d286041a4b743717d3c489f47f7d0ddc7a8e08bdd7f45f515a9283a3bd7fb629beb11f00a05f78a4f17d34a428cd7b
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize
3KB
MD5
5d5329b95c2b5efef31d9c63575fb01d
SHA1
9263c08c225d28198fe5bb44c97708ed4ce86ddf
SHA256
7c94fd7faf3533886ae6f19ef90e18b0f1d10933fb97b051cf658425d48a5043
SHA512
84392818a1aee077e796a748e6f2e8c275332424c966ff39af4e0f120e6f71e60e1ae8ddaa65aa423d0db7806cb9ac9030a5102706f5d38ece0a22eb777ee746
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize
3KB
MD5
de2251bb13e571b8b952dc6bee2e51a4
SHA1
1d20e0442c80318ea00055d08071d6133900b08d
SHA256
8a23d6945b6f270e7b7813528f47703dbff08ce827c0b18b9b40a69fae24685a
SHA512
86167023aef83f7c2b5ff63613b99f062f2018da5e6fe1652994afd7f9255d90f52a9acc48c15a2ca7f0fdda402b62c0668669a2ca405361982dbf402b3e44ce
-
Filesize
512KB
MD5
c66a8668b2878bab87d6a486278bf152
SHA1
5570faf50186a7165d55c68f3518f3c511b6c52c
SHA256
db74cfcf5a03e92d5cae98818de250f458b512944e6cf8388d627b3de0bd7d27
SHA512
3783a4932dd627c17a15e0ea68de5f8b0049760619178d7f3c7a8c6dc87a9de654fb9e34d426f9e87f1a1e680af4078fb52fe838fda5af0a034905600fe40d6b
-
Filesize
512KB
MD5
d37144681e2a19438df8c652cbbe947c
SHA1
2ad4a734128ba3e1169ec49fd4a284a99f6e8749
SHA256
27ed26cf5c90b6af7a70ec354d5e8f1f7803539de840f0eed4ed55c1815a10d5
SHA512
a9b1b082bdabf8776681555bce871dadca92bb6189f886839bf947ef5c4fd0573dc8e2935dd7d8954dca0d444f5e1ba5cf3574aa4b735cdb0b5dbd97c3c9fffb
-
Filesize
512KB
MD5
08ce64b84e7a14ec64538022c69a15e9
SHA1
8527e38dfe50e47b07126102d335f0ab1df79d32
SHA256
69cd6895b508c89724e478d7e9d00dcba718904bed2eda98d729af5087207d53
SHA512
de5f77dd9887fdd4fef5b2cbab6de5c03ac0e555b0ff9306167cfe18a9cebba48f37a63aa62a01cf3f180110572d0a7a66aed4938718dfb543599de2d2dfe4ce
-
Filesize
512KB
MD5
d22fc3ca4dc30072f6a71964de50eb52
SHA1
f02a0b32a06d538b666bada68f06ade52be0e113
SHA256
ccd7b7d1ecc8e10359c117afb0c2a05946b63f7f259ebdd71bbebb337d59bb5f
SHA512
458b444ba73dd989e5ac5f37c82bd75a540651c6479cabb436b94824315930e5ca6ff850081e94f3bda5518c2d511ce447d9fb71e3c45d56e115cb646578bc21
-
Filesize
223B
MD5
06604e5941c126e2e7be02c5cd9f62ec
SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
Filesize
512KB
MD5
7c5e261a9f83b66732b4675c4b34dd9e
SHA1
6a50598c9fbcb2135453552e96526ac636acdfa5
SHA256
700943b30172f8b677efa8464e87ab2948b74b8b02790e235914607b4a4f72f2
SHA512
c4e89bf0ac4c3949c4ba6a54d1c41b4a8248d26a99b8ad5082116d6bc21c4b8282426118084e19fbd3b4e4743a29ba4ac324615fb0007c802728b3304d5962ae
-
Filesize
512KB
MD5
f9712f60773d430a9b7d155206e77bae
SHA1
dd24bd6619a77d44a6a69c373f58c38e0a8973e3
SHA256
b54835647d0e60d96dfc95c11588c75d922652b6201eb7e396c5f2c14c51a76f
SHA512
d4c33bc861093bc510562e9bac8120b9e6cd4039ac5441c6052154c0d0f69e839e01f14d00b4e612a1c33ee0fa3f4aa4668a43f95bbcebf1bdae26be603d22a6