Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-05-2024 06:34
Static task: static1
Behavioral task: behavioral1
  Sample: 7836bcdffc0d71f1fe7b31d42ec7ef6d_JaffaCakes118.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 7836bcdffc0d71f1fe7b31d42ec7ef6d_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 7836bcdffc0d71f1fe7b31d42ec7ef6d_JaffaCakes118.exe
Size: 512KB
MD5: 7836bcdffc0d71f1fe7b31d42ec7ef6d
SHA1: 8c7c3b603465b9b9b1e935686ab44591887ec29a
SHA256: 6ed931b2d4f9899668844533f9965107b2ac3981d7a3ac9523f63c97c2b756f6
SHA512: 6ad4ff8dd53583e0fa76fa00d5ec605aad0da80d0fc5275910fb00532128fb0ae8c4e5faaf83b796a179e3ba97faa4f316b317d4cc80cd42387d3a68e6cd6870
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6L:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm54
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
Processes: mwueaptlro.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | mwueaptlro.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes: mwueaptlro.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | mwueaptlro.exe
Windows security bypass
Processes: mwueaptlro.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | mwueaptlro.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | mwueaptlro.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | mwueaptlro.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | mwueaptlro.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | mwueaptlro.exe
Disables RegEdit via registry modification 1 IoCs
Processes: mwueaptlro.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | mwueaptlro.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 7836bcdffc0d71f1fe7b31d42ec7ef6d_JaffaCakes118.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | 7836bcdffc0d71f1fe7b31d42ec7ef6d_JaffaCakes118.exe
Executes dropped EXE 5 IoCs
Processes: mwueaptlro.exe, bzsclykilrnlsjh.exe, avbonchageruj.exe, tamhgepe.exe, tamhgepe.exe
pid | process
3052 | mwueaptlro.exe
1220 | bzsclykilrnlsjh.exe
3520 | avbonchageruj.exe
2448 | tamhgepe.exe
4896 | tamhgepe.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
Processes: mwueaptlro.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | mwueaptlro.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | mwueaptlro.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | mwueaptlro.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | mwueaptlro.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | mwueaptlro.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | mwueaptlro.exe
Adds Run key to start application 2 TTPs 3 IoCs
Processes: bzsclykilrnlsjh.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kjptoydh = "mwueaptlro.exe" | bzsclykilrnlsjh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\awdgvhyf = "bzsclykilrnlsjh.exe" | bzsclykilrnlsjh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "avbonchageruj.exe" | bzsclykilrnlsjh.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: tamhgepe.exe, mwueaptlro.exe, tamhgepe.exe
description | ioc | process
File opened (read-only) | \??\z: | tamhgepe.exe
File opened (read-only) | \??\l: | mwueaptlro.exe
File opened (read-only) | \??\y: | tamhgepe.exe
File opened (read-only) | \??\g: | tamhgepe.exe
File opened (read-only) | \??\s: | tamhgepe.exe
File opened (read-only) | \??\x: | tamhgepe.exe
File opened (read-only) | \??\a: | tamhgepe.exe
File opened (read-only) | \??\a: | mwueaptlro.exe
File opened (read-only) | \??\e: | mwueaptlro.exe
File opened (read-only) | \??\q: | mwueaptlro.exe
File opened (read-only) | \??\g: | tamhgepe.exe
File opened (read-only) | \??\o: | mwueaptlro.exe
File opened (read-only) | \??\r: | tamhgepe.exe
File opened (read-only) | \??\j: | tamhgepe.exe
File opened (read-only) | \??\l: | tamhgepe.exe
File opened (read-only) | \??\n: | tamhgepe.exe
File opened (read-only) | \??\q: | tamhgepe.exe
File opened (read-only) | \??\g: | mwueaptlro.exe
File opened (read-only) | \??\y: | mwueaptlro.exe
File opened (read-only) | \??\t: | tamhgepe.exe
File opened (read-only) | \??\w: | tamhgepe.exe
File opened (read-only) | \??\t: | tamhgepe.exe
File opened (read-only) | \??\u: | tamhgepe.exe
File opened (read-only) | \??\m: | tamhgepe.exe
File opened (read-only) | \??\n: | mwueaptlro.exe
File opened (read-only) | \??\x: | mwueaptlro.exe
File opened (read-only) | \??\r: | tamhgepe.exe
File opened (read-only) | \??\h: | tamhgepe.exe
File opened (read-only) | \??\h: | tamhgepe.exe
File opened (read-only) | \??\m: | tamhgepe.exe
File opened (read-only) | \??\k: | mwueaptlro.exe
File opened (read-only) | \??\s: | mwueaptlro.exe
File opened (read-only) | \??\v: | mwueaptlro.exe
File opened (read-only) | \??\a: | tamhgepe.exe
File opened (read-only) | \??\z: | mwueaptlro.exe
File opened (read-only) | \??\q: | tamhgepe.exe
File opened (read-only) | \??\u: | tamhgepe.exe
File opened (read-only) | \??\o: | tamhgepe.exe
File opened (read-only) | \??\v: | tamhgepe.exe
File opened (read-only) | \??\p: | mwueaptlro.exe
File opened (read-only) | \??\t: | mwueaptlro.exe
File opened (read-only) | \??\w: | mwueaptlro.exe
File opened (read-only) | \??\l: | tamhgepe.exe
File opened (read-only) | \??\w: | tamhgepe.exe
File opened (read-only) | \??\x: | tamhgepe.exe
File opened (read-only) | \??\r: | mwueaptlro.exe
File opened (read-only) | \??\u: | mwueaptlro.exe
File opened (read-only) | \??\b: | tamhgepe.exe
File opened (read-only) | \??\k: | tamhgepe.exe
File opened (read-only) | \??\p: | tamhgepe.exe
File opened (read-only) | \??\v: | tamhgepe.exe
File opened (read-only) | \??\z: | tamhgepe.exe
File opened (read-only) | \??\y: | tamhgepe.exe
File opened (read-only) | \??\i: | mwueaptlro.exe
File opened (read-only) | \??\j: | mwueaptlro.exe
File opened (read-only) | \??\b: | tamhgepe.exe
File opened (read-only) | \??\n: | tamhgepe.exe
File opened (read-only) | \??\b: | mwueaptlro.exe
File opened (read-only) | \??\s: | tamhgepe.exe
File opened (read-only) | \??\i: | tamhgepe.exe
File opened (read-only) | \??\p: | tamhgepe.exe
File opened (read-only) | \??\e: | tamhgepe.exe
File opened (read-only) | \??\i: | tamhgepe.exe
File opened (read-only) | \??\k: | tamhgepe.exe
Modifies WinLogon 2 TTPs 2 IoCs
Processes: mwueaptlro.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | mwueaptlro.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | mwueaptlro.exe
AutoIT Executable 9 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource | yara_rule
behavioral2/memory/1216-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
C:\Windows\SysWOW64\bzsclykilrnlsjh.exe | autoit_exe
C:\Windows\SysWOW64\mwueaptlro.exe | autoit_exe
C:\Windows\SysWOW64\tamhgepe.exe | autoit_exe
C:\Windows\SysWOW64\avbonchageruj.exe | autoit_exe
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | autoit_exe
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | autoit_exe
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | autoit_exe
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | autoit_exe
Drops file in System32 directory 12 IoCs
Processes: 7836bcdffc0d71f1fe7b31d42ec7ef6d_JaffaCakes118.exe, tamhgepe.exe, tamhgepe.exe, mwueaptlro.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\avbonchageruj.exe | 7836bcdffc0d71f1fe7b31d42ec7ef6d_JaffaCakes118.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | tamhgepe.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | tamhgepe.exe
File created | C:\Windows\SysWOW64\mwueaptlro.exe | 7836bcdffc0d71f1fe7b31d42ec7ef6d_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\mwueaptlro.exe | 7836bcdffc0d71f1fe7b31d42ec7ef6d_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\bzsclykilrnlsjh.exe | 7836bcdffc0d71f1fe7b31d42ec7ef6d_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\bzsclykilrnlsjh.exe | 7836bcdffc0d71f1fe7b31d42ec7ef6d_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\avbonchageruj.exe | 7836bcdffc0d71f1fe7b31d42ec7ef6d_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\tamhgepe.exe | 7836bcdffc0d71f1fe7b31d42ec7ef6d_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\tamhgepe.exe | 7836bcdffc0d71f1fe7b31d42ec7ef6d_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | mwueaptlro.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | tamhgepe.exe
Drops file in Program Files directory 15 IoCs
Processes: tamhgepe.exe, tamhgepe.exe
description | ioc | process
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | tamhgepe.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | tamhgepe.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | tamhgepe.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | tamhgepe.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | tamhgepe.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | tamhgepe.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | tamhgepe.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | tamhgepe.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | tamhgepe.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | tamhgepe.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | tamhgepe.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | tamhgepe.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | tamhgepe.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | tamhgepe.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | tamhgepe.exe
Drops file in Windows directory 19 IoCs
Processes: tamhgepe.exe, tamhgepe.exe, WINWORD.EXE, 7836bcdffc0d71f1fe7b31d42ec7ef6d_JaffaCakes118.exe
description | ioc | process
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | tamhgepe.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | tamhgepe.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | tamhgepe.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | tamhgepe.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | tamhgepe.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | tamhgepe.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | tamhgepe.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | tamhgepe.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | tamhgepe.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | tamhgepe.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | tamhgepe.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | tamhgepe.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | tamhgepe.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | tamhgepe.exe
File opened for modification | C:\Windows\mydoc.rtf | 7836bcdffc0d71f1fe7b31d42ec7ef6d_JaffaCakes118.exe
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | tamhgepe.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | tamhgepe.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: WINWORD.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class 20 IoCs
Processes: mwueaptlro.exe, 7836bcdffc0d71f1fe7b31d42ec7ef6d_JaffaCakes118.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | mwueaptlro.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | mwueaptlro.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "334E2D7F9D2C83236A4677D077222CAB7CF564D6" | 7836bcdffc0d71f1fe7b31d42ec7ef6d_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | mwueaptlro.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | mwueaptlro.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | mwueaptlro.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | mwueaptlro.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | mwueaptlro.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | mwueaptlro.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 7836bcdffc0d71f1fe7b31d42ec7ef6d_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | 7836bcdffc0d71f1fe7b31d42ec7ef6d_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | mwueaptlro.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | mwueaptlro.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | mwueaptlro.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACEF9BEFE11F1E3837C3A3186E93998B0FA038F4366034CE2CD42EA08A2" | 7836bcdffc0d71f1fe7b31d42ec7ef6d_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB0B12B47E339EA53C9BAD733EED7B8" | 7836bcdffc0d71f1fe7b31d42ec7ef6d_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1838C70F15E6DAC7B9B97C95EC9734CF" | 7836bcdffc0d71f1fe7b31d42ec7ef6d_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | mwueaptlro.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E89FCF8485D851E9136D75D7D9DBD97E135594266456244D79E" | 7836bcdffc0d71f1fe7b31d42ec7ef6d_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7836BC6FF1F22DCD27FD1A78A7D9162" | 7836bcdffc0d71f1fe7b31d42ec7ef6d_JaffaCakes118.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes: WINWORD.EXE
pid | process
4920 | WINWORD.EXE
4920 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 7836bcdffc0d71f1fe7b31d42ec7ef6d_JaffaCakes118.exe, mwueaptlro.exe, bzsclykilrnlsjh.exe, tamhgepe.exe, avbonchageruj.exe, tamhgepe.exe
pid | process
1216 | 7836bcdffc0d71f1fe7b31d42ec7ef6d_JaffaCakes118.exe
1216 | 7836bcdffc0d71f1fe7b31d42ec7ef6d_JaffaCakes118.exe
1216 | 7836bcdffc0d71f1fe7b31d42ec7ef6d_JaffaCakes118.exe
1216 | 7836bcdffc0d71f1fe7b31d42ec7ef6d_JaffaCakes118.exe
1216 | 7836bcdffc0d71f1fe7b31d42ec7ef6d_JaffaCakes118.exe
1216 | 7836bcdffc0d71f1fe7b31d42ec7ef6d_JaffaCakes118.exe
1216 | 7836bcdffc0d71f1fe7b31d42ec7ef6d_JaffaCakes118.exe
1216 | 7836bcdffc0d71f1fe7b31d42ec7ef6d_JaffaCakes118.exe
1216 | 7836bcdffc0d71f1fe7b31d42ec7ef6d_JaffaCakes118.exe
1216 | 7836bcdffc0d71f1fe7b31d42ec7ef6d_JaffaCakes118.exe
1216 | 7836bcdffc0d71f1fe7b31d42ec7ef6d_JaffaCakes118.exe
1216 | 7836bcdffc0d71f1fe7b31d42ec7ef6d_JaffaCakes118.exe
1216 | 7836bcdffc0d71f1fe7b31d42ec7ef6d_JaffaCakes118.exe
1216 | 7836bcdffc0d71f1fe7b31d42ec7ef6d_JaffaCakes118.exe
1216 | 7836bcdffc0d71f1fe7b31d42ec7ef6d_JaffaCakes118.exe
1216 | 7836bcdffc0d71f1fe7b31d42ec7ef6d_JaffaCakes118.exe
3052 | mwueaptlro.exe
3052 | mwueaptlro.exe
3052 | mwueaptlro.exe
3052 | mwueaptlro.exe
1220 | bzsclykilrnlsjh.exe
1220 | bzsclykilrnlsjh.exe
3052 | mwueaptlro.exe
3052 | mwueaptlro.exe
1220 | bzsclykilrnlsjh.exe
3052 | mwueaptlro.exe
1220 | bzsclykilrnlsjh.exe
3052 | mwueaptlro.exe
1220 | bzsclykilrnlsjh.exe
1220 | bzsclykilrnlsjh.exe
3052 | mwueaptlro.exe
3052 | mwueaptlro.exe
1220 | bzsclykilrnlsjh.exe
1220 | bzsclykilrnlsjh.exe
1220 | bzsclykilrnlsjh.exe
1220 | bzsclykilrnlsjh.exe
2448 | tamhgepe.exe
2448 | tamhgepe.exe
2448 | tamhgepe.exe
2448 | tamhgepe.exe
2448 | tamhgepe.exe
2448 | tamhgepe.exe
2448 | tamhgepe.exe
2448 | tamhgepe.exe
3520 | avbonchageruj.exe
3520 | avbonchageruj.exe
3520 | avbonchageruj.exe
3520 | avbonchageruj.exe
3520 | avbonchageruj.exe
3520 | avbonchageruj.exe
3520 | avbonchageruj.exe
3520 | avbonchageruj.exe
3520 | avbonchageruj.exe
3520 | avbonchageruj.exe
3520 | avbonchageruj.exe
3520 | avbonchageruj.exe
1220 | bzsclykilrnlsjh.exe
1220 | bzsclykilrnlsjh.exe
4896 | tamhgepe.exe
4896 | tamhgepe.exe
4896 | tamhgepe.exe
4896 | tamhgepe.exe
4896 | tamhgepe.exe
4896 | tamhgepe.exe
Suspicious use of FindShellTrayWindow 18 IoCs
Processes: 7836bcdffc0d71f1fe7b31d42ec7ef6d_JaffaCakes118.exe, mwueaptlro.exe, bzsclykilrnlsjh.exe, tamhgepe.exe, avbonchageruj.exe, tamhgepe.exe
pid | process
1216 | 7836bcdffc0d71f1fe7b31d42ec7ef6d_JaffaCakes118.exe
1216 | 7836bcdffc0d71f1fe7b31d42ec7ef6d_JaffaCakes118.exe
1216 | 7836bcdffc0d71f1fe7b31d42ec7ef6d_JaffaCakes118.exe
3052 | mwueaptlro.exe
3052 | mwueaptlro.exe
3052 | mwueaptlro.exe
1220 | bzsclykilrnlsjh.exe
1220 | bzsclykilrnlsjh.exe
1220 | bzsclykilrnlsjh.exe
2448 | tamhgepe.exe
3520 | avbonchageruj.exe
2448 | tamhgepe.exe
3520 | avbonchageruj.exe
2448 | tamhgepe.exe
3520 | avbonchageruj.exe
4896 | tamhgepe.exe
4896 | tamhgepe.exe
4896 | tamhgepe.exe
Suspicious use of SendNotifyMessage 18 IoCs
Processes: 7836bcdffc0d71f1fe7b31d42ec7ef6d_JaffaCakes118.exe, mwueaptlro.exe, bzsclykilrnlsjh.exe, tamhgepe.exe, avbonchageruj.exe, tamhgepe.exe
pid | process
1216 | 7836bcdffc0d71f1fe7b31d42ec7ef6d_JaffaCakes118.exe
1216 | 7836bcdffc0d71f1fe7b31d42ec7ef6d_JaffaCakes118.exe
1216 | 7836bcdffc0d71f1fe7b31d42ec7ef6d_JaffaCakes118.exe
3052 | mwueaptlro.exe
3052 | mwueaptlro.exe
3052 | mwueaptlro.exe
1220 | bzsclykilrnlsjh.exe
1220 | bzsclykilrnlsjh.exe
1220 | bzsclykilrnlsjh.exe
2448 | tamhgepe.exe
3520 | avbonchageruj.exe
2448 | tamhgepe.exe
3520 | avbonchageruj.exe
2448 | tamhgepe.exe
3520 | avbonchageruj.exe
4896 | tamhgepe.exe
4896 | tamhgepe.exe
4896 | tamhgepe.exe
Suspicious use of SetWindowsHookEx 7 IoCs
Processes: WINWORD.EXE
pid | process
4920 | WINWORD.EXE
4920 | WINWORD.EXE
4920 | WINWORD.EXE
4920 | WINWORD.EXE
4920 | WINWORD.EXE
4920 | WINWORD.EXE
4920 | WINWORD.EXE
Suspicious use of WriteProcessMemory 17 IoCs
Processes: 7836bcdffc0d71f1fe7b31d42ec7ef6d_JaffaCakes118.exe, mwueaptlro.exe
description | pid | process | target process
PID 1216 wrote to memory of 3052 | 1216 | 7836bcdffc0d71f1fe7b31d42ec7ef6d_JaffaCakes118.exe | mwueaptlro.exe
PID 1216 wrote to memory of 3052 | 1216 | 7836bcdffc0d71f1fe7b31d42ec7ef6d_JaffaCakes118.exe | mwueaptlro.exe
PID 1216 wrote to memory of 3052 | 1216 | 7836bcdffc0d71f1fe7b31d42ec7ef6d_JaffaCakes118.exe | mwueaptlro.exe
PID 1216 wrote to memory of 1220 | 1216 | 7836bcdffc0d71f1fe7b31d42ec7ef6d_JaffaCakes118.exe | bzsclykilrnlsjh.exe
PID 1216 wrote to memory of 1220 | 1216 | 7836bcdffc0d71f1fe7b31d42ec7ef6d_JaffaCakes118.exe | bzsclykilrnlsjh.exe
PID 1216 wrote to memory of 1220 | 1216 | 7836bcdffc0d71f1fe7b31d42ec7ef6d_JaffaCakes118.exe | bzsclykilrnlsjh.exe
PID 1216 wrote to memory of 2448 | 1216 | 7836bcdffc0d71f1fe7b31d42ec7ef6d_JaffaCakes118.exe | tamhgepe.exe
PID 1216 wrote to memory of 2448 | 1216 | 7836bcdffc0d71f1fe7b31d42ec7ef6d_JaffaCakes118.exe | tamhgepe.exe
PID 1216 wrote to memory of 2448 | 1216 | 7836bcdffc0d71f1fe7b31d42ec7ef6d_JaffaCakes118.exe | tamhgepe.exe
PID 1216 wrote to memory of 3520 | 1216 | 7836bcdffc0d71f1fe7b31d42ec7ef6d_JaffaCakes118.exe | avbonchageruj.exe
PID 1216 wrote to memory of 3520 | 1216 | 7836bcdffc0d71f1fe7b31d42ec7ef6d_JaffaCakes118.exe | avbonchageruj.exe
PID 1216 wrote to memory of 3520 | 1216 | 7836bcdffc0d71f1fe7b31d42ec7ef6d_JaffaCakes118.exe | avbonchageruj.exe
PID 1216 wrote to memory of 4920 | 1216 | 7836bcdffc0d71f1fe7b31d42ec7ef6d_JaffaCakes118.exe | WINWORD.EXE
PID 1216 wrote to memory of 4920 | 1216 | 7836bcdffc0d71f1fe7b31d42ec7ef6d_JaffaCakes118.exe | WINWORD.EXE
PID 3052 wrote to memory of 4896 | 3052 | mwueaptlro.exe | tamhgepe.exe
PID 3052 wrote to memory of 4896 | 3052 | mwueaptlro.exe | tamhgepe.exe
PID 3052 wrote to memory of 4896 | 3052 | mwueaptlro.exe | tamhgepe.exe
Processes (tree; children are indented under their parent)
C:\Users\Admin\AppData\Local\Temp\7836bcdffc0d71f1fe7b31d42ec7ef6d_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\7836bcdffc0d71f1fe7b31d42ec7ef6d_JaffaCakes118.exe"
PID: 1216
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\mwueaptlro.exe
  Command line: mwueaptlro.exe
  PID: 3052
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\tamhgepe.exe
    Command line: C:\Windows\system32\tamhgepe.exe
    PID: 4896
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\bzsclykilrnlsjh.exe
  Command line: bzsclykilrnlsjh.exe
  PID: 1220
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\tamhgepe.exe
  Command line: tamhgepe.exe
  PID: 2448
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\avbonchageruj.exe
  Command line: avbonchageruj.exe
  PID: 3520
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
  PID: 4920
  - Drops file in Windows directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution 2
    Registry Run Keys / Startup Folder 1
    Winlogon Helper DLL 1
Privilege Escalation
  Boot or Logon Autostart Execution 2
    Registry Run Keys / Startup Folder 1
    Winlogon Helper DLL 1
Defense Evasion
  Hide Artifacts 2
    Hidden Files and Directories 2
  Impair Defenses 2
    Disable or Modify Tools 2
  Modify Registry 6
Downloads