Analysis
max time kernel: 150s
max time network: 124s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system
submitted: 27-05-2024 08:05
Static task: static1
Behavioral task: behavioral1
  Sample: 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe
  Resource: win10v2004-20240426-en
General
Target: 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe
Size: 512KB
MD5: 7873e7e0692a506e43e36d4bf4da28b7
SHA1: 32629a66348b9a5016084c7e320a3a967ef61cc3
SHA256: be0ddeb3e3b7d943e20c4f535891d04c2b3981894dc777dcc17d27d304b1dbf9
SHA512: 5f1474dc892a850fd1a94aeaf940b0a89f61698a044bcc6b65479ee892b343da24c218f4a55ff284b2202f7804687f9ef581a7ebc6fd56eb6cbfece3dda9e6e2
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6M:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5j
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | etivxclkgk.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | etivxclkgk.exe
Windows security bypass
Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | etivxclkgk.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | etivxclkgk.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | etivxclkgk.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | etivxclkgk.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | etivxclkgk.exe
Disables RegEdit via registry modification (1 IoC)
Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | etivxclkgk.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe
Executes dropped EXE (5 IoCs)
Processes:
  pid | process
  1880 | etivxclkgk.exe
  1828 | gqpdldfnvianyey.exe
  4244 | laxlndxf.exe
  2660 | kvtkwzkjenxzk.exe
  1608 | laxlndxf.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | etivxclkgk.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | etivxclkgk.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | etivxclkgk.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | etivxclkgk.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | etivxclkgk.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | etivxclkgk.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\zykktwty = "etivxclkgk.exe" | gqpdldfnvianyey.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\igtavzru = "gqpdldfnvianyey.exe" | gqpdldfnvianyey.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "kvtkwzkjenxzk.exe" | gqpdldfnvianyey.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  description | ioc | process
  File opened (read-only) | \??\a: | laxlndxf.exe
  File opened (read-only) | \??\g: | laxlndxf.exe
  File opened (read-only) | \??\q: | laxlndxf.exe
  File opened (read-only) | \??\i: | etivxclkgk.exe
  File opened (read-only) | \??\k: | etivxclkgk.exe
  File opened (read-only) | \??\r: | laxlndxf.exe
  File opened (read-only) | \??\p: | etivxclkgk.exe
  File opened (read-only) | \??\v: | etivxclkgk.exe
  File opened (read-only) | \??\j: | laxlndxf.exe
  File opened (read-only) | \??\p: | laxlndxf.exe
  File opened (read-only) | \??\h: | etivxclkgk.exe
  File opened (read-only) | \??\u: | etivxclkgk.exe
  File opened (read-only) | \??\l: | laxlndxf.exe
  File opened (read-only) | \??\e: | laxlndxf.exe
  File opened (read-only) | \??\r: | laxlndxf.exe
  File opened (read-only) | \??\o: | etivxclkgk.exe
  File opened (read-only) | \??\t: | etivxclkgk.exe
  File opened (read-only) | \??\w: | etivxclkgk.exe
  File opened (read-only) | \??\i: | laxlndxf.exe
  File opened (read-only) | \??\b: | laxlndxf.exe
  File opened (read-only) | \??\r: | etivxclkgk.exe
  File opened (read-only) | \??\x: | etivxclkgk.exe
  File opened (read-only) | \??\j: | laxlndxf.exe
  File opened (read-only) | \??\a: | etivxclkgk.exe
  File opened (read-only) | \??\l: | etivxclkgk.exe
  File opened (read-only) | \??\g: | laxlndxf.exe
  File opened (read-only) | \??\z: | laxlndxf.exe
  File opened (read-only) | \??\s: | laxlndxf.exe
  File opened (read-only) | \??\e: | etivxclkgk.exe
  File opened (read-only) | \??\s: | etivxclkgk.exe
  File opened (read-only) | \??\x: | laxlndxf.exe
  File opened (read-only) | \??\o: | laxlndxf.exe
  File opened (read-only) | \??\g: | etivxclkgk.exe
  File opened (read-only) | \??\a: | laxlndxf.exe
  File opened (read-only) | \??\v: | laxlndxf.exe
  File opened (read-only) | \??\n: | etivxclkgk.exe
  File opened (read-only) | \??\b: | laxlndxf.exe
  File opened (read-only) | \??\k: | laxlndxf.exe
  File opened (read-only) | \??\m: | laxlndxf.exe
  File opened (read-only) | \??\q: | laxlndxf.exe
  File opened (read-only) | \??\w: | laxlndxf.exe
  File opened (read-only) | \??\y: | laxlndxf.exe
  File opened (read-only) | \??\p: | laxlndxf.exe
  File opened (read-only) | \??\x: | laxlndxf.exe
  File opened (read-only) | \??\z: | laxlndxf.exe
  File opened (read-only) | \??\j: | etivxclkgk.exe
  File opened (read-only) | \??\m: | etivxclkgk.exe
  File opened (read-only) | \??\o: | laxlndxf.exe
  File opened (read-only) | \??\s: | laxlndxf.exe
  File opened (read-only) | \??\i: | laxlndxf.exe
  File opened (read-only) | \??\b: | etivxclkgk.exe
  File opened (read-only) | \??\q: | etivxclkgk.exe
  File opened (read-only) | \??\y: | etivxclkgk.exe
  File opened (read-only) | \??\e: | laxlndxf.exe
  File opened (read-only) | \??\y: | laxlndxf.exe
  File opened (read-only) | \??\l: | laxlndxf.exe
  File opened (read-only) | \??\v: | laxlndxf.exe
  File opened (read-only) | \??\w: | laxlndxf.exe
  File opened (read-only) | \??\n: | laxlndxf.exe
  File opened (read-only) | \??\t: | laxlndxf.exe
  File opened (read-only) | \??\t: | laxlndxf.exe
  File opened (read-only) | \??\u: | laxlndxf.exe
  File opened (read-only) | \??\h: | laxlndxf.exe
  File opened (read-only) | \??\z: | etivxclkgk.exe
Modifies WinLogon (2 TTPs, 2 IoCs)
Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | etivxclkgk.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | etivxclkgk.exe
AutoIT Executable (9 IoCs)
AutoIT scripts compiled to PE executables.
Processes:
  resource | yara_rule
  behavioral2/memory/1484-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
  C:\Windows\SysWOW64\gqpdldfnvianyey.exe | autoit_exe
  C:\Windows\SysWOW64\etivxclkgk.exe | autoit_exe
  C:\Windows\SysWOW64\laxlndxf.exe | autoit_exe
  C:\Windows\SysWOW64\kvtkwzkjenxzk.exe | autoit_exe
  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | autoit_exe
  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | autoit_exe
  \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | autoit_exe
  \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | autoit_exe
Drops file in System32 directory (12 IoCs)
Processes:
  description | ioc | process
  File created | C:\Windows\SysWOW64\etivxclkgk.exe | 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe
  File created | C:\Windows\SysWOW64\gqpdldfnvianyey.exe | 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\gqpdldfnvianyey.exe | 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe
  File created | C:\Windows\SysWOW64\laxlndxf.exe | 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe
  File created | C:\Windows\SysWOW64\kvtkwzkjenxzk.exe | 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\kvtkwzkjenxzk.exe | 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe
  File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | laxlndxf.exe
  File opened for modification | C:\Windows\SysWOW64\etivxclkgk.exe | 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\laxlndxf.exe | 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | etivxclkgk.exe
  File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | laxlndxf.exe
  File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | laxlndxf.exe
Drops file in Program Files directory (14 IoCs)
Processes:
  description | ioc | process
  File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | laxlndxf.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | laxlndxf.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | laxlndxf.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | laxlndxf.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | laxlndxf.exe
  File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | laxlndxf.exe
  File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | laxlndxf.exe
  File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | laxlndxf.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | laxlndxf.exe
  File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | laxlndxf.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | laxlndxf.exe
  File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | laxlndxf.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | laxlndxf.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | laxlndxf.exe
Drops file in Windows directory (19 IoCs)
Processes:
  description | ioc | process
  File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
  File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | laxlndxf.exe
  File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | laxlndxf.exe
  File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
  File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | laxlndxf.exe
  File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | laxlndxf.exe
  File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | laxlndxf.exe
  File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | laxlndxf.exe
  File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | laxlndxf.exe
  File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | laxlndxf.exe
  File opened for modification | C:\Windows\mydoc.rtf | 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe
  File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | laxlndxf.exe
  File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | laxlndxf.exe
  File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | laxlndxf.exe
  File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | laxlndxf.exe
  File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | laxlndxf.exe
  File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | laxlndxf.exe
  File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | laxlndxf.exe
  File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | laxlndxf.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Modifies registry class (20 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | etivxclkgk.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC7B12B44E639EE53BFBAD6339DD7B9" | 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E08068C3FE6F21AAD10FD1A98B7D9063" | 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | etivxclkgk.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | etivxclkgk.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | etivxclkgk.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFAFCF84F5F851A9046D62D7DE5BDE7E1375932664F6234D79F" | 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1849C60F14E6DAC5B9B97F97ECE737CC" | 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | etivxclkgk.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | etivxclkgk.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | etivxclkgk.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | etivxclkgk.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33462D7C9C2082596D3476D370532CAE7DF264AD" | 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe
  Key created | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings | 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | etivxclkgk.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | etivxclkgk.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | etivxclkgk.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AC9F9CCFE14F1E2837C3B45869D39E6B38902FD4369034EE2BE429E09A3" | 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | etivxclkgk.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes:
  pid | process
  1112 | WINWORD.EXE
  1112 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid | process, with the number of consecutive identical entries in the report):
  1484 | 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe (16 entries)
  1828 | gqpdldfnvianyey.exe (10 entries)
  2660 | kvtkwzkjenxzk.exe (12 entries)
  1880 | etivxclkgk.exe (10 entries)
  4244 | laxlndxf.exe (8 entries)
  1828 | gqpdldfnvianyey.exe (2 entries)
  1608 | laxlndxf.exe (6 entries)
Suspicious use of FindShellTrayWindow (18 IoCs)
Processes:
  pid | process
  1484 | 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe
  1484 | 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe
  1484 | 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe
  1828 | gqpdldfnvianyey.exe
  1828 | gqpdldfnvianyey.exe
  1828 | gqpdldfnvianyey.exe
  4244 | laxlndxf.exe
  4244 | laxlndxf.exe
  4244 | laxlndxf.exe
  1880 | etivxclkgk.exe
  2660 | kvtkwzkjenxzk.exe
  1880 | etivxclkgk.exe
  2660 | kvtkwzkjenxzk.exe
  1880 | etivxclkgk.exe
  2660 | kvtkwzkjenxzk.exe
  1608 | laxlndxf.exe
  1608 | laxlndxf.exe
  1608 | laxlndxf.exe
Suspicious use of SendNotifyMessage (18 IoCs)
Processes:
  pid | process
  1484 | 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe
  1484 | 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe
  1484 | 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe
  1828 | gqpdldfnvianyey.exe
  1828 | gqpdldfnvianyey.exe
  1828 | gqpdldfnvianyey.exe
  4244 | laxlndxf.exe
  4244 | laxlndxf.exe
  4244 | laxlndxf.exe
  1880 | etivxclkgk.exe
  2660 | kvtkwzkjenxzk.exe
  1880 | etivxclkgk.exe
  2660 | kvtkwzkjenxzk.exe
  1880 | etivxclkgk.exe
  2660 | kvtkwzkjenxzk.exe
  1608 | laxlndxf.exe
  1608 | laxlndxf.exe
  1608 | laxlndxf.exe
Suspicious use of SetWindowsHookEx (7 IoCs)
Processes (pid | process, with the number of identical entries in the report):
  1112 | WINWORD.EXE (7 entries)
Suspicious use of WriteProcessMemory (17 IoCs)
Processes:
  description | pid | process | target process
  PID 1484 wrote to memory of 1880 | 1484 | 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe | etivxclkgk.exe
  PID 1484 wrote to memory of 1880 | 1484 | 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe | etivxclkgk.exe
  PID 1484 wrote to memory of 1880 | 1484 | 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe | etivxclkgk.exe
  PID 1484 wrote to memory of 1828 | 1484 | 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe | gqpdldfnvianyey.exe
  PID 1484 wrote to memory of 1828 | 1484 | 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe | gqpdldfnvianyey.exe
  PID 1484 wrote to memory of 1828 | 1484 | 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe | gqpdldfnvianyey.exe
  PID 1484 wrote to memory of 4244 | 1484 | 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe | laxlndxf.exe
  PID 1484 wrote to memory of 4244 | 1484 | 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe | laxlndxf.exe
  PID 1484 wrote to memory of 4244 | 1484 | 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe | laxlndxf.exe
  PID 1484 wrote to memory of 2660 | 1484 | 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe | kvtkwzkjenxzk.exe
  PID 1484 wrote to memory of 2660 | 1484 | 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe | kvtkwzkjenxzk.exe
  PID 1484 wrote to memory of 2660 | 1484 | 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe | kvtkwzkjenxzk.exe
  PID 1484 wrote to memory of 1112 | 1484 | 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe | WINWORD.EXE
  PID 1484 wrote to memory of 1112 | 1484 | 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe | WINWORD.EXE
  PID 1880 wrote to memory of 1608 | 1880 | etivxclkgk.exe | laxlndxf.exe
  PID 1880 wrote to memory of 1608 | 1880 | etivxclkgk.exe | laxlndxf.exe
  PID 1880 wrote to memory of 1608 | 1880 | etivxclkgk.exe | laxlndxf.exe
Processes (tree; indentation shows parent/child depth)
C:\Users\Admin\AppData\Local\Temp\7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe"
  Depth: 1
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 1484
    C:\Windows\SysWOW64\etivxclkgk.exe
      Command line: etivxclkgk.exe
      Depth: 2 (child of PID 1484)
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Windows security bypass
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Windows security modification
      - Enumerates connected drives
      - Modifies WinLogon
      - Drops file in System32 directory
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      PID: 1880
        C:\Windows\SysWOW64\laxlndxf.exe
          Command line: C:\Windows\system32\laxlndxf.exe
          Depth: 3 (child of PID 1880)
          - Executes dropped EXE
          - Enumerates connected drives
          - Drops file in System32 directory
          - Drops file in Program Files directory
          - Drops file in Windows directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          PID: 1608
    C:\Windows\SysWOW64\gqpdldfnvianyey.exe
      Command line: gqpdldfnvianyey.exe
      Depth: 2 (child of PID 1484)
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      PID: 1828
    C:\Windows\SysWOW64\laxlndxf.exe
      Command line: laxlndxf.exe
      Depth: 2 (child of PID 1484)
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      PID: 4244
    C:\Windows\SysWOW64\kvtkwzkjenxzk.exe
      Command line: kvtkwzkjenxzk.exe
      Depth: 2 (child of PID 1484)
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      PID: 2660
    C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      Depth: 2 (child of PID 1484)
      - Drops file in Windows directory
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of SetWindowsHookEx
      PID: 1112
Network
MITRE ATT&CK Enterprise v15 (counts in parentheses)
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (6)
Downloads

Filesize: 512KB
MD5: d318cd69f61d6769d347fb085581dfe4
SHA1: 42dc4da51294ee4d0d666c5598dd5923b336b842
SHA256: b6a7649d9a94f6e03f492408e9ad7d9a2ed7756a1c2153f3af0204d4706d53ef
SHA512: 6269e455da7f313c7049056e31e246931c4e8fbe82c7ed602b954d9b337456079cd0304b0ea5dc311c9c7365c50dea06755dbb10fa86ce077871dad6f71d02a5

Filesize: 512KB
MD5: 9aca522fcfc68844733ce676aa060fc2
SHA1: 7fd79180e7cd767bffb212d4f2774cb8c797b0c0
SHA256: 08b1e665cbb3919289bc719babc0fbade28a9776c4d5cfb05bd2af5445c59c41
SHA512: 511892652df110c079c91bc36a8725e4da8f95bf97f256d0d37b5021bc5a041d53c51c014a2b37ea2daa73df600744d3c818c1f42647d7d9f41450be99b3e97c

Filesize: 263KB
MD5: ff0e07eff1333cdf9fc2523d323dd654
SHA1: 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA256: 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512: b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Filesize: 239B
MD5: 12b138a5a40ffb88d1850866bf2959cd
SHA1: 57001ba2de61329118440de3e9f8a81074cb28a2
SHA256: 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA512: 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: 14707219780c17608a82289c27070b7c
SHA1: c82e7e7a12c76a28b239f71f8998a5feace0240b
SHA256: 0a2ace0c8105f1ae8042f7507731e8642f1ebbdac11946c4745c77570d89b201
SHA512: fff1853f31961fb1514fa2eaeb1a7e60a98cf7faf95a90c801f8291a02cbcd821cc100b5c3c0128b3f9c4e8948ef45f4c52aae992a22e7acbdbe82a044a52583

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: b3fe1e26cd9583b13b7d6019a644254e
SHA1: ceef60e6d4600d2ca5cb79a7792f6132239731e9
SHA256: aab6f5c7f98e4560cf05b23a98818f82c6392843bfed0fca11732110a0e60651
SHA512: 21bba807e71c2ebbd45369166f57048542a1b82c18b710fea178bf32919e028506278bcd2f6ae393fe85e115e59be90cfce10ba4feceb443801fbec91504e94b

Filesize: 512KB
MD5: 9ad172ba982a52689b6f1c077e8f7bb9
SHA1: 8bcf433d9a4d5a9533e145a2d0663585750be540
SHA256: eb6d3f884ca2f07c7190bf42808fd88d09b99e10b05a163f2e6d0a2e41974cbb
SHA512: f17d2f80d5bf77ef75e0eadb4cbdf4638922f8ec25ef65857a83293cf4399a303b0ab1f6a39186c7f5fb5faeff96188e866b2c0ff8701516cc0ffeef8c4fc878

Filesize: 512KB
MD5: 803ef3fe8e260e442b9bd8d61ed0045d
SHA1: 92df3f1a1856360b26aa0c7ca9d61237f44be641
SHA256: 84875b96e1a6717379965919ba95e3e59f5ed0d1072a1b9efa1fd4240248c70f
SHA512: 4a6838c77b265d38560a1e0294a98f24c3958be42c70a853c3442c9f3cf511d912d4c7fd53c1d7542f4a9077f06ecd56ec288d656a3d8ed46e4a62e718415907

Filesize: 512KB
MD5: 2350f16872049c200680d31a641ba006
SHA1: af64d9fad855d3a5f2a91069387ad36538c6376b
SHA256: da346d07d4ea7b6aff903b5f22d0cb8bedc3424eb21c437d9614bb298e02760f
SHA512: be86d1eb978aca5be3a03c63d6b9e80361cede11440d50ba7cb9441388ffb07283217f99aebe63a2988c03ad0462103a2f9381ea16b078aba5d8e70140a831ed

Filesize: 512KB
MD5: 04aa114395413d5a16dc54f8264a62d2
SHA1: c1b4f2ff95f8010134c3f38650f3d402dc6cf859
SHA256: bafa3a16ada68d0517d1115bab1dc1862cc1f0fd7ca8c257e30e2bdaf4244185
SHA512: f30891df1f4a3975eac707fc940f7096c3aaf4024bf44d010ca99de066f9e4ba06efe6fd8a0028d7c389f83e5170f45cf7eadc7d759cfdbed951335b4e2dadba

Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Filesize: 512KB
MD5: 7e68c7833be7f72404681f71bbcf021e
SHA1: 935111dcac6b8cd1b01ef393c0d23d87a2f8f0d0
SHA256: f7a335175167b18f6644636350128f4960fcbdd389719ceef610e17cf7daa66a
SHA512: b8807cea98153aee8e401429bedf3f82e54fdb25df8d73ddd1c5d67162d46779d642012d85f7b2561cf1088f69fc9f56a60ea3ebab6cace3557da2d313c50ced

Filesize: 512KB
MD5: 24b83e33e9cc8b1150b625fab8a9ae2d
SHA1: fafdb36630b3abfd90d326913ec0b13d6171a3a9
SHA256: e295db245d0079d4b43a807a880d8fbf241883a9f85f7abcf87c0b8a94251065
SHA512: ced6b8ad74e860fd96a5a627aeef4db649363b88a1206ffa9d7539f3acaf284cdfbbc3fa733dd4aaecd371e2bb639126b19e3e613514094cbd886c8d37aa080a