Analysis
-
max time kernel
151s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
28-05-2024 14:24
Static task
static1
2 signatures
Behavioral task
behavioral1
Sample
7d48f64289fcefd49eed1118d6aecd46_JaffaCakes118.exe
Resource
win7-20240221-en
windows7-x64
25 signatures
150 seconds
Behavioral task
behavioral2
Sample
7d48f64289fcefd49eed1118d6aecd46_JaffaCakes118.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
25 signatures
150 seconds
General
-
Target
7d48f64289fcefd49eed1118d6aecd46_JaffaCakes118.exe
-
Size
512KB
-
MD5
7d48f64289fcefd49eed1118d6aecd46
-
SHA1
4bda1e89fd37ff2828a55b5a0c9e2e27678763d4
-
SHA256
58e2fd5aa91aa0db73cb213fcc16a9d358682a2bc62e51d71d9122a509a4f58d
-
SHA512
50f69cdf51716b9dbeed7a90850ab48e4a87615395c012409c84028d19bbfd94dbed1340dd17d04878f7c0d758040ac1f2b7deb0fc906906df60ee85125933a9
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6M:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5/
Score
10/10
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" vsmwemrjig.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" vsmwemrjig.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" vsmwemrjig.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" vsmwemrjig.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" vsmwemrjig.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" vsmwemrjig.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" vsmwemrjig.exe -
Disables RegEdit via registry modification 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" vsmwemrjig.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation 7d48f64289fcefd49eed1118d6aecd46_JaffaCakes118.exe -
Executes dropped EXE 5 IoCs
pid Process 4596 vsmwemrjig.exe 1924 ybavqkfdygqgvxf.exe 4972 giwnkswz.exe 1952 ikdwvmjcjissv.exe 5432 giwnkswz.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" vsmwemrjig.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" vsmwemrjig.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" vsmwemrjig.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" vsmwemrjig.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" vsmwemrjig.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" vsmwemrjig.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svqbscnj = "vsmwemrjig.exe" ybavqkfdygqgvxf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gbowbqks = "ybavqkfdygqgvxf.exe" ybavqkfdygqgvxf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "ikdwvmjcjissv.exe" ybavqkfdygqgvxf.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\l: giwnkswz.exe File opened (read-only) \??\g: giwnkswz.exe File opened (read-only) \??\o: giwnkswz.exe File opened (read-only) \??\e: giwnkswz.exe File opened (read-only) \??\b: vsmwemrjig.exe File opened (read-only) \??\s: vsmwemrjig.exe File opened (read-only) \??\a: giwnkswz.exe File opened (read-only) \??\b: giwnkswz.exe File opened (read-only) \??\q: giwnkswz.exe File opened (read-only) \??\u: vsmwemrjig.exe File opened (read-only) \??\x: vsmwemrjig.exe File opened (read-only) \??\a: giwnkswz.exe File opened (read-only) \??\g: giwnkswz.exe File opened (read-only) \??\w: giwnkswz.exe File opened (read-only) \??\l: vsmwemrjig.exe File opened (read-only) \??\r: vsmwemrjig.exe File opened (read-only) \??\y: vsmwemrjig.exe File opened (read-only) \??\o: giwnkswz.exe File opened (read-only) \??\z: giwnkswz.exe File opened (read-only) \??\m: vsmwemrjig.exe File opened (read-only) \??\l: giwnkswz.exe File opened (read-only) \??\w: giwnkswz.exe File opened (read-only) \??\s: giwnkswz.exe File opened (read-only) \??\y: giwnkswz.exe File opened (read-only) \??\t: vsmwemrjig.exe File opened (read-only) \??\i: giwnkswz.exe File opened (read-only) \??\t: giwnkswz.exe File opened (read-only) \??\v: giwnkswz.exe File opened (read-only) \??\r: giwnkswz.exe File opened (read-only) \??\w: vsmwemrjig.exe File opened (read-only) \??\v: vsmwemrjig.exe File opened (read-only) \??\b: giwnkswz.exe File opened (read-only) \??\j: vsmwemrjig.exe File opened (read-only) \??\q: vsmwemrjig.exe File opened (read-only) \??\m: giwnkswz.exe File opened (read-only) \??\t: giwnkswz.exe File opened (read-only) \??\o: vsmwemrjig.exe File opened (read-only) \??\s: giwnkswz.exe File opened (read-only) \??\k: vsmwemrjig.exe File opened (read-only) \??\p: vsmwemrjig.exe File opened (read-only) \??\z: vsmwemrjig.exe File opened (read-only) \??\r: giwnkswz.exe File opened (read-only) \??\j: giwnkswz.exe File opened (read-only) \??\m: giwnkswz.exe File opened (read-only) \??\i: vsmwemrjig.exe File opened (read-only) \??\k: giwnkswz.exe File opened (read-only) \??\p: giwnkswz.exe File opened (read-only) \??\x: giwnkswz.exe File opened (read-only) \??\n: vsmwemrjig.exe File opened (read-only) \??\h: giwnkswz.exe File opened (read-only) \??\x: giwnkswz.exe File opened (read-only) \??\h: giwnkswz.exe File opened (read-only) \??\i: giwnkswz.exe File opened (read-only) \??\n: giwnkswz.exe File opened (read-only) \??\v: giwnkswz.exe File opened (read-only) \??\a: vsmwemrjig.exe File opened (read-only) \??\j: giwnkswz.exe File opened (read-only) \??\u: giwnkswz.exe File opened (read-only) \??\g: vsmwemrjig.exe File opened (read-only) \??\e: giwnkswz.exe File opened (read-only) \??\q: giwnkswz.exe File opened (read-only) \??\u: giwnkswz.exe File opened (read-only) \??\z: giwnkswz.exe File opened (read-only) \??\k: giwnkswz.exe -
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" vsmwemrjig.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" vsmwemrjig.exe -
AutoIT Executable 10 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral2/memory/4620-0-0x0000000000400000-0x0000000000496000-memory.dmp autoit_exe behavioral2/files/0x0008000000023268-5.dat autoit_exe behavioral2/files/0x0008000000023266-18.dat autoit_exe behavioral2/files/0x000700000002326a-29.dat autoit_exe behavioral2/files/0x0007000000023269-31.dat autoit_exe behavioral2/files/0x0003000000000711-69.dat autoit_exe behavioral2/files/0x0007000000023274-64.dat autoit_exe behavioral2/files/0x000200000001eab3-87.dat autoit_exe behavioral2/files/0x000300000000070f-93.dat autoit_exe behavioral2/files/0x000300000000070f-96.dat autoit_exe -
Drops file in System32 directory 13 IoCs
description ioc Process File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe giwnkswz.exe File opened for modification C:\Windows\SysWOW64\ybavqkfdygqgvxf.exe 7d48f64289fcefd49eed1118d6aecd46_JaffaCakes118.exe File created C:\Windows\SysWOW64\giwnkswz.exe 7d48f64289fcefd49eed1118d6aecd46_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll vsmwemrjig.exe File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe giwnkswz.exe File opened for modification C:\Windows\SysWOW64\vsmwemrjig.exe 7d48f64289fcefd49eed1118d6aecd46_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\giwnkswz.exe 7d48f64289fcefd49eed1118d6aecd46_JaffaCakes118.exe File created C:\Windows\SysWOW64\ikdwvmjcjissv.exe 7d48f64289fcefd49eed1118d6aecd46_JaffaCakes118.exe File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe giwnkswz.exe File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe giwnkswz.exe File created C:\Windows\SysWOW64\vsmwemrjig.exe 7d48f64289fcefd49eed1118d6aecd46_JaffaCakes118.exe File created C:\Windows\SysWOW64\ybavqkfdygqgvxf.exe 7d48f64289fcefd49eed1118d6aecd46_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\ikdwvmjcjissv.exe 7d48f64289fcefd49eed1118d6aecd46_JaffaCakes118.exe -
Drops file in Program Files directory 14 IoCs
description ioc Process File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal giwnkswz.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe giwnkswz.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe giwnkswz.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe giwnkswz.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal giwnkswz.exe File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe giwnkswz.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal giwnkswz.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe giwnkswz.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe giwnkswz.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal giwnkswz.exe File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe giwnkswz.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe giwnkswz.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe giwnkswz.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe giwnkswz.exe -
Drops file in Windows directory 3 IoCs
description ioc Process File opened for modification C:\Windows\mydoc.rtf 7d48f64289fcefd49eed1118d6aecd46_JaffaCakes118.exe File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE File created C:\Windows\~$mydoc.rtf WINWORD.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE -
Modifies registry class 20 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BBCFACDF917F2E4840E3B4A869D3995B3FD02884269033EE2C845E808D3" 7d48f64289fcefd49eed1118d6aecd46_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB5B158449039EC53C5B9D13392D4CC" 7d48f64289fcefd49eed1118d6aecd46_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "183EC60815EDDBC7B8BD7FE5ED9537CA" 7d48f64289fcefd49eed1118d6aecd46_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs vsmwemrjig.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf vsmwemrjig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" vsmwemrjig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F268B3FF1C21DAD173D0D48A0C9160" 7d48f64289fcefd49eed1118d6aecd46_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat vsmwemrjig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" vsmwemrjig.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh vsmwemrjig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" vsmwemrjig.exe Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes 7d48f64289fcefd49eed1118d6aecd46_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg vsmwemrjig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" vsmwemrjig.exe Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings 7d48f64289fcefd49eed1118d6aecd46_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32452D7B9C2482586A4276DD77242CAD7D8764DE" 7d48f64289fcefd49eed1118d6aecd46_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF8FF8C485F826F9045D72A7DE6BDEEE141593766446246D6E9" 7d48f64289fcefd49eed1118d6aecd46_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc vsmwemrjig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" vsmwemrjig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" vsmwemrjig.exe -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 5424 WINWORD.EXE 5424 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4620 7d48f64289fcefd49eed1118d6aecd46_JaffaCakes118.exe 4620 7d48f64289fcefd49eed1118d6aecd46_JaffaCakes118.exe 4620 7d48f64289fcefd49eed1118d6aecd46_JaffaCakes118.exe 4620 7d48f64289fcefd49eed1118d6aecd46_JaffaCakes118.exe 4620 7d48f64289fcefd49eed1118d6aecd46_JaffaCakes118.exe 4620 7d48f64289fcefd49eed1118d6aecd46_JaffaCakes118.exe 4620 7d48f64289fcefd49eed1118d6aecd46_JaffaCakes118.exe 4620 7d48f64289fcefd49eed1118d6aecd46_JaffaCakes118.exe 4620 7d48f64289fcefd49eed1118d6aecd46_JaffaCakes118.exe 4620 7d48f64289fcefd49eed1118d6aecd46_JaffaCakes118.exe 4620 7d48f64289fcefd49eed1118d6aecd46_JaffaCakes118.exe 4620 7d48f64289fcefd49eed1118d6aecd46_JaffaCakes118.exe 4620 7d48f64289fcefd49eed1118d6aecd46_JaffaCakes118.exe 4620 7d48f64289fcefd49eed1118d6aecd46_JaffaCakes118.exe 4620 7d48f64289fcefd49eed1118d6aecd46_JaffaCakes118.exe 4620 7d48f64289fcefd49eed1118d6aecd46_JaffaCakes118.exe 4596 vsmwemrjig.exe 4596 vsmwemrjig.exe 4596 vsmwemrjig.exe 4596 vsmwemrjig.exe 4596 vsmwemrjig.exe 4596 vsmwemrjig.exe 4596 vsmwemrjig.exe 4596 vsmwemrjig.exe 4596 vsmwemrjig.exe 4596 vsmwemrjig.exe 1924 ybavqkfdygqgvxf.exe 1924 ybavqkfdygqgvxf.exe 1924 ybavqkfdygqgvxf.exe 1924 ybavqkfdygqgvxf.exe 1924 ybavqkfdygqgvxf.exe 1924 ybavqkfdygqgvxf.exe 4972 giwnkswz.exe 1924 ybavqkfdygqgvxf.exe 4972 giwnkswz.exe 1924 ybavqkfdygqgvxf.exe 4972 giwnkswz.exe 4972 giwnkswz.exe 4972 giwnkswz.exe 4972 giwnkswz.exe 4972 giwnkswz.exe 4972 giwnkswz.exe 1924 ybavqkfdygqgvxf.exe 1924 ybavqkfdygqgvxf.exe 1952 ikdwvmjcjissv.exe 1952 ikdwvmjcjissv.exe 1952 ikdwvmjcjissv.exe 1952 ikdwvmjcjissv.exe 1952 ikdwvmjcjissv.exe 1952 ikdwvmjcjissv.exe 1952 ikdwvmjcjissv.exe 1952 ikdwvmjcjissv.exe 1952 ikdwvmjcjissv.exe 1952 ikdwvmjcjissv.exe 1952 ikdwvmjcjissv.exe 1952 ikdwvmjcjissv.exe 1924 ybavqkfdygqgvxf.exe 1924 ybavqkfdygqgvxf.exe 1952 ikdwvmjcjissv.exe 1952 ikdwvmjcjissv.exe 1952 ikdwvmjcjissv.exe 1952 ikdwvmjcjissv.exe 5432 giwnkswz.exe 5432 giwnkswz.exe -
Suspicious use of FindShellTrayWindow 18 IoCs
pid Process 4620 7d48f64289fcefd49eed1118d6aecd46_JaffaCakes118.exe 4620 7d48f64289fcefd49eed1118d6aecd46_JaffaCakes118.exe 4620 7d48f64289fcefd49eed1118d6aecd46_JaffaCakes118.exe 4596 vsmwemrjig.exe 4596 vsmwemrjig.exe 4596 vsmwemrjig.exe 1924 ybavqkfdygqgvxf.exe 4972 giwnkswz.exe 1952 ikdwvmjcjissv.exe 1924 ybavqkfdygqgvxf.exe 4972 giwnkswz.exe 1952 ikdwvmjcjissv.exe 1924 ybavqkfdygqgvxf.exe 4972 giwnkswz.exe 1952 ikdwvmjcjissv.exe 5432 giwnkswz.exe 5432 giwnkswz.exe 5432 giwnkswz.exe -
Suspicious use of SendNotifyMessage 18 IoCs
pid Process 4620 7d48f64289fcefd49eed1118d6aecd46_JaffaCakes118.exe 4620 7d48f64289fcefd49eed1118d6aecd46_JaffaCakes118.exe 4620 7d48f64289fcefd49eed1118d6aecd46_JaffaCakes118.exe 4596 vsmwemrjig.exe 4596 vsmwemrjig.exe 4596 vsmwemrjig.exe 1924 ybavqkfdygqgvxf.exe 4972 giwnkswz.exe 1952 ikdwvmjcjissv.exe 1924 ybavqkfdygqgvxf.exe 4972 giwnkswz.exe 1952 ikdwvmjcjissv.exe 1924 ybavqkfdygqgvxf.exe 4972 giwnkswz.exe 1952 ikdwvmjcjissv.exe 5432 giwnkswz.exe 5432 giwnkswz.exe 5432 giwnkswz.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process 5424 WINWORD.EXE 5424 WINWORD.EXE 5424 WINWORD.EXE 5424 WINWORD.EXE 5424 WINWORD.EXE 5424 WINWORD.EXE 5424 WINWORD.EXE -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target PID 4620 wrote to memory of 4596 4620 7d48f64289fcefd49eed1118d6aecd46_JaffaCakes118.exe 91 PID 4620 wrote to memory of 4596 4620 7d48f64289fcefd49eed1118d6aecd46_JaffaCakes118.exe 91 PID 4620 wrote to memory of 4596 4620 7d48f64289fcefd49eed1118d6aecd46_JaffaCakes118.exe 91 PID 4620 wrote to memory of 1924 4620 7d48f64289fcefd49eed1118d6aecd46_JaffaCakes118.exe 92 PID 4620 wrote to memory of 1924 4620 7d48f64289fcefd49eed1118d6aecd46_JaffaCakes118.exe 92 PID 4620 wrote to memory of 1924 4620 7d48f64289fcefd49eed1118d6aecd46_JaffaCakes118.exe 92 PID 4620 wrote to memory of 4972 4620 7d48f64289fcefd49eed1118d6aecd46_JaffaCakes118.exe 93 PID 4620 wrote to memory of 4972 4620 7d48f64289fcefd49eed1118d6aecd46_JaffaCakes118.exe 93 PID 4620 wrote to memory of 4972 4620 7d48f64289fcefd49eed1118d6aecd46_JaffaCakes118.exe 93 PID 4620 wrote to memory of 1952 4620 7d48f64289fcefd49eed1118d6aecd46_JaffaCakes118.exe 94 PID 4620 wrote to memory of 1952 4620 7d48f64289fcefd49eed1118d6aecd46_JaffaCakes118.exe 94 PID 4620 wrote to memory of 1952 4620 7d48f64289fcefd49eed1118d6aecd46_JaffaCakes118.exe 94 PID 4596 wrote to memory of 5432 4596 vsmwemrjig.exe 95 PID 4596 wrote to memory of 5432 4596 vsmwemrjig.exe 95 PID 4596 wrote to memory of 5432 4596 vsmwemrjig.exe 95 PID 4620 wrote to memory of 5424 4620 7d48f64289fcefd49eed1118d6aecd46_JaffaCakes118.exe 96 PID 4620 wrote to memory of 5424 4620 7d48f64289fcefd49eed1118d6aecd46_JaffaCakes118.exe 96
Processes
-
C:\Users\Admin\AppData\Local\Temp\7d48f64289fcefd49eed1118d6aecd46_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\7d48f64289fcefd49eed1118d6aecd46_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4620 -
C:\Windows\SysWOW64\vsmwemrjig.exevsmwemrjig.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4596 -
C:\Windows\SysWOW64\giwnkswz.exeC:\Windows\system32\giwnkswz.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5432
-
-
-
C:\Windows\SysWOW64\ybavqkfdygqgvxf.exeybavqkfdygqgvxf.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1924
-
-
C:\Windows\SysWOW64\giwnkswz.exegiwnkswz.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4972
-
-
C:\Windows\SysWOW64\ikdwvmjcjissv.exeikdwvmjcjissv.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1952
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""2⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:5424
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4472 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:81⤵PID:5124
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
2Disable or Modify Tools
2Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
512KB
MD554371674915ed187aa61230630049da2
SHA18d49a23f521bc2149f3a6963688ecb3bd2782f1d
SHA2565bd38df66ea7263555c24250b3b9f9584e1e2e823752606be07ecfe5ead96c86
SHA512f730a49e1290e09b4a7362cb4e1e8768dcfc976b5b4bfae13a930d0ab199f6568eda7347bf18a655240d788d11c74605f6f4655e6ab519acdf31c78f2dc43180
-
Filesize
512KB
MD5c76c084eee2c4444609b23b7ff96b537
SHA158575e5a3ca5a1e82929a9503a1e9e6553c93c56
SHA256c0c3ce20dd7bd02654d154b1c4b9704c02006ba65f5415e3a8dfab62df6e18dd
SHA512263a612b0bc3f5a490800326b0730343b5de19452fda5b1af6752ed36d0e57f3b7d0800f967eb3b0dae81dfecd46e61f81dcccb9ea162ba9ccd15600cd95194e
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize3KB
MD58a9b2cb3aa36ff16e6403847ec43fb68
SHA11942f2446d8997322f26c09cb13fe6bec6f04016
SHA256aab0c146c274f465e1639c8dc665cf6185a33d2673ff872df7634e3f2b8e6c48
SHA512307ed49fb85ef434ae561890d931f61b6c5c93470b65b8a2559523146b6019cb767c46c3eec406e68d7f8699ea0d311e568c659315018ad61373419e8fff4f29
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize3KB
MD52e14127e2080d276d116321cc334a81b
SHA1247b3b64008617c308eaf183cb6d44795ab82946
SHA256e477c6d63190f0bc6cb0e0a057feaa9013bb888696e988974b79bd2eeb60f333
SHA5126113478ef45b4e4480a762e59920d1be0953dca511da0552910ce86d5846ef536d444c88d4236bc2a90119a602f21cad33573ea79229d401f54d8e41f287d071
-
Filesize
512KB
MD546834b12023290d8e1cb06bed3841777
SHA19e1fdc9bf5fd79b8513f225dc4dc4f25bebef06f
SHA2560f550134fb32e4ad76144290c7bce69de02636cefcc5e14801a9ea72298a703d
SHA512075d1664e4dd51b817487c1f81a81a876f99e96971aa125f40d0d8821bebfd003a3eb1644f52849ded1ed8b94cd158e2526486e24c95043b303278d872bf78ea
-
Filesize
512KB
MD5d3584fedec48c87555561ac02eebcaa2
SHA1d69951e7cf3993a01998d20d8e3b6b901507efe1
SHA256bfa1a9e7460e7aa3cce26189409e75d2ecead72edf2c808920a478da2119480b
SHA5124a716e99c29b1786eea610aa5ceda480c5d4242cae1f31cfa373359623b9111a7c964e0c472af3663075e794c1d6f7d3694405148f837b925358a9d31e413282
-
Filesize
512KB
MD56db4edd5259c91ac4e9d0e18701c75da
SHA1d35a2de2f81fdec1970465bce86303c009bcf491
SHA256a86a5dd0854f7a116aa121b76dfd5120a6d70bd605ddf3b5cd4207a1da2fe50b
SHA51254fbf6733f636767fdbdf851bf12614d8146a870ae633ef56956a5bb6ff8bb9449d78dfc2073af1cba4588e428a486c9421f1b0c92bb74411d8e88029ce5ccc5
-
Filesize
512KB
MD5b2b02bd1c6729b2e7adf2035477177b4
SHA179b6199598e51bd09b7bff38b1f839e89a70fd1d
SHA256299376fbfb9a06319d0c7a224f1c8e28a87655fee725eaf5951452e83323fb95
SHA512a4b00f2ce32c7b36ab30c0c369d4b95a6f19329672a9e0ff72019c306d9ab46c79886a8d990eb46cc782a5a2b5e21022eddf196d2088c7fbf682275affe88c75
-
Filesize
512KB
MD5f1c7e8b4dc2c1ab41129e32980f58151
SHA1edfade2ea84a94f32a388614faf1a14ff0a778b5
SHA256389a9dbb9483fea7eab4012a799fbd4b1e72f9e5b5b9a17956fc3b056e9eab5f
SHA5125bea08884edba9334e883c8d4df31f9f935458010f4a4bc2a89fcda697587a69cf1ade80900902fa8bac62ff2e54b22c2c39e8940950683c155a2a85ca93ecfd
-
Filesize
223B
MD506604e5941c126e2e7be02c5cd9f62ec
SHA14eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA25685f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
Filesize
512KB
MD5e0977a803dbcb4a7656750788ce171f5
SHA1d7c867a40e534a9d84c36c0f561a0eb691787237
SHA2563372c79a11a210ffaa41af501d873a19c9aa2fe6696484bb55644ecd59cbadec
SHA51225c67a959a21df721597c39792d7d91a7f219981140cefb5f6fc0539eafeb78c8880e106b25d8b755d3de624fc1f60cac0df7d2d30918bde3984388f7fe0ed1c
-
Filesize
512KB
MD5f43ba663b9b9eec3cf1e5717dfed0cff
SHA1a4828c64ef96fa0e0539584efd9470f88f4fb9eb
SHA2560bd13120aa20a957385fb802eeb3f2465c3c728c283ce38f1df3c7637f260954
SHA512b1a18f65dc6a93645c927582c56b4b48f500e24d61f00e5e87f41dd3be139b2135fc48cd1b36dad7206ebeed49ec4e76a920a40bb94274e00ce7759c0dc0f959