Analysis
max time kernel: 151s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-05-2024 12:54

Static task: static1
Behavioral task: behavioral1
  Sample: 8437023424e0f53e8a652d88701e7240_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 8437023424e0f53e8a652d88701e7240_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
Target: 8437023424e0f53e8a652d88701e7240_JaffaCakes118.exe
Size: 512KB
MD5: 8437023424e0f53e8a652d88701e7240
SHA1: 483e53ba37d5904e305a12200d7f0c5a720553bc
SHA256: 7f9e9988c9257e0df31fa171726cb48a574652ee52440d75496d7c3855da0cbe
SHA512: 4b2d9546854a34649da34dc32c6a32a072920c92538dae9fba4aa8c058829d59f03faf666ad217ea31cf2665102e3eac33fa6666c1a359bcd4c1e3f0d2a3261d
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6A:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5P
Malware Config

Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | iqtgexxklp.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | iqtgexxklp.exe
Windows security bypass (5 IoCs)
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | iqtgexxklp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | iqtgexxklp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | iqtgexxklp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | iqtgexxklp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | iqtgexxklp.exe
Disables RegEdit via registry modification (1 IoC)
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | iqtgexxklp.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | 8437023424e0f53e8a652d88701e7240_JaffaCakes118.exe
Executes dropped EXE (5 IoCs)
pid | process
2476 | iqtgexxklp.exe
5100 | zhrfbugblvgfoiq.exe
2260 | dfqtwfku.exe
4800 | xcqlitvmysmlr.exe
1744 | dfqtwfku.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification (6 IoCs)
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | iqtgexxklp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | iqtgexxklp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | iqtgexxklp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | iqtgexxklp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | iqtgexxklp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | iqtgexxklp.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gremjysl = "iqtgexxklp.exe" | zhrfbugblvgfoiq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qankfnhv = "zhrfbugblvgfoiq.exe" | zhrfbugblvgfoiq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "xcqlitvmysmlr.exe" | zhrfbugblvgfoiq.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | process
File opened (read-only) | \??\r: | dfqtwfku.exe
File opened (read-only) | \??\b: | iqtgexxklp.exe
File opened (read-only) | \??\e: | iqtgexxklp.exe
File opened (read-only) | \??\b: | dfqtwfku.exe
File opened (read-only) | \??\z: | dfqtwfku.exe
File opened (read-only) | \??\j: | dfqtwfku.exe
File opened (read-only) | \??\k: | iqtgexxklp.exe
File opened (read-only) | \??\q: | dfqtwfku.exe
File opened (read-only) | \??\x: | dfqtwfku.exe
File opened (read-only) | \??\h: | iqtgexxklp.exe
File opened (read-only) | \??\q: | dfqtwfku.exe
File opened (read-only) | \??\r: | iqtgexxklp.exe
File opened (read-only) | \??\h: | dfqtwfku.exe
File opened (read-only) | \??\m: | dfqtwfku.exe
File opened (read-only) | \??\t: | iqtgexxklp.exe
File opened (read-only) | \??\l: | dfqtwfku.exe
File opened (read-only) | \??\i: | iqtgexxklp.exe
File opened (read-only) | \??\j: | iqtgexxklp.exe
File opened (read-only) | \??\o: | iqtgexxklp.exe
File opened (read-only) | \??\v: | iqtgexxklp.exe
File opened (read-only) | \??\l: | dfqtwfku.exe
File opened (read-only) | \??\p: | dfqtwfku.exe
File opened (read-only) | \??\i: | dfqtwfku.exe
File opened (read-only) | \??\x: | iqtgexxklp.exe
File opened (read-only) | \??\k: | dfqtwfku.exe
File opened (read-only) | \??\t: | dfqtwfku.exe
File opened (read-only) | \??\g: | dfqtwfku.exe
File opened (read-only) | \??\l: | iqtgexxklp.exe
File opened (read-only) | \??\p: | iqtgexxklp.exe
File opened (read-only) | \??\o: | dfqtwfku.exe
File opened (read-only) | \??\u: | dfqtwfku.exe
File opened (read-only) | \??\v: | dfqtwfku.exe
File opened (read-only) | \??\a: | dfqtwfku.exe
File opened (read-only) | \??\p: | dfqtwfku.exe
File opened (read-only) | \??\o: | dfqtwfku.exe
File opened (read-only) | \??\y: | dfqtwfku.exe
File opened (read-only) | \??\z: | dfqtwfku.exe
File opened (read-only) | \??\n: | dfqtwfku.exe
File opened (read-only) | \??\e: | dfqtwfku.exe
File opened (read-only) | \??\s: | dfqtwfku.exe
File opened (read-only) | \??\n: | iqtgexxklp.exe
File opened (read-only) | \??\z: | iqtgexxklp.exe
File opened (read-only) | \??\i: | dfqtwfku.exe
File opened (read-only) | \??\b: | dfqtwfku.exe
File opened (read-only) | \??\g: | iqtgexxklp.exe
File opened (read-only) | \??\u: | iqtgexxklp.exe
File opened (read-only) | \??\y: | iqtgexxklp.exe
File opened (read-only) | \??\w: | dfqtwfku.exe
File opened (read-only) | \??\w: | dfqtwfku.exe
File opened (read-only) | \??\y: | dfqtwfku.exe
File opened (read-only) | \??\u: | dfqtwfku.exe
File opened (read-only) | \??\g: | dfqtwfku.exe
File opened (read-only) | \??\r: | dfqtwfku.exe
File opened (read-only) | \??\m: | iqtgexxklp.exe
File opened (read-only) | \??\v: | dfqtwfku.exe
File opened (read-only) | \??\a: | iqtgexxklp.exe
File opened (read-only) | \??\s: | iqtgexxklp.exe
File opened (read-only) | \??\a: | dfqtwfku.exe
File opened (read-only) | \??\s: | dfqtwfku.exe
File opened (read-only) | \??\t: | dfqtwfku.exe
File opened (read-only) | \??\k: | dfqtwfku.exe
File opened (read-only) | \??\n: | dfqtwfku.exe
File opened (read-only) | \??\x: | dfqtwfku.exe
File opened (read-only) | \??\q: | iqtgexxklp.exe
Modifies WinLogon (2 TTPs, 2 IoCs)
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | iqtgexxklp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | iqtgexxklp.exe
AutoIT Executable (10 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/2648-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x0008000000023245-5.dat | autoit_exe
behavioral2/files/0x0008000000023243-19.dat | autoit_exe
behavioral2/files/0x0007000000023246-26.dat | autoit_exe
behavioral2/files/0x0007000000023247-31.dat | autoit_exe
behavioral2/files/0x0008000000022fe7-52.dat | autoit_exe
behavioral2/files/0x0008000000023100-58.dat | autoit_exe
behavioral2/files/0x000200000001e6f6-90.dat | autoit_exe
behavioral2/files/0x000a000000016fa5-96.dat | autoit_exe
behavioral2/files/0x000a000000016fa5-102.dat | autoit_exe
Drops file in System32 directory (13 IoCs)
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | iqtgexxklp.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | dfqtwfku.exe
File opened for modification | C:\Windows\SysWOW64\zhrfbugblvgfoiq.exe | 8437023424e0f53e8a652d88701e7240_JaffaCakes118.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | dfqtwfku.exe
File created | C:\Windows\SysWOW64\xcqlitvmysmlr.exe | 8437023424e0f53e8a652d88701e7240_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\iqtgexxklp.exe | 8437023424e0f53e8a652d88701e7240_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\zhrfbugblvgfoiq.exe | 8437023424e0f53e8a652d88701e7240_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\dfqtwfku.exe | 8437023424e0f53e8a652d88701e7240_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\dfqtwfku.exe | 8437023424e0f53e8a652d88701e7240_JaffaCakes118.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | dfqtwfku.exe
File created | C:\Windows\SysWOW64\iqtgexxklp.exe | 8437023424e0f53e8a652d88701e7240_JaffaCakes118.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | dfqtwfku.exe
File opened for modification | C:\Windows\SysWOW64\xcqlitvmysmlr.exe | 8437023424e0f53e8a652d88701e7240_JaffaCakes118.exe
Drops file in Program Files directory (14 IoCs)
description | ioc | process
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | dfqtwfku.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | dfqtwfku.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | dfqtwfku.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | dfqtwfku.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | dfqtwfku.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | dfqtwfku.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | dfqtwfku.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | dfqtwfku.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | dfqtwfku.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | dfqtwfku.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | dfqtwfku.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | dfqtwfku.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | dfqtwfku.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | dfqtwfku.exe
Drops file in Windows directory (3 IoCs)
description | ioc | process
File opened for modification | C:\Windows\mydoc.rtf | 8437023424e0f53e8a652d88701e7240_JaffaCakes118.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class (20 IoCs)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33352D799D2D83586A4277A7772E2CAE7D8265D9" | 8437023424e0f53e8a652d88701e7240_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB0B12C44EF389F52C9BAD4329ED4B8" | 8437023424e0f53e8a652d88701e7240_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | iqtgexxklp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | iqtgexxklp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FF9FFFF4F58851D9131D6587E93BDE0E640584467336332D6ED" | 8437023424e0f53e8a652d88701e7240_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1938C60915ECDAB0B8B97C93ED9637CF" | 8437023424e0f53e8a652d88701e7240_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | iqtgexxklp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | iqtgexxklp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | iqtgexxklp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | iqtgexxklp.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 8437023424e0f53e8a652d88701e7240_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F668B7FE1821ACD27AD1A78B7A9166" | 8437023424e0f53e8a652d88701e7240_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | iqtgexxklp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | iqtgexxklp.exe
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings | 8437023424e0f53e8a652d88701e7240_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BBFFABCFE16F1E4830B3A44869C3993B0FA038B4316033FE1B842E909D2" | 8437023424e0f53e8a652d88701e7240_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | iqtgexxklp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | iqtgexxklp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | iqtgexxklp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | iqtgexxklp.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid | process
4284 | WINWORD.EXE (×2)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | process (consecutive identical entries collapsed with their count)
2648 | 8437023424e0f53e8a652d88701e7240_JaffaCakes118.exe (×16)
2476 | iqtgexxklp.exe (×10)
2260 | dfqtwfku.exe (×8)
5100 | zhrfbugblvgfoiq.exe (×10)
4800 | xcqlitvmysmlr.exe (×12)
5100 | zhrfbugblvgfoiq.exe (×2)
4800 | xcqlitvmysmlr.exe (×4)
5100 | zhrfbugblvgfoiq.exe (×2)
Suspicious use of FindShellTrayWindow (18 IoCs)
pid | process (consecutive identical entries collapsed with their count)
2648 | 8437023424e0f53e8a652d88701e7240_JaffaCakes118.exe (×3)
2260 | dfqtwfku.exe
2476 | iqtgexxklp.exe
2260 | dfqtwfku.exe
2476 | iqtgexxklp.exe
2260 | dfqtwfku.exe
2476 | iqtgexxklp.exe
5100 | zhrfbugblvgfoiq.exe (×3)
4800 | xcqlitvmysmlr.exe (×3)
1744 | dfqtwfku.exe (×3)
Suspicious use of SendNotifyMessage (18 IoCs)
pid | process (consecutive identical entries collapsed with their count)
2648 | 8437023424e0f53e8a652d88701e7240_JaffaCakes118.exe (×3)
2260 | dfqtwfku.exe
2476 | iqtgexxklp.exe
2260 | dfqtwfku.exe
2476 | iqtgexxklp.exe
2260 | dfqtwfku.exe
2476 | iqtgexxklp.exe
5100 | zhrfbugblvgfoiq.exe (×3)
4800 | xcqlitvmysmlr.exe (×3)
1744 | dfqtwfku.exe (×3)
Suspicious use of SetWindowsHookEx (7 IoCs)
pid | process
4284 | WINWORD.EXE (×7)
Suspicious use of WriteProcessMemory (17 IoCs)
description | pid | process | procid_target (consecutive identical entries collapsed with their count)
PID 2648 wrote to memory of 2476 | 2648 | 8437023424e0f53e8a652d88701e7240_JaffaCakes118.exe | 91 (×3)
PID 2648 wrote to memory of 5100 | 2648 | 8437023424e0f53e8a652d88701e7240_JaffaCakes118.exe | 92 (×3)
PID 2648 wrote to memory of 2260 | 2648 | 8437023424e0f53e8a652d88701e7240_JaffaCakes118.exe | 93 (×3)
PID 2648 wrote to memory of 4800 | 2648 | 8437023424e0f53e8a652d88701e7240_JaffaCakes118.exe | 94 (×3)
PID 2476 wrote to memory of 1744 | 2476 | iqtgexxklp.exe | 95 (×3)
PID 2648 wrote to memory of 4284 | 2648 | 8437023424e0f53e8a652d88701e7240_JaffaCakes118.exe | 96 (×2)
Processes
(indentation shows the parent/child relationship; each entry gives the image path, the command line as observed, the PID and the signatures matched by that process)

C:\Users\Admin\AppData\Local\Temp\8437023424e0f53e8a652d88701e7240_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\8437023424e0f53e8a652d88701e7240_JaffaCakes118.exe"
PID: 2648
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\iqtgexxklp.exe
    Command line: iqtgexxklp.exe
    PID: 2476
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\dfqtwfku.exe
        Command line: C:\Windows\system32\dfqtwfku.exe
        PID: 1744
        - Executes dropped EXE
        - Enumerates connected drives
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage

    C:\Windows\SysWOW64\zhrfbugblvgfoiq.exe
    Command line: zhrfbugblvgfoiq.exe
    PID: 5100
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

    C:\Windows\SysWOW64\dfqtwfku.exe
    Command line: dfqtwfku.exe
    PID: 2260
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

    C:\Windows\SysWOW64\xcqlitvmysmlr.exe
    Command line: xcqlitvmysmlr.exe
    PID: 4800
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

    C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    PID: 4284
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3152 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8
PID: 3860
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)

Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)

Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads