Analysis
-
max time kernel
150s -
max time network
136s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
30-05-2024 13:16
Static task
static1
Behavioral task
behavioral1
Sample
8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
-
Target
8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe
-
Size
512KB
-
MD5
8446c3639a6f4ec5a9935ce446ae2728
-
SHA1
9cc04840fadd4d6591ad87e40163ec9e571b7e27
-
SHA256
5e5cfe9f55fd36f4c0bab6ebad0d7e5dfa7749c94dcaed927697f3394fa1f933
-
SHA512
9466103187a0a1c857977cd5fefd342faea23ef287e332bb6b980a204b229f99f0adec80da801a4fd6675566952e62660d9935e02edd1dd952eeeff678ab70ca
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6w:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm57
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" pjfwyfudrg.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" pjfwyfudrg.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" pjfwyfudrg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" pjfwyfudrg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" pjfwyfudrg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" pjfwyfudrg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" pjfwyfudrg.exe -
Disables RegEdit via registry modification 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" pjfwyfudrg.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation 8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe -
Executes dropped EXE 5 IoCs
pid Process 5040 pjfwyfudrg.exe 4928 adinvvodyymxraw.exe 3788 wfofyuon.exe 800 umynkhngvsyxj.exe 5044 wfofyuon.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" pjfwyfudrg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" pjfwyfudrg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" pjfwyfudrg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" pjfwyfudrg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" pjfwyfudrg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" pjfwyfudrg.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yjkwvcpr = "pjfwyfudrg.exe" adinvvodyymxraw.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\osbmeplu = "adinvvodyymxraw.exe" adinvvodyymxraw.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "umynkhngvsyxj.exe" adinvvodyymxraw.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\s: wfofyuon.exe File opened (read-only) \??\v: wfofyuon.exe File opened (read-only) \??\y: wfofyuon.exe File opened (read-only) \??\o: pjfwyfudrg.exe File opened (read-only) \??\z: pjfwyfudrg.exe File opened (read-only) \??\y: wfofyuon.exe File opened (read-only) \??\s: wfofyuon.exe File opened (read-only) \??\b: pjfwyfudrg.exe File opened (read-only) \??\t: wfofyuon.exe File opened (read-only) \??\u: wfofyuon.exe File opened (read-only) \??\w: wfofyuon.exe File opened (read-only) \??\a: pjfwyfudrg.exe File opened (read-only) \??\a: wfofyuon.exe File opened (read-only) \??\r: wfofyuon.exe File opened (read-only) \??\g: wfofyuon.exe File opened (read-only) \??\p: wfofyuon.exe File opened (read-only) \??\p: pjfwyfudrg.exe File opened (read-only) \??\r: pjfwyfudrg.exe File opened (read-only) \??\e: wfofyuon.exe File opened (read-only) \??\q: wfofyuon.exe File opened (read-only) \??\t: wfofyuon.exe File opened (read-only) \??\w: wfofyuon.exe File opened (read-only) \??\i: pjfwyfudrg.exe File opened (read-only) \??\j: pjfwyfudrg.exe File opened (read-only) \??\m: wfofyuon.exe File opened (read-only) \??\r: wfofyuon.exe File opened (read-only) \??\e: wfofyuon.exe File opened (read-only) \??\k: wfofyuon.exe File opened (read-only) \??\g: pjfwyfudrg.exe File opened (read-only) \??\j: wfofyuon.exe File opened (read-only) \??\h: wfofyuon.exe File opened (read-only) \??\x: wfofyuon.exe File opened (read-only) \??\h: pjfwyfudrg.exe File opened (read-only) \??\k: pjfwyfudrg.exe File opened (read-only) \??\g: wfofyuon.exe File opened (read-only) \??\o: wfofyuon.exe File opened (read-only) \??\v: wfofyuon.exe File opened (read-only) \??\z: wfofyuon.exe File opened (read-only) \??\l: pjfwyfudrg.exe File opened (read-only) \??\j: wfofyuon.exe File opened (read-only) \??\u: wfofyuon.exe File opened (read-only) \??\y: pjfwyfudrg.exe File opened (read-only) \??\x: wfofyuon.exe File opened (read-only) \??\q: pjfwyfudrg.exe File opened (read-only) \??\s: pjfwyfudrg.exe File opened (read-only) \??\b: wfofyuon.exe File opened (read-only) \??\n: wfofyuon.exe File opened (read-only) \??\m: pjfwyfudrg.exe File opened (read-only) \??\n: pjfwyfudrg.exe File opened (read-only) \??\w: pjfwyfudrg.exe File opened (read-only) \??\x: pjfwyfudrg.exe File opened (read-only) \??\k: wfofyuon.exe File opened (read-only) \??\l: wfofyuon.exe File opened (read-only) \??\z: wfofyuon.exe File opened (read-only) \??\b: wfofyuon.exe File opened (read-only) \??\t: pjfwyfudrg.exe File opened (read-only) \??\v: pjfwyfudrg.exe File opened (read-only) \??\p: wfofyuon.exe File opened (read-only) \??\i: wfofyuon.exe File opened (read-only) \??\m: wfofyuon.exe File opened (read-only) \??\e: pjfwyfudrg.exe File opened (read-only) \??\i: wfofyuon.exe File opened (read-only) \??\l: wfofyuon.exe File opened (read-only) \??\n: wfofyuon.exe -
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" pjfwyfudrg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" pjfwyfudrg.exe -
AutoIT Executable 11 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral2/memory/2560-0-0x0000000000400000-0x0000000000496000-memory.dmp autoit_exe behavioral2/files/0x0007000000023443-5.dat autoit_exe behavioral2/files/0x000900000002343b-18.dat autoit_exe behavioral2/files/0x0007000000023444-26.dat autoit_exe behavioral2/files/0x0007000000023445-32.dat autoit_exe behavioral2/files/0x0007000000023451-75.dat autoit_exe behavioral2/files/0x000800000002336b-73.dat autoit_exe behavioral2/files/0x001900000002295c-79.dat autoit_exe behavioral2/files/0x0003000000022994-86.dat autoit_exe behavioral2/files/0x000a00000002348d-575.dat autoit_exe behavioral2/files/0x000a00000002348d-586.dat autoit_exe -
Drops file in System32 directory 12 IoCs
description ioc Process File created C:\Windows\SysWOW64\adinvvodyymxraw.exe 8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\wfofyuon.exe 8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\umynkhngvsyxj.exe 8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll pjfwyfudrg.exe File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe wfofyuon.exe File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe wfofyuon.exe File created C:\Windows\SysWOW64\pjfwyfudrg.exe 8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\pjfwyfudrg.exe 8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\adinvvodyymxraw.exe 8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe File created C:\Windows\SysWOW64\wfofyuon.exe 8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe File created C:\Windows\SysWOW64\umynkhngvsyxj.exe 8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe wfofyuon.exe -
Drops file in Program Files directory 14 IoCs
description ioc Process File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe wfofyuon.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe wfofyuon.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe wfofyuon.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe wfofyuon.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe wfofyuon.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe wfofyuon.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal wfofyuon.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe wfofyuon.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe wfofyuon.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal wfofyuon.exe File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe wfofyuon.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe wfofyuon.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal wfofyuon.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal wfofyuon.exe -
Drops file in Windows directory 19 IoCs
description ioc Process File created C:\Windows\~$mydoc.rtf WINWORD.EXE File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe wfofyuon.exe File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe wfofyuon.exe File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe wfofyuon.exe File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe wfofyuon.exe File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe wfofyuon.exe File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe wfofyuon.exe File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe wfofyuon.exe File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe wfofyuon.exe File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe wfofyuon.exe File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe wfofyuon.exe File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe wfofyuon.exe File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe wfofyuon.exe File opened for modification C:\Windows\mydoc.rtf 8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe wfofyuon.exe File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe wfofyuon.exe File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe wfofyuon.exe File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe wfofyuon.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Modifies registry class 20 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" pjfwyfudrg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg pjfwyfudrg.exe Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings 8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes 8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FF4FF8A4F29851F9133D72F7DE2BD95E6345844664E6236D79E" 8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184FC70B15E0DAB6B8C17FE4ED9237CC" 8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf pjfwyfudrg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" pjfwyfudrg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32432C0D9C5682586D3576D677232CDA7CF564DE" 8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh pjfwyfudrg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc pjfwyfudrg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" pjfwyfudrg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs pjfwyfudrg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" pjfwyfudrg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AB4FAB0F964F197840F3A4786ED3995B3FD03FD43650248E2CC429A09D4" 8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB5B12C47E1399D52BEB9D7329AD7C8" 8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat pjfwyfudrg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0816BC6FE6F22DFD109D0D48B799013" 8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" pjfwyfudrg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" pjfwyfudrg.exe -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 2400 WINWORD.EXE 2400 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2560 8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe 2560 8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe 2560 8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe 2560 8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe 2560 8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe 2560 8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe 2560 8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe 2560 8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe 2560 8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe 2560 8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe 2560 8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe 2560 8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe 2560 8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe 2560 8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe 2560 8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe 2560 8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe 5040 pjfwyfudrg.exe 5040 pjfwyfudrg.exe 5040 pjfwyfudrg.exe 5040 pjfwyfudrg.exe 5040 pjfwyfudrg.exe 5040 pjfwyfudrg.exe 5040 pjfwyfudrg.exe 5040 pjfwyfudrg.exe 5040 pjfwyfudrg.exe 5040 pjfwyfudrg.exe 4928 adinvvodyymxraw.exe 4928 adinvvodyymxraw.exe 4928 adinvvodyymxraw.exe 4928 adinvvodyymxraw.exe 4928 adinvvodyymxraw.exe 4928 adinvvodyymxraw.exe 4928 adinvvodyymxraw.exe 4928 adinvvodyymxraw.exe 3788 wfofyuon.exe 3788 wfofyuon.exe 3788 wfofyuon.exe 3788 wfofyuon.exe 3788 wfofyuon.exe 3788 wfofyuon.exe 3788 wfofyuon.exe 3788 wfofyuon.exe 4928 adinvvodyymxraw.exe 4928 adinvvodyymxraw.exe 800 umynkhngvsyxj.exe 800 umynkhngvsyxj.exe 800 umynkhngvsyxj.exe 800 umynkhngvsyxj.exe 800 umynkhngvsyxj.exe 800 umynkhngvsyxj.exe 800 umynkhngvsyxj.exe 800 umynkhngvsyxj.exe 800 umynkhngvsyxj.exe 800 umynkhngvsyxj.exe 800 umynkhngvsyxj.exe 800 umynkhngvsyxj.exe 5044 wfofyuon.exe 5044 wfofyuon.exe 5044 wfofyuon.exe 5044 wfofyuon.exe 5044 wfofyuon.exe 5044 wfofyuon.exe 5044 wfofyuon.exe 5044 wfofyuon.exe -
Suspicious use of FindShellTrayWindow 18 IoCs
pid Process 2560 8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe 2560 8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe 2560 8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe 5040 pjfwyfudrg.exe 4928 adinvvodyymxraw.exe 5040 pjfwyfudrg.exe 5040 pjfwyfudrg.exe 4928 adinvvodyymxraw.exe 4928 adinvvodyymxraw.exe 3788 wfofyuon.exe 3788 wfofyuon.exe 3788 wfofyuon.exe 800 umynkhngvsyxj.exe 800 umynkhngvsyxj.exe 800 umynkhngvsyxj.exe 5044 wfofyuon.exe 5044 wfofyuon.exe 5044 wfofyuon.exe -
Suspicious use of SendNotifyMessage 18 IoCs
pid Process 2560 8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe 2560 8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe 2560 8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe 5040 pjfwyfudrg.exe 4928 adinvvodyymxraw.exe 5040 pjfwyfudrg.exe 5040 pjfwyfudrg.exe 4928 adinvvodyymxraw.exe 4928 adinvvodyymxraw.exe 3788 wfofyuon.exe 3788 wfofyuon.exe 3788 wfofyuon.exe 800 umynkhngvsyxj.exe 800 umynkhngvsyxj.exe 800 umynkhngvsyxj.exe 5044 wfofyuon.exe 5044 wfofyuon.exe 5044 wfofyuon.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process 2400 WINWORD.EXE 2400 WINWORD.EXE 2400 WINWORD.EXE 2400 WINWORD.EXE 2400 WINWORD.EXE 2400 WINWORD.EXE 2400 WINWORD.EXE -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target PID 2560 wrote to memory of 5040 2560 8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe 82 PID 2560 wrote to memory of 5040 2560 8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe 82 PID 2560 wrote to memory of 5040 2560 8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe 82 PID 2560 wrote to memory of 4928 2560 8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe 83 PID 2560 wrote to memory of 4928 2560 8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe 83 PID 2560 wrote to memory of 4928 2560 8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe 83 PID 2560 wrote to memory of 3788 2560 8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe 84 PID 2560 wrote to memory of 3788 2560 8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe 84 PID 2560 wrote to memory of 3788 2560 8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe 84 PID 2560 wrote to memory of 800 2560 8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe 85 PID 2560 wrote to memory of 800 2560 8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe 85 PID 2560 wrote to memory of 800 2560 8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe 85 PID 5040 wrote to memory of 5044 5040 pjfwyfudrg.exe 86 PID 5040 wrote to memory of 5044 5040 pjfwyfudrg.exe 86 PID 5040 wrote to memory of 5044 5040 pjfwyfudrg.exe 86 PID 2560 wrote to memory of 2400 2560 8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe 87 PID 2560 wrote to memory of 2400 2560 8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe 87
Processes
-
C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\8446c3639a6f4ec5a9935ce446ae2728_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2560 -
C:\Windows\SysWOW64\pjfwyfudrg.exepjfwyfudrg.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5040 -
C:\Windows\SysWOW64\wfofyuon.exeC:\Windows\system32\wfofyuon.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5044
-
-
-
C:\Windows\SysWOW64\adinvvodyymxraw.exeadinvvodyymxraw.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4928
-
-
C:\Windows\SysWOW64\wfofyuon.exewfofyuon.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3788
-
-
C:\Windows\SysWOW64\umynkhngvsyxj.exeumynkhngvsyxj.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:800
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""2⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2400
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
2Disable or Modify Tools
2Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
512KB
MD5e5bb41c30caa3757ff99fecbd8ab0650
SHA153c6c14f9114d4bf9f203182c0646adeda67aeb6
SHA2564003cb5eaa110e4d6d512b9df9840acffefe1c8808fb576ab77f5f977859549f
SHA51294f13b4a9e42e9b9af7d766a5e436d5da6dac8f46569e6304b4eb274884de7a99723e5b072ba4bae6a0df3e3d526b1fdd2a1b4fb802071389a64c7ec2c433570
-
Filesize
512KB
MD52d7665f0f2b12f30326913a5f6cfeac5
SHA1461b263f93cabbc356cd6e56e9e72e3b0e90f90b
SHA256d702607e7539d47908e11f9e51a168f555337f5ad568d70bbba8e1310bb290fe
SHA51278e507d17888cb96150724bfab056b84b90b8d971f520f13c187d88353830f292702f114ac8c33276e1ced032b604bbce3a29b83984efc2495564ca79dab2b92
-
Filesize
263KB
MD5ff0e07eff1333cdf9fc2523d323dd654
SHA177a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA2563f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d
-
Filesize
239B
MD512b138a5a40ffb88d1850866bf2959cd
SHA157001ba2de61329118440de3e9f8a81074cb28a2
SHA2569def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA5129f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize3KB
MD5594ad1ff4dfa1e95be01dc288bcc115d
SHA1dc4549ae523f7289276131789ae3484e196d330e
SHA25609a2d33f4d346420e22fcaf484b9a746c7c56a81fdc2e529d52cd5c5521691f0
SHA5121c7d198d374dd5f812d5cc7c3e3c572962d497dd41c1d7161c2db5db46182581db824b6a306967729f23f71bc6d8419e6e7f69d5e4a865944a4986ac796d4b49
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize3KB
MD53ca6f369647deca4e9dd8820d76629cf
SHA1a2bc8f17db965a63e936495c7162a4c88996ebf5
SHA25673d25fdeb00b06ec80d071aa1436bfe46c0f7a62c501b6d37abfb58ee8c719ab
SHA51209f5cb7aaa01b93fd7ba9a0daa55c5c9eeb8d5e349b19feaaaa115e1e4b56a93bb6873d9ddefbc37eee7064b12ff003bdf9a254522e6d8a2145c04b38c41820a
-
Filesize
512KB
MD576f120767dda4870d2f70a0cc36eb1ed
SHA10c0f177afd006fb7c881d7c2ae69342bde3cbf87
SHA2565a0e686675f54411f0eaa50e9ed1878e070d85c3e72430892219625040cef9e1
SHA512e9945bd0c9a9994dc57311f3572ccd9e5629dd2dd623134d6cbd6e312bd074fb1c87a00cefcccc18fef2b5a023e04b4695861f3c11ce431467d6caeb501b0e7b
-
Filesize
512KB
MD575891ff33505abd63e1d817fcc6b2203
SHA13ed0b3d67627930063e1fb20779b35a3e83f5c0f
SHA2565c1f27118d72577fc1d94af952a98effd79cc9f5e61b239829c6810f471593fe
SHA5123cc7c09b8de9877b6cf7c9ea72379146801393c8b0a11598a8d3d2cecd6d3b64da67d4a7a9a7df11d562e6f58c46ffb8a6d200ab230899809bdfe0b9a7bd653a
-
Filesize
512KB
MD53b7ecebd45af6f5d36e9b02db9730bc8
SHA1c04a0c3f770c782e5592ad623d5675d337159d66
SHA256e3d46217de88932da2f3352ba561e868036241665191752c8ab92bc6e5c70525
SHA512eb59bf11745edf9b1cb799c3ae538a88397a02a36000a7162c064515ab2603356b9b043a9b4c27a7a9f4f60b21b76e05f1beff412cb3e2a506b2fab90b327b8a
-
Filesize
512KB
MD5816e3c3b5a8d48232cfd37e9920195b8
SHA158327415e300ab33aab75a6a08f3d2a3e06bc872
SHA256dc21bd75c220d3c4b163e596a35acda5c49bc3697af7023df4ee6e5b8f0004f4
SHA512550208a0c38bf146c568c22c18ecfb91b1d07146bbc55ecefc2ce51327071fbfb1b2be73999eb82eff47d3117967f433f9a6101b110bb09fd4a639d07092a872
-
Filesize
512KB
MD53630b8327ef7583c7d3f307c9dcff27f
SHA19d7192260a78038c343d52dd0010e1b42a3e9d08
SHA2568588b60f9bc752a85cfe43432315fa6a42616f6750e9d2a4bf876a757a22c9bd
SHA512b42d55496f4aaee58fb01da3b452821db3a5ea3ba757137efb99fec1604dc6156323740fa7e3c2b1d3184d07012217dfe099eac1048c3ee9b2af350eea4c4c6f
-
Filesize
512KB
MD5c3abbce300cdc35909cf86c3e4dd1c68
SHA13fbb952df6accb8e158f6d4909f5ecd140b89dd0
SHA256b8de81be4b53ad63f662b9a7cecc302c0b56b84e055f2db56e73c95174dd5d19
SHA51236fed33385b630c0a516b26344f0c80186ba833f7659d1e36cf0105fedc02740c6693368e39e61458fbf8dff7a623a971e7e5cb1dd26e0afdf26cdc12ffdfa33
-
Filesize
223B
MD506604e5941c126e2e7be02c5cd9f62ec
SHA14eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA25685f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
Filesize
512KB
MD5dfc4889f7fb60fc651a87056093f85e6
SHA1132272f00a8a990a0b8319cd22d84ba7868718d8
SHA256aac8b3deafa10d3957622fa8341fe0bc7c6bc858cb5d1fd158e5019b84ef2899
SHA5121a38ae9be1aaabfde99402c8b410b24c4bf31ac7f90aca3d3b9543b743b6506935400b428fc3fe2605a9882635d3cacbf68d61ece3cd0d05bfd4a5d928d466d5
-
Filesize
512KB
MD506d6215360624cfb5210394a02bca60b
SHA166b835e2c15a1e60309a342731c597caf4d03e58
SHA256a0ad7db387d678eb0c7f95d44d5706b89927ebaed3133b8c503bdd6720c537fb
SHA51236a64dd17d8b5bd312e99d011409ab81fc460f795d071e06ef8681fe7a21fa5dfee9981f626bd642519648b2e4d5bdaeccebb6011374245f77c5cf372da0c0c0