Analysis
max time kernel: 150s
max time network: 129s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-05-2024 15:56

Static task: static1
Behavioral task: behavioral1
  Sample: 84b89e99ec7c94ec19537c8ffc9792cd_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 84b89e99ec7c94ec19537c8ffc9792cd_JaffaCakes118.exe
  Resource: win10v2004-20240508-en

General
Target: 84b89e99ec7c94ec19537c8ffc9792cd_JaffaCakes118.exe
Size: 512KB
MD5: 84b89e99ec7c94ec19537c8ffc9792cd
SHA1: 3bceef768d3db52a9f82c76c551504dc2dee53b9
SHA256: 1231fa461e42fd8a6b9f6474fed95f0b44e05f7f2c277212bd73662a00d88a8e
SHA512: 6814dcf9cbaf19dbb2ce7b4e4f881821621566ead756a71952ff22d6f86e34fe47d169df95e86f708c6c5333c6b06668a394e86e2f9d915ba2192c0c9524897d
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6s:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5H
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | mozvyrjdqd.exe

Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | mozvyrjdqd.exe

Windows security bypass 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | mozvyrjdqd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | mozvyrjdqd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | mozvyrjdqd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | mozvyrjdqd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | mozvyrjdqd.exe

Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | mozvyrjdqd.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | 84b89e99ec7c94ec19537c8ffc9792cd_JaffaCakes118.exe

Executes dropped EXE 5 IoCs
pid | Process
2968 | mozvyrjdqd.exe
2200 | wpjcitvqmjonfoq.exe
2616 | ogwgqlkp.exe
3616 | xcwwgdxwzgkyl.exe
5020 | ogwgqlkp.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | mozvyrjdqd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | mozvyrjdqd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | mozvyrjdqd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | mozvyrjdqd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | mozvyrjdqd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | mozvyrjdqd.exe

Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\atgmpcyx = "mozvyrjdqd.exe" | wpjcitvqmjonfoq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kfxzmrph = "wpjcitvqmjonfoq.exe" | wpjcitvqmjonfoq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "xcwwgdxwzgkyl.exe" | wpjcitvqmjonfoq.exe

Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\a: \??\b: \??\e: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\o: \??\p: \??\q: \??\r: \??\s: \??\t: \??\u: \??\v: \??\x: \??\y: \??\z: | mozvyrjdqd.exe (22 hits, one per letter)
File opened (read-only) | \??\a: \??\b: \??\e: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\o: \??\p: \??\q: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z: | ogwgqlkp.exe (42 hits; every letter except e, i, l and o appears twice)

Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | mozvyrjdqd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | mozvyrjdqd.exe
AutoIT Executable 10 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/3992-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x00070000000233e5-5.dat | autoit_exe
behavioral2/files/0x00080000000233e4-18.dat | autoit_exe
behavioral2/files/0x00070000000233e6-27.dat | autoit_exe
behavioral2/files/0x00070000000233e7-31.dat | autoit_exe
behavioral2/files/0x0002000000022999-68.dat | autoit_exe
behavioral2/files/0x00080000000233d7-73.dat | autoit_exe
behavioral2/files/0x0008000000022971-79.dat | autoit_exe
behavioral2/files/0x000f000000023369-100.dat | autoit_exe
behavioral2/files/0x000f000000023369-327.dat | autoit_exe

Drops file in System32 directory 12 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | mozvyrjdqd.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | ogwgqlkp.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | ogwgqlkp.exe
File created | C:\Windows\SysWOW64\mozvyrjdqd.exe | 84b89e99ec7c94ec19537c8ffc9792cd_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\mozvyrjdqd.exe | 84b89e99ec7c94ec19537c8ffc9792cd_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\wpjcitvqmjonfoq.exe | 84b89e99ec7c94ec19537c8ffc9792cd_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\ogwgqlkp.exe | 84b89e99ec7c94ec19537c8ffc9792cd_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\xcwwgdxwzgkyl.exe | 84b89e99ec7c94ec19537c8ffc9792cd_JaffaCakes118.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | ogwgqlkp.exe
File created | C:\Windows\SysWOW64\wpjcitvqmjonfoq.exe | 84b89e99ec7c94ec19537c8ffc9792cd_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\ogwgqlkp.exe | 84b89e99ec7c94ec19537c8ffc9792cd_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\xcwwgdxwzgkyl.exe | 84b89e99ec7c94ec19537c8ffc9792cd_JaffaCakes118.exe

Drops file in Program Files directory 15 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ogwgqlkp.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ogwgqlkp.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ogwgqlkp.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | ogwgqlkp.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | ogwgqlkp.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ogwgqlkp.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ogwgqlkp.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ogwgqlkp.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ogwgqlkp.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ogwgqlkp.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | ogwgqlkp.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ogwgqlkp.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ogwgqlkp.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ogwgqlkp.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | ogwgqlkp.exe

Drops file in Windows directory 19 IoCs
description | ioc | Process
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | ogwgqlkp.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | ogwgqlkp.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | ogwgqlkp.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | ogwgqlkp.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | ogwgqlkp.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | ogwgqlkp.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | ogwgqlkp.exe
File opened for modification | C:\Windows\mydoc.rtf | 84b89e99ec7c94ec19537c8ffc9792cd_JaffaCakes118.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | ogwgqlkp.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | ogwgqlkp.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | ogwgqlkp.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | ogwgqlkp.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | ogwgqlkp.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | ogwgqlkp.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | ogwgqlkp.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | ogwgqlkp.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | ogwgqlkp.exe
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Modifies registry class 20 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | mozvyrjdqd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | mozvyrjdqd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | mozvyrjdqd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BC9F9CBF967F1E383793A45819D3E90B0F902FE4367034EE1C842EF09D2" | 84b89e99ec7c94ec19537c8ffc9792cd_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC4B12D4490399E52CFBAA5329ED4BF" | 84b89e99ec7c94ec19537c8ffc9792cd_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FF9FFFF4F27826F9146D7587E9DBC95E641594067356237D798" | 84b89e99ec7c94ec19537c8ffc9792cd_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F068B1FE1A21ACD10BD0D48B099062" | 84b89e99ec7c94ec19537c8ffc9792cd_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | mozvyrjdqd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | mozvyrjdqd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "334E2C779D2382596D3577D270552CDA7C8F64DD" | 84b89e99ec7c94ec19537c8ffc9792cd_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184BC60C1493DBB1B8C97FE6EC9E34BA" | 84b89e99ec7c94ec19537c8ffc9792cd_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings | 84b89e99ec7c94ec19537c8ffc9792cd_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | mozvyrjdqd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | mozvyrjdqd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | mozvyrjdqd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | mozvyrjdqd.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 84b89e99ec7c94ec19537c8ffc9792cd_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | mozvyrjdqd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | mozvyrjdqd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | mozvyrjdqd.exe
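The registry entries under Modifies visibility of file extensions, Modifies visibility of hidden/system files, Windows security bypass/modification, Disables RegEdit, Adds Run key, Modifies WinLogon and Modifies registry class are all plain value writes, and they reinforce each other: with HideFileExt = "1" in force, the dropped PROTTPLN.DOC.exe and MsoIrmProtector.doc.exe are listed in Explorer as PROTTPLN.DOC and MsoIrmProtector.doc, and with .vbs/.bat/.reg/.wsf/.wsh/.wsc mapped to txtfile, any cleanup script a user double-clicks opens in Notepad instead of running. The Python below is an added example, not tooling from the sandbox or code from the sample: it parses a handful of those cells (copied from the tables above and embedded as constructed input), maps the \REGISTRY\MACHINE and \REGISTRY\USER\<SID> prefixes to HKLM/HKCU, and emits a .reg file that reverses the writes. The clean values it restores are this example's choices (the ProgIDs VBSFile, batfile, regfile, WSFFile, WSHFile and scriptletfile are assumed Windows 10 defaults; the Security Center, Winlogon SFC*, Policies and Run values are deleted; HideFileExt is set to 0 and ShowSuperHidden to 1). Two caveats a responder needs: the sample is a 32-bit process, so its HKLM writes landed under WOW6432Node and the .reg keeps that path rather than the native view (the same WOW64 redirection is why the child launched as C:\Windows\system32\ogwgqlkp.exe in the process tree resolves to C:\Windows\SysWOW64\ogwgqlkp.exe); and SFCDisable = "4294967197" is the unsigned rendering of 0xFFFFFF9D, the Windows 2000/XP-era Windows File Protection disable value, which Windows Resource Protection on Windows 10 does not honour.

```python
"""Reverse the registry writes listed in the report by emitting a .reg file.

Added example, not tooling from the sandbox or code from the sample. The input
is constructed by copying 'Set value' cells from the tables above; the clean
values written back are this example's own choices (see remediation()).
"""
import re
from collections import defaultdict

# Constructed input: one flattened "description ioc Process" cell per line.
SAMPLE_IOCS = r"""
Set value (int) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" mozvyrjdqd.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" mozvyrjdqd.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" mozvyrjdqd.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" mozvyrjdqd.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" mozvyrjdqd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\atgmpcyx = "mozvyrjdqd.exe" wpjcitvqmjonfoq.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" mozvyrjdqd.exe
"""

LINE = re.compile(r'^Set value \((int|str)\) (\\REGISTRY\\.+?) = "(.*?)" (\S+)$')

# Native hive prefixes as the sandbox's kernel monitor records them. The SID is
# the sandbox user's; on a real host substitute the victim user's hive.
HIVES = {
    "\\REGISTRY\\MACHINE\\": "HKEY_LOCAL_MACHINE\\",
    "\\REGISTRY\\USER\\S-1-5-21-3558294865-3673844354-2255444939-1000\\": "HKEY_CURRENT_USER\\",
}

# ProgIDs to restore for the script extensions the sample pointed at "txtfile"
# (assumed Windows 10 defaults; verify against a known-good host first).
PROGIDS = {".vbs": "VBSFile", ".bat": "batfile", ".reg": "regfile",
           ".wsf": "WSFFile", ".wsh": "WSHFile", ".wsc": "scriptletfile"}


def parse_ioc(line):
    """Return {key, name, value, process} for one cell, or None if not a Set value entry."""
    m = LINE.match(line.strip())
    if not m:
        return None
    kind, path, data, process = m.groups()
    for native, friendly in HIVES.items():
        if path.startswith(native):
            path = friendly + path[len(native):]
            break
    if path.endswith("\\"):          # trailing backslash: the key's (Default) value
        key, name = path[:-1], ""
    else:
        key, _, name = path.rpartition("\\")
    value = int(data) if kind == "int" else data
    return {"key": key, "name": name, "value": value, "process": process}


def as_signed_dword(n):
    """The monitor prints DWORDs unsigned: 4294967197 is 0xFFFFFF9D, i.e. -99."""
    n &= 0xFFFFFFFF
    return n - (1 << 32) if n & 0x80000000 else n


def remediation(ioc):
    """Decide what to write back: ('sz', progid), ('dword', n) or ('delete', None)."""
    leaf = ioc["key"].rsplit("\\", 1)[-1]
    if ioc["name"] == "" and leaf in PROGIDS:        # file-association hijack
        return ("sz", PROGIDS[leaf])
    if leaf == "Advanced" and ioc["name"] == "HideFileExt":
        return ("dword", 0)                           # show PROTTPLN.DOC.exe for what it is
    if leaf == "Advanced" and ioc["name"] == "ShowSuperHidden":
        return ("dword", 1)
    # Policies\System, Security Center overrides, Winlogon SFC* and Run entries
    # are absent on a clean install, so deleting the value restores the default.
    return ("delete", None)


def render_reg(iocs):
    """Group the remediation per key in regedit's .reg export format."""
    by_key = defaultdict(list)
    for ioc in iocs:
        by_key[ioc["key"]].append((ioc, remediation(ioc)))
    out = ["Windows Registry Editor Version 5.00", ""]
    for key in sorted(by_key):
        out.append(f"[{key}]")
        for ioc, (action, payload) in by_key[key]:
            label = "@" if ioc["name"] == "" else f'"{ioc["name"]}"'
            if action == "delete":
                out.append(f"{label}=-")
            elif action == "dword":
                out.append(f"{label}=dword:{payload:08x}")
            else:
                out.append(f'{label}="{payload}"')
        out.append("")
    return "\n".join(out)


def explorer_display_name(filename, hide_file_ext, registered=(".exe", ".doc", ".rtf")):
    """Explorer with HideFileExt=1 drops the last registered extension, so the
    dropped PROTTPLN.DOC.exe is listed as PROTTPLN.DOC beside the real documents."""
    stem, dot, ext = filename.rpartition(".")
    if hide_file_ext and dot and "." + ext.lower() in registered:
        return stem
    return filename


if __name__ == "__main__":
    iocs = [p for p in map(parse_ioc, SAMPLE_IOCS.splitlines()) if p]
    print(render_reg(iocs))
    print("SFCDisable as signed DWORD:", as_signed_dword(4294967197))
    print(explorer_display_name("PROTTPLN.DOC.exe", hide_file_ext=True))
```

Import the generated file with regedit as the affected user for the HKEY_CURRENT_USER section, and check the native HKLM\SOFTWARE\Microsoft\Security Center view as well as the WOW6432Node one before declaring the host clean.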
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process | hits
452 | WINWORD.EXE | 2

Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | hits
3992 | 84b89e99ec7c94ec19537c8ffc9792cd_JaffaCakes118.exe | 16
2968 | mozvyrjdqd.exe | 10
2200 | wpjcitvqmjonfoq.exe | 10
3616 | xcwwgdxwzgkyl.exe | 12
2616 | ogwgqlkp.exe | 8
5020 | ogwgqlkp.exe | 8

Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process | hits
3992 | 84b89e99ec7c94ec19537c8ffc9792cd_JaffaCakes118.exe | 3
2968 | mozvyrjdqd.exe | 3
2200 | wpjcitvqmjonfoq.exe | 3
3616 | xcwwgdxwzgkyl.exe | 3
2616 | ogwgqlkp.exe | 3
5020 | ogwgqlkp.exe | 3

Suspicious use of SendNotifyMessage 18 IoCs
pid | Process | hits
3992 | 84b89e99ec7c94ec19537c8ffc9792cd_JaffaCakes118.exe | 3
2968 | mozvyrjdqd.exe | 3
2200 | wpjcitvqmjonfoq.exe | 3
3616 | xcwwgdxwzgkyl.exe | 3
2616 | ogwgqlkp.exe | 3
5020 | ogwgqlkp.exe | 3

Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process | hits
452 | WINWORD.EXE | 7

Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target | hits
PID 3992 wrote to memory of 2968 | 3992 | 84b89e99ec7c94ec19537c8ffc9792cd_JaffaCakes118.exe | 83 | 3
PID 3992 wrote to memory of 2200 | 3992 | 84b89e99ec7c94ec19537c8ffc9792cd_JaffaCakes118.exe | 84 | 3
PID 3992 wrote to memory of 2616 | 3992 | 84b89e99ec7c94ec19537c8ffc9792cd_JaffaCakes118.exe | 85 | 3
PID 3992 wrote to memory of 3616 | 3992 | 84b89e99ec7c94ec19537c8ffc9792cd_JaffaCakes118.exe | 86 | 3
PID 3992 wrote to memory of 452 | 3992 | 84b89e99ec7c94ec19537c8ffc9792cd_JaffaCakes118.exe | 87 | 2
PID 2968 wrote to memory of 5020 | 2968 | mozvyrjdqd.exe | 89 | 3
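The WriteProcessMemory entries are the raw edges from which the Processes tree that follows is drawn: each "PID A wrote to memory of B" names the writer, the target and the writer's image, and a parent writing into a child it has just created is the normal shape. The Python below is an added example, not sandbox tooling: it parses the 17 entries (copied in as constructed input), collapses the repeated writes per writer/target pair, renders the tree, and flags any target written by more than one process, which is the shape to look at when WriteProcessMemory points at injection into an already-running process rather than child setup. The pid-to-image map is filled in from the Processes section because the IoC table names only the writer; the trailing procid_target number is matched but not used.

```python
"""Rebuild the process tree from the WriteProcessMemory IoCs above.

Added example, not sandbox tooling. The events are constructed by copying the
17 entries above; the pid-to-image map is taken from the Processes section.
"""
import re
from collections import defaultdict

# Constructed input: "PID <writer> wrote to memory of <target> <writer> <image> <procid_target>"
SAMPLE_EVENTS = """
PID 3992 wrote to memory of 2968 3992 84b89e99ec7c94ec19537c8ffc9792cd_JaffaCakes118.exe 83
PID 3992 wrote to memory of 2968 3992 84b89e99ec7c94ec19537c8ffc9792cd_JaffaCakes118.exe 83
PID 3992 wrote to memory of 2968 3992 84b89e99ec7c94ec19537c8ffc9792cd_JaffaCakes118.exe 83
PID 3992 wrote to memory of 2200 3992 84b89e99ec7c94ec19537c8ffc9792cd_JaffaCakes118.exe 84
PID 3992 wrote to memory of 2200 3992 84b89e99ec7c94ec19537c8ffc9792cd_JaffaCakes118.exe 84
PID 3992 wrote to memory of 2200 3992 84b89e99ec7c94ec19537c8ffc9792cd_JaffaCakes118.exe 84
PID 3992 wrote to memory of 2616 3992 84b89e99ec7c94ec19537c8ffc9792cd_JaffaCakes118.exe 85
PID 3992 wrote to memory of 2616 3992 84b89e99ec7c94ec19537c8ffc9792cd_JaffaCakes118.exe 85
PID 3992 wrote to memory of 2616 3992 84b89e99ec7c94ec19537c8ffc9792cd_JaffaCakes118.exe 85
PID 3992 wrote to memory of 3616 3992 84b89e99ec7c94ec19537c8ffc9792cd_JaffaCakes118.exe 86
PID 3992 wrote to memory of 3616 3992 84b89e99ec7c94ec19537c8ffc9792cd_JaffaCakes118.exe 86
PID 3992 wrote to memory of 3616 3992 84b89e99ec7c94ec19537c8ffc9792cd_JaffaCakes118.exe 86
PID 3992 wrote to memory of 452 3992 84b89e99ec7c94ec19537c8ffc9792cd_JaffaCakes118.exe 87
PID 3992 wrote to memory of 452 3992 84b89e99ec7c94ec19537c8ffc9792cd_JaffaCakes118.exe 87
PID 2968 wrote to memory of 5020 2968 mozvyrjdqd.exe 89
PID 2968 wrote to memory of 5020 2968 mozvyrjdqd.exe 89
PID 2968 wrote to memory of 5020 2968 mozvyrjdqd.exe 89
"""

# Image per pid, from the Processes section (the IoC table names only the writer).
IMAGES = {3992: "84b89e99ec7c94ec19537c8ffc9792cd_JaffaCakes118.exe", 2968: "mozvyrjdqd.exe",
          2200: "wpjcitvqmjonfoq.exe", 2616: "ogwgqlkp.exe", 3616: "xcwwgdxwzgkyl.exe",
          452: "WINWORD.EXE", 5020: "ogwgqlkp.exe"}

# The writer pid appears twice on the line; \1 insists the two copies agree.
EVENT = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)$")


def parse_events(text):
    """Yield (writer_pid, target_pid, writer_image); procid_target is matched but unused."""
    for line in text.splitlines():
        m = EVENT.match(line.strip())
        if m:
            yield int(m.group(1)), int(m.group(2)), m.group(3)


def build_tree(events):
    """children[writer] = target pids in first-seen order; writes[(w, t)] = number of calls."""
    children, writes = defaultdict(list), defaultdict(int)
    for writer, target, _ in events:
        if target not in children[writer]:
            children[writer].append(target)
        writes[(writer, target)] += 1
    return children, writes


def roots(children):
    """Pids that wrote to others but were never written to: the tree's top level."""
    targets = {t for kids in children.values() for t in kids}
    return [p for p in children if p not in targets]


def multi_writer_targets(writes):
    """Targets written by more than one pid. A parent writing into the child it is
    creating is expected; a second writer into a running process is the pattern
    to inspect for injection. Empty for this report."""
    by_target = defaultdict(set)
    for writer, target in writes:
        by_target[target].add(writer)
    return sorted(t for t, w in by_target.items() if len(w) > 1)


def render(children, images, pid, depth=0, out=None):
    """Indented listing in the same shape as the Processes section."""
    out = [] if out is None else out
    out.append("  " * depth + f"{pid} {images.get(pid, '?')}")
    for child in children.get(pid, []):
        render(children, images, child, depth + 1, out)
    return out


if __name__ == "__main__":
    children, writes = build_tree(parse_events(SAMPLE_EVENTS))
    for root in roots(children):
        print("\n".join(render(children, IMAGES, root)))
    print("targets with more than one writer:", multi_writer_targets(writes))
```

The rendered output reproduces the Processes tree exactly: 3992 at the top, 2968/2200/2616/3616/452 beneath it, and 5020 under 2968. When a sandbox report shows a write whose target is not in the writer's child list, that edge, not the tree, is the thing to chase.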
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\84b89e99ec7c94ec19537c8ffc9792cd_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\84b89e99ec7c94ec19537c8ffc9792cd_JaffaCakes118.exe"
  PID: 3992
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\SysWOW64\mozvyrjdqd.exe
    Command line: mozvyrjdqd.exe
    PID: 2968
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\SysWOW64\ogwgqlkp.exe
      Command line: C:\Windows\system32\ogwgqlkp.exe
      PID: 5020
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  Level 2: C:\Windows\SysWOW64\wpjcitvqmjonfoq.exe
    Command line: wpjcitvqmjonfoq.exe
    PID: 2200
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  Level 2: C:\Windows\SysWOW64\ogwgqlkp.exe
    Command line: ogwgqlkp.exe
    PID: 2616
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  Level 2: C:\Windows\SysWOW64\xcwwgdxwzgkyl.exe
    Command line: xcwwgdxwzgkyl.exe
    PID: 3616
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  Level 2: C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    PID: 452
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (6)
Downloads

Filesize: 512KB
MD5: 88b5d2ca25fdf21469e2c8b076039edc
SHA1: bd17effa32d7dd1c76246b77faad160e1d200db3
SHA256: af35d8cef81536734ff6c7f0e150487a8a515854ccabe1a02bc17093f3985ad6
SHA512: fa56ddf60126e9676d1f75edaf0d81e8fe7b4c7a1d508ed57e646480817d3ac10e4584cb3fd2177c7c0250071147654d8f7a529be7edb41d4f92b4481d7966aa

Filesize: 512KB
MD5: 655c9a19a10f8656e014495afa488cf5
SHA1: 92ed81629332357dea03d3b3a8b340bfce95d799
SHA256: 1091cc08740e73c65428fd550c37f2d566f664886355678239e000092c8d7898
SHA512: be3861849ec9e98ee21c7d7c638fad809786a2cf7fb4817c9a036653d1b492c6fba293eb1973584a0ec62704dc9647dc3664442d3106c1a6ada4692e11371eaf

Filesize: 262KB
MD5: 51d32ee5bc7ab811041f799652d26e04
SHA1: 412193006aa3ef19e0a57e16acf86b830993024a
SHA256: 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA512: 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Filesize: 239B
MD5: 49cb7e42e96246112deafefe11d534b1
SHA1: 27d12e47a95b587790ad980cca2db9ffdfa79caa
SHA256: ec903863f323d8efec74a708b93951e7e0bb12faa5fc73b4ac295e7d094d17fb
SHA512: 9a744593b72eb0c5b0b0548e67beb1676fb4d4ca9750a5d72b8d2a3846ca3e6ebe50ead4f45df68736c4a3779ad9dbb7aed2a7ccf6cab08275a780c6f264376d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: a31aae4008f6f654508e8cd454f20463
SHA1: faf8a8929aa5e3ba3003ccd9ecc6e9ca03a9475e
SHA256: ed0f53bf285d4747633dd2c0588122682187bc26f063594b79c08872f2308288
SHA512: 2334d7cc9263eb33500a77aa1db0323e5d2e7160aece82bc1f29c7624167a4003ae11b969e973c63022d9c9373d127377602e6dc38585b2d66ebcc2227d71f5b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: bf80cdb74a7b717d2588f2ebfc593f72
SHA1: 0b4fbef281dc0fced0766fd1666a40e5de353d66
SHA256: d37b8809ea8880ff4d8eac7e5ee902923449cb1647be47a30be8f087dda512f0
SHA512: a06dccdf737c019e241c38e27402466605b6342d7df586f6f97a6822f08cc715ec545ceccb158b4266c915c80d93030170394cbe8d8ca548bbd2875d9ef89dd5

Filesize: 512KB
MD5: dd9d8ee0b5d18ea9605dda29f3e98b23
SHA1: 32f2c973940a695bea51e3aa3da6927eb7a4ba2c
SHA256: ed7e86b0dc86a9af706d014fee50cf30270b7aae751f71ea568ee4304a05056f
SHA512: f8bf186083264aadd1cd38ae1f7c6afc04762e3ff37fa3628d7ecea6727e37ec29ed6982bb6b706aa1f6a60bedba14e590fb117f40b6ba4cf48b749700bd085d

Filesize: 512KB
MD5: 158c8eab19e93d020c84e1c127193a9a
SHA1: d928c4025f9ebad7a2334f49bd89807beb7b442c
SHA256: 1c6e69e611bb35183cb4adad2dd03240858f6adac27e5ac34572b39b4c3a9ebf
SHA512: e0e148a5cc70a9a05b1249c7d773b9646a2e3c8149d4c15948478998961e635d41564fd556fb918649cf2543422cfc2d1cd22f3b3ebef94ad78711142bbac1f8

Filesize: 512KB
MD5: d16ad2251bc4284b87b60e60bf3dea61
SHA1: 4ea8a441aeb31f815bdfb2d8e8401192540689bf
SHA256: 0d518be5077eb564276eca7278aef0c1cfbf24b3ca7bf6ea0c2891d1a43b0cac
SHA512: 508e1e38f1699a08ea8670cb84c471cdf88573d45b80aaa6b2219138c0dda5bf44934536a7ee3d9451f67c0cefe267056051f5e647fe924977b757d5209e71dc

Filesize: 512KB
MD5: 424ced54949661ddf4af802b47701a4c
SHA1: 9bfd80699184290e950c55eff594024a16447503
SHA256: 53b2f0b59355ac7e369e8552a2097e8917c20840ff46e4b6a97e7e6769c20d52
SHA512: 04d4df3b802c52752f2edf262909c00110a7c521679e6b57ef7d0a8168e3da883a7edaec4f03608bfeed299335e76e3e2b3ab17394f94b615d3b1d4f0b089f2d

Filesize: 512KB
MD5: b580105195d7058bc1aca5bb0b207417
SHA1: 3739acc03115aa64fc4e6eabb63b3dbb55b29914
SHA256: bc45a739aa40dc5211d74ec86023d8e470022965f4f9d1b77def0b99fb2ce579
SHA512: b1053921fd30ca40e2ada47e1b88a3bc292951d7c36d3dd043c8996c3f3029d0c933ca67131491230e178aa475790205f8979fcba2171b37524d52b428ff8d4a

Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Filesize: 512KB
MD5: 6b0f4922ace9e600d269d41aab5cfd4f
SHA1: cdee9d7893fa952c17e5f51ed420a63ce69a20f2
SHA256: 68e6e18d5d1fc95a400ab9fbd5deda02a2c5eae3f9ad70e58ca698a1999eaecc
SHA512: 21a048f5bfaa9f1c33a362043c4120ad93e7bfbc1f678f08e4099c01dc5d8e4e3a7061ed4bcd6a1fddda2e4355e82d12546ba28cb8e3ac0e5ec4e741363e7549

Filesize: 512KB
MD5: 19ef4f78d57795674954a7e024483a46
SHA1: f16dd4e1cc1b90e98f69e6f182392241e1653c6d
SHA256: b291f26f3341d3b31c21a84445372c435f6eb59151acc7c2a7d7ddd199633829
SHA512: 88891f96c0377d3f969c00ba6c2921b5630b487121e59969c6282979379821b017e8398f3969ae66db26f3f070bbda749f57d1e5a759f5a006f25870b5e274e5