Analysis
-
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31/05/2024, 12:59
Static task: static1
Behavioral task: behavioral1
  Sample: 86c590399455d5a360adc313da2b593fJaffaCakes118.exe
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: 86c590399455d5a360adc313da2b593fJaffaCakes118.exe
  Resource: win10v2004-20240426-en
General
-
Target: 86c590399455d5a360adc313da2b593fJaffaCakes118.exe
Size: 512KB
MD5: 86c590399455d5a360adc313da2b593f
SHA1: e2c1ba7214f1d073537d58b6455ad504afc1fc7e
SHA256: 01e0ad82a8682c0d884c54f0660a17ec61c0edc7868446c6fc85239e6f45d3ca
SHA512: a451e7d6c39e976db646699f776bef068bbda3aff66db1ad3587761ec7aca56f29e29ebda8e4e7a7976dd2afa5dc56959410797137785f1551cc19aace97d934
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj60:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5x
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | pqfewzmiek.exe
-
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | pqfewzmiek.exe
-
Windows security bypass (5 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | pqfewzmiek.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | pqfewzmiek.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | pqfewzmiek.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | pqfewzmiek.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | pqfewzmiek.exe
-
Disables RegEdit via registry modification (1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | pqfewzmiek.exe
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | 86c590399455d5a360adc313da2b593fJaffaCakes118.exe
-
Executes dropped EXE (5 IoCs)
pid | Process
1844 | pqfewzmiek.exe
2684 | xwjkeipifbwwywa.exe
4612 | zbdwdxvqcsvmm.exe
3292 | hbpbbwpo.exe
3252 | hbpbbwpo.exe
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.
-
Windows security modification (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | pqfewzmiek.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | pqfewzmiek.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | pqfewzmiek.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | pqfewzmiek.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | pqfewzmiek.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | pqfewzmiek.exe
-
Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\efcbinbw = "xwjkeipifbwwywa.exe" | xwjkeipifbwwywa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "zbdwdxvqcsvmm.exe" | xwjkeipifbwwywa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sinooyqp = "pqfewzmiek.exe" | xwjkeipifbwwywa.exe
-
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\i: | hbpbbwpo.exe
File opened (read-only) | \??\v: | pqfewzmiek.exe
File opened (read-only) | \??\x: | pqfewzmiek.exe
File opened (read-only) | \??\y: | hbpbbwpo.exe
File opened (read-only) | \??\i: | hbpbbwpo.exe
File opened (read-only) | \??\x: | hbpbbwpo.exe
File opened (read-only) | \??\z: | hbpbbwpo.exe
File opened (read-only) | \??\k: | hbpbbwpo.exe
File opened (read-only) | \??\y: | hbpbbwpo.exe
File opened (read-only) | \??\h: | pqfewzmiek.exe
File opened (read-only) | \??\k: | pqfewzmiek.exe
File opened (read-only) | \??\m: | hbpbbwpo.exe
File opened (read-only) | \??\o: | hbpbbwpo.exe
File opened (read-only) | \??\q: | hbpbbwpo.exe
File opened (read-only) | \??\k: | hbpbbwpo.exe
File opened (read-only) | \??\g: | hbpbbwpo.exe
File opened (read-only) | \??\u: | hbpbbwpo.exe
File opened (read-only) | \??\h: | hbpbbwpo.exe
File opened (read-only) | \??\j: | pqfewzmiek.exe
File opened (read-only) | \??\m: | pqfewzmiek.exe
File opened (read-only) | \??\z: | pqfewzmiek.exe
File opened (read-only) | \??\p: | hbpbbwpo.exe
File opened (read-only) | \??\e: | hbpbbwpo.exe
File opened (read-only) | \??\n: | hbpbbwpo.exe
File opened (read-only) | \??\p: | hbpbbwpo.exe
File opened (read-only) | \??\i: | pqfewzmiek.exe
File opened (read-only) | \??\p: | pqfewzmiek.exe
File opened (read-only) | \??\y: | pqfewzmiek.exe
File opened (read-only) | \??\g: | hbpbbwpo.exe
File opened (read-only) | \??\h: | hbpbbwpo.exe
File opened (read-only) | \??\v: | hbpbbwpo.exe
File opened (read-only) | \??\x: | hbpbbwpo.exe
File opened (read-only) | \??\m: | hbpbbwpo.exe
File opened (read-only) | \??\b: | hbpbbwpo.exe
File opened (read-only) | \??\n: | hbpbbwpo.exe
File opened (read-only) | \??\l: | hbpbbwpo.exe
File opened (read-only) | \??\s: | hbpbbwpo.exe
File opened (read-only) | \??\b: | pqfewzmiek.exe
File opened (read-only) | \??\g: | pqfewzmiek.exe
File opened (read-only) | \??\t: | hbpbbwpo.exe
File opened (read-only) | \??\e: | hbpbbwpo.exe
File opened (read-only) | \??\t: | hbpbbwpo.exe
File opened (read-only) | \??\j: | hbpbbwpo.exe
File opened (read-only) | \??\l: | pqfewzmiek.exe
File opened (read-only) | \??\q: | pqfewzmiek.exe
File opened (read-only) | \??\w: | hbpbbwpo.exe
File opened (read-only) | \??\w: | hbpbbwpo.exe
File opened (read-only) | \??\t: | pqfewzmiek.exe
File opened (read-only) | \??\a: | hbpbbwpo.exe
File opened (read-only) | \??\s: | pqfewzmiek.exe
File opened (read-only) | \??\w: | pqfewzmiek.exe
File opened (read-only) | \??\o: | hbpbbwpo.exe
File opened (read-only) | \??\r: | hbpbbwpo.exe
File opened (read-only) | \??\b: | hbpbbwpo.exe
File opened (read-only) | \??\a: | pqfewzmiek.exe
File opened (read-only) | \??\n: | pqfewzmiek.exe
File opened (read-only) | \??\o: | pqfewzmiek.exe
File opened (read-only) | \??\u: | hbpbbwpo.exe
File opened (read-only) | \??\a: | hbpbbwpo.exe
File opened (read-only) | \??\r: | hbpbbwpo.exe
File opened (read-only) | \??\z: | hbpbbwpo.exe
File opened (read-only) | \??\j: | hbpbbwpo.exe
File opened (read-only) | \??\q: | hbpbbwpo.exe
File opened (read-only) | \??\s: | hbpbbwpo.exe
-
Modifies WinLogon (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | pqfewzmiek.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | pqfewzmiek.exe
-
AutoIT Executable (9 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/1512-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x00070000000234a3-5.dat | autoit_exe
behavioral2/files/0x000800000002349f-18.dat | autoit_exe
behavioral2/files/0x00070000000234a4-32.dat | autoit_exe
behavioral2/files/0x00070000000234a5-29.dat | autoit_exe
behavioral2/files/0x000500000001da42-74.dat | autoit_exe
behavioral2/files/0x000400000001da4d-80.dat | autoit_exe
behavioral2/files/0x000d0000000234e5-578.dat | autoit_exe
behavioral2/files/0x000d0000000234e5-583.dat | autoit_exe
-
Drops file in System32 directory (12 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\pqfewzmiek.exe | 86c590399455d5a360adc313da2b593fJaffaCakes118.exe
File created | C:\Windows\SysWOW64\xwjkeipifbwwywa.exe | 86c590399455d5a360adc313da2b593fJaffaCakes118.exe
File created | C:\Windows\SysWOW64\hbpbbwpo.exe | 86c590399455d5a360adc313da2b593fJaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\hbpbbwpo.exe | 86c590399455d5a360adc313da2b593fJaffaCakes118.exe
File created | C:\Windows\SysWOW64\zbdwdxvqcsvmm.exe | 86c590399455d5a360adc313da2b593fJaffaCakes118.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | hbpbbwpo.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | hbpbbwpo.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | hbpbbwpo.exe
File opened for modification | C:\Windows\SysWOW64\pqfewzmiek.exe | 86c590399455d5a360adc313da2b593fJaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\xwjkeipifbwwywa.exe | 86c590399455d5a360adc313da2b593fJaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\zbdwdxvqcsvmm.exe | 86c590399455d5a360adc313da2b593fJaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | pqfewzmiek.exe
-
Drops file in Program Files directory (14 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | hbpbbwpo.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | hbpbbwpo.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | hbpbbwpo.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | hbpbbwpo.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | hbpbbwpo.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | hbpbbwpo.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | hbpbbwpo.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | hbpbbwpo.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | hbpbbwpo.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | hbpbbwpo.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | hbpbbwpo.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | hbpbbwpo.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | hbpbbwpo.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | hbpbbwpo.exe
-
Drops file in Windows directory (19 IoCs)
description | ioc | Process
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | hbpbbwpo.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | hbpbbwpo.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | hbpbbwpo.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | hbpbbwpo.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | hbpbbwpo.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | hbpbbwpo.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | hbpbbwpo.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | hbpbbwpo.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | hbpbbwpo.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | hbpbbwpo.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | hbpbbwpo.exe
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | hbpbbwpo.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | hbpbbwpo.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | hbpbbwpo.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | hbpbbwpo.exe
File opened for modification | C:\Windows\mydoc.rtf | 86c590399455d5a360adc313da2b593fJaffaCakes118.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | hbpbbwpo.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
-
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
-
Modifies registry class (20 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BBDF9CAF967F19283753B31819B3998B089028F4216023EE2BE45E708D2" | 86c590399455d5a360adc313da2b593fJaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FFBFFFC485F826F913CD62F7E93BC97E131584466416333D799" | 86c590399455d5a360adc313da2b593fJaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F26BC3FE6A21AED27FD1A78B78906A" | 86c590399455d5a360adc313da2b593fJaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | pqfewzmiek.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | pqfewzmiek.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 86c590399455d5a360adc313da2b593fJaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | pqfewzmiek.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | pqfewzmiek.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | pqfewzmiek.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | pqfewzmiek.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC3B12844EE399953CCB9D533EED7C9" | 86c590399455d5a360adc313da2b593fJaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1845C60C15E1DAC0B8CD7C93EDE737CE" | 86c590399455d5a360adc313da2b593fJaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings | 86c590399455d5a360adc313da2b593fJaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | pqfewzmiek.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | pqfewzmiek.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32432D799C5683236D4477A170542CD77DF464AD" | 86c590399455d5a360adc313da2b593fJaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | pqfewzmiek.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | pqfewzmiek.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | pqfewzmiek.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | pqfewzmiek.exe
-
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid | Process
5004 | WINWORD.EXE (×2)
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
1512 | 86c590399455d5a360adc313da2b593fJaffaCakes118.exe (×16)
1844 | pqfewzmiek.exe (×10)
4612 | zbdwdxvqcsvmm.exe (×8)
2684 | xwjkeipifbwwywa.exe (×3)
4612 | zbdwdxvqcsvmm.exe
2684 | xwjkeipifbwwywa.exe
4612 | zbdwdxvqcsvmm.exe
2684 | xwjkeipifbwwywa.exe (×4)
4612 | zbdwdxvqcsvmm.exe (×2)
3292 | hbpbbwpo.exe (×8)
2684 | xwjkeipifbwwywa.exe (×2)
3252 | hbpbbwpo.exe (×8)
-
Suspicious use of FindShellTrayWindow (18 IoCs)
pid | Process
1512 | 86c590399455d5a360adc313da2b593fJaffaCakes118.exe (×3)
1844 | pqfewzmiek.exe (×3)
4612 | zbdwdxvqcsvmm.exe
2684 | xwjkeipifbwwywa.exe
3292 | hbpbbwpo.exe
4612 | zbdwdxvqcsvmm.exe
2684 | xwjkeipifbwwywa.exe
3292 | hbpbbwpo.exe
2684 | xwjkeipifbwwywa.exe
4612 | zbdwdxvqcsvmm.exe
3292 | hbpbbwpo.exe
3252 | hbpbbwpo.exe (×3)
-
Suspicious use of SendNotifyMessage (18 IoCs)
pid | Process
1512 | 86c590399455d5a360adc313da2b593fJaffaCakes118.exe (×3)
1844 | pqfewzmiek.exe (×3)
4612 | zbdwdxvqcsvmm.exe
2684 | xwjkeipifbwwywa.exe
3292 | hbpbbwpo.exe
4612 | zbdwdxvqcsvmm.exe
2684 | xwjkeipifbwwywa.exe
3292 | hbpbbwpo.exe
2684 | xwjkeipifbwwywa.exe
4612 | zbdwdxvqcsvmm.exe
3292 | hbpbbwpo.exe
3252 | hbpbbwpo.exe (×3)
-
Suspicious use of SetWindowsHookEx (7 IoCs)
pid | Process
5004 | WINWORD.EXE (×7)
-
Suspicious use of WriteProcessMemory (17 IoCs)
description | pid | Process | procid_target
PID 1512 wrote to memory of 1844 | 1512 | 86c590399455d5a360adc313da2b593fJaffaCakes118.exe | 82 (×3)
PID 1512 wrote to memory of 2684 | 1512 | 86c590399455d5a360adc313da2b593fJaffaCakes118.exe | 83 (×3)
PID 1512 wrote to memory of 3292 | 1512 | 86c590399455d5a360adc313da2b593fJaffaCakes118.exe | 84 (×3)
PID 1512 wrote to memory of 4612 | 1512 | 86c590399455d5a360adc313da2b593fJaffaCakes118.exe | 85 (×3)
PID 1512 wrote to memory of 5004 | 1512 | 86c590399455d5a360adc313da2b593fJaffaCakes118.exe | 87 (×2)
PID 1844 wrote to memory of 3252 | 1844 | pqfewzmiek.exe | 89 (×3)
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\86c590399455d5a360adc313da2b593fJaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\86c590399455d5a360adc313da2b593fJaffaCakes118.exe"
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 1512
-
Level 2: C:\Windows\SysWOW64\pqfewzmiek.exe
Command line: pqfewzmiek.exe
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 1844
-
Level 3: C:\Windows\SysWOW64\hbpbbwpo.exe
Command line: C:\Windows\system32\hbpbbwpo.exe
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 3252
-
Level 2: C:\Windows\SysWOW64\xwjkeipifbwwywa.exe
Command line: xwjkeipifbwwywa.exe
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 2684
-
Level 2: C:\Windows\SysWOW64\hbpbbwpo.exe
Command line: hbpbbwpo.exe
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 3292
-
Level 2: C:\Windows\SysWOW64\zbdwdxvqcsvmm.exe
Command line: zbdwdxvqcsvmm.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 4612
-
Level 2: C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID: 5004
-
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads
-
Filesize: 512KB
MD5: dbbef0661860cff121dd1cb598704bfd
SHA1: be4a9ff29b6a4727bec24408d115f1624fd2fe1b
SHA256: 48f5cb9a38636bdf532a38fcccacc1d9d87eb0081e72bab82b1e7856068e6d73
SHA512: c4a7e98db7ab2b0a55dd59d3f0079e0126c4e9d87bd78609651df394751c0da243df5a2ebf5a5d8b3aba7e6f64500115c27e7e2313027840d604f30861603afb
-
Filesize: 512KB
MD5: 334d45e5c7875da444bd876420985c85
SHA1: 01aea0b700a1e06d7390a101d63ce33151e12e0b
SHA256: d123baa1159dd9c1389eadb703b51be326e2459ceba01a1a554a1e079757e480
SHA512: c267b0a8d08459f5e410449819246b7a1beb540db5f65edc0848b35a4c9df548a71f6b329b7e31ab9efa21a818c6822e73c1dc2eeb55546171b7e5c1d19b8b72
-
Filesize: 262KB
MD5: 51d32ee5bc7ab811041f799652d26e04
SHA1: 412193006aa3ef19e0a57e16acf86b830993024a
SHA256: 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA512: 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810
-
Filesize: 239B
MD5: 12b138a5a40ffb88d1850866bf2959cd
SHA1: 57001ba2de61329118440de3e9f8a81074cb28a2
SHA256: 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA512: 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: 19bf13e723988b90c8c265a8a491bc73
SHA1: d8f41f444dcc4853a05c0fd4fdca77cd63370cd5
SHA256: a2056240d3b0c90d7b5440f1a631b6d618332b4441363ac6ac6cb2a61b37596f
SHA512: 803e998a33372b3ef4450f5014ff0b200fe4d20f871c174c1f5a241e557a1db60947b0dfdf3968fe9f7790148f5426aff841d6fcb676fa48ffb0b45ea3209c49
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: b7a9116ad6b8280f3464a36eca800081
SHA1: 4fefc2d729a7913b7d07632b1c8d720eb81898a0
SHA256: b6ea42ccfcb3bd988cb7f0711dcf3b6f902c8e679b49f1ad8ebd342afac9b4a4
SHA512: 061194c8bb13e69ade62ae2f53a4060187e19baf60a9d3b19307737dd1ee999189baf3885760700367acbc7e768f9f20fa6ecd7988679543813e559c753ca47e
-
Filesize: 512KB
MD5: 90df88f591dd4a2fb7f9f7b51bcad7d0
SHA1: ec27b7fd3c48fff38daebccae58d23d84b256266
SHA256: bbf5539fb43ac23d6349f2ceb4682363b51dbf39a480f99d1f14ee01ec8b0947
SHA512: e0df2cff60ea40d728cc1cd921d094b979feec61510f4e09aca0d12e211457ed565d8322d17b86b696b06d57615da8adaa90c29892539373fdf6e180906ea95a
-
Filesize: 512KB
MD5: 087f143c99e7fddd50f3d34bf5a66e83
SHA1: d2436f607f52073aa9785ff91625c3e4851370a9
SHA256: d7ef178a020115617190bced0bc9a6c83c17cc067cafb430dc5717af87771b70
SHA512: 4e57522c779ec4075154b2991e10cc485498feef0c69877026de619ab6190eccedfaf3027d5d9e21891f6490b85b3159b7cd2382844fc1bf84ae16ccf413c2c8
-
Filesize: 512KB
MD5: 1f7ef3085c0897b37fb4e28c4dff49cc
SHA1: 1e85dc318a32e85a0a9fe41746ee7f1d4a9ca63e
SHA256: ed093a3f7a5a620a86c47f00ebd5a96e5c68120309459a76844a76bc6166bccf
SHA512: c0b8803716280e422c085cfe10dbf002c90a32ca4dd68dbed8c088fdae82b8161834d7635cf790dca288662789b5d426680ee6c5ab57a42c687a71bf7c80f45b
-
Filesize: 512KB
MD5: b217667d14a6d5d17c764b8073a6a687
SHA1: e4123b8ccaf65bfc97e92a51b1cd81c7c13b27a4
SHA256: dc6869ba4a2d533d005ce6fe560d0b787c96d0350888dc9bda0c9380221b02eb
SHA512: a9f9f75bfebe69aa7772ba1a21947f1eae8cf4f895c266686ce859c630c4c9b7165242988c07da1aa9081b2ac8c9b0f4882801b5ad57759aac060edae2d76bf0
-
Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
Filesize: 512KB
MD5: 6f788ea8f9dad466d9eba72343f90fd2
SHA1: bd80e7701954c249aaab0a13c0aaea0a98f53d65
SHA256: 266bed96865ac415673c9305cd536d13c1277400597034902932bf2584bcca87
SHA512: c6b367ec9035e0d288f15bacb0a93fb3ef6616048fa1ff5566bb90b23d407fd14a7ebea455aad32aee72b0b4026a4f502996e09b8233f03c4fbb821bf277c7bc
-
Filesize: 512KB
MD5: 51837bd34ad097b4e538e0894ce17dc4
SHA1: 6543094bb1aaa6a7097c5ee2d6e008cf9002b145
SHA256: 8e9cddfe9ffbc504de928631d05cb6bb68d8c3c835d13c00e811a3b6c5a4fdd2
SHA512: 36af19f42a3373d7e14e49c335274cf8a7999c1c7fa9db1558cce9ef3b4b47705167e0f7e7e41b2d9ab7551dc19e2c8ac8aa0a525a5f6dfcbf1386d055be1a2d