Analysis

max time kernel: 150s
max time network: 140s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31/05/2024, 19:19

Static task: static1

Behavioral task: behavioral1
  Sample: 8811401f94e7d19dba818431f0ab24bb_JaffaCakes118.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: 8811401f94e7d19dba818431f0ab24bb_JaffaCakes118.exe
  Resource: win10v2004-20240426-en

The signatures, process tree and dropped files below come from behavioral2 (the Windows 10 2004 x64 run): the YARA hits are keyed behavioral2/... and the WinSxS paths carry 10.0.19041 component versions. The behavioral1 (Windows 7) run is not reproduced on this page.
General

Target: 8811401f94e7d19dba818431f0ab24bb_JaffaCakes118.exe
Size: 512KB
MD5: 8811401f94e7d19dba818431f0ab24bb
SHA1: 9ed6d413f597c67cfeef8f9ae5b715111311a56e
SHA256: 6ecc954899c3cf33481990966c33cbdc0c5e992d81516f2a1874bcd065aa7c82
SHA512: d10c932865d5a8a277f5626ad22da1d8184a9a35507caa6670afb8b0fb0c302d6e16e4d0f92f47920ce1b41e0d2f352ffdeb638dbad41f17f265ff8822048547
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj64:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5b
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
  Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"  [rfobzyfzpu.exe]

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  [rfobzyfzpu.exe]
  With HideFileExt = 1 and ShowSuperHidden = 0, Explorer displays a dropped file such as PROTTPLN.DOC.exe (see "Drops file in Program Files directory") as PROTTPLN.DOC, so the appended .exe is hidden from the user. Both values live under the user's hive (HKU\S-1-5-21-...-1000), so other accounts on the host keep their own settings.

Windows security bypass (5 IoCs)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  [rfobzyfzpu.exe]
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  [rfobzyfzpu.exe]
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  [rfobzyfzpu.exe]
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  [rfobzyfzpu.exe]
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  [rfobzyfzpu.exe]
  rfobzyfzpu.exe is a 32-bit process (its image is in SysWOW64), so its writes to HKLM\SOFTWARE\Microsoft\Security Center are redirected to the WOW6432Node view. A host check for these values should read both the native and the WOW6432Node key.

Disables RegEdit via registry modification (1 IoC)
  Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"  [rfobzyfzpu.exe]
  This is the per-user "Prevent access to registry editing tools" policy: regedit.exe refuses to start for that user, but reg.exe and the PowerShell registry provider are not affected by it.
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation  [8811401f94e7d19dba818431f0ab24bb_JaffaCakes118.exe]
Executes dropped EXE (5 IoCs)
  PID 920   rfobzyfzpu.exe
  PID 1704  xtqszypjezndgpw.exe
  PID 2948  upmpnkou.exe
  PID 1152  jngizpmmbszae.exe
  PID 5000  upmpnkou.exe
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
  No IoCs are listed for this signature on this page.

Windows security modification (6 IoCs)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  [rfobzyfzpu.exe]
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  [rfobzyfzpu.exe]
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1"  [rfobzyfzpu.exe]
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  [rfobzyfzpu.exe]
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  [rfobzyfzpu.exe]
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  [rfobzyfzpu.exe]
Adds Run key to start application (2 TTPs, 3 IoCs)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\brbzogir = "rfobzyfzpu.exe"  [xtqszypjezndgpw.exe]
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kxubwclr = "xtqszypjezndgpw.exe"  [xtqszypjezndgpw.exe]
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "jngizpmmbszae.exe"  [xtqszypjezndgpw.exe]
  The third entry is written to the Run key's unnamed (Default) value, which a hunt that only enumerates named values will miss. All three values hold a bare file name with no path; the three files were dropped into C:\Windows\SysWOW64 (see "Drops file in System32 directory").
Enumerates connected drives (3 TTPs, 64 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  All 64 entries are "File opened (read-only) \??\<letter>:"; collapsed by process:
  rfobzyfzpu.exe (22 entries): a: b: e: g: h: i: j: l: m: n: o: p: q: r: s: t: u: v: w: x: y: z:
  upmpnkou.exe (42 entries, each letter twice, one pass per instance): a: b: e: g: h: i: k: l: m: n: o: p: q: r: s: t: u: v: w: y: z:
Modifies WinLogon (2 TTPs, 2 IoCs)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"  [rfobzyfzpu.exe]
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"  [rfobzyfzpu.exe]
  4294967197 is 0xFFFFFF9D, i.e. -99 as a signed DWORD: the legacy value used to switch off Windows File Protection on Windows 2000/XP. Windows Vista and later replaced WFP with Windows Resource Protection, which does not honour SFCDisable or SFCScan, so on this Windows 10 image the writes are a useful indicator of intent but do not weaken system file protection.
AutoIT Executable (10 IoCs)
  AutoIT scripts compiled to PE executables.
  YARA rule autoit_exe matched:
    behavioral2/memory/4588-0-0x0000000000400000-0x0000000000496000-memory.dmp
    behavioral2/files/0x0007000000023451-5.dat
    behavioral2/files/0x000800000002344d-18.dat
    behavioral2/files/0x0007000000023452-27.dat
    behavioral2/files/0x0007000000023453-32.dat
    behavioral2/files/0x000500000001d891-66.dat
    behavioral2/files/0x000500000001d9e5-69.dat
    behavioral2/files/0x000400000001db63-79.dat
    behavioral2/files/0x001800000001e5b8-95.dat
    behavioral2/files/0x001800000001e5b8-100.dat
Drops file in System32 directory (13 IoCs)
  By 8811401f94e7d19dba818431f0ab24bb_JaffaCakes118.exe, each created and then opened for modification (8 entries):
    C:\Windows\SysWOW64\rfobzyfzpu.exe
    C:\Windows\SysWOW64\xtqszypjezndgpw.exe
    C:\Windows\SysWOW64\upmpnkou.exe
    C:\Windows\SysWOW64\jngizpmmbszae.exe
  By rfobzyfzpu.exe (1 entry):
    File opened for modification C:\Windows\SysWOW64\msvbvm60.dll (the Visual Basic 6 runtime DLL)
  By upmpnkou.exe (4 entries: created x2, opened for modification x2):
    \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
Drops file in Program Files directory (15 IoCs)
  All by upmpnkou.exe, under C:\Program Files\Microsoft Office\root\Office16\1033\:
    PROTTPLN.DOC.exe  created x2, opened for modification x4
    PROTTPLV.DOC.exe  created x1, opened for modification x4
    PROTTPLN.nal      opened for modification x2
    PROTTPLV.nal      opened for modification x2
  The duplicated entries reflect the two upmpnkou.exe instances (PIDs 2948 and 5000), both of which carry this signature in the process tree. The .DOC.exe names combine with the Explorer HideFileExt change above so that the files display as PROTTPLN.DOC and PROTTPLV.DOC.
Drops file in Windows directory (19 IoCs)
  C:\Windows\mydoc.rtf
    opened for modification by 8811401f94e7d19dba818431f0ab24bb_JaffaCakes118.exe
    opened for modification by WINWORD.EXE
  C:\Windows\~$mydoc.rtf
    created by WINWORD.EXE (Word's owner file for an open document; not written by the sample)
  MsoIrmProtector.doc.exe, by upmpnkou.exe, in four WinSxS component directories (each: created x2, opened for modification x2):
    \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe
    \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe
    \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe
    \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe
  Together with the SysWOW64\MSDRM entry above, the sample writes a .doc.exe next to every copy of the Office IRM protector component it can find (amd64 and wow64, both 10.0.19041.1 and 10.0.19041.746).
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
  No IoCs are listed for this signature on this page.
Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0  [WINWORD.EXE]
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  [WINWORD.EXE]
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  [WINWORD.EXE]

Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS  [WINWORD.EXE]
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  [WINWORD.EXE]
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  [WINWORD.EXE]

  Both signatures are attributed to WINWORD.EXE (PID 4600), which the sample launched on C:\Windows\mydoc.rtf, not to the sample or any of its dropped executables. Word reads these keys in normal operation, so they are weak evidence of sandbox detection by this sample.
Modifies registry class (20 IoCs)
  By 8811401f94e7d19dba818431f0ab24bb_JaffaCakes118.exe (8 entries):
    Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32412C7E9C2683226D3677A070202DAD7C8E65DC"
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BBDF9B0FE17F2E3847A3A31819B39E2B08A03FE4366033DE1C9459909D4"
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB7B02A47E338E253BFBAA0329AD4B8"
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFBFF89482785189032D65C7DE7BDE0E13058446636633FD791"
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F368B7FE6622A9D27FD0A98A099013"
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184BC77914E7DAC0B9BA7CE7ED9237CB"
    Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings
  By rfobzyfzpu.exe (12 entries):
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat, .vbs, .reg, .wsf, .wsh, .wsc
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile"
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile"
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile"
  CLV.Classes is not a Windows ProgID; the Com1-Com4 and StartCom1-StartCom2 values are opaque hex strings of varying length, which this report does not decode.
  The second group sets the default value of each extension key to "txtfile", the ProgID behind .txt. Unless a per-user association overrides it, double-clicking a .bat, .vbs, .reg, .wsf, .wsh or .wsc file then opens it in Notepad instead of running it (or, for .reg, importing it), which frustrates user-side cleanup scripts. Scripts started explicitly with cmd.exe, cscript.exe or reg.exe import are unaffected. Registry key names are case-insensitive, so the .WSF/.WSH spellings are the same keys as the created .wsf/.wsh.
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  PID 4600  WINWORD.EXE  (x2)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 4588  8811401f94e7d19dba818431f0ab24bb_JaffaCakes118.exe  (x16)
  PID 920   rfobzyfzpu.exe  (x10)
  PID 1704  xtqszypjezndgpw.exe  (x10)
  PID 2948  upmpnkou.exe  (x8)
  PID 1152  jngizpmmbszae.exe  (x12)
  PID 5000  upmpnkou.exe  (x8)

Suspicious use of FindShellTrayWindow (18 IoCs)
  PIDs 4588, 920, 1704, 2948, 1152, 5000  (x3 each)

Suspicious use of SendNotifyMessage (18 IoCs)
  PIDs 4588, 920, 1704, 2948, 1152, 5000  (x3 each)

Suspicious use of SetWindowsHookEx (7 IoCs)
  PID 4600  WINWORD.EXE  (x7)

Suspicious use of WriteProcessMemory (17 IoCs)
  pid   Process                                              wrote to memory of   procid_target   entries
  4588  8811401f94e7d19dba818431f0ab24bb_JaffaCakes118.exe   920                  85              3
  4588  8811401f94e7d19dba818431f0ab24bb_JaffaCakes118.exe   1704                 86              3
  4588  8811401f94e7d19dba818431f0ab24bb_JaffaCakes118.exe   2948                 87              3
  4588  8811401f94e7d19dba818431f0ab24bb_JaffaCakes118.exe   1152                 88              3
  4588  8811401f94e7d19dba818431f0ab24bb_JaffaCakes118.exe   4600                 89              2
  920   rfobzyfzpu.exe                                       5000                 91              3
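The registry IoCs above are the part of this report a responder would turn into detection logic. The script below is an added example for this page, not sandbox or vendor code: it parses lines in the report's "Set value (type) \REGISTRY\... = "data" process" form into structured records (hive, user SID, key with the WOW6432Node redirection stripped, value name, data, writing process) and runs a small rule set over them. The sample lines in REPORT_IOCS are copied from the signature tables above; the record layout, the rule set, the helper names and the ATT&CK sub-technique ids (chosen to match the technique names in the MITRE section of this report) are the example's own assumptions.

```python
"""Parse sandbox registry IoCs into records and run detection rules over them.

Added example for this report; not code from the sandbox or the sample.
REPORT_IOCS holds lines copied from the report's signature tables. The
record layout, rule set and technique mapping are this example's own.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Lines exactly as the report prints them (copied from the tables above).
REPORT_IOCS = r'''
Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" rfobzyfzpu.exe
Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" rfobzyfzpu.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" rfobzyfzpu.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" rfobzyfzpu.exe
Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" rfobzyfzpu.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\brbzogir = "rfobzyfzpu.exe" xtqszypjezndgpw.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "jngizpmmbszae.exe" xtqszypjezndgpw.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" rfobzyfzpu.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" rfobzyfzpu.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" rfobzyfzpu.exe
'''

# "Set value (type) <native key path> = "<data>" <process>"; key paths may contain spaces.
IOC_RE = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\\.+?) = "(.*)" (\S+)$')


@dataclass(frozen=True)
class RegWrite:
    hive: str       # HKLM or HKU
    user_sid: str   # SID under HKU; '' for HKLM
    key: str        # key path with the WOW6432Node redirection stripped
    name: str       # value name; '' is the key's (Default) value
    kind: str       # 'int' or 'str' as the report types it
    data: str
    process: str
    wow64: bool     # written through the WoW64 registry redirector (32-bit writer)


@dataclass(frozen=True)
class Finding:
    technique: str  # ATT&CK sub-technique id (this example's mapping)
    detail: str
    write: RegWrite


def normalise_key(raw_key):
    """Map a native \\REGISTRY\\... key to (hive, user_sid, path, wow64)."""
    parts = raw_key.split('\\')              # ['', 'REGISTRY', 'MACHINE'|'USER', ...]
    root, rest = parts[2], parts[3:]
    sid = ''
    if root == 'USER':                       # \REGISTRY\USER\<SID>\... is that user's HKCU
        hive, sid, rest = 'HKU', rest[0], rest[1:]
    else:
        hive = 'HKLM'
    wow64 = False
    if len(rest) >= 2 and rest[0].upper() == 'SOFTWARE' and rest[1].upper() == 'WOW6432NODE':
        wow64, rest = True, [rest[0]] + rest[2:]   # fold the redirected view back onto the logical key
    return hive, sid, '\\'.join(rest), wow64


def parse_registry_iocs(text):
    """Return one RegWrite per "Set value" line; lines of other shapes are ignored."""
    writes = []
    for line in text.strip().splitlines():
        m = IOC_RE.match(line.strip())
        if not m:
            continue
        kind, raw, data, proc = m.groups()
        key, _, name = raw.rpartition('\\')  # a trailing backslash means the (Default) value
        hive, sid, path, wow64 = normalise_key(key)
        writes.append(RegWrite(hive, sid, path, name, kind, data, proc, wow64))
    return writes


def evaluate(writes):
    """Apply the detection rules; each matching write yields one Finding."""
    findings = []
    for w in writes:
        k, n = w.key.lower(), w.name.lower()
        if k.endswith(r'\currentversion\run'):
            findings.append(Finding('T1547.001', 'Run key value %s -> %s' % (w.name or '(Default)', w.data), w))
        elif k.endswith(r'\explorer\advanced') and (n, w.data) in (('hidefileext', '1'), ('showsuperhidden', '0')):
            what = 'file extensions' if n == 'hidefileext' else 'super-hidden files'
            findings.append(Finding('T1564.001', 'Explorer set to hide %s' % what, w))
        elif k.endswith(r'\security center') and w.data == '1' and (n.endswith('disablenotify') or n.endswith('override')):
            findings.append(Finding('T1562.001', 'Security Center flag %s set' % w.name, w))
        elif k.endswith(r'\policies\system') and n == 'disableregistrytools' and w.data == '1':
            findings.append(Finding('T1562.001', 'Registry editor disabled by policy', w))
        elif k.endswith(r'\winlogon') and n == 'sfcdisable':
            raw = int(w.data)
            signed = raw - 2 ** 32 if raw >= 2 ** 31 else raw     # report prints the DWORD unsigned
            findings.append(Finding('T1112', 'SFCDisable = %d (0x%08X): legacy Windows File Protection switch, no effect on Vista and later' % (signed, raw), w))
        elif re.search(r'\\classes\\\.[a-z0-9]+$', k) and n == '' and w.data.lower() == 'txtfile':
            ext = k.rsplit('\\', 1)[1]
            findings.append(Finding('T1112', '%s re-associated with txtfile: shell opens it in Notepad instead of running it' % ext, w))
    return findings


def technique_counts(findings):
    """Number of findings per ATT&CK id, e.g. {'T1547.001': 2, ...}."""
    return dict(Counter(f.technique for f in findings))


if __name__ == '__main__':
    for f in evaluate(parse_registry_iocs(REPORT_IOCS)):
        via = ' (via WOW6432Node)' if f.write.wow64 else ''
        print('%s  %-22s %s%s' % (f.technique, f.write.process, f.detail, via))
```

Run it as a script to list the findings; the `wow64` flag on each record is what tells a host-side check to read the WOW6432Node view as well as the native key, and the unsigned-to-signed conversion is what turns the report's 4294967197 back into the -99 that the SFCDisable documentation uses.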
Processes

C:\Users\Admin\AppData\Local\Temp\8811401f94e7d19dba818431f0ab24bb_JaffaCakes118.exe  [PID 4588, level 1]
  Command line: "C:\Users\Admin\AppData\Local\Temp\8811401f94e7d19dba818431f0ab24bb_JaffaCakes118.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rfobzyfzpu.exe  [PID 920, level 2, parent 4588]
    Command line: rfobzyfzpu.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\upmpnkou.exe  [PID 5000, level 3, parent 920]
      Command line: C:\Windows\system32\upmpnkou.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\xtqszypjezndgpw.exe  [PID 1704, level 2, parent 4588]
    Command line: xtqszypjezndgpw.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\upmpnkou.exe  [PID 2948, level 2, parent 4588]
    Command line: upmpnkou.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\jngizpmmbszae.exe  [PID 1152, level 2, parent 4588]
    Command line: jngizpmmbszae.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE  [PID 4600, level 2, parent 4588]
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx

Notes on the tree:
  - The parent/child links match the "Suspicious use of WriteProcessMemory" table: 4588 wrote to 920, 1704, 2948, 1152 and 4600; 920 wrote to 5000.
  - Every dropped image is in C:\Windows\SysWOW64 and every HKLM write goes through WOW6432Node, so the chain is 32-bit throughout. The "C:\Windows\system32\upmpnkou.exe" command line for PID 5000 is the 32-bit parent's view of the path; file-system redirection maps it to SysWOW64, which is where the image actually runs.
  - WINWORD.EXE is launched by the sample on the dropped C:\Windows\mydoc.rtf. The Word-attributed signatures (clipboard listener, SetWindowsHookEx, CPU/BIOS registry reads, the ~$mydoc.rtf owner file) are ordinary Word behaviour and should not be counted as evasion by the sample.
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution, T1547 (2)
    Registry Run Keys / Startup Folder, T1547.001 (1)
    Winlogon Helper DLL, T1547.004 (1)
Privilege Escalation
  Boot or Logon Autostart Execution, T1547 (2)
    Registry Run Keys / Startup Folder, T1547.001 (1)
    Winlogon Helper DLL, T1547.004 (1)
Defense Evasion
  Hide Artifacts, T1564 (2)
    Hidden Files and Directories, T1564.001 (2)
  Impair Defenses, T1562 (2)
    Disable or Modify Tools, T1562.001 (2)
  Modify Registry, T1112 (6)

(The number after each entry is the signature count the report assigns to it; the T-ids are the ATT&CK identifiers for the listed technique names.)
Downloads

Entries are listed as the page records them; only the two jump-list files carry a path.

- Filesize: 512KB
  MD5: 9270881899b8f0baa9618f37efcb88a7
  SHA1: cf2482f2be271a99ab313a866e21d4d78e70337e
  SHA256: d626cea72d69709bba2a329ed8f20e761290d21a8a2e922d0adc98c31a5f5964
  SHA512: 233f7b66292110c518dfe56aba444fb12fa1b9269125f34c55a7e364854ec89160d278b465aa81c94fc005d86501234e4d4e964d56e2ca922f3eb2edd9297e85

- Filesize: 512KB
  MD5: 08d0134cf1c13845f4d42b902aad7faf
  SHA1: 037f567ed77bc8f14a8f5650383ea8cd7a0f2a04
  SHA256: 8d64d360a713f3a44e28379ed23a309d9aad94a2fbf5798af248d46af872cc94
  SHA512: 6801a8e5461d32608744706f92666a8888d8a17066bc513e16bfdf9ae685b8f7845bd52d0df0ad69b4bab67ac7a0871f696d5e1bab0106b25544d029d581ebe6

- Filesize: 245KB
  MD5: f883b260a8d67082ea895c14bf56dd56
  SHA1: 7954565c1f243d46ad3b1e2f1baf3281451fc14b
  SHA256: ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
  SHA512: d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

- Filesize: 239B
  MD5: 506d7890424e69489a5be1afef5580c5
  SHA1: cba816211e3120c37d2714d61354265337eae683
  SHA256: d66db9598aaad84b8312523932d2c802eab42979172e4e1c84262688fed362e1
  SHA512: 68f6ca745d8e50478c4ff4d2072e021187b40e94c3be42f17142f22b79d5150cdd6992cfe12a6119b3ad4ce7d43ea193a303fcffeed35ec7b765bb8f9348515c

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 3KB
  MD5: d4deefe2805e76bdce6c5e3470f8de55
  SHA1: 9fa8b647eea8adefc81431d7de4bf4b1040f0432
  SHA256: 01d83179d527a59dcf45d2c665dbc5b78545eb243a5fa19798bdaf647e2d4115
  SHA512: 981da2534e7d13f93cca23690a7a9c1ea58ff9bda766ba44ae5fc154afb7f86ff486ff222d0f2055ae0a2581636e67acb37e471994c38e874296621f27e43703

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 3KB
  MD5: 4bd86eab36495e478ee2e5d9eefd5aca
  SHA1: d58974ec2df5167dcf932356815bf6cbb7ae9502
  SHA256: 2530adbeb6f7f34eae3ae84466700c62addfc8dd99695260ec8c543d3cde2675
  SHA512: 9c697a5719c4ffe1af6642d25a5e7455fabaa0f62a670de380db45f6930bccc4c7b359f00681ce27cb048e7475db4b36c2eefe9df8e5c29cac0fd36f4f311132

- Filesize: 512KB
  MD5: ecb8de573f632a321995a52539768e83
  SHA1: 4e514ab1d3c4a07a7d4728b5e918b125283c077e
  SHA256: 2ef4abbac54df67644b76fd24cec9a672b13455522ebffd604e8ae23a3c903ab
  SHA512: 549512b9e03567a3830a89a433e78d34e6f2ffb11d96fed105f2c9019aea7ffe7219a47809ea0a1be775247dab0b733f7a7a511e10fa4adaa80a820886f8be5f

- Filesize: 512KB
  MD5: 6188357fc51e0d759b3bdbdae2ffd9e3
  SHA1: 07b876cc2822d90d1d58bb5c5b79b946b2d81df6
  SHA256: 770a50dc620ec58da3d6485fbfb03bf67c29150db9cd423f9a9a1f413dac4e63
  SHA512: 181bc60405dfaf633b9ac530d6890b7704085d2eb202a81762598504cef161659695a5370c9e1858d98585e667a8144e51b14993d536b23a6ca62fbd63dbfc4a

- Filesize: 512KB
  MD5: 7e0395273a24115140e484aa60a0491d
  SHA1: f6f21fd0e7d450b5bf88458a84acfe55a10d620d
  SHA256: f2c17c42f9aa98b8d252f326f8d6950a8752a1f3f5861d4300cca4de5d8f3589
  SHA512: 375de2dc80983b22ef6ef2663ef010eaf062b6019f1eda4ebc1e6bfc8610e5ded70bfd01dea013885f90a7d0da3339a7b4e9d96d9f7e9fdf65ac6a723d229969

- Filesize: 512KB
  MD5: 9c143947c6ac70d1d10a52cf527e7c55
  SHA1: e49b761d1b1603c847eb4a22959350166349aa80
  SHA256: 42663313a7aa86a7a4f26f8aacdb75bcb700dde930be86591fae417e4ecf18e1
  SHA512: 873b90b396a952a30fc568bd2cb4b4780706b03e8f77586a5b7a7fcc9b3dae688b77d4c997a95cdca99e8c3dadcdfff2fb4782875a7d65053e1c49302feaef3d

- Filesize: 223B
  MD5: 06604e5941c126e2e7be02c5cd9f62ec
  SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
  SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
  SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

- Filesize: 512KB
  MD5: a6f3251589e51df2b9585b089b4c1f74
  SHA1: cfc332daaef4f74d20eeab2870aae2bcf644155e
  SHA256: 09e2b28454989c4140c0a42599ccea684e9eb2f91b95277405619df4534e9acd
  SHA512: 146b6ae6f7438a8eb58b5f172e49a7cb299e4fe99ac65da0e845f955d3633c595ac2187025e042640b8b5d60ab142676d00579d8747eab2d01cb1abdc38013df

- Filesize: 512KB
  MD5: b57dec37e12a184697ea0f7eba21bca3
  SHA1: 28b6553218c46055e39f24e07ceb71f23d0bf85d
  SHA256: 99d3a001a962301326ec387c8c9ac1b55160c105f08293de091c3a86e3b0a946
  SHA512: 3d4a7003543e22f91b2235604733160d452158e2a83b2256c1d598c622507bb33b6ea4e24bc29a68cd4d8fb83eaa19b5ade6ce8eaa31fbbc8f1e7bec8f19ecdc

- Filesize: 512KB
  MD5: ded5ba6168593c1991379cc07ff088dc
  SHA1: cd85b8eb00e0444d87ea139556669a234880e2e5
  SHA256: 9140775bb9bfe5006cc983183840c82c43b33d2c6e61d2c8a67ca18e5dec4945
  SHA512: 3ae7990a4961223d13f96779cbfb14fa3d5cfd9b20464aa38192e43f2d8fdd1c7cf853c91d2e21ba3030817083f07cf1b6e60ea72b1ecf4b35e438efaec40cb6