Analysis
max time kernel: 155s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/06/2024, 01:02

Static task: static1

Behavioral task: behavioral1
Sample: 88ecfae8c38444a02f18843dda44b79f_JaffaCakes118.exe
Resource: win7-20231129-en

Behavioral task: behavioral2
Sample: 88ecfae8c38444a02f18843dda44b79f_JaffaCakes118.exe
Resource: win10v2004-20240226-en

General
Target: 88ecfae8c38444a02f18843dda44b79f_JaffaCakes118.exe
Size: 512KB
MD5: 88ecfae8c38444a02f18843dda44b79f
SHA1: ef52b97c1fae4b039f85a909121be3657abc0766
SHA256: 9738ac56d8a00bd4f7a87140d846e3750f239b52c64f3149c654b0a022d83691
SHA512: cfadaf7a2f26ea3154cb15614f52a205f926642bd8ba7bbf5ba9b9324b386bb09034baa197cc9a38d0db1bcbd3e6d8bac3901746c9e1308f16d26c336b4e55c0
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6l:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5G
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | ulmahbkptu.exe

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | ulmahbkptu.exe

Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | ulmahbkptu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | ulmahbkptu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | ulmahbkptu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | ulmahbkptu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | ulmahbkptu.exe

Disables RegEdit via registry modification (1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | ulmahbkptu.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | 88ecfae8c38444a02f18843dda44b79f_JaffaCakes118.exe
Executes dropped EXE (5 IoCs)
pid | Process
2324 | ulmahbkptu.exe
3656 | vsqqfdvlwunxwmo.exe
1964 | arssqxga.exe
3812 | vyyixnjpdslfh.exe
2096 | arssqxga.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | ulmahbkptu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | ulmahbkptu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | ulmahbkptu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | ulmahbkptu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | ulmahbkptu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | ulmahbkptu.exe

Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "vyyixnjpdslfh.exe" | vsqqfdvlwunxwmo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gxgvrbol = "ulmahbkptu.exe" | vsqqfdvlwunxwmo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kgxdlish = "vsqqfdvlwunxwmo.exe" | vsqqfdvlwunxwmo.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\l: | ulmahbkptu.exe
File opened (read-only) | \??\o: | ulmahbkptu.exe
File opened (read-only) | \??\r: | arssqxga.exe
File opened (read-only) | \??\h: | arssqxga.exe
File opened (read-only) | \??\n: | arssqxga.exe
File opened (read-only) | \??\z: | arssqxga.exe
File opened (read-only) | \??\g: | ulmahbkptu.exe
File opened (read-only) | \??\k: | ulmahbkptu.exe
File opened (read-only) | \??\s: | arssqxga.exe
File opened (read-only) | \??\m: | arssqxga.exe
File opened (read-only) | \??\s: | arssqxga.exe
File opened (read-only) | \??\k: | arssqxga.exe
File opened (read-only) | \??\w: | arssqxga.exe
File opened (read-only) | \??\g: | arssqxga.exe
File opened (read-only) | \??\m: | arssqxga.exe
File opened (read-only) | \??\w: | ulmahbkptu.exe
File opened (read-only) | \??\l: | arssqxga.exe
File opened (read-only) | \??\q: | arssqxga.exe
File opened (read-only) | \??\z: | arssqxga.exe
File opened (read-only) | \??\b: | arssqxga.exe
File opened (read-only) | \??\u: | arssqxga.exe
File opened (read-only) | \??\b: | ulmahbkptu.exe
File opened (read-only) | \??\h: | ulmahbkptu.exe
File opened (read-only) | \??\a: | arssqxga.exe
File opened (read-only) | \??\i: | arssqxga.exe
File opened (read-only) | \??\p: | arssqxga.exe
File opened (read-only) | \??\r: | arssqxga.exe
File opened (read-only) | \??\r: | ulmahbkptu.exe
File opened (read-only) | \??\u: | arssqxga.exe
File opened (read-only) | \??\j: | arssqxga.exe
File opened (read-only) | \??\o: | arssqxga.exe
File opened (read-only) | \??\s: | ulmahbkptu.exe
File opened (read-only) | \??\v: | ulmahbkptu.exe
File opened (read-only) | \??\g: | arssqxga.exe
File opened (read-only) | \??\m: | ulmahbkptu.exe
File opened (read-only) | \??\j: | arssqxga.exe
File opened (read-only) | \??\x: | arssqxga.exe
File opened (read-only) | \??\a: | arssqxga.exe
File opened (read-only) | \??\e: | arssqxga.exe
File opened (read-only) | \??\y: | arssqxga.exe
File opened (read-only) | \??\e: | ulmahbkptu.exe
File opened (read-only) | \??\y: | ulmahbkptu.exe
File opened (read-only) | \??\t: | arssqxga.exe
File opened (read-only) | \??\v: | arssqxga.exe
File opened (read-only) | \??\n: | arssqxga.exe
File opened (read-only) | \??\v: | arssqxga.exe
File opened (read-only) | \??\u: | ulmahbkptu.exe
File opened (read-only) | \??\x: | ulmahbkptu.exe
File opened (read-only) | \??\i: | arssqxga.exe
File opened (read-only) | \??\h: | arssqxga.exe
File opened (read-only) | \??\k: | arssqxga.exe
File opened (read-only) | \??\o: | arssqxga.exe
File opened (read-only) | \??\q: | arssqxga.exe
File opened (read-only) | \??\t: | arssqxga.exe
File opened (read-only) | \??\y: | arssqxga.exe
File opened (read-only) | \??\p: | ulmahbkptu.exe
File opened (read-only) | \??\z: | ulmahbkptu.exe
File opened (read-only) | \??\w: | arssqxga.exe
File opened (read-only) | \??\e: | arssqxga.exe
File opened (read-only) | \??\l: | arssqxga.exe
File opened (read-only) | \??\t: | ulmahbkptu.exe
File opened (read-only) | \??\p: | arssqxga.exe
File opened (read-only) | \??\n: | ulmahbkptu.exe
File opened (read-only) | \??\q: | ulmahbkptu.exe

Modifies WinLogon (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | ulmahbkptu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | ulmahbkptu.exe
AutoIT Executable (11 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/3152-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x0008000000023251-5.dat | autoit_exe
behavioral2/files/0x000800000002324f-18.dat | autoit_exe
behavioral2/files/0x0007000000023252-27.dat | autoit_exe
behavioral2/files/0x0007000000023253-31.dat | autoit_exe
behavioral2/files/0x0007000000023260-57.dat | autoit_exe
behavioral2/files/0x000700000002325f-54.dat | autoit_exe
behavioral2/files/0x000c00000001e6f9-84.dat | autoit_exe
behavioral2/files/0x000200000001eab3-93.dat | autoit_exe
behavioral2/files/0x000300000000070d-103.dat | autoit_exe
behavioral2/files/0x000300000000070d-105.dat | autoit_exe

Drops file in System32 directory (13 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | ulmahbkptu.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | arssqxga.exe
File opened for modification | C:\Windows\SysWOW64\ulmahbkptu.exe | 88ecfae8c38444a02f18843dda44b79f_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\vsqqfdvlwunxwmo.exe | 88ecfae8c38444a02f18843dda44b79f_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\arssqxga.exe | 88ecfae8c38444a02f18843dda44b79f_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\vyyixnjpdslfh.exe | 88ecfae8c38444a02f18843dda44b79f_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\vyyixnjpdslfh.exe | 88ecfae8c38444a02f18843dda44b79f_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\ulmahbkptu.exe | 88ecfae8c38444a02f18843dda44b79f_JaffaCakes118.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | arssqxga.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | arssqxga.exe
File created | C:\Windows\SysWOW64\vsqqfdvlwunxwmo.exe | 88ecfae8c38444a02f18843dda44b79f_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\arssqxga.exe | 88ecfae8c38444a02f18843dda44b79f_JaffaCakes118.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | arssqxga.exe

Drops file in Program Files directory (14 IoCs)
description | ioc | Process
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | arssqxga.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | arssqxga.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | arssqxga.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | arssqxga.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | arssqxga.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | arssqxga.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | arssqxga.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | arssqxga.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | arssqxga.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | arssqxga.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | arssqxga.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | arssqxga.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | arssqxga.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | arssqxga.exe

Drops file in Windows directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\mydoc.rtf | 88ecfae8c38444a02f18843dda44b79f_JaffaCakes118.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE

Modifies registry class (20 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8CFC8E4F2985189030D7297DE6BC94E136584467346341D79C" | 88ecfae8c38444a02f18843dda44b79f_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F668C4FE1A22DED172D0D38A0F9166" | 88ecfae8c38444a02f18843dda44b79f_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | ulmahbkptu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | ulmahbkptu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | ulmahbkptu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCAF9CEFE17F298830F3B45819D39E4B38803F143660248E2C942ED08A5" | 88ecfae8c38444a02f18843dda44b79f_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | ulmahbkptu.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | ulmahbkptu.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | ulmahbkptu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FCAB0284494389A52CFB9A13292D7BC" | 88ecfae8c38444a02f18843dda44b79f_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | ulmahbkptu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | ulmahbkptu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | ulmahbkptu.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | ulmahbkptu.exe
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings | 88ecfae8c38444a02f18843dda44b79f_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 88ecfae8c38444a02f18843dda44b79f_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184BC60F1493DABFB8C87C92ECE434BA" | 88ecfae8c38444a02f18843dda44b79f_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | ulmahbkptu.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | ulmahbkptu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32462C0F9C2483276A3476D270562DDE7CF365DC" | 88ecfae8c38444a02f18843dda44b79f_JaffaCakes118.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid | Process
3964 | WINWORD.EXE
3964 | WINWORD.EXE

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
3152 | 88ecfae8c38444a02f18843dda44b79f_JaffaCakes118.exe
3152 | 88ecfae8c38444a02f18843dda44b79f_JaffaCakes118.exe
3152 | 88ecfae8c38444a02f18843dda44b79f_JaffaCakes118.exe
3152 | 88ecfae8c38444a02f18843dda44b79f_JaffaCakes118.exe
3152 | 88ecfae8c38444a02f18843dda44b79f_JaffaCakes118.exe
3152 | 88ecfae8c38444a02f18843dda44b79f_JaffaCakes118.exe
3152 | 88ecfae8c38444a02f18843dda44b79f_JaffaCakes118.exe
3152 | 88ecfae8c38444a02f18843dda44b79f_JaffaCakes118.exe
3152 | 88ecfae8c38444a02f18843dda44b79f_JaffaCakes118.exe
3152 | 88ecfae8c38444a02f18843dda44b79f_JaffaCakes118.exe
3152 | 88ecfae8c38444a02f18843dda44b79f_JaffaCakes118.exe
3152 | 88ecfae8c38444a02f18843dda44b79f_JaffaCakes118.exe
3152 | 88ecfae8c38444a02f18843dda44b79f_JaffaCakes118.exe
3152 | 88ecfae8c38444a02f18843dda44b79f_JaffaCakes118.exe
3152 | 88ecfae8c38444a02f18843dda44b79f_JaffaCakes118.exe
3152 | 88ecfae8c38444a02f18843dda44b79f_JaffaCakes118.exe
2324 | ulmahbkptu.exe
2324 | ulmahbkptu.exe
2324 | ulmahbkptu.exe
2324 | ulmahbkptu.exe
2324 | ulmahbkptu.exe
2324 | ulmahbkptu.exe
2324 | ulmahbkptu.exe
2324 | ulmahbkptu.exe
2324 | ulmahbkptu.exe
2324 | ulmahbkptu.exe
3656 | vsqqfdvlwunxwmo.exe
3656 | vsqqfdvlwunxwmo.exe
1964 | arssqxga.exe
1964 | arssqxga.exe
3656 | vsqqfdvlwunxwmo.exe
3656 | vsqqfdvlwunxwmo.exe
1964 | arssqxga.exe
3656 | vsqqfdvlwunxwmo.exe
1964 | arssqxga.exe
3656 | vsqqfdvlwunxwmo.exe
1964 | arssqxga.exe
3656 | vsqqfdvlwunxwmo.exe
1964 | arssqxga.exe
3656 | vsqqfdvlwunxwmo.exe
1964 | arssqxga.exe
1964 | arssqxga.exe
3812 | vyyixnjpdslfh.exe
3812 | vyyixnjpdslfh.exe
3812 | vyyixnjpdslfh.exe
3812 | vyyixnjpdslfh.exe
3812 | vyyixnjpdslfh.exe
3812 | vyyixnjpdslfh.exe
3812 | vyyixnjpdslfh.exe
3812 | vyyixnjpdslfh.exe
3812 | vyyixnjpdslfh.exe
3812 | vyyixnjpdslfh.exe
3812 | vyyixnjpdslfh.exe
3812 | vyyixnjpdslfh.exe
3656 | vsqqfdvlwunxwmo.exe
3656 | vsqqfdvlwunxwmo.exe
2096 | arssqxga.exe
2096 | arssqxga.exe
2096 | arssqxga.exe
2096 | arssqxga.exe
2096 | arssqxga.exe
2096 | arssqxga.exe
2096 | arssqxga.exe
2096 | arssqxga.exe

Suspicious use of FindShellTrayWindow (18 IoCs)
pid | Process
3152 | 88ecfae8c38444a02f18843dda44b79f_JaffaCakes118.exe
3152 | 88ecfae8c38444a02f18843dda44b79f_JaffaCakes118.exe
3152 | 88ecfae8c38444a02f18843dda44b79f_JaffaCakes118.exe
2324 | ulmahbkptu.exe
2324 | ulmahbkptu.exe
2324 | ulmahbkptu.exe
1964 | arssqxga.exe
1964 | arssqxga.exe
1964 | arssqxga.exe
3656 | vsqqfdvlwunxwmo.exe
3812 | vyyixnjpdslfh.exe
3656 | vsqqfdvlwunxwmo.exe
3812 | vyyixnjpdslfh.exe
3656 | vsqqfdvlwunxwmo.exe
3812 | vyyixnjpdslfh.exe
2096 | arssqxga.exe
2096 | arssqxga.exe
2096 | arssqxga.exe

Suspicious use of SendNotifyMessage (18 IoCs)
pid | Process
3152 | 88ecfae8c38444a02f18843dda44b79f_JaffaCakes118.exe
3152 | 88ecfae8c38444a02f18843dda44b79f_JaffaCakes118.exe
3152 | 88ecfae8c38444a02f18843dda44b79f_JaffaCakes118.exe
2324 | ulmahbkptu.exe
2324 | ulmahbkptu.exe
2324 | ulmahbkptu.exe
1964 | arssqxga.exe
1964 | arssqxga.exe
1964 | arssqxga.exe
3656 | vsqqfdvlwunxwmo.exe
3812 | vyyixnjpdslfh.exe
3656 | vsqqfdvlwunxwmo.exe
3812 | vyyixnjpdslfh.exe
3656 | vsqqfdvlwunxwmo.exe
3812 | vyyixnjpdslfh.exe
2096 | arssqxga.exe
2096 | arssqxga.exe
2096 | arssqxga.exe

Suspicious use of SetWindowsHookEx (7 IoCs)
pid | Process
3964 | WINWORD.EXE
3964 | WINWORD.EXE
3964 | WINWORD.EXE
3964 | WINWORD.EXE
3964 | WINWORD.EXE
3964 | WINWORD.EXE
3964 | WINWORD.EXE

Suspicious use of WriteProcessMemory (17 IoCs)
description | pid | Process | procid_target
PID 3152 wrote to memory of 2324 | 3152 | 88ecfae8c38444a02f18843dda44b79f_JaffaCakes118.exe | 92
PID 3152 wrote to memory of 2324 | 3152 | 88ecfae8c38444a02f18843dda44b79f_JaffaCakes118.exe | 92
PID 3152 wrote to memory of 2324 | 3152 | 88ecfae8c38444a02f18843dda44b79f_JaffaCakes118.exe | 92
PID 3152 wrote to memory of 3656 | 3152 | 88ecfae8c38444a02f18843dda44b79f_JaffaCakes118.exe | 93
PID 3152 wrote to memory of 3656 | 3152 | 88ecfae8c38444a02f18843dda44b79f_JaffaCakes118.exe | 93
PID 3152 wrote to memory of 3656 | 3152 | 88ecfae8c38444a02f18843dda44b79f_JaffaCakes118.exe | 93
PID 3152 wrote to memory of 1964 | 3152 | 88ecfae8c38444a02f18843dda44b79f_JaffaCakes118.exe | 94
PID 3152 wrote to memory of 1964 | 3152 | 88ecfae8c38444a02f18843dda44b79f_JaffaCakes118.exe | 94
PID 3152 wrote to memory of 1964 | 3152 | 88ecfae8c38444a02f18843dda44b79f_JaffaCakes118.exe | 94
PID 3152 wrote to memory of 3812 | 3152 | 88ecfae8c38444a02f18843dda44b79f_JaffaCakes118.exe | 95
PID 3152 wrote to memory of 3812 | 3152 | 88ecfae8c38444a02f18843dda44b79f_JaffaCakes118.exe | 95
PID 3152 wrote to memory of 3812 | 3152 | 88ecfae8c38444a02f18843dda44b79f_JaffaCakes118.exe | 95
PID 2324 wrote to memory of 2096 | 2324 | ulmahbkptu.exe | 96
PID 2324 wrote to memory of 2096 | 2324 | ulmahbkptu.exe | 96
PID 2324 wrote to memory of 2096 | 2324 | ulmahbkptu.exe | 96
PID 3152 wrote to memory of 3964 | 3152 | 88ecfae8c38444a02f18843dda44b79f_JaffaCakes118.exe | 97
PID 3152 wrote to memory of 3964 | 3152 | 88ecfae8c38444a02f18843dda44b79f_JaffaCakes118.exe | 97
Processes

C:\Users\Admin\AppData\Local\Temp\88ecfae8c38444a02f18843dda44b79f_JaffaCakes118.exe (level 1, PID 3152)
Command line: "C:\Users\Admin\AppData\Local\Temp\88ecfae8c38444a02f18843dda44b79f_JaffaCakes118.exe"
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\ulmahbkptu.exe (level 2, PID 2324)
  Command line: ulmahbkptu.exe
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\arssqxga.exe (level 3, PID 2096)
    Command line: C:\Windows\system32\arssqxga.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\vsqqfdvlwunxwmo.exe (level 2, PID 3656)
  Command line: vsqqfdvlwunxwmo.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\arssqxga.exe (level 2, PID 1964)
  Command line: arssqxga.exe
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\vyyixnjpdslfh.exe (level 2, PID 3812)
  Command line: vyyixnjpdslfh.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (level 2, PID 3964)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
  - Drops file in Windows directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 1, PID 2816)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5084 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)

Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)

Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (6)
Downloads