Analysis

Max time kernel: 150s
Max time network: 125s
Platform: windows7_x64
Resource: win7-20240221-en
Resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
Submitted: 01-06-2024 03:25

Static task: static1

Behavioral task: behavioral1
Sample: 893cea07129af938056f726cdc6c5940_JaffaCakes118.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 893cea07129af938056f726cdc6c5940_JaffaCakes118.exe
Resource: win10v2004-20240426-en
General

Target: 893cea07129af938056f726cdc6c5940_JaffaCakes118.exe
Size: 512KB
MD5: 893cea07129af938056f726cdc6c5940
SHA1: bc69405ea6380e33cc28e3e31c456784bb1815f7
SHA256: a736f4f4091ec120fba8ecd0cdb1c1058c1ce959d5ae7a8d731bfe5dd83dade6
SHA512: 9f036eca881953cce748c6cbac62a69f5e754ded712836f3ecf3ca1a6700bbead9b874a3f908f02ca73c1b7c6989c8b4e47bf6044751e5a641a2c05b20a7a57d
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6K:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5z
Malware Config
Signatures

Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
- Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (ywdhaboqrw.exe)

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
- Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (ywdhaboqrw.exe)

Windows security bypass (5 IoCs)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (ywdhaboqrw.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (ywdhaboqrw.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (ywdhaboqrw.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (ywdhaboqrw.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (ywdhaboqrw.exe)

Disables RegEdit via registry modification (1 IoC)
- Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (ywdhaboqrw.exe)
Executes dropped EXE (5 IoCs)
- PID 2844 ywdhaboqrw.exe
- PID 2128 tbdhtespwraitta.exe
- PID 2488 hnslamjx.exe
- PID 2528 djkjurnobrume.exe
- PID 2372 hnslamjx.exe

Loads dropped DLL (5 IoCs)
- PID 2820 893cea07129af938056f726cdc6c5940_JaffaCakes118.exe
- PID 2820 893cea07129af938056f726cdc6c5940_JaffaCakes118.exe
- PID 2820 893cea07129af938056f726cdc6c5940_JaffaCakes118.exe
- PID 2820 893cea07129af938056f726cdc6c5940_JaffaCakes118.exe
- PID 2844 ywdhaboqrw.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification (6 IoCs)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (ywdhaboqrw.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" (ywdhaboqrw.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (ywdhaboqrw.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (ywdhaboqrw.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (ywdhaboqrw.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (ywdhaboqrw.exe)

Adds Run key to start application (2 TTPs, 3 IoCs)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ypzuqjkj = "tbdhtespwraitta.exe" (tbdhtespwraitta.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "djkjurnobrume.exe" (tbdhtespwraitta.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ufzwecnu = "ywdhaboqrw.exe" (tbdhtespwraitta.exe)
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon (2 TTPs, 2 IoCs)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" (ywdhaboqrw.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" (ywdhaboqrw.exe)
AutoIT Executable (8 IoCs)
AutoIT scripts compiled to PE executables.
Resources matched by YARA rule autoit_exe:
- behavioral1/files/0x0008000000015c23-43.dat
- behavioral1/files/0x0007000000015c2f-40.dat
- behavioral1/files/0x00090000000155e2-32.dat
- behavioral1/files/0x000b000000014fe1-27.dat
- behavioral1/memory/2820-0-0x0000000000400000-0x0000000000496000-memory.dmp
- behavioral1/files/0x0006000000016ca9-64.dat
- behavioral1/files/0x0006000000016cd4-71.dat
- behavioral1/files/0x0006000000016cf0-73.dat
Drops file in System32 directory (9 IoCs)
- File opened for modification C:\Windows\SysWOW64\msvbvm60.dll (ywdhaboqrw.exe)
- File opened for modification C:\Windows\SysWOW64\ywdhaboqrw.exe (893cea07129af938056f726cdc6c5940_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\tbdhtespwraitta.exe (893cea07129af938056f726cdc6c5940_JaffaCakes118.exe)
- File created C:\Windows\SysWOW64\hnslamjx.exe (893cea07129af938056f726cdc6c5940_JaffaCakes118.exe)
- File created C:\Windows\SysWOW64\djkjurnobrume.exe (893cea07129af938056f726cdc6c5940_JaffaCakes118.exe)
- File created C:\Windows\SysWOW64\ywdhaboqrw.exe (893cea07129af938056f726cdc6c5940_JaffaCakes118.exe)
- File created C:\Windows\SysWOW64\tbdhtespwraitta.exe (893cea07129af938056f726cdc6c5940_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\hnslamjx.exe (893cea07129af938056f726cdc6c5940_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\djkjurnobrume.exe (893cea07129af938056f726cdc6c5940_JaffaCakes118.exe)
Drops file in Program Files directory (14 IoCs, all by hnslamjx.exe)
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
- File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
- File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal
- File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
- File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal
- File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal
- File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
Drops file in Windows directory (5 IoCs)
- File opened for modification C:\Windows\mydoc.rtf (893cea07129af938056f726cdc6c5940_JaffaCakes118.exe)
- File opened for modification C:\Windows\mydoc.rtf (WINWORD.EXE)
- File created C:\Windows\~$mydoc.rtf (WINWORD.EXE)
- File opened for modification C:\Windows\Debug\WIA\wiatrace.log (WINWORD.EXE)
- File opened for modification C:\Windows\~$mydoc.rtf (WINWORD.EXE)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings (31 IoCs, all by WINWORD.EXE)
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
- Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit
- Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"
- Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor
- Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar
- Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000
- Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command
- Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote
- Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
- Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND
Modifies registry class (64 IoCs)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" (WINWORD.EXE)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit (WINWORD.EXE)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC3B15D449439EE53CFBAA6329FD4CE" (893cea07129af938056f726cdc6c5940_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" (ywdhaboqrw.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit (WINWORD.EXE)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word (WINWORD.EXE)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit (WINWORD.EXE)
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 (WINWORD.EXE)
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print (WINWORD.EXE)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" (WINWORD.EXE)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" (WINWORD.EXE)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec (WINWORD.EXE)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" (WINWORD.EXE)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" (WINWORD.EXE)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application (WINWORD.EXE)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command (WINWORD.EXE)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" (WINWORD.EXE)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon (WINWORD.EXE)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" (WINWORD.EXE)
- Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes (893cea07129af938056f726cdc6c5940_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BC8FACDF910F19184743B4481983E91B388038F4369034BE2CA459D08D2" (893cea07129af938056f726cdc6c5940_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F46BB3FF6E22DFD20CD0D48A0C9016" (893cea07129af938056f726cdc6c5940_JaffaCakes118.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell (WINWORD.EXE)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" (WINWORD.EXE)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command (WINWORD.EXE)
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 (WINWORD.EXE)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe (WINWORD.EXE)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" (WINWORD.EXE)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel (WINWORD.EXE)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec (WINWORD.EXE)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat (ywdhaboqrw.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon (WINWORD.EXE)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application (WINWORD.EXE)
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit (WINWORD.EXE)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" (WINWORD.EXE)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList (WINWORD.EXE)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" (WINWORD.EXE)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" (WINWORD.EXE)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit (WINWORD.EXE)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1949C70E1491DBBEB9BC7C97ED9534BC" (893cea07129af938056f726cdc6c5940_JaffaCakes118.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc (ywdhaboqrw.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" (WINWORD.EXE)
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command (WINWORD.EXE)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht (WINWORD.EXE)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit (WINWORD.EXE)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print (WINWORD.EXE)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" (WINWORD.EXE)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" (WINWORD.EXE)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" (WINWORD.EXE)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh (ywdhaboqrw.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm (WINWORD.EXE)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe (WINWORD.EXE)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command (WINWORD.EXE)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" (WINWORD.EXE)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx (WINWORD.EXE)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel (WINWORD.EXE)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" (WINWORD.EXE)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" (WINWORD.EXE)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" (WINWORD.EXE)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" (WINWORD.EXE)
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command (WINWORD.EXE)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" (WINWORD.EXE)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" (WINWORD.EXE)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command (WINWORD.EXE)
Suspicious behavior: AddClipboardFormatListener (1 IoC)
- PID 2392 WINWORD.EXE

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of FindShellTrayWindow (18 IoCs)
- PID 2820 893cea07129af938056f726cdc6c5940_JaffaCakes118.exe
- PID 2820 893cea07129af938056f726cdc6c5940_JaffaCakes118.exe
- PID 2820 893cea07129af938056f726cdc6c5940_JaffaCakes118.exe
- PID 2844 ywdhaboqrw.exe
- PID 2844 ywdhaboqrw.exe
- PID 2844 ywdhaboqrw.exe
- PID 2128 tbdhtespwraitta.exe
- PID 2128 tbdhtespwraitta.exe
- PID 2128 tbdhtespwraitta.exe
- PID 2528 djkjurnobrume.exe
- PID 2528 djkjurnobrume.exe
- PID 2528 djkjurnobrume.exe
- PID 2488 hnslamjx.exe
- PID 2488 hnslamjx.exe
- PID 2488 hnslamjx.exe
- PID 2372 hnslamjx.exe
- PID 2372 hnslamjx.exe
- PID 2372 hnslamjx.exe

Suspicious use of SendNotifyMessage (18 IoCs)
- PID 2820 893cea07129af938056f726cdc6c5940_JaffaCakes118.exe
- PID 2820 893cea07129af938056f726cdc6c5940_JaffaCakes118.exe
- PID 2820 893cea07129af938056f726cdc6c5940_JaffaCakes118.exe
- PID 2844 ywdhaboqrw.exe
- PID 2844 ywdhaboqrw.exe
- PID 2844 ywdhaboqrw.exe
- PID 2128 tbdhtespwraitta.exe
- PID 2128 tbdhtespwraitta.exe
- PID 2128 tbdhtespwraitta.exe
- PID 2528 djkjurnobrume.exe
- PID 2528 djkjurnobrume.exe
- PID 2528 djkjurnobrume.exe
- PID 2488 hnslamjx.exe
- PID 2488 hnslamjx.exe
- PID 2488 hnslamjx.exe
- PID 2372 hnslamjx.exe
- PID 2372 hnslamjx.exe
- PID 2372 hnslamjx.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
- PID 2392 WINWORD.EXE
- PID 2392 WINWORD.EXE

Suspicious use of WriteProcessMemory (28 IoCs)
Each entry: description, then the writing process (pid, image) and its procid_target.
- PID 2820 wrote to memory of 2844 (2820 893cea07129af938056f726cdc6c5940_JaffaCakes118.exe, procid_target 28)
- PID 2820 wrote to memory of 2844 (2820 893cea07129af938056f726cdc6c5940_JaffaCakes118.exe, procid_target 28)
- PID 2820 wrote to memory of 2844 (2820 893cea07129af938056f726cdc6c5940_JaffaCakes118.exe, procid_target 28)
- PID 2820 wrote to memory of 2844 (2820 893cea07129af938056f726cdc6c5940_JaffaCakes118.exe, procid_target 28)
- PID 2820 wrote to memory of 2128 (2820 893cea07129af938056f726cdc6c5940_JaffaCakes118.exe, procid_target 29)
- PID 2820 wrote to memory of 2128 (2820 893cea07129af938056f726cdc6c5940_JaffaCakes118.exe, procid_target 29)
- PID 2820 wrote to memory of 2128 (2820 893cea07129af938056f726cdc6c5940_JaffaCakes118.exe, procid_target 29)
- PID 2820 wrote to memory of 2128 (2820 893cea07129af938056f726cdc6c5940_JaffaCakes118.exe, procid_target 29)
- PID 2820 wrote to memory of 2488 (2820 893cea07129af938056f726cdc6c5940_JaffaCakes118.exe, procid_target 30)
- PID 2820 wrote to memory of 2488 (2820 893cea07129af938056f726cdc6c5940_JaffaCakes118.exe, procid_target 30)
- PID 2820 wrote to memory of 2488 (2820 893cea07129af938056f726cdc6c5940_JaffaCakes118.exe, procid_target 30)
- PID 2820 wrote to memory of 2488 (2820 893cea07129af938056f726cdc6c5940_JaffaCakes118.exe, procid_target 30)
- PID 2820 wrote to memory of 2528 (2820 893cea07129af938056f726cdc6c5940_JaffaCakes118.exe, procid_target 31)
- PID 2820 wrote to memory of 2528 (2820 893cea07129af938056f726cdc6c5940_JaffaCakes118.exe, procid_target 31)
- PID 2820 wrote to memory of 2528 (2820 893cea07129af938056f726cdc6c5940_JaffaCakes118.exe, procid_target 31)
- PID 2820 wrote to memory of 2528 (2820 893cea07129af938056f726cdc6c5940_JaffaCakes118.exe, procid_target 31)
- PID 2844 wrote to memory of 2372 (2844 ywdhaboqrw.exe, procid_target 32)
- PID 2844 wrote to memory of 2372 (2844 ywdhaboqrw.exe, procid_target 32)
- PID 2844 wrote to memory of 2372 (2844 ywdhaboqrw.exe, procid_target 32)
- PID 2844 wrote to memory of 2372 (2844 ywdhaboqrw.exe, procid_target 32)
- PID 2820 wrote to memory of 2392 (2820 893cea07129af938056f726cdc6c5940_JaffaCakes118.exe, procid_target 33)
- PID 2820 wrote to memory of 2392 (2820 893cea07129af938056f726cdc6c5940_JaffaCakes118.exe, procid_target 33)
- PID 2820 wrote to memory of 2392 (2820 893cea07129af938056f726cdc6c5940_JaffaCakes118.exe, procid_target 33)
- PID 2820 wrote to memory of 2392 (2820 893cea07129af938056f726cdc6c5940_JaffaCakes118.exe, procid_target 33)
- PID 2392 wrote to memory of 2004 (2392 WINWORD.EXE, procid_target 36)
- PID 2392 wrote to memory of 2004 (2392 WINWORD.EXE, procid_target 36)
- PID 2392 wrote to memory of 2004 (2392 WINWORD.EXE, procid_target 36)
- PID 2392 wrote to memory of 2004 (2392 WINWORD.EXE, procid_target 36)
Processes

Process tree (image path, command line, PID and the signatures that fired for each process; nesting shows parent/child):

- C:\Users\Admin\AppData\Local\Temp\893cea07129af938056f726cdc6c5940_JaffaCakes118.exe (PID 2820)
  Command line: "C:\Users\Admin\AppData\Local\Temp\893cea07129af938056f726cdc6c5940_JaffaCakes118.exe"
  Signatures:
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\ywdhaboqrw.exe (PID 2844)
    Command line: ywdhaboqrw.exe
    Signatures:
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\hnslamjx.exe (PID 2372)
      Command line: C:\Windows\system32\hnslamjx.exe
      Signatures:
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\tbdhtespwraitta.exe (PID 2128)
    Command line: tbdhtespwraitta.exe
    Signatures:
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\hnslamjx.exe (PID 2488)
    Command line: hnslamjx.exe
    Signatures:
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\djkjurnobrume.exe (PID 2528)
    Command line: djkjurnobrume.exe
    Signatures:
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (PID 2392)
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
    Signatures:
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\splwow64.exe (PID 2004)
      Command line: C:\Windows\splwow64.exe 12288
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)

Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)

Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (7)
Downloads