Analysis
- max time kernel: 150s
- max time network: 127s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-06-2024 03:25
Static task: static1
Behavioral task: behavioral1
- Sample: 893cea07129af938056f726cdc6c5940_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 893cea07129af938056f726cdc6c5940_JaffaCakes118.exe
- Resource: win10v2004-20240426-en
General
- Target: 893cea07129af938056f726cdc6c5940_JaffaCakes118.exe
- Size: 512KB
- MD5: 893cea07129af938056f726cdc6c5940
- SHA1: bc69405ea6380e33cc28e3e31c456784bb1815f7
- SHA256: a736f4f4091ec120fba8ecd0cdb1c1058c1ce959d5ae7a8d731bfe5dd83dade6
- SHA512: 9f036eca881953cce748c6cbac62a69f5e754ded712836f3ecf3ca1a6700bbead9b874a3f908f02ca73c1b7c6989c8b4e47bf6044751e5a641a2c05b20a7a57d
- SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6K:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5z
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

| description | ioc | Process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | ubzsqdftcq.exe |
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs

| description | ioc | Process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | ubzsqdftcq.exe |
Windows security bypass 5 IoCs

| description | ioc | Process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | ubzsqdftcq.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | ubzsqdftcq.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | ubzsqdftcq.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | ubzsqdftcq.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | ubzsqdftcq.exe |
Disables RegEdit via registry modification 1 IoCs

| description | ioc | Process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | ubzsqdftcq.exe |
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

| description | ioc | Process |
| --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | 893cea07129af938056f726cdc6c5940_JaffaCakes118.exe |
Executes dropped EXE 5 IoCs

| pid | Process |
| --- | --- |
| 1224 | ubzsqdftcq.exe |
| 3976 | gnybgpxltylqdrg.exe |
| 2284 | dcyiirsm.exe |
| 900 | jxoskrspcfilp.exe |
| 1964 | dcyiirsm.exe |
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 6 IoCs

| description | ioc | Process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | ubzsqdftcq.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | ubzsqdftcq.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | ubzsqdftcq.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | ubzsqdftcq.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | ubzsqdftcq.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | ubzsqdftcq.exe |
Adds Run key to start application 2 TTPs 3 IoCs

| description | ioc | Process |
| --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\phvupnqw = "ubzsqdftcq.exe" | gnybgpxltylqdrg.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gqbhkayu = "gnybgpxltylqdrg.exe" | gnybgpxltylqdrg.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "jxoskrspcfilp.exe" | gnybgpxltylqdrg.exe |
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
| description | ioc | Process |
| --- | --- | --- |
| File opened (read-only) | \??\k: | ubzsqdftcq.exe |
| File opened (read-only) | \??\x: | dcyiirsm.exe |
| File opened (read-only) | \??\o: | dcyiirsm.exe |
| File opened (read-only) | \??\s: | dcyiirsm.exe |
| File opened (read-only) | \??\y: | dcyiirsm.exe |
| File opened (read-only) | \??\b: | ubzsqdftcq.exe |
| File opened (read-only) | \??\j: | ubzsqdftcq.exe |
| File opened (read-only) | \??\r: | ubzsqdftcq.exe |
| File opened (read-only) | \??\l: | dcyiirsm.exe |
| File opened (read-only) | \??\i: | dcyiirsm.exe |
| File opened (read-only) | \??\l: | ubzsqdftcq.exe |
| File opened (read-only) | \??\m: | ubzsqdftcq.exe |
| File opened (read-only) | \??\y: | dcyiirsm.exe |
| File opened (read-only) | \??\h: | dcyiirsm.exe |
| File opened (read-only) | \??\q: | ubzsqdftcq.exe |
| File opened (read-only) | \??\y: | ubzsqdftcq.exe |
| File opened (read-only) | \??\k: | dcyiirsm.exe |
| File opened (read-only) | \??\m: | dcyiirsm.exe |
| File opened (read-only) | \??\q: | dcyiirsm.exe |
| File opened (read-only) | \??\i: | dcyiirsm.exe |
| File opened (read-only) | \??\s: | dcyiirsm.exe |
| File opened (read-only) | \??\g: | ubzsqdftcq.exe |
| File opened (read-only) | \??\i: | ubzsqdftcq.exe |
| File opened (read-only) | \??\u: | ubzsqdftcq.exe |
| File opened (read-only) | \??\e: | dcyiirsm.exe |
| File opened (read-only) | \??\k: | dcyiirsm.exe |
| File opened (read-only) | \??\u: | dcyiirsm.exe |
| File opened (read-only) | \??\b: | dcyiirsm.exe |
| File opened (read-only) | \??\h: | dcyiirsm.exe |
| File opened (read-only) | \??\j: | dcyiirsm.exe |
| File opened (read-only) | \??\n: | dcyiirsm.exe |
| File opened (read-only) | \??\w: | dcyiirsm.exe |
| File opened (read-only) | \??\o: | ubzsqdftcq.exe |
| File opened (read-only) | \??\n: | ubzsqdftcq.exe |
| File opened (read-only) | \??\x: | ubzsqdftcq.exe |
| File opened (read-only) | \??\o: | dcyiirsm.exe |
| File opened (read-only) | \??\u: | dcyiirsm.exe |
| File opened (read-only) | \??\j: | dcyiirsm.exe |
| File opened (read-only) | \??\z: | dcyiirsm.exe |
| File opened (read-only) | \??\p: | ubzsqdftcq.exe |
| File opened (read-only) | \??\q: | dcyiirsm.exe |
| File opened (read-only) | \??\g: | dcyiirsm.exe |
| File opened (read-only) | \??\a: | dcyiirsm.exe |
| File opened (read-only) | \??\r: | dcyiirsm.exe |
| File opened (read-only) | \??\v: | dcyiirsm.exe |
| File opened (read-only) | \??\m: | dcyiirsm.exe |
| File opened (read-only) | \??\n: | dcyiirsm.exe |
| File opened (read-only) | \??\r: | dcyiirsm.exe |
| File opened (read-only) | \??\v: | dcyiirsm.exe |
| File opened (read-only) | \??\s: | ubzsqdftcq.exe |
| File opened (read-only) | \??\l: | dcyiirsm.exe |
| File opened (read-only) | \??\p: | dcyiirsm.exe |
| File opened (read-only) | \??\t: | dcyiirsm.exe |
| File opened (read-only) | \??\a: | dcyiirsm.exe |
| File opened (read-only) | \??\a: | ubzsqdftcq.exe |
| File opened (read-only) | \??\e: | ubzsqdftcq.exe |
| File opened (read-only) | \??\w: | ubzsqdftcq.exe |
| File opened (read-only) | \??\z: | ubzsqdftcq.exe |
| File opened (read-only) | \??\e: | dcyiirsm.exe |
| File opened (read-only) | \??\x: | dcyiirsm.exe |
| File opened (read-only) | \??\p: | dcyiirsm.exe |
| File opened (read-only) | \??\h: | ubzsqdftcq.exe |
| File opened (read-only) | \??\b: | dcyiirsm.exe |
| File opened (read-only) | \??\g: | dcyiirsm.exe |
Modifies WinLogon 2 TTPs 2 IoCs

| description | ioc | Process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | ubzsqdftcq.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | ubzsqdftcq.exe |
AutoIT Executable 11 IoCs
AutoIT scripts compiled to PE executables.
| resource | yara_rule |
| --- | --- |
| behavioral2/memory/1748-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe |
| behavioral2/files/0x000700000002343c-5.dat | autoit_exe |
| behavioral2/files/0x0008000000023438-18.dat | autoit_exe |
| behavioral2/files/0x000700000002343d-26.dat | autoit_exe |
| behavioral2/files/0x000700000002343e-31.dat | autoit_exe |
| behavioral2/files/0x000400000001db59-66.dat | autoit_exe |
| behavioral2/files/0x000400000001db5b-69.dat | autoit_exe |
| behavioral2/files/0x000200000001e5c6-75.dat | autoit_exe |
| behavioral2/files/0x000200000001e5c7-81.dat | autoit_exe |
| behavioral2/files/0x0003000000022955-99.dat | autoit_exe |
| behavioral2/files/0x0003000000022955-437.dat | autoit_exe |
Drops file in System32 directory 12 IoCs

| description | ioc | Process |
| --- | --- | --- |
| File created | C:\Windows\SysWOW64\dcyiirsm.exe | 893cea07129af938056f726cdc6c5940_JaffaCakes118.exe |
| File opened for modification | C:\Windows\SysWOW64\dcyiirsm.exe | 893cea07129af938056f726cdc6c5940_JaffaCakes118.exe |
| File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | ubzsqdftcq.exe |
| File opened for modification | C:\Windows\SysWOW64\gnybgpxltylqdrg.exe | 893cea07129af938056f726cdc6c5940_JaffaCakes118.exe |
| File created | C:\Windows\SysWOW64\jxoskrspcfilp.exe | 893cea07129af938056f726cdc6c5940_JaffaCakes118.exe |
| File opened for modification | C:\Windows\SysWOW64\jxoskrspcfilp.exe | 893cea07129af938056f726cdc6c5940_JaffaCakes118.exe |
| File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | dcyiirsm.exe |
| File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | dcyiirsm.exe |
| File created | C:\Windows\SysWOW64\ubzsqdftcq.exe | 893cea07129af938056f726cdc6c5940_JaffaCakes118.exe |
| File opened for modification | C:\Windows\SysWOW64\ubzsqdftcq.exe | 893cea07129af938056f726cdc6c5940_JaffaCakes118.exe |
| File created | C:\Windows\SysWOW64\gnybgpxltylqdrg.exe | 893cea07129af938056f726cdc6c5940_JaffaCakes118.exe |
| File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | dcyiirsm.exe |
Drops file in Program Files directory 15 IoCs

| description | ioc | Process |
| --- | --- | --- |
| File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | dcyiirsm.exe |
| File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | dcyiirsm.exe |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | dcyiirsm.exe |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | dcyiirsm.exe |
| File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | dcyiirsm.exe |
| File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | dcyiirsm.exe |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | dcyiirsm.exe |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | dcyiirsm.exe |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | dcyiirsm.exe |
| File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | dcyiirsm.exe |
| File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | dcyiirsm.exe |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | dcyiirsm.exe |
| File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | dcyiirsm.exe |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | dcyiirsm.exe |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | dcyiirsm.exe |
Drops file in Windows directory 19 IoCs

| description | ioc | Process |
| --- | --- | --- |
| File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | dcyiirsm.exe |
| File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | dcyiirsm.exe |
| File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | dcyiirsm.exe |
| File opened for modification | C:\Windows\mydoc.rtf | 893cea07129af938056f726cdc6c5940_JaffaCakes118.exe |
| File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | dcyiirsm.exe |
| File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | dcyiirsm.exe |
| File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | dcyiirsm.exe |
| File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | dcyiirsm.exe |
| File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | dcyiirsm.exe |
| File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | dcyiirsm.exe |
| File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | dcyiirsm.exe |
| File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | dcyiirsm.exe |
| File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | dcyiirsm.exe |
| File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE |
| File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | dcyiirsm.exe |
| File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | dcyiirsm.exe |
| File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | dcyiirsm.exe |
| File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE |
| File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | dcyiirsm.exe |
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE |
Enumerates system info in registry 2 TTPs 3 IoCs
| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE |
Modifies registry class 20 IoCs

| description | ioc | Process |
| --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | ubzsqdftcq.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | ubzsqdftcq.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | ubzsqdftcq.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | ubzsqdftcq.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFBFC8F482F82129133D65A7E96BC94E1315941674E6332D6EB" | 893cea07129af938056f726cdc6c5940_JaffaCakes118.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | ubzsqdftcq.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | ubzsqdftcq.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | ubzsqdftcq.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | ubzsqdftcq.exe |
| Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 893cea07129af938056f726cdc6c5940_JaffaCakes118.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AC9FABAFE64F1E0830C3A4181EC39E4B38B03FD43640238E1CA459B08D4" | 893cea07129af938056f726cdc6c5940_JaffaCakes118.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB0B12944E739EB53BEB9D033EFD7CB" | 893cea07129af938056f726cdc6c5940_JaffaCakes118.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | ubzsqdftcq.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | ubzsqdftcq.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | ubzsqdftcq.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32462C7A9D2382256D4676D470202DDA7DF665D8" | 893cea07129af938056f726cdc6c5940_JaffaCakes118.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F16BC4FF1D22DDD10BD0A08B789014" | 893cea07129af938056f726cdc6c5940_JaffaCakes118.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "183EC70915E0DAB3B8CF7CE5EC9737CC" | 893cea07129af938056f726cdc6c5940_JaffaCakes118.exe |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | 893cea07129af938056f726cdc6c5940_JaffaCakes118.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | ubzsqdftcq.exe |
Suspicious behavior: AddClipboardFormatListener 2 IoCs

| pid | Process |
| --- | --- |
| 1192 | WINWORD.EXE |
| 1192 | WINWORD.EXE |
Suspicious behavior: EnumeratesProcesses 64 IoCs

| pid | Process |
| --- | --- |
| 1748 | 893cea07129af938056f726cdc6c5940_JaffaCakes118.exe |
| 1748 | 893cea07129af938056f726cdc6c5940_JaffaCakes118.exe |
| 1748 | 893cea07129af938056f726cdc6c5940_JaffaCakes118.exe |
| 1748 | 893cea07129af938056f726cdc6c5940_JaffaCakes118.exe |
| 1748 | 893cea07129af938056f726cdc6c5940_JaffaCakes118.exe |
| 1748 | 893cea07129af938056f726cdc6c5940_JaffaCakes118.exe |
| 1748 | 893cea07129af938056f726cdc6c5940_JaffaCakes118.exe |
| 1748 | 893cea07129af938056f726cdc6c5940_JaffaCakes118.exe |
| 1748 | 893cea07129af938056f726cdc6c5940_JaffaCakes118.exe |
| 1748 | 893cea07129af938056f726cdc6c5940_JaffaCakes118.exe |
| 1748 | 893cea07129af938056f726cdc6c5940_JaffaCakes118.exe |
| 1748 | 893cea07129af938056f726cdc6c5940_JaffaCakes118.exe |
| 1748 | 893cea07129af938056f726cdc6c5940_JaffaCakes118.exe |
| 1748 | 893cea07129af938056f726cdc6c5940_JaffaCakes118.exe |
| 1748 | 893cea07129af938056f726cdc6c5940_JaffaCakes118.exe |
| 1748 | 893cea07129af938056f726cdc6c5940_JaffaCakes118.exe |
| 1224 | ubzsqdftcq.exe |
| 1224 | ubzsqdftcq.exe |
| 1224 | ubzsqdftcq.exe |
| 1224 | ubzsqdftcq.exe |
| 1224 | ubzsqdftcq.exe |
| 1224 | ubzsqdftcq.exe |
| 1224 | ubzsqdftcq.exe |
| 1224 | ubzsqdftcq.exe |
| 1224 | ubzsqdftcq.exe |
| 1224 | ubzsqdftcq.exe |
| 2284 | dcyiirsm.exe |
| 2284 | dcyiirsm.exe |
| 2284 | dcyiirsm.exe |
| 2284 | dcyiirsm.exe |
| 2284 | dcyiirsm.exe |
| 2284 | dcyiirsm.exe |
| 2284 | dcyiirsm.exe |
| 2284 | dcyiirsm.exe |
| 3976 | gnybgpxltylqdrg.exe |
| 3976 | gnybgpxltylqdrg.exe |
| 3976 | gnybgpxltylqdrg.exe |
| 3976 | gnybgpxltylqdrg.exe |
| 3976 | gnybgpxltylqdrg.exe |
| 3976 | gnybgpxltylqdrg.exe |
| 3976 | gnybgpxltylqdrg.exe |
| 3976 | gnybgpxltylqdrg.exe |
| 3976 | gnybgpxltylqdrg.exe |
| 3976 | gnybgpxltylqdrg.exe |
| 900 | jxoskrspcfilp.exe |
| 900 | jxoskrspcfilp.exe |
| 900 | jxoskrspcfilp.exe |
| 900 | jxoskrspcfilp.exe |
| 900 | jxoskrspcfilp.exe |
| 900 | jxoskrspcfilp.exe |
| 900 | jxoskrspcfilp.exe |
| 900 | jxoskrspcfilp.exe |
| 900 | jxoskrspcfilp.exe |
| 900 | jxoskrspcfilp.exe |
| 900 | jxoskrspcfilp.exe |
| 900 | jxoskrspcfilp.exe |
| 1964 | dcyiirsm.exe |
| 1964 | dcyiirsm.exe |
| 1964 | dcyiirsm.exe |
| 1964 | dcyiirsm.exe |
| 1964 | dcyiirsm.exe |
| 1964 | dcyiirsm.exe |
| 1964 | dcyiirsm.exe |
| 1964 | dcyiirsm.exe |
Suspicious use of FindShellTrayWindow 18 IoCs

| pid | Process |
| --- | --- |
| 1748 | 893cea07129af938056f726cdc6c5940_JaffaCakes118.exe |
| 1748 | 893cea07129af938056f726cdc6c5940_JaffaCakes118.exe |
| 1748 | 893cea07129af938056f726cdc6c5940_JaffaCakes118.exe |
| 1224 | ubzsqdftcq.exe |
| 1224 | ubzsqdftcq.exe |
| 1224 | ubzsqdftcq.exe |
| 2284 | dcyiirsm.exe |
| 2284 | dcyiirsm.exe |
| 2284 | dcyiirsm.exe |
| 3976 | gnybgpxltylqdrg.exe |
| 3976 | gnybgpxltylqdrg.exe |
| 3976 | gnybgpxltylqdrg.exe |
| 900 | jxoskrspcfilp.exe |
| 900 | jxoskrspcfilp.exe |
| 900 | jxoskrspcfilp.exe |
| 1964 | dcyiirsm.exe |
| 1964 | dcyiirsm.exe |
| 1964 | dcyiirsm.exe |
Suspicious use of SendNotifyMessage 18 IoCs

| pid | Process |
| --- | --- |
| 1748 | 893cea07129af938056f726cdc6c5940_JaffaCakes118.exe |
| 1748 | 893cea07129af938056f726cdc6c5940_JaffaCakes118.exe |
| 1748 | 893cea07129af938056f726cdc6c5940_JaffaCakes118.exe |
| 1224 | ubzsqdftcq.exe |
| 1224 | ubzsqdftcq.exe |
| 1224 | ubzsqdftcq.exe |
| 2284 | dcyiirsm.exe |
| 2284 | dcyiirsm.exe |
| 2284 | dcyiirsm.exe |
| 3976 | gnybgpxltylqdrg.exe |
| 3976 | gnybgpxltylqdrg.exe |
| 3976 | gnybgpxltylqdrg.exe |
| 900 | jxoskrspcfilp.exe |
| 900 | jxoskrspcfilp.exe |
| 900 | jxoskrspcfilp.exe |
| 1964 | dcyiirsm.exe |
| 1964 | dcyiirsm.exe |
| 1964 | dcyiirsm.exe |
Suspicious use of SetWindowsHookEx 7 IoCs

| pid | Process |
| --- | --- |
| 1192 | WINWORD.EXE |
| 1192 | WINWORD.EXE |
| 1192 | WINWORD.EXE |
| 1192 | WINWORD.EXE |
| 1192 | WINWORD.EXE |
| 1192 | WINWORD.EXE |
| 1192 | WINWORD.EXE |
Suspicious use of WriteProcessMemory 17 IoCs

| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 1748 wrote to memory of 1224 | 1748 | 893cea07129af938056f726cdc6c5940_JaffaCakes118.exe | 82 |
| PID 1748 wrote to memory of 1224 | 1748 | 893cea07129af938056f726cdc6c5940_JaffaCakes118.exe | 82 |
| PID 1748 wrote to memory of 1224 | 1748 | 893cea07129af938056f726cdc6c5940_JaffaCakes118.exe | 82 |
| PID 1748 wrote to memory of 3976 | 1748 | 893cea07129af938056f726cdc6c5940_JaffaCakes118.exe | 83 |
| PID 1748 wrote to memory of 3976 | 1748 | 893cea07129af938056f726cdc6c5940_JaffaCakes118.exe | 83 |
| PID 1748 wrote to memory of 3976 | 1748 | 893cea07129af938056f726cdc6c5940_JaffaCakes118.exe | 83 |
| PID 1748 wrote to memory of 2284 | 1748 | 893cea07129af938056f726cdc6c5940_JaffaCakes118.exe | 84 |
| PID 1748 wrote to memory of 2284 | 1748 | 893cea07129af938056f726cdc6c5940_JaffaCakes118.exe | 84 |
| PID 1748 wrote to memory of 2284 | 1748 | 893cea07129af938056f726cdc6c5940_JaffaCakes118.exe | 84 |
| PID 1748 wrote to memory of 900 | 1748 | 893cea07129af938056f726cdc6c5940_JaffaCakes118.exe | 85 |
| PID 1748 wrote to memory of 900 | 1748 | 893cea07129af938056f726cdc6c5940_JaffaCakes118.exe | 85 |
| PID 1748 wrote to memory of 900 | 1748 | 893cea07129af938056f726cdc6c5940_JaffaCakes118.exe | 85 |
| PID 1748 wrote to memory of 1192 | 1748 | 893cea07129af938056f726cdc6c5940_JaffaCakes118.exe | 87 |
| PID 1748 wrote to memory of 1192 | 1748 | 893cea07129af938056f726cdc6c5940_JaffaCakes118.exe | 87 |
| PID 1224 wrote to memory of 1964 | 1224 | ubzsqdftcq.exe | 89 |
| PID 1224 wrote to memory of 1964 | 1224 | ubzsqdftcq.exe | 89 |
| PID 1224 wrote to memory of 1964 | 1224 | ubzsqdftcq.exe | 89 |
Processes
- C:\Users\Admin\AppData\Local\Temp\893cea07129af938056f726cdc6c5940_JaffaCakes118.exe (PID 1748, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\893cea07129af938056f726cdc6c5940_JaffaCakes118.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\SysWOW64\ubzsqdftcq.exe (PID 1224, depth 2)
    Command line: ubzsqdftcq.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - Child: C:\Windows\SysWOW64\dcyiirsm.exe (PID 1964, depth 3)
      Command line: C:\Windows\system32\dcyiirsm.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  - Child: C:\Windows\SysWOW64\gnybgpxltylqdrg.exe (PID 3976, depth 2)
    Command line: gnybgpxltylqdrg.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - Child: C:\Windows\SysWOW64\dcyiirsm.exe (PID 2284, depth 2)
    Command line: dcyiirsm.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - Child: C:\Windows\SysWOW64\jxoskrspcfilp.exe (PID 900, depth 2)
    Command line: jxoskrspcfilp.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - Child: C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 1192, depth 2)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)
- Defense Evasion
  - Hide Artifacts (2)
    - Hidden Files and Directories (2)
  - Impair Defenses (2)
    - Disable or Modify Tools (2)
  - Modify Registry (6)
Downloads