Analysis
max time kernel: 149s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-06-2024 07:03
Static task: static1
Behavioral task: behavioral1
  Sample: 89b0694e89982148fb33ce9cc419001b_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 89b0694e89982148fb33ce9cc419001b_JaffaCakes118.exe
  Resource: win10v2004-20240426-en
General
Target: 89b0694e89982148fb33ce9cc419001b_JaffaCakes118.exe
Size: 512KB
MD5: 89b0694e89982148fb33ce9cc419001b
SHA1: 2ac9b4db6c1f0d96f20f969e6fcdf3d73e95d60c
SHA256: 38ae795cc25d24b2ec10f7bef5f44bec744511e20cbda8b081d9bf36c25a2b60
SHA512: a52d72978c3db1ce3f24724d59fc8e5082e775136981613c3bc12bdeecb0d93bf00f7eea74a7d902866b17bc5876512b669433fef1ceb8fb09ad450379af16eb
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6G:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5P
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
Process: bsasbbinzb.exe
  Set value (int) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
Process: bsasbbinzb.exe
  Set value (int) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
Windows security bypass
Process: bsasbbinzb.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
Disables RegEdit via registry modification 1 IoCs
Process: bsasbbinzb.exe
  Set value (int) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Process: 89b0694e89982148fb33ce9cc419001b_JaffaCakes118.exe
  Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation
Executes dropped EXE 5 IoCs
  PID 3200 bsasbbinzb.exe
  PID 1060 hqeztvcrvvpqmom.exe
  PID 4112 djiezbpf.exe
  PID 3612 fggimspiafatk.exe
  PID 1980 djiezbpf.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
Process: bsasbbinzb.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
Adds Run key to start application 2 TTPs 3 IoCs
Process: hqeztvcrvvpqmom.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dalcueqa = "bsasbbinzb.exe"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\maunkrob = "hqeztvcrvvpqmom.exe"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "fggimspiafatk.exe"
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Process: bsasbbinzb.exe
  File opened (read-only): \??\u: \??\w: \??\n: \??\y: \??\l: \??\a: \??\e: \??\j: \??\b: \??\q: \??\k: \??\o: \??\t: \??\g: \??\i: \??\x: \??\m: \??\s: \??\z: \??\h: \??\p: \??\v:
Process: djiezbpf.exe (two instances, entries listed in the order recorded)
  File opened (read-only): \??\n: \??\y: \??\g: \??\m: \??\z: \??\b: \??\n: \??\p: \??\z: \??\t: \??\p: \??\q: \??\q: \??\l: \??\g: \??\l: \??\e: \??\m: \??\t: \??\r: \??\h: \??\h: \??\a: \??\y: \??\r: \??\o: \??\a: \??\j: \??\s: \??\v: \??\k: \??\x: \??\i: \??\o: \??\k: \??\s: \??\j: \??\u: \??\w: \??\b: \??\e: \??\i:
Modifies WinLogon 2 TTPs 2 IoCs
Process: bsasbbinzb.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"
AutoIT Executable 10 IoCs
AutoIT scripts compiled to PE executables.
Resource (yara_rule: autoit_exe for every entry):
  behavioral2/memory/684-0-0x0000000000400000-0x0000000000496000-memory.dmp
  behavioral2/files/0x0008000000023421-5.dat
  behavioral2/files/0x0007000000023426-31.dat
  behavioral2/files/0x0007000000023425-29.dat
  behavioral2/files/0x0007000000023298-21.dat
  behavioral2/files/0x0004000000016971-67.dat
  behavioral2/files/0x000600000001d8b9-75.dat
  behavioral2/files/0x000300000001e42a-81.dat
  behavioral2/files/0x000300000001e639-99.dat
  behavioral2/files/0x000300000001e639-473.dat
Drops file in System32 directory 12 IoCs
Process: 89b0694e89982148fb33ce9cc419001b_JaffaCakes118.exe
  File created C:\Windows\SysWOW64\bsasbbinzb.exe
  File opened for modification C:\Windows\SysWOW64\bsasbbinzb.exe
  File opened for modification C:\Windows\SysWOW64\hqeztvcrvvpqmom.exe
  File opened for modification C:\Windows\SysWOW64\fggimspiafatk.exe
  File created C:\Windows\SysWOW64\hqeztvcrvvpqmom.exe
  File created C:\Windows\SysWOW64\djiezbpf.exe
  File opened for modification C:\Windows\SysWOW64\djiezbpf.exe
  File created C:\Windows\SysWOW64\fggimspiafatk.exe
Process: djiezbpf.exe (two instances)
  File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
  File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
  File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
Process: bsasbbinzb.exe
  File opened for modification C:\Windows\SysWOW64\msvbvm60.dll
Drops file in Program Files directory 14 IoCs
Process: djiezbpf.exe (two instances)
  File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
  File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal
  File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
  File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
  File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
  File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal
  File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
  File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal
  File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
  File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
  File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
  File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal
  File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
  File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
Drops file in Windows directory 19 IoCs
Process: djiezbpf.exe (two instances)
  File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe
  File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe
  File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe
  File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe
  File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe
  File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe
  File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe
  File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe
  File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe
  File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe
  File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe
  File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe
  File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe
  File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe
  File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe
  File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe
Process: 89b0694e89982148fb33ce9cc419001b_JaffaCakes118.exe
  File opened for modification C:\Windows\mydoc.rtf
Process: WINWORD.EXE
  File opened for modification C:\Windows\mydoc.rtf
  File created C:\Windows\~$mydoc.rtf
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Process: WINWORD.EXE
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
  Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
Enumerates system info in registry 2 TTPs 3 IoCs
Process: WINWORD.EXE
  Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
Modifies registry class 20 IoCs
Process: 89b0694e89982148fb33ce9cc419001b_JaffaCakes118.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184DC60914E7DAB5B8CF7FE6ED9134CB"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E8CFFFB482785189135D65D7E95BDE4E133594167466243D79F"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F56BB4FE6821DBD10CD0D28B78916B"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33412D7B9C5782256A3E76D2702F2CA97C8464DB"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABDF9CCF913F29384743A4786983E93B389038B42680238E1BA42EF08A7"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB0B12047E7399852C4BAD033EED7B9"
  Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings
  Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes
Process: bsasbbinzb.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs
Suspicious behavior: AddClipboardFormatListener 2 IoCs
  PID 2272 WINWORD.EXE (2 hits)
Suspicious behavior: EnumeratesProcesses 64 IoCs
  PID 684 89b0694e89982148fb33ce9cc419001b_JaffaCakes118.exe (16 hits)
  PID 1060 hqeztvcrvvpqmom.exe (12 hits)
  PID 4112 djiezbpf.exe (8 hits)
  PID 3200 bsasbbinzb.exe (10 hits)
  PID 3612 fggimspiafatk.exe (12 hits)
  PID 1980 djiezbpf.exe (6 hits)
Suspicious use of FindShellTrayWindow 18 IoCs
  PID 684 89b0694e89982148fb33ce9cc419001b_JaffaCakes118.exe (3 hits)
  PID 4112 djiezbpf.exe (3 hits)
  PID 3200 bsasbbinzb.exe (3 hits)
  PID 1060 hqeztvcrvvpqmom.exe (3 hits)
  PID 3612 fggimspiafatk.exe (3 hits)
  PID 1980 djiezbpf.exe (3 hits)
Suspicious use of SendNotifyMessage 18 IoCs
  PID 684 89b0694e89982148fb33ce9cc419001b_JaffaCakes118.exe (3 hits)
  PID 4112 djiezbpf.exe (3 hits)
  PID 3200 bsasbbinzb.exe (3 hits)
  PID 1060 hqeztvcrvvpqmom.exe (3 hits)
  PID 3612 fggimspiafatk.exe (3 hits)
  PID 1980 djiezbpf.exe (3 hits)
Suspicious use of SetWindowsHookEx 7 IoCs
  PID 2272 WINWORD.EXE (7 hits)
Suspicious use of WriteProcessMemory 17 IoCs
Process: 89b0694e89982148fb33ce9cc419001b_JaffaCakes118.exe (PID 684)
  wrote to memory of PID 3200, procid_target 82 (3 hits)
  wrote to memory of PID 1060, procid_target 83 (3 hits)
  wrote to memory of PID 4112, procid_target 84 (3 hits)
  wrote to memory of PID 3612, procid_target 85 (3 hits)
  wrote to memory of PID 2272, procid_target 87 (2 hits)
Process: bsasbbinzb.exe (PID 3200)
  wrote to memory of PID 1980, procid_target 89 (3 hits)
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\89b0694e89982148fb33ce9cc419001b_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\89b0694e89982148fb33ce9cc419001b_JaffaCakes118.exe"
  PID: 684
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  Depth 2: C:\Windows\SysWOW64\bsasbbinzb.exe
    Command line: bsasbbinzb.exe
    PID: 3200
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    Depth 3: C:\Windows\SysWOW64\djiezbpf.exe
      Command line: C:\Windows\system32\djiezbpf.exe
      PID: 1980
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  Depth 2: C:\Windows\SysWOW64\hqeztvcrvvpqmom.exe
    Command line: hqeztvcrvvpqmom.exe
    PID: 1060
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  Depth 2: C:\Windows\SysWOW64\djiezbpf.exe
    Command line: djiezbpf.exe
    PID: 4112
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  Depth 2: C:\Windows\SysWOW64\fggimspiafatk.exe
    Command line: fggimspiafatk.exe
    PID: 3612
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  Depth 2: C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    PID: 2272
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (6)
Downloads

Filesize: 512KB
MD5: 211531205ea688b4e1081fdfd2f8db68
SHA1: b3ead4cd873066bf7d5202c3cc5e4a7d2dfd6ef5
SHA256: 9fa9178a8f48a944bd9368e9790ce096736d091d50b9153458a57a7d2d2daba0
SHA512: 465767f2421041b89032c9f82649a319c0fb2330aa5e4fc6656e27604453d742b9d903f04650b8b218161a586de2f6881759e86ffae64cdf416b1055a3fe3a43

Filesize: 512KB
MD5: cefc9cc071475f832b45ba2c343b2250
SHA1: 09f5e6058c4c0b669efb724233af143a88121339
SHA256: f2ff4308823c151d55118894a3feff98ef532b8a7ae56f4d2adfdd23e6282ab8
SHA512: b2833612bdc310724a9bd240343ed251810cd8cbe49d82dff387eaecd0b670f403de55d2c043ebed26d94834f317eac309ea3b38dc42dd5adca316d6dd2b3663

Filesize: 262KB
MD5: 51d32ee5bc7ab811041f799652d26e04
SHA1: 412193006aa3ef19e0a57e16acf86b830993024a
SHA256: 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA512: 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Filesize: 239B
MD5: 21a601493a4c53e30182d3ff93d198ac
SHA1: 08018a3011585d01f34f2b968ba98266a47ad978
SHA256: 7d77c3cb9ccdfc50f76e0ed2438a65241b69aed65a2e4c05a5398e9512bb06fa
SHA512: c077f807e628ce77639da1927b5807dcb15f48a8432128d83537e5102645caf3f072cbf131e2638948782c6c2bd7acf9c6fde3458dfab6f278a91d1f0a3a0c70

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: b463c9221bc751a1610ad7f23cbab1ce
SHA1: 6c5749e02e11a31e02ee00e25060cb661c61de32
SHA256: b603fd0d878c4b00318b20d825715a953aa8c953b0663c34d57bd80107265409
SHA512: 1a9642da462f7256788acfe5dd82ee2ebdc0d1cc7e09e5867890a3f532c6b7103201b5939c145337faa131a3c0baded52796b029655ee628862eff6e94836b20

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: 243c47a9ce61b4c773956a364f182b43
SHA1: cdc799e890b6d2d26a37d2609a25709994f7080c
SHA256: 9da27a6987f2d3be7b7323d5a98ce9769d7f1ec614bb988d166236ea95d6c9f1
SHA512: f1bc5e840b78fd8dde995ee18e6ab771904c1b365f41078acb8bbd6bef40b095012c00978b9d044f23a86654921f096880075b4061bdaf37a432b48375810a12

Filesize: 512KB
MD5: e363458352ddefdb2173b0c899571428
SHA1: 2d2ea6215fe06c11c7113d8c73f5b0fa35c1d2ff
SHA256: 6db6b9aebe7ea71e72ccebf2e648cb2cfa675caf92300ff99b3292db432edac6
SHA512: a2f9ad7a22dd3227184be4c14907c27760a7a467e4534f1ed24e487da73d611ede6369624448fcf718a10176885249e773a0cba0c0fdcf82934edf0eeb9bf47c

Filesize: 512KB
MD5: 6de3210a63d51ed66a532e459a7f38b7
SHA1: 1e85e3fdd4190957920954afe33e8e3f8b2d5783
SHA256: 6315d4313dec30894441f3ea1df5e8eaa8bd49919ff2d5e4a9a3d768ef292913
SHA512: 380308a57a453e69f17b9bdcb832767e529360cd9d6f4e6275ac849f9a322ae5b767c266d9d0576d65bfc24830a30da1927f84e27be137013cf088415384a145

Filesize: 512KB
MD5: d72ba72f7e2865c55c061ad476b7c09b
SHA1: cef1958ca4e28894629e30afcc9a917e233c4d21
SHA256: b200941375039741486d1b8618043a17b09de7d27965744e396509a69ea4a59f
SHA512: 5d104e727e451a4d05fb702e8780f4e9efa757df77f265e3cc09e52a5eed34eea55a7b285c1003f80afc1619d9b920955dacefbda9748b541470bbef630c1bda

Filesize: 512KB
MD5: 596cd9ac87826a855b9839e789b7980b
SHA1: 3c1425945a4899ed2ec15bdb5fc0ca2de2a8d49c
SHA256: c8c6938058a09078a5d5e5fd77d38556108ee44536870f5ce7fcb9decda8cde5
SHA512: 1d48211c2ffbb0138f82c6b72511fbdc000670f9e46ff724b7b47d8d3cddaced1635bc343ab207a4325e45a19fb7ff1546fdd288e788b06a7a3f0222574f0eb1

Filesize: 512KB
MD5: 5967099882bc66025d225ed10535c840
SHA1: 239f637d1af9c33878ceb7fc2ae9dda1fdc2e729
SHA256: c7a9314959485e09ea9fb2258ab76fc8a3ca17bab105e88cda8861809db20a1e
SHA512: 77fd583c1020e8774ce4c7d4fdd97edf543ed5103fe0a494817f3610b919015635e97ec65bedf9f40d724ab0443db286b15241818df81799b853f76fd8d4b42b

Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Filesize: 512KB
MD5: 20c9d05f808c1ce43f9f020777003f80
SHA1: d94c13439647ed94d5d4815263cca38dcdbf873d
SHA256: 106245a45614809d531402ca03c0b123f64ccce2b3f52ac6f982e3269c72e60a
SHA512: 3f62320df489042cbe3565bf121ce5c3e5d4641a81dcb02e5ce2eedfb2d896ca245b2014a1b649be377ff3396ecb2f1e83f06956361b9f41f3d46f49baf4933a

Filesize: 512KB
MD5: eea2c99390e324618d092d500c25913b
SHA1: 986ca4b0887084dc392cb379061fe6425da3287f
SHA256: 6e336a29add21baaa0b9445dfaa0278f1d05041062d3e519e3c27887ebd1d694
SHA512: 4248ea9cdd4e2d02fc2621c0af8e228b626aef557647458ecfa43f32b3e436382ffbd8e4b06cca35de1d1eec0c8305a34fce56458d5ddf5b32f061c699209f27