Analysis
max time kernel: 151s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/06/2024, 18:26
Static task: static1
Behavioral task: behavioral1
  Sample: 8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: 8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
Target: 8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe
Size: 512KB
MD5: 8b5b4431f6219c2c8bd2d0ab07df3386
SHA1: 43184e2114ef4256a133123938ba845ace9b63d9
SHA256: 8062a435db4a4bb89a349bcdbf48ac2c6f6c8c45874105fa8f568f1e1a21137b
SHA512: 4196e6661396e5eeaf57451521042661e0a51e55565578988de7d34b0669e55dfacff27109065bda2388e707ad34413eac83877d9c5c16cee6b0282d4cefb689
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj65:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm50
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
- Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | ievqqtaext.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
- Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | ievqqtaext.exe
Windows security bypass 5 IoCs
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | ievqqtaext.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | ievqqtaext.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | ievqqtaext.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | ievqqtaext.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | ievqqtaext.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
- Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | ievqqtaext.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
- Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | 8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe
Executes dropped EXE 5 IoCs
pid | Process
- 1432 | ievqqtaext.exe
- 2604 | tsvaavdjqrwcosc.exe
- 572 | rmkrjscs.exe
- 2268 | sjwfuvzfpdvsc.exe
- 2140 | rmkrjscs.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 6 IoCs
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | ievqqtaext.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | ievqqtaext.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | ievqqtaext.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | ievqqtaext.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | ievqqtaext.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | ievqqtaext.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ccluyuvv = "ievqqtaext.exe" | tsvaavdjqrwcosc.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pmiqtewb = "tsvaavdjqrwcosc.exe" | tsvaavdjqrwcosc.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "sjwfuvzfpdvsc.exe" | tsvaavdjqrwcosc.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
- File opened (read-only) | \??\j: \??\w: \??\r: \??\x: \??\y: \??\k: \??\z: \??\e: \??\p: \??\a: \??\g: \??\b: \??\i: \??\u: \??\s: \??\l: \??\m: \??\v: \??\h: \??\n: (20 events, in order) | ievqqtaext.exe
- File opened (read-only) | \??\h: \??\i: \??\x: \??\b: \??\g: \??\s: \??\g: \??\k: \??\v: \??\h: \??\w: \??\y: \??\l: \??\n: \??\a: \??\z: \??\p: \??\q: \??\t: \??\k: \??\u: \??\j: \??\q: \??\t: \??\x: \??\z: \??\o: \??\r: \??\u: \??\r: \??\a: \??\o: \??\l: \??\s: \??\w: \??\e: \??\e: \??\p: \??\j: \??\b: \??\i: \??\m: \??\v: \??\m: (44 events, in order) | rmkrjscs.exe
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | ievqqtaext.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | ievqqtaext.exe
AutoIT Executable 11 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
- behavioral2/memory/3640-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
- behavioral2/files/0x0008000000023265-5.dat | autoit_exe
- behavioral2/files/0x0008000000023262-18.dat | autoit_exe
- behavioral2/files/0x0008000000023267-26.dat | autoit_exe
- behavioral2/files/0x0007000000023268-32.dat | autoit_exe
- behavioral2/files/0x0004000000022d12-46.dat | autoit_exe
- behavioral2/files/0x000700000002326e-52.dat | autoit_exe
- behavioral2/files/0x0007000000023282-90.dat | autoit_exe
- behavioral2/files/0x0007000000023283-97.dat | autoit_exe
- behavioral2/files/0x0003000000000733-128.dat | autoit_exe
- behavioral2/files/0x0003000000000733-132.dat | autoit_exe
Drops file in System32 directory 12 IoCs
description | ioc | Process
- File opened for modification | C:\Windows\SysWOW64\sjwfuvzfpdvsc.exe | 8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe
- File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | ievqqtaext.exe
- File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | rmkrjscs.exe
- File opened for modification | C:\Windows\SysWOW64\ievqqtaext.exe | 8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe
- File created | C:\Windows\SysWOW64\tsvaavdjqrwcosc.exe | 8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe
- File opened for modification | C:\Windows\SysWOW64\rmkrjscs.exe | 8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe
- File created | C:\Windows\SysWOW64\sjwfuvzfpdvsc.exe | 8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe
- File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | rmkrjscs.exe
- File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | rmkrjscs.exe
- File created | C:\Windows\SysWOW64\ievqqtaext.exe | 8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe
- File opened for modification | C:\Windows\SysWOW64\tsvaavdjqrwcosc.exe | 8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe
- File created | C:\Windows\SysWOW64\rmkrjscs.exe | 8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe
Drops file in Program Files directory 15 IoCs
description | ioc | Process
- File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | rmkrjscs.exe
- File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | rmkrjscs.exe
- File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | rmkrjscs.exe
- File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | rmkrjscs.exe
- File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | rmkrjscs.exe
- File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | rmkrjscs.exe
- File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | rmkrjscs.exe
- File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | rmkrjscs.exe
- File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | rmkrjscs.exe
- File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | rmkrjscs.exe
- File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | rmkrjscs.exe
- File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | rmkrjscs.exe
- File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | rmkrjscs.exe
- File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | rmkrjscs.exe
- File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | rmkrjscs.exe
Drops file in Windows directory 3 IoCs
description | ioc | Process
- File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
- File opened for modification | C:\Windows\mydoc.rtf | 8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe
- File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class 20 IoCs
description | ioc | Process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F26BB6FE6822DDD179D1D28B7F9017" | 8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | ievqqtaext.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | ievqqtaext.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | ievqqtaext.exe
- Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BC8F9CEFE6BF198830E3A47869F39E2B38E038F4216033AE1B8459C08A9" | 8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | ievqqtaext.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | ievqqtaext.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | ievqqtaext.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33352C7D9D5682276D4677D470272CDB7C8665DD" | 8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193FC67C1590DBC5B9C07CE1ECE034CB" | 8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | ievqqtaext.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | ievqqtaext.exe
- Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings | 8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | ievqqtaext.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB2B15C47E5389953C4B9D132EFD4C5" | 8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8BFF8D4F278568903DD6217EE6BD92E632594366416246D7EE" | 8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | ievqqtaext.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | ievqqtaext.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | ievqqtaext.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
- 216 | WINWORD.EXE (×2)
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process (64 events, listed in order with repeat counts)
- 3640 | 8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe (×16)
- 1432 | ievqqtaext.exe (×10)
- 572 | rmkrjscs.exe (×8)
- 2604 | tsvaavdjqrwcosc.exe (×10)
- 2268 | sjwfuvzfpdvsc.exe (×12)
- 2604 | tsvaavdjqrwcosc.exe (×2)
- 2268 | sjwfuvzfpdvsc.exe (×4)
- 2604 | tsvaavdjqrwcosc.exe (×2)
Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process (18 events, listed in order with repeat counts)
- 3640 | 8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe (×3)
- 1432 | ievqqtaext.exe (×3)
- 572 | rmkrjscs.exe
- 2604 | tsvaavdjqrwcosc.exe
- 572 | rmkrjscs.exe
- 2604 | tsvaavdjqrwcosc.exe
- 572 | rmkrjscs.exe
- 2604 | tsvaavdjqrwcosc.exe
- 2268 | sjwfuvzfpdvsc.exe (×3)
- 2140 | rmkrjscs.exe (×3)
Suspicious use of SendNotifyMessage 18 IoCs
pid | Process (18 events, listed in order with repeat counts)
- 3640 | 8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe (×3)
- 1432 | ievqqtaext.exe (×3)
- 572 | rmkrjscs.exe
- 2604 | tsvaavdjqrwcosc.exe
- 572 | rmkrjscs.exe
- 2604 | tsvaavdjqrwcosc.exe
- 572 | rmkrjscs.exe
- 2604 | tsvaavdjqrwcosc.exe
- 2268 | sjwfuvzfpdvsc.exe (×3)
- 2140 | rmkrjscs.exe (×3)
Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process
- 216 | WINWORD.EXE (×7)
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target (17 events, listed in order with repeat counts)
- PID 3640 wrote to memory of 1432 | 3640 | 8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe | 89 (×3)
- PID 3640 wrote to memory of 2604 | 3640 | 8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe | 90 (×3)
- PID 3640 wrote to memory of 572 | 3640 | 8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe | 91 (×3)
- PID 3640 wrote to memory of 2268 | 3640 | 8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe | 92 (×3)
- PID 1432 wrote to memory of 2140 | 1432 | ievqqtaext.exe | 93 (×3)
- PID 3640 wrote to memory of 216 | 3640 | 8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe | 94 (×2)
Processes
C:\Users\Admin\AppData\Local\Temp\8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe"
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 3640

  C:\Windows\SysWOW64\ievqqtaext.exe (depth 2)
  Command line: ievqqtaext.exe
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 1432

    C:\Windows\SysWOW64\rmkrjscs.exe (depth 3)
    Command line: C:\Windows\system32\rmkrjscs.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 2140

  C:\Windows\SysWOW64\tsvaavdjqrwcosc.exe (depth 2)
  Command line: tsvaavdjqrwcosc.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 2604

  C:\Windows\SysWOW64\rmkrjscs.exe (depth 2)
  Command line: rmkrjscs.exe
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 572

  C:\Windows\SysWOW64\sjwfuvzfpdvsc.exe (depth 2)
  Command line: sjwfuvzfpdvsc.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 2268

  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (depth 2)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
  - Drops file in Windows directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID: 216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4756 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
PID: 2288
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads
Filesize: 512KB
MD5: 2b1d7d265e8563ce7704d0a3594c10e8
SHA1: db2d6547ac66fccc991e255e459a2ed3601b7626
SHA256: 4fdb9d87f28a2e6b11dee7ef029f4c69104940c82934a614bd47838dc905d7a5
SHA512: 8048aee8d486c8d8b1ec7d6f0205d83b8851c2c5e530f42d786d82b1335a098db2089fdd384a11804a597f96ae3ec17d58d2d0506e7c10e046512c3e66b76aaf

Filesize: 512KB
MD5: 24675de10e75a97ad49af794c99dddb7
SHA1: 958325e02e4343178d1ff745ff3dea6a18ad0da0
SHA256: 8e40ebca5d3f15f5ce40d986149f66597a701e3ff9ecfada7cca4565d0b5a786
SHA512: c090bd979e0935323dd01ac6c566e3308da4f9183b3e3ed579a74c496e41e9e6e224a4dd6f0a0c78e91cdff5f530b7c6aabdf12a666246770788425cb474510d

Filesize: 512KB
MD5: 9e715088d1697f1bca03a700dd659e63
SHA1: eaf97a07c0753e69b80031cedbe1ffadec3c30d6
SHA256: f98b9a97937ed570ce48ca1c6e466daa23351cf00e6d25f531ce5c8f42ee5f37
SHA512: f29a841d7946c205cdb4e4863bc5d023f87407e33e2072d733768e99e9cc7b44b4d34dbcf2a228ba49028c031c1238d8e7db433ae8979fbcd455b1a7cf84205e

Filesize: 239B
MD5: 12b138a5a40ffb88d1850866bf2959cd
SHA1: 57001ba2de61329118440de3e9f8a81074cb28a2
SHA256: 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA512: 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: a8fc029397eea94631ad75a604df5fc3
SHA1: 3721f8c8930368f66e3f185f0d9f47836f0bd13d
SHA256: 86deeb8adc5320cf69a9abb1ae9963fb363beb36cec56a81f565bd253ae74cc9
SHA512: 5ed4c5b7e507dc6056f03965e96fa613164c7abb8b2c71a1fd7c48699e2110b34756027011c13d4a5f1f92410c4ed98acd66759c29293e0ce882ae690ee3e246

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: 2d37dd58ea16348b4631aef1940c12b0
SHA1: f7b7c7c0dd79fa193e312fde4a9e86e94829636a
SHA256: c4b143e4b2dad9958c2a8267a90af690b99e988a567e628659e7ccb8ba0858fd
SHA512: 57cdac35c0bdd5f50be03f2a691d8cd628d2fe49982c5abec8373cb79388b5eac55c77ae9caf26796c4a9bf387cc79c9ec9bca671af666834fe4a4d0762ef739

Filesize: 512KB
MD5: f7e1dbb77943e0412c65a771f54b5f9a
SHA1: 24f66926080efe3251d4c01853572ec48738b6ed
SHA256: 030884636b70923a39c1ee2fdf79108e55fb0bc069aa0171c7360bbc5e634968
SHA512: be5eb9ab31a8bd50efbd6a4bf098f507494484f86d9f0ba1396e02d21c8c763edc6dd7a5487c355e8a8be31576b8b30cf7234b22b082dfad514230854890ba17

Filesize: 512KB
MD5: 2f388e4afbaf7d2a8e2bbc6f3fd74337
SHA1: 5a8425df0f11674d7407b825f461c47b5bfaaf57
SHA256: caee0c63e3ef9d621b76a343ba223dc0a0cdea51f9c37509020a9f58156f551e
SHA512: 4870bfd0f3dd21014ccd4d4718b0d0d188e5d1859a53cfd1c3699b8b2458ccccd2195563abce38f3466062406fc198e96cccdd32534e15721d3152dd38f21919

Filesize: 512KB
MD5: 12ae4a3eea0f77aab0c9de36ff3adbb0
SHA1: 372eddb719b9e9082daf7b03f5b222189eb2edc3
SHA256: edc67754cd3f98ea7be3c932d2a4a00146a447c1e571f96e4a94fbe1a806c184
SHA512: 2033f70e106890109bfb5bda95f74ab820569fd480264ae2196fb00547543a68df81dd7442c78167d8892813045c133b50bc7630cb04d2441d30f717a0a9475c

Filesize: 512KB
MD5: 7496a4d6ca80098c1bd1bae5414e1454
SHA1: 4b85b05dbb392db2b40628920257e270b0db0c42
SHA256: dc0a3a6dccb018eab430a1d06ffb8c1242beef15aae52263d8104e917b3cee25
SHA512: 369296d0e9a6e92c962102641d83b25b54bff04d22ed8190ea0712b465a9c81c543cbaaad063c4a95b4736639ba28e89be8f19a245bbf1b897784be340db2eab

Filesize: 512KB
MD5: c025ee65631ac6b11d15735904c4cad9
SHA1: a989b9372927ae8428406adc13fa284d76cde534
SHA256: fdbe0dfb3d182683d1b558f3a9ddb97d5ff673511cacb4ad4c7c5d9c986f2068
SHA512: 0390a11bc6b7b611d6d8a39456997805a0112d07d67c40e64d721b5693943690e817595b42f40d717c12f51d3e994ed9f51c1ba427924746105779979c4a7efc

Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Filesize: 512KB
MD5: 13b8b5c75e6e542e1962989a83e56042
SHA1: b033721b7da5cdc6ba0a24f96f7bafcb14004492
SHA256: 76018c87a8f5dad5d4dc81ba171baf542f38597b240a5cd34391f540b2b9c1e9
SHA512: bbc11db570ff247ad9ebe5e3db168af415e636fe9e82fd7d8aac70ba5fb914e2546871ebcbcbe21fb7052173acccc3940200551cef64c89f450bafec5dfc2e79

Filesize: 512KB
MD5: 6e85f786c2fde4d057f4e32f5f88634c
SHA1: 1fe254a018ce0d4e0b723f6b0ade8793777bed21
SHA256: 1fd02d315d1e1278657702b203c479bf9d656a193dc3330062714e44fb429fe3
SHA512: 398130f396b712588e8a88bade1d4346f1f834838aa17b7aa2530afa3a70f8b99260b10f5eb371254112807be990134f86414252ef9f5e20f6fc737af80e5100