Analysis
max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
submitted
02/06/2024, 08:10
Static task
static1
Behavioral task
behavioral1
Sample
8d69ae68dba254e7ec4b378cb8abf1e5_JaffaCakes118.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
8d69ae68dba254e7ec4b378cb8abf1e5_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
Target
8d69ae68dba254e7ec4b378cb8abf1e5_JaffaCakes118.exe
Size
512KB
MD5
8d69ae68dba254e7ec4b378cb8abf1e5
SHA1
573f9da6b42a6365f9bd0432e31c0e4c9fe6b68e
SHA256
3ffa32eb09dbeae0bee48f445a00866cba405e5918d92b9154c6d19240b1f836
SHA512
a2954453918d724d3432b55bef5c2e4a1f17ece35ce61d22781c630356dca6d615eb6843ccc9c60fecc5fea9522a3f1c88a11b30a46084e799405ac1a627fc7b
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6n:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5q
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" sklljovjzi.exe
HideFileExt = 1 (extensions hidden) is the Windows default; the sample re-enforces it, which makes the copies it drops under names such as PROTTPLN.DOC.exe display in Explorer as PROTTPLN.DOC.
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" sklljovjzi.exe
ShowSuperHidden = 0 (protected operating-system files not shown) is likewise the default, so on an unmodified host neither Explorer value is a usable indicator on its own; the process that writes them is.
Windows security bypass 5 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" sklljovjzi.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" sklljovjzi.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" sklljovjzi.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" sklljovjzi.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" sklljovjzi.exe
All five writes landed in the WOW6432Node view because sklljovjzi.exe is a 32-bit process running from SysWOW64 and the registry redirector rewrote its HKLM\SOFTWARE path; the report shows no write to the native HKLM\SOFTWARE\Microsoft\Security Center key, so verify both views when checking a host.
Disables RegEdit via registry modification 1 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" sklljovjzi.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation 8d69ae68dba254e7ec4b378cb8abf1e5_JaffaCakes118.exe
Executes dropped EXE 5 IoCs
pid Process
4624 sklljovjzi.exe
3748 vvabfvxhskjnqcd.exe
4732 ilwuhexg.exe
4708 dfbmxrqsrflal.exe
3944 ilwuhexg.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 6 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" sklljovjzi.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" sklljovjzi.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" sklljovjzi.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" sklljovjzi.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" sklljovjzi.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" sklljovjzi.exe
The same Security Center values as under "Windows security bypass", plus FirstRunDisabled; again only the WOW6432Node view is touched.
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\zgwxvyft = "sklljovjzi.exe" vvabfvxhskjnqcd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ofwybygo = "vvabfvxhskjnqcd.exe" vvabfvxhskjnqcd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "dfbmxrqsrflal.exe" vvabfvxhskjnqcd.exe
The Run entries are written by the dropped vvabfvxhskjnqcd.exe, not by the original sample; the value names are random, the third entry is the Run key's unnamed default value, and all three hold a bare file name with no directory. When hunting, match on that shape rather than on the names from this run.
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
File opened (read-only) on drive roots, 64 events in total, grouped by process (a letter is listed once even where the same root was opened several times):
ilwuhexg.exe (45 opens): \??\a: \??\b: \??\e: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\o: \??\p: \??\q: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z:
sklljovjzi.exe (19 opens): \??\b: \??\e: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\o: \??\p: \??\q: \??\r: \??\s: \??\u: \??\v: \??\w: \??\y: \??\z:
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" sklljovjzi.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" sklljovjzi.exe
4294967197 is 0xFFFFFF9D, the legacy Windows 2000/XP value for switching off Windows File Protection; Vista and later replaced WFP with Windows Resource Protection, which does not read SFCDisable, and the write went to the WOW6432Node view in any case. SFCScan = 0 (no scan at boot) is the default. The pair is a family fingerprint rather than an effective defence-evasion step on this platform.
AutoIT Executable 9 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule
behavioral2/memory/3004-0-0x0000000000400000-0x0000000000496000-memory.dmp autoit_exe
behavioral2/files/0x00090000000233ee-3.dat autoit_exe
behavioral2/files/0x00070000000233f5-23.dat autoit_exe
behavioral2/files/0x00070000000233f6-26.dat autoit_exe
behavioral2/files/0x00070000000233f7-31.dat autoit_exe
behavioral2/files/0x00080000000233e1-69.dat autoit_exe
behavioral2/files/0x0007000000023403-74.dat autoit_exe
behavioral2/files/0x000c00000002346f-515.dat autoit_exe
behavioral2/files/0x000c00000002346f-574.dat autoit_exe
The first match is the image of the original sample (PID 3004) in memory; the rest are files it or its children wrote, so the dropped copies are AutoIt-compiled as well.
Drops file in System32 directory 12 IoCs
description ioc Process
File created C:\Windows\SysWOW64\sklljovjzi.exe 8d69ae68dba254e7ec4b378cb8abf1e5_JaffaCakes118.exe
File opened for modification C:\Windows\SysWOW64\sklljovjzi.exe 8d69ae68dba254e7ec4b378cb8abf1e5_JaffaCakes118.exe
File created C:\Windows\SysWOW64\vvabfvxhskjnqcd.exe 8d69ae68dba254e7ec4b378cb8abf1e5_JaffaCakes118.exe
File opened for modification C:\Windows\SysWOW64\vvabfvxhskjnqcd.exe 8d69ae68dba254e7ec4b378cb8abf1e5_JaffaCakes118.exe
File created C:\Windows\SysWOW64\ilwuhexg.exe 8d69ae68dba254e7ec4b378cb8abf1e5_JaffaCakes118.exe
File opened for modification C:\Windows\SysWOW64\ilwuhexg.exe 8d69ae68dba254e7ec4b378cb8abf1e5_JaffaCakes118.exe
File created C:\Windows\SysWOW64\dfbmxrqsrflal.exe 8d69ae68dba254e7ec4b378cb8abf1e5_JaffaCakes118.exe
File opened for modification C:\Windows\SysWOW64\dfbmxrqsrflal.exe 8d69ae68dba254e7ec4b378cb8abf1e5_JaffaCakes118.exe
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll sklljovjzi.exe
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe ilwuhexg.exe
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe ilwuhexg.exe (2 events)
Drops file in Program Files directory 15 IoCs
description ioc Process
All 15 events are by ilwuhexg.exe under C:\Program Files\Microsoft Office\root\Office16\1033\ (the same paths appear in both the C:\ and the \??\c:\ spelling):
File opened for modification PROTTPLN.nal (2 events)
File opened for modification PROTTPLV.nal (2 events)
File created PROTTPLN.DOC.exe (1 event)
File opened for modification PROTTPLN.DOC.exe (4 events)
File created PROTTPLV.DOC.exe (2 events)
File opened for modification PROTTPLV.DOC.exe (4 events)
Drops file in Windows directory 19 IoCs
description ioc Process
File opened for modification C:\Windows\mydoc.rtf 8d69ae68dba254e7ec4b378cb8abf1e5_JaffaCakes118.exe
File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE
File created C:\Windows\~$mydoc.rtf WINWORD.EXE
The remaining 16 events are by ilwuhexg.exe, which created (2 events each) and opened for modification (2 events each) a file named MsoIrmProtector.doc.exe in four WinSxS component directories:
\??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe
\??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe
\??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe
\??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe
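The three "Drops file" signatures above and the AutoIT signature describe one pattern: random-named 512KB AutoIt-compiled copies in SysWOW64, plus copies named after existing documents with .exe appended (MsoIrmProtector.doc.exe, PROTTPLN.DOC.exe, PROTTPLV.DOC.exe) that Explorer shows without the .exe once HideFileExt = 1. The Downloads section lists eight 512KB executables with different hashes from this single run, so per-file hashes identify this run only. The following hunt script is an added example, not part of the sandbox report or of the malware, and matches on that structure instead of on names or hashes: a double document extension, and, for unsigned .exe files in the drop directories, the "AU3!EA06" marker that compiled AutoIt scripts embed. The list of document extensions beyond .doc is an assumption (the report only shows .doc.exe), and the 8MB size cap and the root directories are choices, not facts from the report.

```powershell
# Added example (not part of the sandbox report): hunt a host for the file-drop
# pattern in this report without relying on its per-infection names and hashes.
# It flags (1) executables whose name ends in <document extension>.exe, such as
# PROTTPLN.DOC.exe, which Explorer shows as "PROTTPLN.DOC" once HideFileExt = 1,
# and (2) unsigned .exe files in the drop directories that contain the
# "AU3!EA06" marker compiled AutoIt scripts embed (a heuristic, not proof).
# Assumes an elevated Windows PowerShell 5.1+ session. The report only shows
# .doc.exe; the other document extensions below are an assumption.
[CmdletBinding()]
param(
    [string[]]$Roots = @("$env:SystemRoot\SysWOW64", "$env:SystemRoot\WinSxS",
                         $env:ProgramFiles, ${env:ProgramFiles(x86)}),
    [string[]]$DocExt = @('doc', 'docx', 'rtf', 'xls', 'xlsx', 'pdf')
)

$doublePattern = '\.(' + ($DocExt -join '|') + ')\.exe$'

function Test-AutoItMarker([string]$Path) {
    # Latin-1 maps each byte to exactly one char, so an ordinal substring search
    # on the decoded text is a byte search for the marker without a manual loop.
    try {
        $text = [System.IO.File]::ReadAllText($Path, [System.Text.Encoding]::GetEncoding(28591))
        return $text.IndexOf('AU3!EA06', [System.StringComparison]::Ordinal) -ge 0
    } catch { return $false }
}

$findings = [System.Collections.Generic.List[object]]::new()
foreach ($root in $Roots) {
    if (-not $root -or -not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Recurse -File -Filter *.exe -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -le 8MB } |     # every dropped copy in this report is 512KB
        ForEach-Object {
            $doubleExt = $_.Name -match $doublePattern
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            $unsigned = $sig.Status -ne 'Valid'
            # Pay for the byte scan only when a cheaper check already looks wrong.
            $autoit = if ($doubleExt -or $unsigned) { Test-AutoItMarker $_.FullName } else { $false }
            if (-not ($doubleExt -or ($unsigned -and $autoit))) { return }
            # The document this copy impersonates, e.g. PROTTPLN.DOC.exe -> PROTTPLN.DOC.
            $shadowed = if ($doubleExt) { $_.FullName -replace '\.exe$', '' } else { $null }
            $shadowsDoc = if ($shadowed) { Test-Path -LiteralPath $shadowed } else { $false }
            $findings.Add([pscustomobject]@{
                Path         = $_.FullName
                SizeKB       = [int]($_.Length / 1KB)
                DoubleExt    = $doubleExt
                Signature    = $sig.Status
                AutoItMarker = $autoit
                ShadowsDoc   = $shadowsDoc
                SHA256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            })
        }
}
$findings | Sort-Object DoubleExt -Descending | Format-Table -AutoSize
```

A double extension is reported on its own; the AutoIt marker is only reported together with a missing or invalid Authenticode signature, so catalog-signed Windows binaries that an older Get-AuthenticodeSignature reports as NotSigned are not flagged unless they also carry the marker. Walking WinSxS with a signature check per file is slow; narrow -Roots to SysWOW64 and the Office directory for a first pass.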
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE
Both of these signatures fire on WINWORD.EXE, which the sample launched to open C:\Windows\mydoc.rtf (see the process tree). The reads were performed by Word itself, not by any of the sample's binaries, so they are Word's normal start-up behaviour rather than evidence of sandbox detection by the malware.
Modifies registry class 20 IoCs
description ioc Process
By the original sample, 8d69ae68dba254e7ec4b378cb8abf1e5_JaffaCakes118.exe:
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32402C0A9C2583536A3676A677202CAD7C8464AB"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCAF9C9F917F1E0830F3A4781EC3999B38C02FF4362034EE2CF429C08D5"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC2B15F4490389853BDBAD7339DD7BE"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF5FFF8485D851C9030D65A7E94BCEEE63059416734633FD798"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0806BB2FF1A22D0D109D1A78A7F9011"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184FC60C14E5DBB2B8BD7F92EDE034C6"
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings
By the dropped sklljovjzi.exe:
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile"
Repointing the .bat, .vbs, .reg, .wsf, .wsh and .wsc associations to the txtfile ProgID makes those script and registry-export files open in Notepad instead of executing, which defeats the usual script- or .reg-based cleanup. HKLM\SOFTWARE\Classes is shared between the 32- and 64-bit registry views, so unlike the Security Center and Winlogon writes this hijack is not confined to WOW6432Node. The CLV.Classes values (Com1 to Com4, StartCom1, StartCom2) are hex strings written by the original sample and look like a per-infection configuration store; the report does not decode them.
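The registry signatures above (Security Center notification overrides, DisableRegistryTools, the Winlogon SFCDisable value, the WOW6432Node Run entries and the script-extension hijack) are the host-side evidence an analyst would check for after the fact. The script below is an added example, not part of the sandbox report or of the malware, that audits those exact locations and optionally restores the stock values. It assumes an elevated Windows PowerShell 5.1+ session; the restore values for the file associations are the stock Windows ProgIDs, and the expectation that Security Center and SFCDisable values of 0 are acceptable defaults is an assumption stated in the code.

```powershell
# Added example (not part of the sandbox report): audit a host for the registry
# changes this report attributes to sklljovjzi.exe and vvabfvxhskjnqcd.exe,
# and revert them with -Remediate. Assumes an elevated Windows PowerShell 5.1+
# session on the host under examination.
[CmdletBinding()]
param([switch]$Remediate)

# The dropper ran from C:\Windows\SysWOW64, i.e. as a 32-bit process, so the
# registry redirector sent its HKLM\SOFTWARE writes to WOW6432Node, exactly as
# the IoCs show. 64-bit components read the native view, and Explorer honours
# both Run keys, so every HKLM check is made in both views.
$views = 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node'

# Path, value name, the data the malware wrote (Bad) and what to restore
# (Restore; $null means delete the value). REG_DWORD reads back as Int32, so
# SFCDisable 4294967197 (0xFFFFFF9D) appears as -99. Restoring 0 is an
# assumption that matches a stock install.
$checks = [System.Collections.Generic.List[object]]::new()
foreach ($v in $views) {
    foreach ($n in 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify',
                   'AntiVirusOverride', 'FirewallOverride', 'FirstRunDisabled') {
        $checks.Add([pscustomobject]@{ Path = "$v\Microsoft\Security Center"; Name = $n; Bad = 1; Restore = 0 })
    }
    $checks.Add([pscustomobject]@{ Path = "$v\Microsoft\Windows NT\CurrentVersion\Winlogon"; Name = 'SFCDisable'; Bad = -99; Restore = 0 })
}
$checks.Add([pscustomobject]@{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools'; Bad = 1; Restore = $null })

# HKLM\SOFTWARE\Classes is shared between both views, so the script-type hijack
# lives in one place. Restore values are the stock Windows ProgIDs.
$progids = @{ '.bat' = 'batfile'; '.vbs' = 'VBSFile'; '.reg' = 'regfile'; '.wsf' = 'WSFFile'; '.wsh' = 'WSHFile'; '.wsc' = 'scriptletfile' }
foreach ($ext in $progids.Keys) {
    $checks.Add([pscustomobject]@{ Path = "HKLM:\SOFTWARE\Classes\$ext"; Name = '(default)'; Bad = 'txtfile'; Restore = $progids[$ext] })
}

$findings = [System.Collections.Generic.List[object]]::new()
foreach ($c in $checks) {
    if (-not (Test-Path -LiteralPath $c.Path)) { continue }
    $current = (Get-ItemProperty -LiteralPath $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    if ($null -eq $current -or "$current" -ne "$($c.Bad)") { continue }
    $findings.Add([pscustomobject]@{ Path = $c.Path; Name = $c.Name; Value = $current })
    if ($Remediate) {
        if ($null -eq $c.Restore) { Remove-ItemProperty -LiteralPath $c.Path -Name $c.Name }
        else { Set-ItemProperty -LiteralPath $c.Path -Name $c.Name -Value $c.Restore }
    }
}

# The Run value names (zgwxvyft, ofwybygo, the key's unnamed default value) are
# random per infection, so match on shape instead: data that is a bare .exe
# name with no directory, as all three entries in this report are. These are
# reported, never removed automatically, because a legitimate product could in
# principle register itself the same way.
foreach ($v in $views) {
    $run = "$v\Microsoft\Windows\CurrentVersion\Run"
    if (-not (Test-Path -LiteralPath $run)) { continue }
    foreach ($p in (Get-ItemProperty -LiteralPath $run).PSObject.Properties) {
        if ($p.Name -in 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider') { continue }
        if ("$($p.Value)" -match '^[^\\/:"]+\.exe$') {
            $findings.Add([pscustomobject]@{ Path = $run; Name = $p.Name; Value = $p.Value })
        }
    }
}
$findings | Format-Table -AutoSize
```

HideFileExt = 1 and ShowSuperHidden = 0 are deliberately left out of the value checks: both are the Windows defaults, so their presence proves nothing on an uninfected host. Run the script read-only first; -Remediate only touches values that currently hold the exact data this report records, and leaves the Run entries for manual review because removing a Run value does not remove the executable it points to.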
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process
2736 WINWORD.EXE (2 events)
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
3004 8d69ae68dba254e7ec4b378cb8abf1e5_JaffaCakes118.exe (16 events)
4624 sklljovjzi.exe (10 events)
3748 vvabfvxhskjnqcd.exe (10 events)
4708 dfbmxrqsrflal.exe (12 events)
4732 ilwuhexg.exe (8 events)
3944 ilwuhexg.exe (8 events)
Suspicious use of FindShellTrayWindow 18 IoCs
pid Process
3004 8d69ae68dba254e7ec4b378cb8abf1e5_JaffaCakes118.exe (3 events)
4624 sklljovjzi.exe (3 events)
3748 vvabfvxhskjnqcd.exe (3 events)
4732 ilwuhexg.exe (3 events)
4708 dfbmxrqsrflal.exe (3 events)
3944 ilwuhexg.exe (3 events)
Suspicious use of SendNotifyMessage 18 IoCs
pid Process
3004 8d69ae68dba254e7ec4b378cb8abf1e5_JaffaCakes118.exe (3 events)
4624 sklljovjzi.exe (3 events)
3748 vvabfvxhskjnqcd.exe (3 events)
4732 ilwuhexg.exe (3 events)
4708 dfbmxrqsrflal.exe (3 events)
3944 ilwuhexg.exe (3 events)
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process
2736 WINWORD.EXE (7 events)
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target
PID 3004 (8d69ae68dba254e7ec4b378cb8abf1e5_JaffaCakes118.exe) wrote to memory of 4624 (sklljovjzi.exe), target 82, 3 events
PID 3004 (8d69ae68dba254e7ec4b378cb8abf1e5_JaffaCakes118.exe) wrote to memory of 3748 (vvabfvxhskjnqcd.exe), target 83, 3 events
PID 3004 (8d69ae68dba254e7ec4b378cb8abf1e5_JaffaCakes118.exe) wrote to memory of 4732 (ilwuhexg.exe), target 84, 3 events
PID 3004 (8d69ae68dba254e7ec4b378cb8abf1e5_JaffaCakes118.exe) wrote to memory of 4708 (dfbmxrqsrflal.exe), target 85, 3 events
PID 3004 (8d69ae68dba254e7ec4b378cb8abf1e5_JaffaCakes118.exe) wrote to memory of 2736 (WINWORD.EXE), target 86, 2 events
PID 4624 (sklljovjzi.exe) wrote to memory of 3944 (ilwuhexg.exe), target 88, 3 events
Each parent/child pair corresponds to a process creation in the tree below; the writes are the ones a parent performs when launching a child, not injection into an unrelated process.
Processes
C:\Users\Admin\AppData\Local\Temp\8d69ae68dba254e7ec4b378cb8abf1e5_JaffaCakes118.exe  PID 3004
  command line: "C:\Users\Admin\AppData\Local\Temp\8d69ae68dba254e7ec4b378cb8abf1e5_JaffaCakes118.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\sklljovjzi.exe  PID 4624  (child of 3004)
    command line: sklljovjzi.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\ilwuhexg.exe  PID 3944  (child of 4624)
      command line: C:\Windows\system32\ilwuhexg.exe
      The command line names system32, but the image that ran is the dropped SysWOW64 copy: the 32-bit parent's path was rewritten by file-system redirection.
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\vvabfvxhskjnqcd.exe  PID 3748  (child of 3004)
    command line: vvabfvxhskjnqcd.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\ilwuhexg.exe  PID 4732  (child of 3004)
    command line: ilwuhexg.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\dfbmxrqsrflal.exe  PID 4708  (child of 3004)
    command line: dfbmxrqsrflal.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE  PID 2736  (child of 3004)
    command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx

The original sample drops four random-named copies into SysWOW64 and starts each of them directly, then opens C:\Windows\mydoc.rtf in Word as a decoy; the per-copy roles (registry tampering in sklljovjzi.exe, Run-key persistence in vvabfvxhskjnqcd.exe, file drops across drives, Office and WinSxS in ilwuhexg.exe) follow from the signatures attributed to each process above.
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (6)
Downloads
Filesize 512KB
MD5 354d4db935dec2eb02ef63302069186e
SHA1 e695bcea31ef74534bb16505363979c0e5dd39de
SHA256 1cf681144daa13852b5a08c9c77e57beedcf46462147801c794e3bb1b37f35d3
SHA512 b4ef8ba03d69ea6e1774f713a018810ad89742dab5e6b0ca4c82abc9b416035833d2567196e6b9279afaa2989e10fa809a4cbc72e0bf13e44b2eadacd1f9452a

Filesize 262KB
MD5 51d32ee5bc7ab811041f799652d26e04
SHA1 412193006aa3ef19e0a57e16acf86b830993024a
SHA256 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA512 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Filesize 239B
MD5 12b138a5a40ffb88d1850866bf2959cd
SHA1 57001ba2de61329118440de3e9f8a81074cb28a2
SHA256 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA512 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize 3KB
MD5 758cf499b39784c5a22d7ba2ebdb6cdd
SHA1 4cc09cae65bc16559b7f6233be65a82ebd57ff91
SHA256 3dd66d483a55ff9cd9fd13762e014463d53a19e08b5b4ae0ae4c497b1bcfa3ca
SHA512 7efe763d6e49dba7050f23d9d069f390037f3affb05ac02f217c6e364f06dd3222b2c929b4d0783016622d16d6a4603fa76f030633c00ff36b0dea34c1305904

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize 3KB
MD5 dec0f6f54b494f7dd7b010f12991a811
SHA1 4b896f92060a16d8e29057ef6f0cb07ba5ac90f5
SHA256 44fbf0579718a0cbe560e4ebc64b7cd6a9065c337b9d17eff2d1a875f9d9fd70
SHA512 8aac1d16edf13786c47d69b4743cd0399494ee2186a2bcc32eeb222bcb8761ef8196a4cffb063f436f5df207700685e00c91aebfcdaa3215f8666b485ad22341

Filesize 512KB
MD5 9694fa5176c35e02759aa8178a8c5cf5
SHA1 8dd8974b4bf5a12ea049ee8af82e030200a33575
SHA256 c7cd5dbde60de00639c53746e306cac413d576d5afaf6de4c10cd114bfd44d77
SHA512 f374490c8e77bd65a22760acdb7669da686663e9ded97cac8b8287164ea44fb03330e072de47fc80cf77433d097b0d16934e347a5044dccab4e767888f729e36

Filesize 512KB
MD5 0bf97b68b716d3610fa3b2364131cf74
SHA1 6429cf1344313d44a0ea4c73c0dc2b525581297b
SHA256 a5294ee285e3b7bc34191b716b8f420953e21884a3a2206f5c0862b66bf455ae
SHA512 e4686630410732ce5b258ec11d09da3a40d7381736f88fb30dabaf0204472ddb732589dd6b8fb2056a3b7212ef6bbb612799eec49974357ca901b4cfaa011640

Filesize 512KB
MD5 52bbd6065f07c5002bb2286de1596449
SHA1 0ca51f266fa37874f9efb293e8b8087f97758986
SHA256 d15f26199a32735459892d9906e2b1874339dd78e07cbccd16b4fa66d801eaac
SHA512 28a0d2a86240ba13c42dece69c3919a16a7d919d819ba1d09f65e676e56bce02ae94a8ea888fa8b567106b6c6e676ea7187b4c2ba256124456dd0c9ab91297b8

Filesize 512KB
MD5 1972af0bcf58e472432b8573f876584c
SHA1 9703bc28fcf1d3d6787ece6a9a2912e256eee056
SHA256 d9f08f5e454f517df52ea8c961d4809825c9504bcc1b81ee42979dce555b53f8
SHA512 78ae6a8d44716c784a62361525c05caa32868618edce7b0fbe08c32a6c68f9f1873480708285bef6c9d49a5e01f21e0f0ceb5d46a155481673d14c78bd5cc4bf

Filesize 223B
MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Filesize 512KB
MD5 3d48ad2e4cd9fe9b22738e02935a8527
SHA1 fedba553e43cd2c588a3a090f5114600485686af
SHA256 4147e27c721b9fcda3cd90317348e2f59f940b9e0b7ec9a3e45fd49fe541a37c
SHA512 e0b9fa20102005640f0ffa441e0aa93a8a216ffbeaf4a9175f23346c29d3d04565a9ed45a134bb0edb832a8ff4a7dde82a345c75582e82e259eba93644b07140

Filesize 512KB
MD5 bb6853444c0eab5c16e4deed3fe71a2b
SHA1 2ec93633e3b28b793ac954a497cada1270fa1a7f
SHA256 1b9088f456d429ea1b35c47ca18b212bda468e5c6213bc76427236ac324aba5f
SHA512 9b70657ed6586070441284d6c2cc38cb8668044f4557280ed7d75de80897c6cb13b77314fc92a35efd2b511f37d408169413399173d1449203d5e3df3847f1be

Filesize 512KB
MD5 fee6bb4749ca0e2d52c938c3ae9b79b8
SHA1 90c9b639b51d0e4ff776efd31edccce250b08c02
SHA256 b7d9c5f3b910ea74b103d39e6bdae62f8a1388be0ef3dd753d8dac124bf44751
SHA512 366ef2d729ccd3ad3b5641e2989f6c7771947ca90aaa976edd0e66e28e4a7443164a71cc6b5ca015f0ecced7da5195a7d1bb65f85c747342736ba331112faea0