Analysis
max time kernel: 150s
max time network: 124s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-06-2024 23:57

Static task: static1
Behavioral task: behavioral1
  Sample: 930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe
  Resource: win10v2004-20240426-en
General
Target: 930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe
Size: 512KB
MD5: 930c33ff94fabe0b19a313d5c36b1243
SHA1: bd5bcc8905ad2c876853bf434a90a860a69e0b8e
SHA256: f4725b05284b9ad3b6e6be5007795dce59b504d4c6c962cfef2955fac97f952b
SHA512: 1aaf565607effb18fdf6bdd5f1548c81dda9f0e6d29a0499d466bba55cc6c4f2a86b24a63250bbf769144071397e3a2b169ce68c65252f8545ed00218b84ef72
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6c:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5b
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
Processes: wqimvavhcg.exe
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | wqimvavhcg.exe

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
Processes: wqimvavhcg.exe
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | wqimvavhcg.exe

Windows security bypass (5 IoCs)
Processes: wqimvavhcg.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | wqimvavhcg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | wqimvavhcg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | wqimvavhcg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | wqimvavhcg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | wqimvavhcg.exe

Disables RegEdit via registry modification (1 IoC)
Processes: wqimvavhcg.exe
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | wqimvavhcg.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: 930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | 930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe

Executes dropped EXE (5 IoCs)
Processes: wqimvavhcg.exe, bihncvjnahjzbnv.exe, ahfklvua.exe, erffyikmsdtfb.exe, ahfklvua.exe
  pid | process
  4544 | wqimvavhcg.exe
  3972 | bihncvjnahjzbnv.exe
  4616 | ahfklvua.exe
  1824 | erffyikmsdtfb.exe
  2732 | ahfklvua.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification (6 IoCs)
Processes: wqimvavhcg.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | wqimvavhcg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | wqimvavhcg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | wqimvavhcg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | wqimvavhcg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | wqimvavhcg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | wqimvavhcg.exe

Adds Run key to start application (2 TTPs, 3 IoCs)
Processes: bihncvjnahjzbnv.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\hlzabffo = "wqimvavhcg.exe" | bihncvjnahjzbnv.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ndhgmley = "bihncvjnahjzbnv.exe" | bihncvjnahjzbnv.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "erffyikmsdtfb.exe" | bihncvjnahjzbnv.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: ahfklvua.exe, wqimvavhcg.exe, ahfklvua.exe
  description | ioc | process
  File opened (read-only) | \??\z: | ahfklvua.exe
  File opened (read-only) | \??\h: | wqimvavhcg.exe
  File opened (read-only) | \??\u: | wqimvavhcg.exe
  File opened (read-only) | \??\l: | ahfklvua.exe
  File opened (read-only) | \??\p: | ahfklvua.exe
  File opened (read-only) | \??\n: | ahfklvua.exe
  File opened (read-only) | \??\n: | wqimvavhcg.exe
  File opened (read-only) | \??\q: | wqimvavhcg.exe
  File opened (read-only) | \??\y: | wqimvavhcg.exe
  File opened (read-only) | \??\j: | ahfklvua.exe
  File opened (read-only) | \??\m: | ahfklvua.exe
  File opened (read-only) | \??\r: | ahfklvua.exe
  File opened (read-only) | \??\e: | ahfklvua.exe
  File opened (read-only) | \??\s: | ahfklvua.exe
  File opened (read-only) | \??\a: | ahfklvua.exe
  File opened (read-only) | \??\i: | ahfklvua.exe
  File opened (read-only) | \??\e: | ahfklvua.exe
  File opened (read-only) | \??\u: | ahfklvua.exe
  File opened (read-only) | \??\g: | wqimvavhcg.exe
  File opened (read-only) | \??\u: | ahfklvua.exe
  File opened (read-only) | \??\o: | ahfklvua.exe
  File opened (read-only) | \??\a: | wqimvavhcg.exe
  File opened (read-only) | \??\p: | wqimvavhcg.exe
  File opened (read-only) | \??\j: | ahfklvua.exe
  File opened (read-only) | \??\w: | ahfklvua.exe
  File opened (read-only) | \??\h: | ahfklvua.exe
  File opened (read-only) | \??\r: | wqimvavhcg.exe
  File opened (read-only) | \??\s: | wqimvavhcg.exe
  File opened (read-only) | \??\t: | ahfklvua.exe
  File opened (read-only) | \??\v: | ahfklvua.exe
  File opened (read-only) | \??\q: | ahfklvua.exe
  File opened (read-only) | \??\x: | ahfklvua.exe
  File opened (read-only) | \??\k: | wqimvavhcg.exe
  File opened (read-only) | \??\h: | ahfklvua.exe
  File opened (read-only) | \??\i: | ahfklvua.exe
  File opened (read-only) | \??\s: | ahfklvua.exe
  File opened (read-only) | \??\m: | ahfklvua.exe
  File opened (read-only) | \??\t: | wqimvavhcg.exe
  File opened (read-only) | \??\z: | wqimvavhcg.exe
  File opened (read-only) | \??\b: | ahfklvua.exe
  File opened (read-only) | \??\g: | ahfklvua.exe
  File opened (read-only) | \??\y: | ahfklvua.exe
  File opened (read-only) | \??\w: | ahfklvua.exe
  File opened (read-only) | \??\b: | wqimvavhcg.exe
  File opened (read-only) | \??\i: | wqimvavhcg.exe
  File opened (read-only) | \??\l: | wqimvavhcg.exe
  File opened (read-only) | \??\y: | ahfklvua.exe
  File opened (read-only) | \??\z: | ahfklvua.exe
  File opened (read-only) | \??\j: | wqimvavhcg.exe
  File opened (read-only) | \??\v: | ahfklvua.exe
  File opened (read-only) | \??\t: | ahfklvua.exe
  File opened (read-only) | \??\m: | wqimvavhcg.exe
  File opened (read-only) | \??\q: | ahfklvua.exe
  File opened (read-only) | \??\a: | ahfklvua.exe
  File opened (read-only) | \??\k: | ahfklvua.exe
  File opened (read-only) | \??\r: | ahfklvua.exe
  File opened (read-only) | \??\o: | wqimvavhcg.exe
  File opened (read-only) | \??\v: | wqimvavhcg.exe
  File opened (read-only) | \??\x: | wqimvavhcg.exe
  File opened (read-only) | \??\p: | ahfklvua.exe
  File opened (read-only) | \??\n: | ahfklvua.exe
  File opened (read-only) | \??\o: | ahfklvua.exe
  File opened (read-only) | \??\b: | ahfklvua.exe
  File opened (read-only) | \??\g: | ahfklvua.exe
Modifies WinLogon (2 TTPs, 2 IoCs)
Processes: wqimvavhcg.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | wqimvavhcg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | wqimvavhcg.exe
AutoIT Executable (10 IoCs)
AutoIT scripts compiled to PE executables.
  resource | yara_rule
  behavioral2/memory/536-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
  C:\Windows\SysWOW64\bihncvjnahjzbnv.exe | autoit_exe
  C:\Windows\SysWOW64\wqimvavhcg.exe | autoit_exe
  C:\Windows\SysWOW64\ahfklvua.exe | autoit_exe
  C:\Windows\SysWOW64\erffyikmsdtfb.exe | autoit_exe
  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | autoit_exe
  C:\Users\Admin\Documents\JoinMerge.doc.exe | autoit_exe
  C:\Users\Admin\Documents\RequestConfirm.doc.exe | autoit_exe
  \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | autoit_exe
  \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | autoit_exe
Drops file in System32 directory (12 IoCs)
Processes: 930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe, wqimvavhcg.exe, ahfklvua.exe, ahfklvua.exe
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\erffyikmsdtfb.exe | 930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | wqimvavhcg.exe
  File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | ahfklvua.exe
  File created | C:\Windows\SysWOW64\wqimvavhcg.exe | 930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe
  File created | C:\Windows\SysWOW64\bihncvjnahjzbnv.exe | 930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\bihncvjnahjzbnv.exe | 930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\ahfklvua.exe | 930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe
  File created | C:\Windows\SysWOW64\erffyikmsdtfb.exe | 930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\wqimvavhcg.exe | 930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe
  File created | C:\Windows\SysWOW64\ahfklvua.exe | 930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe
  File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | ahfklvua.exe
  File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | ahfklvua.exe
Drops file in Program Files directory (14 IoCs)
Processes: ahfklvua.exe, ahfklvua.exe
  description | ioc | process
  File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ahfklvua.exe
  File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ahfklvua.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ahfklvua.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | ahfklvua.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | ahfklvua.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ahfklvua.exe
  File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ahfklvua.exe
  File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ahfklvua.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ahfklvua.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | ahfklvua.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | ahfklvua.exe
  File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ahfklvua.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ahfklvua.exe
  File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ahfklvua.exe
Drops file in Windows directory (19 IoCs)
Processes: 930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe, ahfklvua.exe, ahfklvua.exe, WINWORD.EXE
  description | ioc | process
  File opened for modification | C:\Windows\mydoc.rtf | 930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe
  File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | ahfklvua.exe
  File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | ahfklvua.exe
  File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | ahfklvua.exe
  File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | ahfklvua.exe
  File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | ahfklvua.exe
  File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | ahfklvua.exe
  File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
  File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | ahfklvua.exe
  File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | ahfklvua.exe
  File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | ahfklvua.exe
  File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | ahfklvua.exe
  File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | ahfklvua.exe
  File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | ahfklvua.exe
  File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
  File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | ahfklvua.exe
  File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | ahfklvua.exe
  File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | ahfklvua.exe
  File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | ahfklvua.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: WINWORD.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class (20 IoCs)
Processes: wqimvavhcg.exe, 930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | wqimvavhcg.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | wqimvavhcg.exe
  Key created | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings | 930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF4FCFC482685689031D72E7DE5BDE0E631594366436341D7ED" | 930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184EC6751593DAC7B8C97CE8EDE237B9" | 930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | wqimvavhcg.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7866BB9FF6E21D9D272D0A88A7F9165" | 930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | wqimvavhcg.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | wqimvavhcg.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | wqimvavhcg.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACEFABDF965F19783083A4786EA39E6B08E02FC43620233E1CC42EE09D3" | 930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | wqimvavhcg.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | wqimvavhcg.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | wqimvavhcg.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | wqimvavhcg.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | wqimvavhcg.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | wqimvavhcg.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32442D799C2083526D4376D177202CD67DF664DE" | 930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FCAB15B479339E953B9B9D433E9D7BC" | 930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes: WINWORD.EXE
  pid | process
  5088 | WINWORD.EXE (x2)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: 930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe, wqimvavhcg.exe, bihncvjnahjzbnv.exe, erffyikmsdtfb.exe, ahfklvua.exe, ahfklvua.exe
  pid | process (consecutive repeated entries collapsed, original order kept)
  536 | 930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe (x16)
  4544 | wqimvavhcg.exe (x10)
  3972 | bihncvjnahjzbnv.exe (x10)
  1824 | erffyikmsdtfb.exe (x8)
  4616 | ahfklvua.exe (x2)
  1824 | erffyikmsdtfb.exe
  4616 | ahfklvua.exe (x2)
  1824 | erffyikmsdtfb.exe
  4616 | ahfklvua.exe (x4)
  1824 | erffyikmsdtfb.exe (x2)
  2732 | ahfklvua.exe (x8)

Suspicious use of FindShellTrayWindow (18 IoCs)
Processes: 930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe, wqimvavhcg.exe, bihncvjnahjzbnv.exe, erffyikmsdtfb.exe, ahfklvua.exe, ahfklvua.exe
  pid | process
  536 | 930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe (x3)
  4544 | wqimvavhcg.exe (x3)
  3972 | bihncvjnahjzbnv.exe (x3)
  1824 | erffyikmsdtfb.exe (x3)
  4616 | ahfklvua.exe (x3)
  2732 | ahfklvua.exe (x3)

Suspicious use of SendNotifyMessage (18 IoCs)
Processes: 930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe, wqimvavhcg.exe, bihncvjnahjzbnv.exe, erffyikmsdtfb.exe, ahfklvua.exe, ahfklvua.exe
  pid | process
  536 | 930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe (x3)
  4544 | wqimvavhcg.exe (x3)
  3972 | bihncvjnahjzbnv.exe (x3)
  1824 | erffyikmsdtfb.exe (x3)
  4616 | ahfklvua.exe (x3)
  2732 | ahfklvua.exe (x3)

Suspicious use of SetWindowsHookEx (7 IoCs)
Processes: WINWORD.EXE
  pid | process
  5088 | WINWORD.EXE (x7)

Suspicious use of WriteProcessMemory (17 IoCs)
Processes: 930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe, wqimvavhcg.exe
  description | pid | process | target process
  PID 536 wrote to memory of 4544 | 536 | 930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe | wqimvavhcg.exe (x3)
  PID 536 wrote to memory of 3972 | 536 | 930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe | bihncvjnahjzbnv.exe (x3)
  PID 536 wrote to memory of 4616 | 536 | 930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe | ahfklvua.exe (x3)
  PID 536 wrote to memory of 1824 | 536 | 930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe | erffyikmsdtfb.exe (x3)
  PID 4544 wrote to memory of 2732 | 4544 | wqimvavhcg.exe | ahfklvua.exe (x3)
  PID 536 wrote to memory of 5088 | 536 | 930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe | WINWORD.EXE (x2)
Processes
C:\Users\Admin\AppData\Local\Temp\930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe (level 1, PID 536)
  Command line: "C:\Users\Admin\AppData\Local\Temp\930c33ff94fabe0b19a313d5c36b1243_JaffaCakes118.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\wqimvavhcg.exe (level 2, PID 4544)
    Command line: wqimvavhcg.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\ahfklvua.exe (level 3, PID 2732)
      Command line: C:\Windows\system32\ahfklvua.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\bihncvjnahjzbnv.exe (level 2, PID 3972)
    Command line: bihncvjnahjzbnv.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\ahfklvua.exe (level 2, PID 4616)
    Command line: ahfklvua.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\erffyikmsdtfb.exe (level 2, PID 1824)
    Command line: erffyikmsdtfb.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (level 2, PID 5088)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)
Privilege Escalation
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)
Defense Evasion
  - Hide Artifacts (2)
    - Hidden Files and Directories (2)
  - Impair Defenses (2)
    - Disable or Modify Tools (2)
  - Modify Registry (6)
Downloads
- Filesize: 512KB
  MD5: b34f59b18b5afb684b5c06e605dee700
  SHA1: e3ed31d11ed85e07edfd5908b0df5f318a3bdd22
  SHA256: dbb04c5e69792322c08dce865fb851153e249bdf4ad2e2b2f771ad469eca5860
  SHA512: c150b7334453532273fbb21f128c7afc49f41e6166910326fae56ac72c0d8502d1f1895ad855fa66a7650b8bf83540a03a8696d0f976c5e6ea39bb401eb0b0d5
- Filesize: 245KB
  MD5: f883b260a8d67082ea895c14bf56dd56
  SHA1: 7954565c1f243d46ad3b1e2f1baf3281451fc14b
  SHA256: ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
  SHA512: d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e
- Filesize: 239B
  MD5: 361ba5cdfe246f4303b0a1638e0daf43
  SHA1: eced7199b1af3c8e92209a68cb9a925ff3f369a3
  SHA256: 507143acb38e64408d03a0dd98e16bd34ca557294c466ae8ec9c7c763eb3a2a5
  SHA512: 81b9d124396d138717aea4dc71cec59426a3b65b47eaa0d13523adf030c5e3df9fa670ed48f7634d0301812d4b546dd43bc5bf863b58112570a2ab049bc7ab54
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 3KB
  MD5: 7e1d9ecea49df89930f47693484d3db6
  SHA1: f91de86d39e949a5a4ce13a33571a5773dd44e1e
  SHA256: 13fa82fb2f37961421c59b8f810d40949cb0b4384ad049a8d47c7d4d05ae7b6b
  SHA512: bc5b321d5783a5ae632f08de853ce8e177cfa6c2eee48053b7eed7060fd73966b5111eab71356c9ed2cd19ae4cf3081ef44b431ae73a8c965b1224f60d909b0b
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 3KB
  MD5: 00d8b3cd5fce651eb3126ddf38bfc927
  SHA1: 0ae4eba1180c06d439e4614c57126a77b98a096c
  SHA256: dd6a12371c623dfa374a0373eb72512d52d828021be53e13f735d4c8c6c2bc42
  SHA512: 5379dbcf105aead9b780b84d76fd154f06d864bcd830ef50f267173814eef7e429a0d6383e49af21aa70a46aee61d9bcb28ea94cc93279a2b86b8ad6d3d4c260
- Filesize: 512KB
  MD5: c6d5169d73678b0c1b047bd149202154
  SHA1: 7ecf8922a634005dd6142e18c1748790bf35e8ca
  SHA256: 885bbb7d337db632e2360043f29def73a4d48be3f6f5e55f2a5cc21196ec325d
  SHA512: 1eac0dfb534622ba3a8ffb7ef1976a2a9481ef591fd913a838d49db6ecb2c3205839742610a6915438c170a34576b4fa0e9d482460c3efb3dc3fcd81ca4a3d82
- Filesize: 512KB
  MD5: 10a27820e2d4f3e056b474100d0c7c52
  SHA1: 4b01991780d4282ad40ee3241c30c115b7589cfc
  SHA256: a936f68534ff021dd3edec275e1e0b6075d5d91a36fa94ab753416d520d3aa1d
  SHA512: 97fdd0c3dd20feb59ce1514bfa209de192b17bf2883996e0cbcbda9437b5dcac3c09333cac14e9e65c80dfa388555524a5abdd70c56b3081303562e463f3a9d0
- Filesize: 512KB
  MD5: be02c5accc70e153cd596ca144bceed0
  SHA1: e39335736b28312e5631afb04a21d3059348f674
  SHA256: 7552b428f53095ca87ffa569602e706798ebe8c921d2287f7d43bf86d20d7ce9
  SHA512: e6816b59daed1af0e7a769873b787e251c0b1d5b01f6e72f838c8eae2527e2688c5a241048ffe6f94e1e8364c20029dfc7ca1faf93ba8581c12ed24c5dcb9205
- Filesize: 512KB
  MD5: 1e3ae845563779a9f92adf2259f3175b
  SHA1: c13928d7a3a6ff1d136084b5d4d4df81cf9ce83b
  SHA256: c434f757c6abf53b1b751b80082d58a8a19841c9c76170a25ee8b070636cc8b5
  SHA512: f33a0b90b31697cb9b84e19fd2af6718feba0a391a4a9c6bc70610c78787db480e80a6181dfd4db015bec9d8d1be44ffd90f2d1effd76ca64a92c52df3a65e9f
- Filesize: 512KB
  MD5: 54be701f5de97508d8e5a68a296f5ad1
  SHA1: 22b3eae4e9260a4ebe4e611a595c9097c873491f
  SHA256: fc9186f2da2b447afe40360c01baf5981a409794269355113266cbd6b1d4fba0
  SHA512: fc83c11dcebf4d6afb6a22a3f80b418d5f448f81562ef93872214b16b59da7b77df340b225bcff6ab5b0290a2e7c336c528c15b991c284eee5ba7db1571d915f
- Filesize: 512KB
  MD5: 1e7054d898f195cc849573a3a301e0d3
  SHA1: 9a34d07f7743a2162c947da631bc6a94553c689e
  SHA256: a46f76a5e12457e17c1bf1bbfaa35e166c672b8efccc51ba0a5062c4c2bdc337
  SHA512: 8588f7b4d81103307d5080528ebe8c414e3d556c18f902ec6c417b8c86adcd40e653cd5fd1f282c1c220de68b212e52d39f0f5597afdb9cb36a0a80a1a3a9d49
- Filesize: 223B
  MD5: 06604e5941c126e2e7be02c5cd9f62ec
  SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
  SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
  SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
- Filesize: 512KB
  MD5: 20ec81b3b35cc983a61148dac19b3b24
  SHA1: 1c94bd0708553e0bf81aee8327b5ef71cc8ad19e
  SHA256: 6a7f2f82e438391af54e14336ca3622b79f0442655948e3fd80a4968b94f5c60
  SHA512: 70e1b419f98eccb9b0278f31797208380ffeca00ff92a1ff243bde9d59d4c630776d1ac659e84053ae833ed50127c94cbabae2d0cc9bdb9f9ae2dfa9f47d15bc
- Filesize: 512KB
  MD5: e325ff41d7b676a975f65f5db492271d
  SHA1: c39b13f4db08fd08c93ef19ecd29258e9a77b81b
  SHA256: 874c72474e30727d513829b8f53754a06f82ba310b0015ca25afeec2f3e89956
  SHA512: bbb4674e37539e8a8cf5fe5ee5db446658f12e3f4a19b88a95a8deea5c3bdd66c74f328f85ff03f10e42caf24cecdf76780456b21262f750dec66888db68dff9