Analysis
-
max time kernel
150s -
max time network
124s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
03-06-2024 03:43
Static task
static1
Behavioral task
behavioral1
Sample
906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe
Resource
win10v2004-20240426-en
General
-
Target
906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe
-
Size
512KB
-
MD5
906ea6d73fd1bac2633dee29220394da
-
SHA1
a2865d9b082ba59cf89b421f48f6648395f53de1
-
SHA256
bf932df57b55140592c613e69e27217a80c604100a28f01cf088d43d02339930
-
SHA512
2f24dd78066cff91a9442e4ecfb05a5a4dadd522a9b956400ae10838e3e81633ecb537a1e95bce7df70da3a2c428a0ce98c3c0b0bb85db3ffc9d1a55dbe3a6cf
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj67:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5Q
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" oxjqcvcbrp.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" oxjqcvcbrp.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" oxjqcvcbrp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" oxjqcvcbrp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" oxjqcvcbrp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" oxjqcvcbrp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" oxjqcvcbrp.exe -
Disables RegEdit via registry modification 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" oxjqcvcbrp.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation 906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe -
Executes dropped EXE 5 IoCs
pid Process 2400 oxjqcvcbrp.exe 1644 kdzhrugxwgsmosq.exe 712 bbhhwofs.exe 4444 qnpyvoffmvdao.exe 2788 bbhhwofs.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" oxjqcvcbrp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" oxjqcvcbrp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" oxjqcvcbrp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" oxjqcvcbrp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" oxjqcvcbrp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" oxjqcvcbrp.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\hpwpfbzd = "oxjqcvcbrp.exe" kdzhrugxwgsmosq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gteypjqp = "kdzhrugxwgsmosq.exe" kdzhrugxwgsmosq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "qnpyvoffmvdao.exe" kdzhrugxwgsmosq.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\l: bbhhwofs.exe File opened (read-only) \??\w: bbhhwofs.exe File opened (read-only) \??\o: oxjqcvcbrp.exe File opened (read-only) \??\x: oxjqcvcbrp.exe File opened (read-only) \??\n: bbhhwofs.exe File opened (read-only) \??\a: oxjqcvcbrp.exe File opened (read-only) \??\e: bbhhwofs.exe File opened (read-only) \??\b: bbhhwofs.exe File opened (read-only) \??\p: oxjqcvcbrp.exe File opened (read-only) \??\t: oxjqcvcbrp.exe File opened (read-only) \??\v: bbhhwofs.exe File opened (read-only) \??\b: oxjqcvcbrp.exe File opened (read-only) \??\j: oxjqcvcbrp.exe File opened (read-only) \??\k: oxjqcvcbrp.exe File opened (read-only) \??\x: bbhhwofs.exe File opened (read-only) \??\s: bbhhwofs.exe File opened (read-only) \??\u: oxjqcvcbrp.exe File opened (read-only) \??\m: bbhhwofs.exe File opened (read-only) \??\q: bbhhwofs.exe File opened (read-only) \??\g: bbhhwofs.exe File opened (read-only) \??\k: bbhhwofs.exe File opened (read-only) \??\a: bbhhwofs.exe File opened (read-only) \??\i: bbhhwofs.exe File opened (read-only) \??\a: bbhhwofs.exe File opened (read-only) \??\t: bbhhwofs.exe File opened (read-only) \??\z: bbhhwofs.exe File opened (read-only) \??\h: bbhhwofs.exe File opened (read-only) \??\l: oxjqcvcbrp.exe File opened (read-only) \??\s: oxjqcvcbrp.exe File opened (read-only) \??\y: oxjqcvcbrp.exe File opened (read-only) \??\k: bbhhwofs.exe File opened (read-only) \??\l: bbhhwofs.exe File opened (read-only) \??\e: oxjqcvcbrp.exe File opened (read-only) \??\h: bbhhwofs.exe File opened (read-only) \??\s: bbhhwofs.exe File opened (read-only) \??\j: bbhhwofs.exe File opened (read-only) \??\m: bbhhwofs.exe File opened (read-only) \??\y: bbhhwofs.exe File opened (read-only) \??\n: oxjqcvcbrp.exe File opened (read-only) \??\r: oxjqcvcbrp.exe File opened (read-only) \??\g: bbhhwofs.exe File opened (read-only) \??\x: bbhhwofs.exe File opened (read-only) \??\z: bbhhwofs.exe File opened (read-only) \??\b: bbhhwofs.exe File opened (read-only) \??\r: bbhhwofs.exe File opened (read-only) \??\y: bbhhwofs.exe File opened (read-only) \??\g: oxjqcvcbrp.exe File opened (read-only) \??\h: oxjqcvcbrp.exe File opened (read-only) \??\o: bbhhwofs.exe File opened (read-only) \??\r: bbhhwofs.exe File opened (read-only) \??\u: bbhhwofs.exe File opened (read-only) \??\i: oxjqcvcbrp.exe File opened (read-only) \??\i: bbhhwofs.exe File opened (read-only) \??\p: bbhhwofs.exe File opened (read-only) \??\u: bbhhwofs.exe File opened (read-only) \??\o: bbhhwofs.exe File opened (read-only) \??\p: bbhhwofs.exe File opened (read-only) \??\q: bbhhwofs.exe File opened (read-only) \??\m: oxjqcvcbrp.exe File opened (read-only) \??\v: oxjqcvcbrp.exe File opened (read-only) \??\t: bbhhwofs.exe File opened (read-only) \??\w: oxjqcvcbrp.exe File opened (read-only) \??\j: bbhhwofs.exe File opened (read-only) \??\e: bbhhwofs.exe -
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" oxjqcvcbrp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" oxjqcvcbrp.exe -
AutoIT Executable 10 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral2/memory/664-0-0x0000000000400000-0x0000000000496000-memory.dmp autoit_exe behavioral2/files/0x0007000000023433-5.dat autoit_exe behavioral2/files/0x000800000002342f-18.dat autoit_exe behavioral2/files/0x0007000000023434-27.dat autoit_exe behavioral2/files/0x0007000000023435-32.dat autoit_exe behavioral2/files/0x000600000001d8b9-66.dat autoit_exe behavioral2/files/0x000400000001da15-69.dat autoit_exe behavioral2/files/0x000400000001e42e-75.dat autoit_exe behavioral2/files/0x000200000001e712-96.dat autoit_exe behavioral2/files/0x000200000001e712-99.dat autoit_exe -
Drops file in System32 directory 12 IoCs
description ioc Process File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe bbhhwofs.exe File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe bbhhwofs.exe File opened for modification C:\Windows\SysWOW64\oxjqcvcbrp.exe 906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe File created C:\Windows\SysWOW64\bbhhwofs.exe 906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\bbhhwofs.exe 906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll oxjqcvcbrp.exe File opened for modification C:\Windows\SysWOW64\qnpyvoffmvdao.exe 906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe bbhhwofs.exe File created C:\Windows\SysWOW64\oxjqcvcbrp.exe 906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe File created C:\Windows\SysWOW64\kdzhrugxwgsmosq.exe 906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\kdzhrugxwgsmosq.exe 906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe File created C:\Windows\SysWOW64\qnpyvoffmvdao.exe 906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe -
Drops file in Program Files directory 15 IoCs
description ioc Process File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe bbhhwofs.exe File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe bbhhwofs.exe File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe bbhhwofs.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe bbhhwofs.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal bbhhwofs.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal bbhhwofs.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe bbhhwofs.exe File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe bbhhwofs.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal bbhhwofs.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe bbhhwofs.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe bbhhwofs.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe bbhhwofs.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe bbhhwofs.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe bbhhwofs.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal bbhhwofs.exe -
Drops file in Windows directory 19 IoCs
description ioc Process File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe bbhhwofs.exe File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe bbhhwofs.exe File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe bbhhwofs.exe File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe bbhhwofs.exe File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe bbhhwofs.exe File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe bbhhwofs.exe File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe bbhhwofs.exe File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe bbhhwofs.exe File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe bbhhwofs.exe File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe bbhhwofs.exe File created C:\Windows\~$mydoc.rtf WINWORD.EXE File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe bbhhwofs.exe File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe bbhhwofs.exe File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe bbhhwofs.exe File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe bbhhwofs.exe File opened for modification C:\Windows\mydoc.rtf 906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe bbhhwofs.exe File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe bbhhwofs.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Modifies registry class 20 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" oxjqcvcbrp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" oxjqcvcbrp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33372D0B9C2382276A3F77D670252CDC7CF565D9" 906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABEFAB0FE67F191840B3A44869C3E99B38802884212034FE1B8459C09D2" 906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs oxjqcvcbrp.exe Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings 906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" oxjqcvcbrp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat oxjqcvcbrp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh oxjqcvcbrp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf oxjqcvcbrp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" oxjqcvcbrp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F89FF894F5B82189045D7287D93BD92E14458416743633FD79B" 906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "183EC77515E7DBB2B9BB7C97EC9F37C9" 906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E78668B5FF1A22D8D209D0D38B089111" 906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" oxjqcvcbrp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" oxjqcvcbrp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc oxjqcvcbrp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg oxjqcvcbrp.exe Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes 906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB2B12847E639EA52C9BADD3293D4C5" 906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 3672 WINWORD.EXE 3672 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 664 906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe 664 906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe 664 906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe 664 906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe 664 906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe 664 906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe 664 906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe 664 906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe 664 906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe 664 906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe 664 906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe 664 906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe 664 906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe 664 906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe 664 906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe 664 906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe 1644 kdzhrugxwgsmosq.exe 1644 kdzhrugxwgsmosq.exe 1644 kdzhrugxwgsmosq.exe 1644 kdzhrugxwgsmosq.exe 1644 kdzhrugxwgsmosq.exe 1644 kdzhrugxwgsmosq.exe 1644 kdzhrugxwgsmosq.exe 1644 kdzhrugxwgsmosq.exe 712 bbhhwofs.exe 712 bbhhwofs.exe 712 bbhhwofs.exe 712 bbhhwofs.exe 712 bbhhwofs.exe 712 bbhhwofs.exe 712 bbhhwofs.exe 712 bbhhwofs.exe 1644 kdzhrugxwgsmosq.exe 1644 kdzhrugxwgsmosq.exe 2400 oxjqcvcbrp.exe 2400 oxjqcvcbrp.exe 2400 oxjqcvcbrp.exe 2400 oxjqcvcbrp.exe 2400 oxjqcvcbrp.exe 2400 oxjqcvcbrp.exe 2400 oxjqcvcbrp.exe 2400 oxjqcvcbrp.exe 2400 oxjqcvcbrp.exe 2400 oxjqcvcbrp.exe 4444 qnpyvoffmvdao.exe 4444 qnpyvoffmvdao.exe 4444 qnpyvoffmvdao.exe 4444 qnpyvoffmvdao.exe 4444 qnpyvoffmvdao.exe 4444 qnpyvoffmvdao.exe 4444 qnpyvoffmvdao.exe 4444 qnpyvoffmvdao.exe 4444 qnpyvoffmvdao.exe 4444 qnpyvoffmvdao.exe 4444 qnpyvoffmvdao.exe 4444 qnpyvoffmvdao.exe 2788 bbhhwofs.exe 2788 bbhhwofs.exe 2788 bbhhwofs.exe 2788 bbhhwofs.exe 2788 bbhhwofs.exe 2788 bbhhwofs.exe 2788 bbhhwofs.exe 2788 bbhhwofs.exe -
Suspicious use of FindShellTrayWindow 18 IoCs
pid Process 664 906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe 664 906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe 664 906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe 712 bbhhwofs.exe 1644 kdzhrugxwgsmosq.exe 712 bbhhwofs.exe 1644 kdzhrugxwgsmosq.exe 712 bbhhwofs.exe 1644 kdzhrugxwgsmosq.exe 2400 oxjqcvcbrp.exe 2400 oxjqcvcbrp.exe 2400 oxjqcvcbrp.exe 4444 qnpyvoffmvdao.exe 4444 qnpyvoffmvdao.exe 4444 qnpyvoffmvdao.exe 2788 bbhhwofs.exe 2788 bbhhwofs.exe 2788 bbhhwofs.exe -
Suspicious use of SendNotifyMessage 18 IoCs
pid Process 664 906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe 664 906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe 664 906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe 712 bbhhwofs.exe 1644 kdzhrugxwgsmosq.exe 712 bbhhwofs.exe 1644 kdzhrugxwgsmosq.exe 712 bbhhwofs.exe 1644 kdzhrugxwgsmosq.exe 2400 oxjqcvcbrp.exe 2400 oxjqcvcbrp.exe 2400 oxjqcvcbrp.exe 4444 qnpyvoffmvdao.exe 4444 qnpyvoffmvdao.exe 4444 qnpyvoffmvdao.exe 2788 bbhhwofs.exe 2788 bbhhwofs.exe 2788 bbhhwofs.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process 3672 WINWORD.EXE 3672 WINWORD.EXE 3672 WINWORD.EXE 3672 WINWORD.EXE 3672 WINWORD.EXE 3672 WINWORD.EXE 3672 WINWORD.EXE -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target PID 664 wrote to memory of 2400 664 906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe 81 PID 664 wrote to memory of 2400 664 906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe 81 PID 664 wrote to memory of 2400 664 906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe 81 PID 664 wrote to memory of 1644 664 906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe 82 PID 664 wrote to memory of 1644 664 906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe 82 PID 664 wrote to memory of 1644 664 906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe 82 PID 664 wrote to memory of 712 664 906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe 83 PID 664 wrote to memory of 712 664 906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe 83 PID 664 wrote to memory of 712 664 906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe 83 PID 664 wrote to memory of 4444 664 906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe 84 PID 664 wrote to memory of 4444 664 906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe 84 PID 664 wrote to memory of 4444 664 906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe 84 PID 664 wrote to memory of 3672 664 906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe 85 PID 664 wrote to memory of 3672 664 906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe 85 PID 2400 wrote to memory of 2788 2400 oxjqcvcbrp.exe 87 PID 2400 wrote to memory of 2788 2400 oxjqcvcbrp.exe 87 PID 2400 wrote to memory of 2788 2400 oxjqcvcbrp.exe 87
Processes
-
C:\Users\Admin\AppData\Local\Temp\906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\906ea6d73fd1bac2633dee29220394da_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:664 -
C:\Windows\SysWOW64\oxjqcvcbrp.exeoxjqcvcbrp.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2400 -
C:\Windows\SysWOW64\bbhhwofs.exeC:\Windows\system32\bbhhwofs.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2788
-
-
-
C:\Windows\SysWOW64\kdzhrugxwgsmosq.exekdzhrugxwgsmosq.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1644
-
-
C:\Windows\SysWOW64\bbhhwofs.exebbhhwofs.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:712
-
-
C:\Windows\SysWOW64\qnpyvoffmvdao.exeqnpyvoffmvdao.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4444
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""2⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3672
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
2Disable or Modify Tools
2Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
512KB
MD524946094646d3492abe4cc83d9e677cb
SHA1dafc968f7f7aef1719ddf09bad11c3f7f2e62a6b
SHA2562e9a7761924afbc7b6cdb68f44eed4fe7aa3df4f71098533bbedbc1c288cdd7d
SHA512b5429d19ee9fdddd9da82a01aaeae80936530cba29d2b1136da473b7201ecdd31bedc4d06303ddcbe0142e9746fc38e0dbfecbc42e54f9713c40e20e4a08c426
-
Filesize
512KB
MD583b83a32f84482bb14ca517afef7ceff
SHA110fc7a6f0df9dc15b858087455ab9c62fc19a82e
SHA256ed3521f4f7f8a71d144387cc45d4481231717b88dc30573443a2743cd33c6361
SHA51237baa795c948e4ea397f77a396d4c0844531dc0cb61d4cc652a039d669a496d1311c222a24a59628b5a6f222dd8d31f8c2049fcbcbea88e9dfa742981912019d
-
Filesize
263KB
MD5ff0e07eff1333cdf9fc2523d323dd654
SHA177a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA2563f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d
-
Filesize
239B
MD5602dad6ee0e60cde6698692534ef100b
SHA1c3e20be4cf62746964ff865964f4f354d412bfac
SHA256596069f7c5d4c9cea8266af60fcc730fbaec42eb5dd0c6f4203e463b742fb598
SHA512bc1fdcc479d9d46977847557985ca1744f1d4f135da27d82dd2f131419c16fbc70968eb27458a1769e59a9a166847be39aa81b82936e39e753d578ee13df8669
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize3KB
MD5ebf523115d010091cf000962f60d1b10
SHA1c17e3e505f6e4c202fa9861ec4192a04bfef81a8
SHA25623c60f3c7d3760669fdc7a6a403978ba4f5785ee9893cfec3c2550129e62ee06
SHA512711f191bb5a50011774403861ff3f7cc3b831fd7540c341a05569405bfd04fba2ead21873627a360cd6e30faf50a10d0fa2e3b0513f8a9b27ef58bd83339bb17
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize3KB
MD544867d23fff38ed63b1ed9d00210b563
SHA19e567eef68b9719645d96a7b3e1881503044b504
SHA256824616f45cfeb8712d593c0ed7a77884e7c8ff9d2886a5c3438ab3224da16cf6
SHA5125e4ae9cb82825846ea775d5179c32b80778552222d9a468fd2c0201f06810601f4e8b9375fd32a041a0d3d43b2c20e35cbc6680df56cf654ad6fda35778628da
-
Filesize
512KB
MD503c2d8c137313e05bc86bdf3123de41f
SHA18e1ec6bd1ffbba40a2f2bba199aeedb94b4486a1
SHA2565195357b326b3d259b4f038a16ab1db4bb95f969f8037524c3798bd182c11b27
SHA512378ca42a4ed4c55a7c85bc8ef2238f6902487538546a2c7a279ffbc7387fa772d8f7ae6847b86805daa95d03b7830637e30debd35ecca6a40f2295587fbb41cc
-
Filesize
512KB
MD5780262bb760c6173829216141acc4a4e
SHA150b43ab6cf449c60f9cb3846e4116aa82f982cf7
SHA256051fcc6c6dd7d1bb0b3e855d4db344b624873ccb8d4ecbee8f71e4319d86f63a
SHA5124ce38ff6b357f001c93ebb5172ff85a2d4d750df51bb74554857551495f1f1d3f1bddcdfe929d496f8d2e3663d8e4bb1756bfc000b298bd6b9e79db8a1d86cc4
-
Filesize
512KB
MD5a1398bdaa42d613d56d225fa4dee4497
SHA107953157b1a267b8f5809021a2b3998c820fcdaa
SHA256c69a4e1f2f165c9dbdc08f1b8365af5ad8e3d89cb75f2497bc722882cea87bc9
SHA512d1c75f844607d0ee09046dec5a6f4eb8a49e0a775e1f545f3c25524e0bf2995391b4d720ad9faae2ef3d38240128e99a337130b585cdf8c6225e28aa84c5c3d0
-
Filesize
512KB
MD5d6834389b66feafc9b5886f8e1e654c4
SHA105049e72eba176f4824218545508e1771d87adc4
SHA2560189923802fb02cc63796aa185aee09a9a91417760f0e68c348d7e5bb5a0bdfe
SHA5127a30bf0ea9768e837bfb000375c5fcfb05c6d19e5a4984327c6ac8b3a8de026ffe8dd9c7c6decc536c19e6f322bbdc0bd26eb2bd850fbdee5f36128fefc2e5f9
-
Filesize
512KB
MD56a5d7fdbc9533e7287cece6edec59bcb
SHA19dc87334d42b9b30bb035b10e0783a6f0436f059
SHA256a4e1f06cb16ffa11dc3fa2f7386021823a250332d6c5535bc4037668b1118dc5
SHA51260210309a7e50d790124bc93a0dd6f384f3e182a145babe67f2aae4e3695d62bf7a2ab4d437965ac44b96a0665eee827afa7ac399c0907449f394270a1ca2a79
-
Filesize
223B
MD506604e5941c126e2e7be02c5cd9f62ec
SHA14eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA25685f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
Filesize
512KB
MD57b674dc9f5b6140d2976042f5ed991ab
SHA1eb928caa02c9ca8736e7476ed095d56f2d0f5fb1
SHA256a62c1c9b2daeb4a14ab116bc6446be8b409aca3c3160b52943584fc38a8d7063
SHA512f07cc56c783e2db3b429736a795fbceea24a053437bd0c09063f42477c2c5acebcc8144f128d352fb5986f9709fbabbd06c6147260ebfa8b20aa36286962bfff
-
Filesize
512KB
MD550ff6d9b1fc4a3d3abf2abbcc0d2f41e
SHA12a5ebaf75e9f0fb8729ac8d186e3311704319231
SHA2568115f24131d7abd1ceedac6ffe2dd92b30ef7a5520e08814e89acecc5394f8d7
SHA5123b6e78dac92bc39ead26ba10b9565fbab65afd36878f6c587d70cb5b2932b724c5ea2f56f36fe5e25bd5661aee8016a72aa267eaf492f398eb8c3d47fe3504fc