Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-06-2024 04:04
Static task: static1
Behavioral task: behavioral1
- Sample: 907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe
- Resource: win7-20240419-en
Behavioral task: behavioral2
- Sample: 907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe
- Resource: win10v2004-20240426-en
General
- Target: 907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe
- Size: 512KB
- MD5: 907abca4a46cd96738dd4cacd43e276e
- SHA1: a6261c56d6dcffc147cb8d2883834c2d12e7429d
- SHA256: d7d117e4bbcd6880006f68a014c68d43601d4df9bd64a61bd315a7981bef4e7e
- SHA512: ebfeeb895bde071c23a9bb40bb36ec192156d80f7f70e229cfaa155330c99e6e41a9294a3ef9c8b1e53b9ae2a161ccdafe8c1a46be93a4a152f693d169088dd9
- SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6j:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5u
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
- Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (azsgnoggem.exe)
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
- Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (azsgnoggem.exe)
Windows security bypass 5 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (azsgnoggem.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (azsgnoggem.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (azsgnoggem.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (azsgnoggem.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (azsgnoggem.exe)
Disables RegEdit via registry modification 1 IoCs
- Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (azsgnoggem.exe)
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
- Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation (907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe)
Executes dropped EXE 5 IoCs
- PID 2664: azsgnoggem.exe
- PID 1944: gmxcpjqpjmvnfwm.exe
- PID 4148: fnfqwypr.exe
- PID 5000: zyqixfxdndokn.exe
- PID 4516: fnfqwypr.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 6 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (azsgnoggem.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" (azsgnoggem.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (azsgnoggem.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (azsgnoggem.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (azsgnoggem.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (azsgnoggem.exe)
Adds Run key to start application 2 TTPs 3 IoCs
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jmjeslyz = "azsgnoggem.exe" (gmxcpjqpjmvnfwm.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\bphpeoft = "gmxcpjqpjmvnfwm.exe" (gmxcpjqpjmvnfwm.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "zyqixfxdndokn.exe" (gmxcpjqpjmvnfwm.exe)
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only) \??\a: through \??\z:, except c:, d:, f: and g:, each once (azsgnoggem.exe; 22 IoCs)
- File opened (read-only) \??\a: through \??\z:, except c:, d: and f:; each letter twice apart from j:, k:, u: and z:, which were opened once (fnfqwypr.exe; 42 IoCs across the two fnfqwypr.exe processes)
Modifies WinLogon 2 TTPs 2 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" (azsgnoggem.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" (azsgnoggem.exe)
AutoIT Executable 12 IoCs
AutoIT scripts compiled to PE executables.
- behavioral2/memory/748-0-0x0000000000400000-0x0000000000496000-memory.dmp (yara rule: autoit_exe)
- behavioral2/files/0x0007000000023490-5.dat (autoit_exe)
- behavioral2/files/0x0007000000023305-18.dat (autoit_exe)
- behavioral2/files/0x0007000000023491-27.dat (autoit_exe)
- behavioral2/files/0x0007000000023492-31.dat (autoit_exe)
- behavioral2/files/0x000400000001da4d-66.dat (autoit_exe)
- behavioral2/files/0x000400000001da4e-69.dat (autoit_exe)
- behavioral2/files/0x000400000001e4d1-90.dat (autoit_exe)
- behavioral2/files/0x000400000001e4d3-93.dat (autoit_exe)
- behavioral2/files/0x000400000001e4d3-96.dat (autoit_exe)
- behavioral2/files/0x001600000002349d-575.dat (autoit_exe)
- behavioral2/files/0x001600000002349d-583.dat (autoit_exe)
Drops file in System32 directory 12 IoCs
- File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (fnfqwypr.exe)
- File created C:\Windows\SysWOW64\gmxcpjqpjmvnfwm.exe (907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe)
- File created C:\Windows\SysWOW64\fnfqwypr.exe (907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\fnfqwypr.exe (907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe)
- File created C:\Windows\SysWOW64\zyqixfxdndokn.exe (907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe)
- File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (fnfqwypr.exe)
- File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (fnfqwypr.exe)
- File created C:\Windows\SysWOW64\azsgnoggem.exe (907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\azsgnoggem.exe (907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\gmxcpjqpjmvnfwm.exe (907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\zyqixfxdndokn.exe (907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\msvbvm60.dll (azsgnoggem.exe)
Drops file in Program Files directory 14 IoCs
All 14 entries are by fnfqwypr.exe:
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal (2 hits)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal (2 hits)
- File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (2 hits)
- File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (2 hits)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (2 hits)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (2 hits)
Drops file in Windows directory 19 IoCs
- File created (2 hits) and File opened for modification (2 hits) \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (fnfqwypr.exe)
- File created (2 hits) and File opened for modification (2 hits) \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (fnfqwypr.exe)
- File created (2 hits) and File opened for modification (2 hits) \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (fnfqwypr.exe)
- File created (2 hits) and File opened for modification (2 hits) \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (fnfqwypr.exe)
- File opened for modification C:\Windows\mydoc.rtf (907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe)
- File created C:\Windows\~$mydoc.rtf (WINWORD.EXE)
- File opened for modification C:\Windows\mydoc.rtf (WINWORD.EXE)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
Enumerates system info in registry 2 TTPs 3 IoCs
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
Modifies registry class 20 IoCs
- Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes (907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33422D0D9D5183586A3276A670212CD97DF464AF" (907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AC9FAB9FE65F1E384093B4B819A3E91B0FC02F94215034EE1C845E708A7" (907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB6B15D479338E352C9B9A233EED4C4" (907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FFBFC8E4F5885189030D7217E9DBD90E13C594367316335D79A" (907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7806BB8FE6E21DDD173D0A28B099060" (907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1839C70E1593DBC2B8C17C90EDE337CD" (907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe)
- Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings (907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh (azsgnoggem.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" (azsgnoggem.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs (azsgnoggem.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" (azsgnoggem.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg (azsgnoggem.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" (azsgnoggem.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat (azsgnoggem.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" (azsgnoggem.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc (azsgnoggem.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" (azsgnoggem.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf (azsgnoggem.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" (azsgnoggem.exe)
Suspicious behavior: AddClipboardFormatListener 2 IoCs
- PID 2280: WINWORD.EXE (2 hits)
Suspicious behavior: EnumeratesProcesses 64 IoCs
- PID 748: 907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe (16 hits)
- PID 2664: azsgnoggem.exe (10 hits)
- PID 1944: gmxcpjqpjmvnfwm.exe (14 hits)
- PID 4148: fnfqwypr.exe (8 hits)
- PID 5000: zyqixfxdndokn.exe (16 hits)
Suspicious use of FindShellTrayWindow 18 IoCs
- PID 748: 907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe (3 hits)
- PID 2664: azsgnoggem.exe (3 hits)
- PID 1944: gmxcpjqpjmvnfwm.exe (3 hits)
- PID 4148: fnfqwypr.exe (3 hits)
- PID 5000: zyqixfxdndokn.exe (3 hits)
- PID 4516: fnfqwypr.exe (3 hits)
Suspicious use of SendNotifyMessage 18 IoCs
- PID 748: 907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe (3 hits)
- PID 2664: azsgnoggem.exe (3 hits)
- PID 1944: gmxcpjqpjmvnfwm.exe (3 hits)
- PID 4148: fnfqwypr.exe (3 hits)
- PID 5000: zyqixfxdndokn.exe (3 hits)
- PID 4516: fnfqwypr.exe (3 hits)
Suspicious use of SetWindowsHookEx 7 IoCs
- PID 2280: WINWORD.EXE (7 hits)
Suspicious use of WriteProcessMemory 17 IoCs
- PID 748 (907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe) wrote to memory of PID 2664, procid_target 83 (3 hits)
- PID 748 (907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe) wrote to memory of PID 1944, procid_target 84 (3 hits)
- PID 748 (907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe) wrote to memory of PID 4148, procid_target 85 (3 hits)
- PID 748 (907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe) wrote to memory of PID 5000, procid_target 86 (3 hits)
- PID 748 (907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe) wrote to memory of PID 2280, procid_target 87 (2 hits)
- PID 2664 (azsgnoggem.exe) wrote to memory of PID 4516, procid_target 89 (3 hits)
Processes
Process tree (indentation shows parent/child depth):

C:\Users\Admin\AppData\Local\Temp\907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\907abca4a46cd96738dd4cacd43e276e_JaffaCakes118.exe"
  PID: 748
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\azsgnoggem.exe
    Command line: azsgnoggem.exe
    PID: 2664
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\fnfqwypr.exe
      Command line: C:\Windows\system32\fnfqwypr.exe
      PID: 4516
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\gmxcpjqpjmvnfwm.exe
    Command line: gmxcpjqpjmvnfwm.exe
    PID: 1944
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\fnfqwypr.exe
    Command line: fnfqwypr.exe
    PID: 4148
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\zyqixfxdndokn.exe
    Command line: zyqixfxdndokn.exe
    PID: 5000
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    PID: 2280
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15 (number of matching signatures in parentheses)
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads
- Filesize: 512KB
  MD5: e92ca4fef967247c7a9df86b13d43eb7
  SHA1: 2114dc9eaa2f094a17a250c16f995f059264803b
  SHA256: 96c996384abe7a9fda3b55a1dbf40ee23ef36e10fa4faab6f8589eb555da6eef
  SHA512: bbaf2bc785939b8987299617c35c3eba6b02d8e2dd397f3b590f12faf1033741d95e4da6d101987b477d59aaaf127a0959459d908079636766114705ef669b1e
- Filesize: 512KB
  MD5: 10767850e1a1ab15346744be26f6109a
  SHA1: 8aa8ca656edfb61645cd8c9f0d91eba4a33d6ddc
  SHA256: 1c462407d4f4718299144cdcac4e0b6ac1c2fbd3bdf0848e7d964ba769743538
  SHA512: ba93d2d6af1f126d35a6d72dde5cfe4e3ea8c89b432add0d52042456b3d5096fa6bc271912b4ebcc014a232c9c6585889a2599a1987bca698ac20b477724b662
- Filesize: 262KB
  MD5: 51d32ee5bc7ab811041f799652d26e04
  SHA1: 412193006aa3ef19e0a57e16acf86b830993024a
  SHA256: 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
  SHA512: 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810
- Filesize: 239B
  MD5: 12b138a5a40ffb88d1850866bf2959cd
  SHA1: 57001ba2de61329118440de3e9f8a81074cb28a2
  SHA256: 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
  SHA512: 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 3KB
  MD5: 78bbb275ee7c4f95ae9bcdf53ec6d8e9
  SHA1: e2dcd3fec20003abd0dec81e1edd98cc1731302c
  SHA256: bb8860b517b293a5e593d56b5b3adfbe5e95e17c41572ba886283581f752d992
  SHA512: cd859582795677146d92f9b131a53d7c537037c5ac5ae8331a6ae9be7b3c01adef3bb6edc7fa7d8108848cc49746eeeaba1153f2eaf3e9d44375c1b975ed9284
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 3KB
  MD5: 8541b8f68b1ebb191eecd33a66f932a6
  SHA1: 0b07a81a137e1574ce0ecdf70aeb838176b8057b
  SHA256: 2fb2d882a98fbf1fd95479ce89847164d8dfd8365bda0aba0502e36a2bb401ba
  SHA512: d0cfb3d3d90a7357ce74f4c03ad0762b2649c050942973ac0ded3651a4f79cee5af43c617ae335abe9499549b0c43509b85d54f223821e07bca9b9100e1d0648
- Filesize: 512KB
  MD5: e7e8ac49c17476f7b6cd39082d490e7f
  SHA1: 7da9d4ed3502b5be31f8958bac65c7693fea795f
  SHA256: 522a526256b4d55d4a2e2dee1f36d3a1b0d5e544105247bec202ada4c1b8ff2c
  SHA512: 1a0d310fe8bc9bbe3761d332859beecfabe36f94e4ad451f12f04f2e6fbc86f0d35b688433780aca53e66e91a489b069f31fefba708704e200cbd70829814fe1
- Filesize: 512KB
  MD5: 79143e693f765631f5fa8c56478f283d
  SHA1: b7fccf87d1caaaed2685a523e10a40c52f336b30
  SHA256: d5ce3d0d73ae831a7fa45edffc6411301acabd7966f7807b000effb25bdf023f
  SHA512: 0def78070ed9e96f80e28c5894d02c38d76df3424573a9a38a981f60760ef0b72d6dee3aaf30df31d976480ff24c6992ba23c0b8c1fbedb8181696abedca286a
- Filesize: 512KB
  MD5: f0bf4b580e4810fe438be89a58153330
  SHA1: c00bf8622f560f660292d5e26138f5ba7ebcc1cf
  SHA256: 9ff21abaefcd933067a2e18a14f052479823fd6813eaf887a6993c81b68bfe23
  SHA512: b88aff1c8ca9edd889ddee9981453cf8f128e1c9166ccf3935fe0acd371d9fe075e1d06dd6eb4ad045bd798361e0ffc39e5bad361977af91e50d1653b83e4ee4
- Filesize: 512KB
  MD5: 8afa6046a96e9ca345ee21d3519c9446
  SHA1: eaab374932201e68bccf9c7b2eb4536fa00ebb06
  SHA256: d673fcd4c87093009ab071f1764815eac5b7a8ef8a524707bf39b1043a121091
  SHA512: 9aedcf41a4c9b237157f8c5eb407207061f5db33547392d27a21b36ab742bfcd1febc3b46eecdb14d97a8ffbd1ffdc23007accd9688d22d6c5e8efae031112e7
- Filesize: 512KB
  MD5: 5ebe0857dfc84aae8a9853371b6e56ec
  SHA1: 8fe129e1879f327347a788ee848379298ca2754a
  SHA256: f1afc7e8ac2fe8a4e1844a81d0e0eaac18861b92f9b49afe457c713fc3f83057
  SHA512: 750db96626becafdd7af6333ee092cfcc62de042ba29704022eaa135ed3d670b33084a481a643ae4c005aec7c067b73a839d83ca70910942e4ee69024787c588
- Filesize: 512KB
  MD5: 793376f775364d7a73caaa78244b2b9e
  SHA1: aeed29a74a885b3cbd0431acec3c07a510464409
  SHA256: 6fe0c119123a5a52a4a0d772ac6398905513cdc22edb58dd8ce4b4fa946465f1
  SHA512: 35be72ee6c5c57cb82804014459bbbeb0e77c6e08a4813a70fe26411828c50bf280c9e57128c0e890e03782667a7b39428e7e14e64e9b1699342daf3154faafc
- Filesize: 223B
  MD5: 06604e5941c126e2e7be02c5cd9f62ec
  SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
  SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
  SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
- Filesize: 512KB
  MD5: 530290362f283464a6d1e3aaa9aa4ecd
  SHA1: cae6b21079d3c2483712301a80872ded55df8fca
  SHA256: 5494061f6a89ae045b27da43ec16ea64d4131027e690f297e5089691128decc5
  SHA512: 3940cae74024ad126bf2a42bb6365434c7a5e189389dcf2d08c941420995c1ea0cffa954106b9b13bde91e9edffa56b04eb82968bcf09a7bdf5a3712f67ecbd2
- Filesize: 512KB
  MD5: 63bef064744e4cc9c958502cf118b639
  SHA1: f26875aedebb6871af7101d82077a7f40324c615
  SHA256: 79c46c0525fb2c480e108a134c91b281db11988eec4c7a22a6cb01bbf758bcfe
  SHA512: 2ffac0497276183cbf4d9067b99364d5c64aa9c273c8068528a7e706d7e617138da7ede08af8e4f9708cce9a36fa8bf7537e2d1c50763fa98785f084e9ade06c
- Filesize: 512KB
  MD5: 4d6295a99246db92bcb83836cdb37925
  SHA1: 67485c14125d0fbcb9e56b40b4f789b859a635f8
  SHA256: 9961bf6c5729d12219620ff68079fe45320c547f5e622f09c82394b33f926d5c
  SHA512: ff98ef80cf8e329b5d6167c736ffab90ad057529a1fb1af7fb1fef2ca186d00a0af2752153256b2832f4cffe25b25e54a6f38d0af769fc70fe1fbfd2818fc74a