Analysis
-
max time kernel
150s
-
max time network
131s
-
platform
windows10-2004_x64
-
resource
win10v2004-20240508-en
-
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
-
submitted
03-06-2024 07:22
Static task
static1
Behavioral task
behavioral1
Sample
90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
-
Target
90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe
-
Size
512KB
-
MD5
90f0c70e05a03f187734ef651882f6a0
-
SHA1
84bb8f123173c489f3acbbf895bcf92915a6b0ae
-
SHA256
f6b159c8e4bb247707be0d044837853e913065bc2c0c0e0d4d23dd3148afaaad
-
SHA512
df00064bf0b72ea6706b4a13fed12859a7dff93760657ead9da4a983bdbca50ca7d6461b5e11370328d15b5ee9dec118d33a904219b0c3d1602f531cd0d8681d
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6D:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm52
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
Processes: vjlwacwfji.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | vjlwacwfji.exe
-
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes: vjlwacwfji.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | vjlwacwfji.exe
-
Windows security bypass 5 IoCs
Processes: vjlwacwfji.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | vjlwacwfji.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | vjlwacwfji.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | vjlwacwfji.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | vjlwacwfji.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | vjlwacwfji.exe
-
Disables RegEdit via registry modification 1 IoCs
Processes: vjlwacwfji.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | vjlwacwfji.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | 90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe
-
Executes dropped EXE 5 IoCs
Processes: vjlwacwfji.exe, yerkmrlagdeoiok.exe, audrlbrc.exe, lrbnmpgmgfjbk.exe, audrlbrc.exe
pid | process
3224 | vjlwacwfji.exe
4008 | yerkmrlagdeoiok.exe
2556 | audrlbrc.exe
4264 | lrbnmpgmgfjbk.exe
1464 | audrlbrc.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 6 IoCs
Processes: vjlwacwfji.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | vjlwacwfji.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | vjlwacwfji.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | vjlwacwfji.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | vjlwacwfji.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | vjlwacwfji.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | vjlwacwfji.exe
-
Adds Run key to start application 2 TTPs 3 IoCs
Processes: yerkmrlagdeoiok.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yjiozylw = "vjlwacwfji.exe" | yerkmrlagdeoiok.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xwxhvkqy = "yerkmrlagdeoiok.exe" | yerkmrlagdeoiok.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "lrbnmpgmgfjbk.exe" | yerkmrlagdeoiok.exe
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: audrlbrc.exe, audrlbrc.exe, vjlwacwfji.exe
description | ioc | process
File opened (read-only) | \??\n: | audrlbrc.exe
File opened (read-only) | \??\z: | audrlbrc.exe
File opened (read-only) | \??\n: | audrlbrc.exe
File opened (read-only) | \??\t: | vjlwacwfji.exe
File opened (read-only) | \??\b: | vjlwacwfji.exe
File opened (read-only) | \??\l: | vjlwacwfji.exe
File opened (read-only) | \??\u: | vjlwacwfji.exe
File opened (read-only) | \??\y: | vjlwacwfji.exe
File opened (read-only) | \??\p: | audrlbrc.exe
File opened (read-only) | \??\h: | audrlbrc.exe
File opened (read-only) | \??\w: | audrlbrc.exe
File opened (read-only) | \??\m: | vjlwacwfji.exe
File opened (read-only) | \??\v: | audrlbrc.exe
File opened (read-only) | \??\k: | audrlbrc.exe
File opened (read-only) | \??\e: | vjlwacwfji.exe
File opened (read-only) | \??\s: | audrlbrc.exe
File opened (read-only) | \??\e: | audrlbrc.exe
File opened (read-only) | \??\w: | vjlwacwfji.exe
File opened (read-only) | \??\w: | audrlbrc.exe
File opened (read-only) | \??\y: | audrlbrc.exe
File opened (read-only) | \??\p: | audrlbrc.exe
File opened (read-only) | \??\z: | audrlbrc.exe
File opened (read-only) | \??\h: | vjlwacwfji.exe
File opened (read-only) | \??\t: | audrlbrc.exe
File opened (read-only) | \??\q: | vjlwacwfji.exe
File opened (read-only) | \??\x: | vjlwacwfji.exe
File opened (read-only) | \??\e: | audrlbrc.exe
File opened (read-only) | \??\x: | audrlbrc.exe
File opened (read-only) | \??\l: | audrlbrc.exe
File opened (read-only) | \??\o: | audrlbrc.exe
File opened (read-only) | \??\g: | vjlwacwfji.exe
File opened (read-only) | \??\j: | vjlwacwfji.exe
File opened (read-only) | \??\p: | vjlwacwfji.exe
File opened (read-only) | \??\v: | vjlwacwfji.exe
File opened (read-only) | \??\t: | audrlbrc.exe
File opened (read-only) | \??\i: | audrlbrc.exe
File opened (read-only) | \??\s: | audrlbrc.exe
File opened (read-only) | \??\a: | vjlwacwfji.exe
File opened (read-only) | \??\b: | audrlbrc.exe
File opened (read-only) | \??\g: | audrlbrc.exe
File opened (read-only) | \??\h: | audrlbrc.exe
File opened (read-only) | \??\i: | audrlbrc.exe
File opened (read-only) | \??\m: | audrlbrc.exe
File opened (read-only) | \??\u: | audrlbrc.exe
File opened (read-only) | \??\v: | audrlbrc.exe
File opened (read-only) | \??\q: | audrlbrc.exe
File opened (read-only) | \??\r: | audrlbrc.exe
File opened (read-only) | \??\o: | vjlwacwfji.exe
File opened (read-only) | \??\z: | vjlwacwfji.exe
File opened (read-only) | \??\g: | audrlbrc.exe
File opened (read-only) | \??\y: | audrlbrc.exe
File opened (read-only) | \??\x: | audrlbrc.exe
File opened (read-only) | \??\i: | vjlwacwfji.exe
File opened (read-only) | \??\k: | audrlbrc.exe
File opened (read-only) | \??\l: | audrlbrc.exe
File opened (read-only) | \??\o: | audrlbrc.exe
File opened (read-only) | \??\b: | audrlbrc.exe
File opened (read-only) | \??\r: | audrlbrc.exe
File opened (read-only) | \??\n: | vjlwacwfji.exe
File opened (read-only) | \??\r: | vjlwacwfji.exe
File opened (read-only) | \??\s: | vjlwacwfji.exe
File opened (read-only) | \??\m: | audrlbrc.exe
File opened (read-only) | \??\q: | audrlbrc.exe
File opened (read-only) | \??\a: | audrlbrc.exe
-
Modifies WinLogon 2 TTPs 2 IoCs
Processes: vjlwacwfji.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | vjlwacwfji.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | vjlwacwfji.exe
-
AutoIT Executable 11 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/3856-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
C:\Windows\SysWOW64\yerkmrlagdeoiok.exe | autoit_exe
C:\Windows\SysWOW64\vjlwacwfji.exe | autoit_exe
C:\Windows\SysWOW64\audrlbrc.exe | autoit_exe
C:\Windows\SysWOW64\lrbnmpgmgfjbk.exe | autoit_exe
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | autoit_exe
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | autoit_exe
C:\Users\Admin\Documents\SkipResume.doc.exe | autoit_exe
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | autoit_exe
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | autoit_exe
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | autoit_exe
-
Drops file in System32 directory 13 IoCs
Processes: 90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe, audrlbrc.exe, vjlwacwfji.exe, audrlbrc.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\vjlwacwfji.exe | 90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\yerkmrlagdeoiok.exe | 90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\lrbnmpgmgfjbk.exe | 90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | audrlbrc.exe
File created | C:\Windows\SysWOW64\vjlwacwfji.exe | 90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\yerkmrlagdeoiok.exe | 90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | vjlwacwfji.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | audrlbrc.exe
File created | C:\Windows\SysWOW64\audrlbrc.exe | 90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\audrlbrc.exe | 90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\lrbnmpgmgfjbk.exe | 90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | audrlbrc.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | audrlbrc.exe
-
Drops file in Program Files directory 14 IoCs
Processes: audrlbrc.exe, audrlbrc.exe
description | ioc | process
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | audrlbrc.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | audrlbrc.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | audrlbrc.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | audrlbrc.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | audrlbrc.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | audrlbrc.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | audrlbrc.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | audrlbrc.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | audrlbrc.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | audrlbrc.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | audrlbrc.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | audrlbrc.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | audrlbrc.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | audrlbrc.exe
-
Drops file in Windows directory 19 IoCs
Processes: audrlbrc.exe, audrlbrc.exe, 90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe, WINWORD.EXE
description | ioc | process
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | audrlbrc.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | audrlbrc.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | audrlbrc.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | audrlbrc.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | audrlbrc.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | audrlbrc.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | audrlbrc.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | audrlbrc.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | audrlbrc.exe
File opened for modification | C:\Windows\mydoc.rtf | 90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | audrlbrc.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | audrlbrc.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | audrlbrc.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | audrlbrc.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | audrlbrc.exe
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | audrlbrc.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | audrlbrc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: WINWORD.EXE
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
-
Modifies registry class 20 IoCs
Processes: vjlwacwfji.exe, 90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | vjlwacwfji.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | vjlwacwfji.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | vjlwacwfji.exe
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | 90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | vjlwacwfji.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | vjlwacwfji.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32452C0D9C2582586A4676D377212CD87D8464AB" | 90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FCAB02F4795389953B9BAD033E8D7C5" | 90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1948C70F1493DAB3B9B97C94EC9F37B9" | 90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | vjlwacwfji.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | vjlwacwfji.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BBCFAB1FE16F192837D3A4386973990B08802F043140349E1BE42EF08A1" | 90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFDFCFC485D851F9135D65C7D92BDE0E135594167366345D79F" | 90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | vjlwacwfji.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | vjlwacwfji.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | vjlwacwfji.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0816BC6FE6D21AED17AD1A78A759014" | 90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | vjlwacwfji.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | vjlwacwfji.exe
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes: WINWORD.EXE
pid | process
860 | WINWORD.EXE
860 | WINWORD.EXE
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe, yerkmrlagdeoiok.exe, audrlbrc.exe, vjlwacwfji.exe, lrbnmpgmgfjbk.exe, audrlbrc.exe
pid | process (identical consecutive rows collapsed, count in brackets)
3856 | 90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe [x16]
4008 | yerkmrlagdeoiok.exe [x10]
2556 | audrlbrc.exe [x8]
3224 | vjlwacwfji.exe [x10]
4264 | lrbnmpgmgfjbk.exe [x12]
4008 | yerkmrlagdeoiok.exe [x2]
1464 | audrlbrc.exe [x6]
-
Suspicious use of FindShellTrayWindow 18 IoCs
Processes: 90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe, yerkmrlagdeoiok.exe, vjlwacwfji.exe, audrlbrc.exe, lrbnmpgmgfjbk.exe, audrlbrc.exe
pid | process (identical consecutive rows collapsed, count in brackets)
3856 | 90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe [x3]
4008 | yerkmrlagdeoiok.exe [x1]
3224 | vjlwacwfji.exe [x1]
4008 | yerkmrlagdeoiok.exe [x2]
3224 | vjlwacwfji.exe [x2]
2556 | audrlbrc.exe [x3]
4264 | lrbnmpgmgfjbk.exe [x3]
1464 | audrlbrc.exe [x3]
-
Suspicious use of SendNotifyMessage 18 IoCs
Processes: 90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe, yerkmrlagdeoiok.exe, vjlwacwfji.exe, audrlbrc.exe, lrbnmpgmgfjbk.exe, audrlbrc.exe
pid | process (identical consecutive rows collapsed, count in brackets)
3856 | 90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe [x3]
4008 | yerkmrlagdeoiok.exe [x3]
3224 | vjlwacwfji.exe [x3]
2556 | audrlbrc.exe [x3]
4264 | lrbnmpgmgfjbk.exe [x3]
1464 | audrlbrc.exe [x3]
-
Suspicious use of SetWindowsHookEx 7 IoCs
Processes: WINWORD.EXE
pid | process (identical consecutive rows collapsed, count in brackets)
860 | WINWORD.EXE [x7]
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes: 90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe, vjlwacwfji.exe
description | pid | process | target process (identical consecutive rows collapsed, count in brackets)
PID 3856 wrote to memory of 3224 | 3856 | 90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe | vjlwacwfji.exe [x3]
PID 3856 wrote to memory of 4008 | 3856 | 90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe | yerkmrlagdeoiok.exe [x3]
PID 3856 wrote to memory of 2556 | 3856 | 90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe | audrlbrc.exe [x3]
PID 3856 wrote to memory of 4264 | 3856 | 90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe | lrbnmpgmgfjbk.exe [x3]
PID 3856 wrote to memory of 860 | 3856 | 90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe | WINWORD.EXE [x2]
PID 3224 wrote to memory of 1464 | 3224 | vjlwacwfji.exe | audrlbrc.exe [x3]
Processes
-
C:\Users\Admin\AppData\Local\Temp\90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\90f0c70e05a03f187734ef651882f6a0_JaffaCakes118.exe"
Depth: 1
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3856
  -
  C:\Windows\SysWOW64\vjlwacwfji.exe
  Command line: vjlwacwfji.exe
  Depth: 2
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3224
    -
    C:\Windows\SysWOW64\audrlbrc.exe
    Command line: C:\Windows\system32\audrlbrc.exe
    Depth: 3
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1464
  -
  C:\Windows\SysWOW64\yerkmrlagdeoiok.exe
  Command line: yerkmrlagdeoiok.exe
  Depth: 2
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4008
  -
  C:\Windows\SysWOW64\audrlbrc.exe
  Command line: audrlbrc.exe
  Depth: 2
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2556
  -
  C:\Windows\SysWOW64\lrbnmpgmgfjbk.exe
  Command line: lrbnmpgmgfjbk.exe
  Depth: 2
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4264
  -
  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
  Depth: 2
  - Drops file in Windows directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:860
-
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads
-
Filesize
512KB
MD5 fd9e27b035934bcd37ea7cde375f21b6
SHA1 a8a214548c09a68781d546efe04fbab273fbf54d
SHA256 82f283fb98184d4a4f73e011b4da4b1b20d8c15d8d4490855c1555b722a190b0
SHA512 9d7fc059bcd0769db0b07f8416943039531b8a92b7d410ffc6a45678008fa07ac0643a0cd14ddb92c0abae108a75b67ff8d767bf33aeea4048b0a5a33822a971
-
Filesize
512KB
MD5 b73b80f1aa18b3895ac86ed299f77023
SHA1 d0fd5e0f2160455a49ed19ea12efe612b05a31fc
SHA256 f14ed51dc9c25903daec9d484546d08670dd672b4869b425503aef97397c6204
SHA512 1a94ec9e5b2df1a818f9879abb9051b14651a8ce7d50d2265d0ca6ee879191fca6d53793c8cae7b485c710d73f3030524d4b09f8bd935df9d862f7af7ee1490b
-
Filesize
263KB
MD5 ff0e07eff1333cdf9fc2523d323dd654
SHA1 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA256 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512 b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d
-
Filesize
239B
MD5 12b138a5a40ffb88d1850866bf2959cd
SHA1 57001ba2de61329118440de3e9f8a81074cb28a2
SHA256 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA512 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize
3KB
MD5 17de95cc44b08f15cec3d71281c1645a
SHA1 95b8826825270b531374eedb963a141037228d18
SHA256 cfd697c2b24801e80742c876eb2f0b014a8a16b0ceaa04af229cf1956b88e5bb
SHA512 989b11fedc38dee4fcdbb48cc1129b18d3fa0cdd6303595582592bf7e16b662b5c52159e1d9b83f7482b4bddd09ddc189846a88941822de10f1fdaf8b80307f7
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize
3KB
MD5 81ad03755aba9cc27bfb3d7a5f23b132
SHA1 fd4016a4d7b653afea2538149c69bf700a8d6134
SHA256 23177166987993aa5cac3430ce616e3ee308a2ce904bc156905f19e22017e32d
SHA512 f957cb9ab6cb3406a100af509459ae77411fd379c8323ff6a31158829ac7df68d0be6180a6ba85975e177cb8d36eb3e36a845380a6e788dbea42d25c109a1459
-
Filesize
512KB
MD5 1fced686974406c6d296288744da77b7
SHA1 230e378fc23f64f56655269a90631e6086416e92
SHA256 7bf4ecc2c599254d438765794d2d872d54d0702509349111a5e3d96440c87c74
SHA512 0d4a2de5f7dee48fe97e03dad54229113b819f5763f7681425ece5d7ce04c967439074c9f0e5e7de8f020f36ee05d6c69e328a0bedfeb1151047c68b3af0106f
-
Filesize
512KB
MD5 e2de2691dd01a0739035c9074692632c
SHA1 bc26520499b150522ee31a79a10004a1513fd7b0
SHA256 a376d72df0a047def446c2a80fa832fc5699efbc7ca885a55b443f9b173373a0
SHA512 aca9de607dc5e2c8f33a01f9fe91a877622405bd18c34d9fa5bdf3969f529e8ac2b76fe2f42b96a487e6f2b0f830ba6b87f2f171bff844172f61041ccca138e6
-
Filesize
512KB
MD5 b3323ae127001bef0d669ed93ab69f4e
SHA1 5c163573cc64918384ce906f9c797fa91e5dd19e
SHA256 fb91b7f06b69fe3a9fa034e02985e59b8020d1bc5a88a1e22b1f0ebb0a613e0a
SHA512 6f777fcda49bd12e8c873e2287f4f13e176380ce02b38222b9307584854cca7fc06dc8401f4e536d5bc2b5bce9c0b95b48137faec132a6b9dcdeec6d5b82d4ea
-
Filesize
512KB
MD5 ce4c3af584ffdfcca42dc527aa43f425
SHA1 fc6bc811ce104bcbed8554726fb7addef7218c0d
SHA256 3df2e162bbd93fe367b86558c09cad17b80126edc50a26143914f18343fea59b
SHA512 298c5a5e8a0ba350d31af3e9c7332cbcc0d9053410b28afaca8ff5fdfaee1f95868ea0249a8e3096354b89754edbb16f5590bdfefd0c62e24dcd5f676b86fd1c
-
Filesize
512KB
MD5 4b839785987e710d519db9ed9867037e
SHA1 d77f42dcfb08a208ac6fdae5f0f60515bd50b6b7
SHA256 657141110bdfc16ce590cf3d9a02613b1cfd6be995e81bec4e30e6ece21ca634
SHA512 1fed774a9c8d46a4f9353a8a5e85e1bf49c91f10ca77ea66459ce98932cbad8d7a905fe72bca34ca33401a918b3a0f20af6954c5efc8aee3a17c88a6cc177102
-
Filesize
223B
MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
Filesize
512KB
MD5 e99433f3971a8270116923f0f531dbd4
SHA1 66297325908b264d625cd985dbf2dbb306923d1a
SHA256 2d9c1d19a4f9a108d696083f21023ad4b0c076801494376f47f7052ab06f8194
SHA512 51ca2e86078bb011a5d1f605d2205fb9baae8fd4265700211168f2bb9b2ef67c29cb4e938a2031fe09763ea4b9ce38500c7628f015421f44e0ae22f72ee36089
-
Filesize
512KB
MD5 61b98f859c300fe1ae5d6ddce04f020b
SHA1 09a22d8e8b2b0d04e09063268dd0b579e695497a
SHA256 9131b72b49b1cc97f8bc7d3096c91008b02c1db9f737313139c651b9ee0b4169
SHA512 d81f943d46f0355e959bd2ec296c902ad2ef9f276fa612d78517beaa35d05217cbe69a1d15796e5c533a26d5d2b44b4bc16a3cfd9b4df1c67d6225e2bc0e4379
-
Filesize
512KB
MD5 c73bd2c78c10ffce4664b960eb788948
SHA1 bda8ceaf37d5e647c5f3b7d1862204724fed572b
SHA256 e3a88821422b8c81e6bf658e5066c99af0dfe008f3048d9ae39bf2f2c839917e
SHA512 06f3aad8ae1e5b3630cde16392a8ed88d4e4ce52b1483b4d7b42420bcb78db77407d769c287353ab96d4b0213e10ec2daff0f79464aa12e156bce72f3be7a4eb