Analysis
- max time kernel: 150s
- max time network: 123s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-06-2024 00:01

Static task: static1

Behavioral task: behavioral1
- Sample: 930fa2cd09ec1041791fa2fba5a4ff17_JaffaCakes118.exe
- Resource: win7-20240508-en

Behavioral task: behavioral2
- Sample: 930fa2cd09ec1041791fa2fba5a4ff17_JaffaCakes118.exe
- Resource: win10v2004-20240426-en
General
- Target: 930fa2cd09ec1041791fa2fba5a4ff17_JaffaCakes118.exe
- Size: 512KB
- MD5: 930fa2cd09ec1041791fa2fba5a4ff17
- SHA1: aff48860c009c79b7121afc9a34d6e01829fa7bb
- SHA256: 7f0b385a896f1d533717002c2b789a254f61fd2a6235e4aa989f43fe94df5b7c
- SHA512: bbc15cb41611adbc2bd1b2719cd927a455b274b12bed66cf822a5b9e2fb3ebe2011eb3d2128551a40d5f1473066f8b9071729d19d4dc4baf4d9b2d7c36937455
- SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6B:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5e
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoCs)
Processes: zragvhgyse.exe
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | zragvhgyse.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoCs)
Processes: zragvhgyse.exe
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | zragvhgyse.exe
Windows security bypass
Processes: zragvhgyse.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | zragvhgyse.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | zragvhgyse.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | zragvhgyse.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | zragvhgyse.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | zragvhgyse.exe
Disables RegEdit via registry modification (1 IoCs)
Processes: zragvhgyse.exe
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | zragvhgyse.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely a geofence.
Processes: 930fa2cd09ec1041791fa2fba5a4ff17_JaffaCakes118.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation | 930fa2cd09ec1041791fa2fba5a4ff17_JaffaCakes118.exe
Executes dropped EXE (5 IoCs)
Processes: zragvhgyse.exe, xmohfznteyklulr.exe, gbuxytvi.exe, cpgevhkelnhni.exe, gbuxytvi.exe
  pid | process
  2952 | zragvhgyse.exe
  3428 | xmohfznteyklulr.exe
  4908 | gbuxytvi.exe
  4740 | cpgevhkelnhni.exe
  1616 | gbuxytvi.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification
Processes: zragvhgyse.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | zragvhgyse.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | zragvhgyse.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | zragvhgyse.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | zragvhgyse.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | zragvhgyse.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | zragvhgyse.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
Processes: xmohfznteyklulr.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xicnvvhb = "zragvhgyse.exe" | xmohfznteyklulr.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jrfjioyd = "xmohfznteyklulr.exe" | xmohfznteyklulr.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "cpgevhkelnhni.exe" | xmohfznteyklulr.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: gbuxytvi.exe, gbuxytvi.exe, zragvhgyse.exe
  description | ioc | process
  File opened (read-only) | \??\e: | gbuxytvi.exe
  File opened (read-only) | \??\t: | gbuxytvi.exe
  File opened (read-only) | \??\x: | gbuxytvi.exe
  File opened (read-only) | \??\a: | gbuxytvi.exe
  File opened (read-only) | \??\o: | gbuxytvi.exe
  File opened (read-only) | \??\p: | gbuxytvi.exe
  File opened (read-only) | \??\b: | gbuxytvi.exe
  File opened (read-only) | \??\g: | gbuxytvi.exe
  File opened (read-only) | \??\l: | gbuxytvi.exe
  File opened (read-only) | \??\a: | zragvhgyse.exe
  File opened (read-only) | \??\k: | zragvhgyse.exe
  File opened (read-only) | \??\n: | zragvhgyse.exe
  File opened (read-only) | \??\u: | gbuxytvi.exe
  File opened (read-only) | \??\k: | gbuxytvi.exe
  File opened (read-only) | \??\n: | gbuxytvi.exe
  File opened (read-only) | \??\w: | gbuxytvi.exe
  File opened (read-only) | \??\b: | zragvhgyse.exe
  File opened (read-only) | \??\l: | zragvhgyse.exe
  File opened (read-only) | \??\r: | zragvhgyse.exe
  File opened (read-only) | \??\t: | zragvhgyse.exe
  File opened (read-only) | \??\y: | zragvhgyse.exe
  File opened (read-only) | \??\r: | gbuxytvi.exe
  File opened (read-only) | \??\p: | zragvhgyse.exe
  File opened (read-only) | \??\x: | zragvhgyse.exe
  File opened (read-only) | \??\j: | zragvhgyse.exe
  File opened (read-only) | \??\j: | gbuxytvi.exe
  File opened (read-only) | \??\h: | gbuxytvi.exe
  File opened (read-only) | \??\i: | gbuxytvi.exe
  File opened (read-only) | \??\m: | gbuxytvi.exe
  File opened (read-only) | \??\n: | gbuxytvi.exe
  File opened (read-only) | \??\s: | gbuxytvi.exe
  File opened (read-only) | \??\m: | gbuxytvi.exe
  File opened (read-only) | \??\y: | gbuxytvi.exe
  File opened (read-only) | \??\i: | gbuxytvi.exe
  File opened (read-only) | \??\j: | gbuxytvi.exe
  File opened (read-only) | \??\v: | zragvhgyse.exe
  File opened (read-only) | \??\l: | gbuxytvi.exe
  File opened (read-only) | \??\v: | gbuxytvi.exe
  File opened (read-only) | \??\o: | gbuxytvi.exe
  File opened (read-only) | \??\r: | gbuxytvi.exe
  File opened (read-only) | \??\s: | gbuxytvi.exe
  File opened (read-only) | \??\o: | zragvhgyse.exe
  File opened (read-only) | \??\z: | gbuxytvi.exe
  File opened (read-only) | \??\q: | gbuxytvi.exe
  File opened (read-only) | \??\i: | zragvhgyse.exe
  File opened (read-only) | \??\e: | gbuxytvi.exe
  File opened (read-only) | \??\u: | gbuxytvi.exe
  File opened (read-only) | \??\v: | gbuxytvi.exe
  File opened (read-only) | \??\z: | gbuxytvi.exe
  File opened (read-only) | \??\s: | zragvhgyse.exe
  File opened (read-only) | \??\h: | gbuxytvi.exe
  File opened (read-only) | \??\e: | zragvhgyse.exe
  File opened (read-only) | \??\x: | gbuxytvi.exe
  File opened (read-only) | \??\k: | gbuxytvi.exe
  File opened (read-only) | \??\g: | zragvhgyse.exe
  File opened (read-only) | \??\g: | gbuxytvi.exe
  File opened (read-only) | \??\q: | gbuxytvi.exe
  File opened (read-only) | \??\w: | gbuxytvi.exe
  File opened (read-only) | \??\a: | gbuxytvi.exe
  File opened (read-only) | \??\p: | gbuxytvi.exe
  File opened (read-only) | \??\u: | zragvhgyse.exe
  File opened (read-only) | \??\z: | zragvhgyse.exe
  File opened (read-only) | \??\b: | gbuxytvi.exe
  File opened (read-only) | \??\t: | gbuxytvi.exe
Modifies WinLogon (2 TTPs, 2 IoCs)
Processes: zragvhgyse.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | zragvhgyse.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | zragvhgyse.exe
AutoIT Executable (10 IoCs)
AutoIT scripts compiled to PE executables.
  resource | yara_rule
  behavioral2/memory/2896-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
  C:\Windows\SysWOW64\xmohfznteyklulr.exe | autoit_exe
  C:\Windows\SysWOW64\zragvhgyse.exe | autoit_exe
  C:\Windows\SysWOW64\gbuxytvi.exe | autoit_exe
  C:\Windows\SysWOW64\cpgevhkelnhni.exe | autoit_exe
  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | autoit_exe
  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | autoit_exe
  C:\Users\Admin\AppData\Roaming\SubmitFormat.doc.exe | autoit_exe
  \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | autoit_exe
  \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | autoit_exe
Drops file in System32 directory (12 IoCs)
Processes: gbuxytvi.exe, 930fa2cd09ec1041791fa2fba5a4ff17_JaffaCakes118.exe, zragvhgyse.exe, gbuxytvi.exe
  description | ioc | process
  File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | gbuxytvi.exe
  File created | C:\Windows\SysWOW64\zragvhgyse.exe | 930fa2cd09ec1041791fa2fba5a4ff17_JaffaCakes118.exe
  File created | C:\Windows\SysWOW64\xmohfznteyklulr.exe | 930fa2cd09ec1041791fa2fba5a4ff17_JaffaCakes118.exe
  File created | C:\Windows\SysWOW64\gbuxytvi.exe | 930fa2cd09ec1041791fa2fba5a4ff17_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\cpgevhkelnhni.exe | 930fa2cd09ec1041791fa2fba5a4ff17_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | zragvhgyse.exe
  File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | gbuxytvi.exe
  File opened for modification | C:\Windows\SysWOW64\zragvhgyse.exe | 930fa2cd09ec1041791fa2fba5a4ff17_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\xmohfznteyklulr.exe | 930fa2cd09ec1041791fa2fba5a4ff17_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\gbuxytvi.exe | 930fa2cd09ec1041791fa2fba5a4ff17_JaffaCakes118.exe
  File created | C:\Windows\SysWOW64\cpgevhkelnhni.exe | 930fa2cd09ec1041791fa2fba5a4ff17_JaffaCakes118.exe
  File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | gbuxytvi.exe
Drops file in Program Files directory (16 IoCs)
Processes: gbuxytvi.exe, gbuxytvi.exe
  description | ioc | process
  File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | gbuxytvi.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | gbuxytvi.exe
  File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | gbuxytvi.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | gbuxytvi.exe
  File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | gbuxytvi.exe
  File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | gbuxytvi.exe
  File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | gbuxytvi.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | gbuxytvi.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | gbuxytvi.exe
  File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | gbuxytvi.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | gbuxytvi.exe
  File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | gbuxytvi.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | gbuxytvi.exe
  File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | gbuxytvi.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | gbuxytvi.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | gbuxytvi.exe
Drops file in Windows directory (19 IoCs)
Processes: gbuxytvi.exe, gbuxytvi.exe, WINWORD.EXE, 930fa2cd09ec1041791fa2fba5a4ff17_JaffaCakes118.exe
  description | ioc | process
  File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | gbuxytvi.exe
  File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | gbuxytvi.exe
  File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | gbuxytvi.exe
  File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | gbuxytvi.exe
  File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | gbuxytvi.exe
  File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
  File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | gbuxytvi.exe
  File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | gbuxytvi.exe
  File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | gbuxytvi.exe
  File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | gbuxytvi.exe
  File opened for modification | C:\Windows\mydoc.rtf | 930fa2cd09ec1041791fa2fba5a4ff17_JaffaCakes118.exe
  File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | gbuxytvi.exe
  File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | gbuxytvi.exe
  File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | gbuxytvi.exe
  File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | gbuxytvi.exe
  File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | gbuxytvi.exe
  File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
  File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | gbuxytvi.exe
  File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | gbuxytvi.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: WINWORD.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class (20 IoCs)
Processes: zragvhgyse.exe, 930fa2cd09ec1041791fa2fba5a4ff17_JaffaCakes118.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | zragvhgyse.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32302D7A9C5783586D4376A770212DD77CF664DC" | 930fa2cd09ec1041791fa2fba5a4ff17_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | zragvhgyse.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | zragvhgyse.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | zragvhgyse.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | zragvhgyse.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | zragvhgyse.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | zragvhgyse.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | zragvhgyse.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 930fa2cd09ec1041791fa2fba5a4ff17_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BBDFAB9F962F191830F3A4B86EE3E95B08A03FD4363034CE2CB42EC09A8" | 930fa2cd09ec1041791fa2fba5a4ff17_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E8BFCFE4827856D9045D72F7DE5BD93E1475932674F6330D79D" | 930fa2cd09ec1041791fa2fba5a4ff17_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0866BC3FE6721ADD109D1A88A0E9113" | 930fa2cd09ec1041791fa2fba5a4ff17_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB5B128449238EA52BEB9D63393D7CF" | 930fa2cd09ec1041791fa2fba5a4ff17_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184AC70815E4DAB1B8CD7C90EC9734CD" | 930fa2cd09ec1041791fa2fba5a4ff17_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | zragvhgyse.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | zragvhgyse.exe
  Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings | 930fa2cd09ec1041791fa2fba5a4ff17_JaffaCakes118.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | zragvhgyse.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | zragvhgyse.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes: WINWORD.EXE
  pid | process | entries
  3060 | WINWORD.EXE | 2
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: 930fa2cd09ec1041791fa2fba5a4ff17_JaffaCakes118.exe, gbuxytvi.exe, xmohfznteyklulr.exe, cpgevhkelnhni.exe, zragvhgyse.exe, gbuxytvi.exe
  pid | process | entries
  2896 | 930fa2cd09ec1041791fa2fba5a4ff17_JaffaCakes118.exe | 16
  4908 | gbuxytvi.exe | 8
  3428 | xmohfznteyklulr.exe | 10
  4740 | cpgevhkelnhni.exe | 12
  2952 | zragvhgyse.exe | 10
  1616 | gbuxytvi.exe | 8
Suspicious use of FindShellTrayWindow (18 IoCs)
Processes: 930fa2cd09ec1041791fa2fba5a4ff17_JaffaCakes118.exe, gbuxytvi.exe, xmohfznteyklulr.exe, cpgevhkelnhni.exe, zragvhgyse.exe, gbuxytvi.exe
  pid | process | entries
  2896 | 930fa2cd09ec1041791fa2fba5a4ff17_JaffaCakes118.exe | 3
  4908 | gbuxytvi.exe | 3
  3428 | xmohfznteyklulr.exe | 3
  4740 | cpgevhkelnhni.exe | 3
  2952 | zragvhgyse.exe | 3
  1616 | gbuxytvi.exe | 3
Suspicious use of SendNotifyMessage (18 IoCs)
Processes: 930fa2cd09ec1041791fa2fba5a4ff17_JaffaCakes118.exe, gbuxytvi.exe, xmohfznteyklulr.exe, cpgevhkelnhni.exe, zragvhgyse.exe, gbuxytvi.exe
  pid | process | entries
  2896 | 930fa2cd09ec1041791fa2fba5a4ff17_JaffaCakes118.exe | 3
  4908 | gbuxytvi.exe | 3
  3428 | xmohfznteyklulr.exe | 3
  4740 | cpgevhkelnhni.exe | 3
  2952 | zragvhgyse.exe | 3
  1616 | gbuxytvi.exe | 3
Suspicious use of SetWindowsHookEx (7 IoCs)
Processes: WINWORD.EXE
  pid | process | entries
  3060 | WINWORD.EXE | 7
Suspicious use of WriteProcessMemory (17 IoCs)
Processes: 930fa2cd09ec1041791fa2fba5a4ff17_JaffaCakes118.exe, zragvhgyse.exe
  description | pid | process | target process | entries
  PID 2896 wrote to memory of 2952 | 2896 | 930fa2cd09ec1041791fa2fba5a4ff17_JaffaCakes118.exe | zragvhgyse.exe | 3
  PID 2896 wrote to memory of 3428 | 2896 | 930fa2cd09ec1041791fa2fba5a4ff17_JaffaCakes118.exe | xmohfznteyklulr.exe | 3
  PID 2896 wrote to memory of 4908 | 2896 | 930fa2cd09ec1041791fa2fba5a4ff17_JaffaCakes118.exe | gbuxytvi.exe | 3
  PID 2896 wrote to memory of 4740 | 2896 | 930fa2cd09ec1041791fa2fba5a4ff17_JaffaCakes118.exe | cpgevhkelnhni.exe | 3
  PID 2896 wrote to memory of 3060 | 2896 | 930fa2cd09ec1041791fa2fba5a4ff17_JaffaCakes118.exe | WINWORD.EXE | 2
  PID 2952 wrote to memory of 1616 | 2952 | zragvhgyse.exe | gbuxytvi.exe | 3
Processes
C:\Users\Admin\AppData\Local\Temp\930fa2cd09ec1041791fa2fba5a4ff17_JaffaCakes118.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\930fa2cd09ec1041791fa2fba5a4ff17_JaffaCakes118.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 2896

  C:\Windows\SysWOW64\zragvhgyse.exe (depth 2)
    Command line: zragvhgyse.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID: 2952

    C:\Windows\SysWOW64\gbuxytvi.exe (depth 3)
      Command line: C:\Windows\system32\gbuxytvi.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      PID: 1616

  C:\Windows\SysWOW64\xmohfznteyklulr.exe (depth 2)
    Command line: xmohfznteyklulr.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 3428

  C:\Windows\SysWOW64\gbuxytvi.exe (depth 2)
    Command line: gbuxytvi.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 4908

  C:\Windows\SysWOW64\cpgevhkelnhni.exe (depth 2)
    Command line: cpgevhkelnhni.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 4740

  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (depth 2)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID: 3060
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads