Analysis
max time kernel: 150s
max time network: 133s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-06-2024 01:47
Static task: static1
Behavioral task: behavioral1
  Sample: 935291009263d139f26a9b2474db4312_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2 (the Windows 10 run reported on this page)
  Sample: 935291009263d139f26a9b2474db4312_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 935291009263d139f26a9b2474db4312_JaffaCakes118.exe
Size: 512KB
MD5: 935291009263d139f26a9b2474db4312
SHA1: 44a6d3f0de2de309d86c0b6b9c016d38bb28848c
SHA256: b9053701ea9e223affccd8f86367af83e7f0f51b53c59f7a95d31227a66282fc
SHA512: 70b84afb00bb32c5cc8f61862fbc1a7e3d06ec2a9b2a41add5962841065b0c37088578dabfb2b6a450ae28c2fe77a728f3111f22d150eeec1de5fbdc3930de60
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6A:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5H
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
With HideFileExt set, Explorer drops the final extension, so the PROTTPLN.DOC.exe, PROTTPLV.DOC.exe and MsoIrmProtector.doc.exe files dropped later in this report display as .DOC/.doc documents.
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" yiqbexikaz.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
ShowSuperHidden = 0 keeps files carrying the hidden+system attributes out of Explorer listings.
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" yiqbexikaz.exe
Windows security bypass 5 IoCs
Security Center override and DisableNotify flags set to 1 are meant to silence the warnings that antivirus, the firewall or updates are off. These flags date from the Windows XP SP2 Security Center; treat them as an indicator of intent rather than proof that Windows 10 defenses were silenced. They land under WOW6432Node, consistent with a 32-bit writer being redirected on 64-bit Windows.
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" yiqbexikaz.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" yiqbexikaz.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" yiqbexikaz.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" yiqbexikaz.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" yiqbexikaz.exe
Disables RegEdit via registry modification 1 IoCs
DisableRegistryTools = 1 under the user's Policies\System key makes regedit.exe refuse to start for that account, hindering manual cleanup of the keys listed on this page.
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" yiqbexikaz.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation 935291009263d139f26a9b2474db4312_JaffaCakes118.exe
Executes dropped EXE 5 IoCs
pid Process
1468 yiqbexikaz.exe
3668 vcyykexufwwvepw.exe
4432 rwhnaoco.exe
3316 hqxfqdetotjjd.exe
2408 rwhnaoco.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials. (No individual IoCs are listed for this signature.)
Windows security modification 6 IoCs
Same Security Center key as in "Windows security bypass" above, with FirstRunDisabled added; the two signatures overlap because they key on the same writes.
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" yiqbexikaz.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" yiqbexikaz.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" yiqbexikaz.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" yiqbexikaz.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" yiqbexikaz.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" yiqbexikaz.exe
Adds Run key to start application 2 TTPs 3 IoCs
vcyykexufwwvepw.exe registers three of the four SysWOW64 droppings (not rwhnaoco.exe) under the 32-bit view of the HKLM Run key so they relaunch at every logon. Values are bare file names with no path, and one of them is stored in the key's default (unnamed) value.
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "hqxfqdetotjjd.exe" vcyykexufwwvepw.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vtoxbwiw = "yiqbexikaz.exe" vcyykexufwwvepw.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sazlphtf = "vcyykexufwwvepw.exe" vcyykexufwwvepw.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive. The report lists at most 64 entries, so the list below is a cap, not the full activity; each entry is "File opened (read-only) \??\<letter>:" by the named process.
description ioc Process
yiqbexikaz.exe (22 opens, one per letter): a: b: e: g: h: i: j: k: l: m: n: o: p: q: r: s: t: u: w: x: y: z:
rwhnaoco.exe (42 opens across its two instances, PIDs 4432 and 2408): g: j: k: t: once each; a: b: e: h: i: l: m: n: o: p: q: r: s: u: v: w: x: y: z: twice each
Modifies WinLogon 2 TTPs 2 IoCs
SFCScan = 0 and SFCDisable = 4294967197 (0xFFFFFF9D) are the Windows 2000/XP Windows File Protection switches. Windows Resource Protection on Windows 10 does not read them, so this is a fingerprint of old tooling rather than an effective bypass.
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" yiqbexikaz.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" yiqbexikaz.exe
AutoIT Executable 10 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule
behavioral2/memory/5060-0-0x0000000000400000-0x0000000000496000-memory.dmp autoit_exe
behavioral2/files/0x000700000002354e-5.dat autoit_exe
behavioral2/files/0x000800000002354a-18.dat autoit_exe
behavioral2/files/0x000700000002354f-27.dat autoit_exe
behavioral2/files/0x0007000000023550-32.dat autoit_exe
behavioral2/files/0x000a000000023339-66.dat autoit_exe
behavioral2/files/0x0008000000023406-69.dat autoit_exe
behavioral2/files/0x00080000000232a5-75.dat autoit_exe
behavioral2/files/0x001b00000002356f-559.dat autoit_exe
behavioral2/files/0x001b00000002356f-582.dat autoit_exe
Drops file in System32 directory 12 IoCs
The original sample writes four randomly named executables into SysWOW64; rwhnaoco.exe then plants MsoIrmProtector.doc.exe under SysWOW64\MSDRM, and yiqbexikaz.exe opens msvbvm60.dll (the VB6 runtime) for modification.
description ioc Process
File created C:\Windows\SysWOW64\yiqbexikaz.exe 935291009263d139f26a9b2474db4312_JaffaCakes118.exe
File opened for modification C:\Windows\SysWOW64\yiqbexikaz.exe 935291009263d139f26a9b2474db4312_JaffaCakes118.exe
File created C:\Windows\SysWOW64\vcyykexufwwvepw.exe 935291009263d139f26a9b2474db4312_JaffaCakes118.exe
File opened for modification C:\Windows\SysWOW64\vcyykexufwwvepw.exe 935291009263d139f26a9b2474db4312_JaffaCakes118.exe
File created C:\Windows\SysWOW64\rwhnaoco.exe 935291009263d139f26a9b2474db4312_JaffaCakes118.exe
File opened for modification C:\Windows\SysWOW64\rwhnaoco.exe 935291009263d139f26a9b2474db4312_JaffaCakes118.exe
File created C:\Windows\SysWOW64\hqxfqdetotjjd.exe 935291009263d139f26a9b2474db4312_JaffaCakes118.exe
File opened for modification C:\Windows\SysWOW64\hqxfqdetotjjd.exe 935291009263d139f26a9b2474db4312_JaffaCakes118.exe
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe rwhnaoco.exe
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe rwhnaoco.exe (twice, once per rwhnaoco.exe instance)
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll yiqbexikaz.exe
Drops file in Program Files directory 15 IoCs
All 15 entries are rwhnaoco.exe touching six distinct paths in the Office 16 template folder (the same file appears in both the C:\ and \??\c:\ spellings, and from both rwhnaoco.exe instances): it creates PROTTPLN.DOC.exe and PROTTPLV.DOC.exe and opens PROTTPLN.nal / PROTTPLV.nal of the same base names for modification.
description ioc Process
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe rwhnaoco.exe
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe rwhnaoco.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe rwhnaoco.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe rwhnaoco.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal rwhnaoco.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal rwhnaoco.exe
Drops file in Windows directory 19 IoCs
description ioc Process
File created and opened for modification by rwhnaoco.exe (both instances), MsoIrmProtector.doc.exe under each of four WinSxS component directories:
  \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe
  \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe
  \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe
  \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe
File opened for modification C:\Windows\mydoc.rtf 935291009263d139f26a9b2474db4312_JaffaCakes118.exe
File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE
File created C:\Windows\~$mydoc.rtf WINWORD.EXE
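The three "Drops file" lists above are the hunt list a responder actually needs, and the double-extension names only make sense together with the HideFileExt write recorded earlier. The following Python is an added example and not part of the Triage report or of the sample: it parses file IoC lines of the shape shown on this page, collapses the \??\c:\ and C:\ spellings of one path, lists what was written and by whom, flags names that end in <document extension>.exe, and shows what Explorer would display for them under HideFileExt. The sample lines are copied from this report; DOC_LIKE and the function names are this example's own choices.

```python
import re
from typing import Dict, List

# Constructed input: file IoC lines copied verbatim from the "Drops file in ..." and
# "Enumerates connected drives" sections of this report.
SAMPLE_FILE_IOCS = r"""
File created C:\Windows\SysWOW64\yiqbexikaz.exe 935291009263d139f26a9b2474db4312_JaffaCakes118.exe
File opened for modification C:\Windows\SysWOW64\yiqbexikaz.exe 935291009263d139f26a9b2474db4312_JaffaCakes118.exe
File created C:\Windows\SysWOW64\rwhnaoco.exe 935291009263d139f26a9b2474db4312_JaffaCakes118.exe
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe rwhnaoco.exe
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe rwhnaoco.exe
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe rwhnaoco.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe rwhnaoco.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal rwhnaoco.exe
File opened for modification C:\Windows\mydoc.rtf 935291009263d139f26a9b2474db4312_JaffaCakes118.exe
File created C:\Windows\~$mydoc.rtf WINWORD.EXE
File opened (read-only) \??\z: yiqbexikaz.exe
"""

# "File <op> <path with spaces> <process>": the process is the last whitespace-free
# token, so a lazy path match followed by a greedy final token splits the line.
FILE_RE = re.compile(
    r"^File (?P<op>created|opened for modification|opened \(read-only\)) "
    r"(?P<path>.+?) (?P<process>\S+)$"
)
WRITE_OPS = {"created", "opened for modification"}

def normalize_path(raw: str) -> str:
    """Turn the NT-style \\??\\c:\\... form into Win32 C:\\... so the two spellings
    of one file collapse onto a single key."""
    p = raw[4:] if raw.startswith("\\??\\") else raw
    if len(p) >= 2 and p[1] == ":":
        p = p[0].upper() + p[1:]
    return p

def dropped_files(text: str) -> Dict[str, List[str]]:
    """Map every path that was created or opened for writing to the sorted list of
    processes that did so. Read-only opens (drive enumeration) are ignored."""
    writers: Dict[str, set] = {}
    for line in text.splitlines():
        m = FILE_RE.match(line.strip())
        if not m or m["op"] not in WRITE_OPS:
            continue
        writers.setdefault(normalize_path(m["path"]), set()).add(m["process"])
    return {path: sorted(procs) for path, procs in writers.items()}

# Assumption of this example: inner extensions that read as a document to a user.
DOC_LIKE = {"doc", "docx", "rtf", "pdf", "xls", "xlsx", "txt"}

def double_extension_executables(paths) -> List[str]:
    """Paths whose file name ends in <document extension>.exe, i.e. executables
    dressed up as documents."""
    hits = []
    for p in paths:
        parts = p.rsplit("\\", 1)[-1].lower().split(".")
        if len(parts) >= 3 and parts[-1] == "exe" and parts[-2] in DOC_LIKE:
            hits.append(p)
    return hits

def displayed_name(filename: str, hide_file_ext: bool) -> str:
    """What Explorer shows for a file name: with HideFileExt=1 the last extension is
    dropped, so PROTTPLN.DOC.exe is shown as PROTTPLN.DOC."""
    if hide_file_ext and "." in filename:
        return filename.rsplit(".", 1)[0]
    return filename

if __name__ == "__main__":
    dropped = dropped_files(SAMPLE_FILE_IOCS)
    for path, procs in dropped.items():
        print(f"{path}  <- {', '.join(procs)}")
    for path in double_extension_executables(dropped):
        name = path.rsplit("\\", 1)[-1]
        print(f"masquerade: {name} is shown as {displayed_name(name, True)!r} when HideFileExt=1")
```

Run it against the full IoC text of a report (not just the excerpt) to get the complete list of paths to collect and delete; the masquerade check is what turns "drops file in Program Files" into a concrete explanation of why HideFileExt was flipped first.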
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). (No individual IoCs are listed for this signature.)
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments. Here the reader is WINWORD.EXE, not the sample.
description ioc Process
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE
Modifies registry class 20 IoCs
yiqbexikaz.exe points the default value of .bat, .reg, .vbs, .wsc, .wsf and .wsh at the "txtfile" ProgID, so those script types open in the text editor instead of executing (a cleanup .bat or .reg double-clicked by the user does nothing). The CLV.Classes\Com1..Com4 and StartCom1..StartCom2 values are opaque hex strings written by the original sample under a key of its own.
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" yiqbexikaz.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" yiqbexikaz.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg yiqbexikaz.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" yiqbexikaz.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32352C089D5783226A4277A7702F2CAE7D8F65AA" 935291009263d139f26a9b2474db4312_JaffaCakes118.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCAFACEFE64F290837B3B4481EC3E94B08903884216023FE1CB459909D4" 935291009263d139f26a9b2474db4312_JaffaCakes118.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF9FCF94F2885689040D7587D90BC90E13D584367366334D790" 935291009263d139f26a9b2474db4312_JaffaCakes118.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" yiqbexikaz.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F768B1FE6B22D0D272D1A98A099014" 935291009263d139f26a9b2474db4312_JaffaCakes118.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat yiqbexikaz.exe
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings 935291009263d139f26a9b2474db4312_JaffaCakes118.exe
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes 935291009263d139f26a9b2474db4312_JaffaCakes118.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh yiqbexikaz.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" yiqbexikaz.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf yiqbexikaz.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs yiqbexikaz.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB2B02D47E639EC53CFBADD32EFD7C9" 935291009263d139f26a9b2474db4312_JaffaCakes118.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193AC6091491DAB7B9BB7C95ECE534CF" 935291009263d139f26a9b2474db4312_JaffaCakes118.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" yiqbexikaz.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc yiqbexikaz.exe
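The registry signatures above (Explorer visibility, Security Center flags, DisableRegistryTools, the Run key, Winlogon SFC values and the .vbs/.bat/.reg association hijack) are all emitted as one flat stream of "Set value / Key created / Key value queried" events. The following Python is an added example and not part of the Triage report or of the sample: it parses events of exactly that shape into records, strips the hive, user SID and WOW6432Node so one rule matches HKLM and HKCU and both registry views, and labels the writes that matter for triage, grouped by the process that made them. The sample lines are copied from this report; the rule set and label wording are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed input: registry IoC lines copied verbatim from the signature sections
# of this report, one sandbox event per line.
SAMPLE_IOCS = r"""
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" yiqbexikaz.exe
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" yiqbexikaz.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" yiqbexikaz.exe
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" yiqbexikaz.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vtoxbwiw = "yiqbexikaz.exe" vcyykexufwwvepw.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "hqxfqdetotjjd.exe" vcyykexufwwvepw.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" yiqbexikaz.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" yiqbexikaz.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat yiqbexikaz.exe
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation 935291009263d139f26a9b2474db4312_JaffaCakes118.exe
"""

@dataclass(frozen=True)
class RegEvent:
    op: str                 # "Set value", "Key created", "Key value queried", "Key opened"
    vtype: Optional[str]    # "int" / "str" for Set value, else None
    path: str               # \REGISTRY\... path as printed; trailing "\" = default value
    value: Optional[str]    # quoted data for Set value, else None
    process: str            # writer / reader

# Paths contain spaces ("Security Center", "Windows NT"), so the path is matched lazily
# and the process is pinned to the last whitespace-free token on the line.
LINE_RE = re.compile(
    r"^(?P<op>Set value|Key created|Key value queried|Key opened)"
    r"(?:\s+\((?P<vtype>\w+)\))?\s+"
    r"(?P<path>\\REGISTRY\\.*?)"
    r'(?:\s+=\s+"(?P<value>[^"]*)")?'
    r"\s+(?P<process>\S+)$"
)

def parse_reg_events(text: str) -> List[RegEvent]:
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised IoC line: {line!r}")
        events.append(RegEvent(m["op"], m["vtype"], m["path"], m["value"], m["process"]))
    return events

def hive_agnostic(path: str) -> str:
    """Rewrite \\REGISTRY\\USER\\<SID>\\... to HKU\\..., \\REGISTRY\\MACHINE\\... to HKLM\\...,
    and drop WOW6432Node so 32- and 64-bit views compare equal."""
    p = re.sub(r"^\\REGISTRY\\USER\\S-1-5-[\d-]+(?:_Classes)?\\", r"HKU\\", path, flags=re.I)
    p = re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", p, flags=re.I)
    return re.sub(r"\\WOW6432Node\\", r"\\", p, flags=re.I)

# Assumption of this example: script extensions whose default handler matters.
SCRIPT_EXTS = {".bat", ".cmd", ".js", ".jse", ".ps1", ".reg", ".vbs", ".vbe", ".wsc", ".wsf", ".wsh"}

def classify(ev: RegEvent) -> Optional[str]:
    """Short tamper label for a registry write, or None when the event is only
    informational (reads, bare key creation, keys this example has no rule for)."""
    if ev.op != "Set value":
        return None
    key_path, _, value_name = hive_agnostic(ev.path).rpartition("\\")
    kp, vn, val = key_path.lower(), value_name.lower(), ev.value or ""
    leaf = kp.rsplit("\\", 1)[-1]
    if kp.endswith("\\explorer\\advanced") and vn == "hidefileext" and val == "1":
        return "explorer: known extensions hidden"
    if kp.endswith("\\explorer\\advanced") and vn == "showsuperhidden" and val == "0":
        return "explorer: system files hidden"
    if kp.endswith("\\microsoft\\security center") and val == "1":
        return f"security center: {value_name} set"
    if kp.endswith("\\policies\\system") and vn == "disableregistrytools" and val != "0":
        return "policy: registry editor disabled"
    if kp.endswith("\\currentversion\\run"):
        return f"persistence: Run\\{value_name or '(Default)'} -> {val}"
    if kp.endswith("\\winlogon") and vn in ("sfcdisable", "sfcscan"):
        return f"winlogon: {value_name} = {val}"
    if vn == "" and leaf in SCRIPT_EXTS and val.lower() == "txtfile":
        return f"file association: {leaf} -> txtfile"
    return None

def tamper_report(text: str) -> Dict[str, List[str]]:
    """Group tamper labels by the process that performed the write, in event order."""
    out: Dict[str, List[str]] = {}
    for ev in parse_reg_events(text):
        label = classify(ev)
        if label:
            out.setdefault(ev.process, []).append(label)
    return out

if __name__ == "__main__":
    for proc, labels in tamper_report(SAMPLE_IOCS).items():
        print(proc)
        for label in labels:
            print("  ", label)
```

The normalisation step is the part worth keeping: the same malware run on a 32-bit host or under a different user writes the same settings at different raw paths, and a rule keyed on the raw \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\... string would miss it.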
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process
3432 WINWORD.EXE (2 calls)
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process (number of listed events; the report caps this list at 64)
5060 935291009263d139f26a9b2474db4312_JaffaCakes118.exe (16)
1468 yiqbexikaz.exe (10)
3668 vcyykexufwwvepw.exe (10)
4432 rwhnaoco.exe (8)
3316 hqxfqdetotjjd.exe (12)
2408 rwhnaoco.exe (8)
Suspicious use of FindShellTrayWindow 18 IoCs
pid Process (3 calls each)
5060 935291009263d139f26a9b2474db4312_JaffaCakes118.exe
1468 yiqbexikaz.exe
3668 vcyykexufwwvepw.exe
4432 rwhnaoco.exe
3316 hqxfqdetotjjd.exe
2408 rwhnaoco.exe
Suspicious use of SendNotifyMessage 18 IoCs
pid Process (3 calls each)
5060 935291009263d139f26a9b2474db4312_JaffaCakes118.exe
1468 yiqbexikaz.exe
3668 vcyykexufwwvepw.exe
4432 rwhnaoco.exe
3316 hqxfqdetotjjd.exe
2408 rwhnaoco.exe
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process
3432 WINWORD.EXE (7 calls)
Suspicious use of WriteProcessMemory 17 IoCs
Every target below is a process the writer had just launched (see the Processes tree): the writes are the parent populating a new child during process start-up, not injection into an existing process. procid_target is the sandbox's own index for the target process.
description pid Process procid_target
PID 5060 wrote to memory of 1468 5060 935291009263d139f26a9b2474db4312_JaffaCakes118.exe 90 (3 events)
PID 5060 wrote to memory of 3668 5060 935291009263d139f26a9b2474db4312_JaffaCakes118.exe 91 (3 events)
PID 5060 wrote to memory of 4432 5060 935291009263d139f26a9b2474db4312_JaffaCakes118.exe 92 (3 events)
PID 5060 wrote to memory of 3316 5060 935291009263d139f26a9b2474db4312_JaffaCakes118.exe 93 (3 events)
PID 5060 wrote to memory of 3432 5060 935291009263d139f26a9b2474db4312_JaffaCakes118.exe 94 (2 events)
PID 1468 wrote to memory of 2408 1468 yiqbexikaz.exe 96 (3 events)
Processes
C:\Users\Admin\AppData\Local\Temp\935291009263d139f26a9b2474db4312_JaffaCakes118.exe (PID 5060, top level)
  command line: "C:\Users\Admin\AppData\Local\Temp\935291009263d139f26a9b2474db4312_JaffaCakes118.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\yiqbexikaz.exe (PID 1468, child of 5060)
    command line: yiqbexikaz.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rwhnaoco.exe (PID 2408, child of 1468)
      command line: C:\Windows\system32\rwhnaoco.exe (the system32 path in the command line resolves to SysWOW64 through WOW64 file-system redirection for a 32-bit parent)
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\vcyykexufwwvepw.exe (PID 3668, child of 5060)
    command line: vcyykexufwwvepw.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\rwhnaoco.exe (PID 4432, child of 5060)
    command line: rwhnaoco.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\hqxfqdetotjjd.exe (PID 3316, child of 5060)
    command line: hqxfqdetotjjd.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 3432, child of 5060; the sample launches Word on the mydoc.rtf it wrote to C:\Windows)
    command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1676, top level; an Edge utility process not spawned by the sample)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3456,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=4176 /prefetch:8
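The WriteProcessMemory signature and the process tree above describe the same events from two sides, and the useful check is to cross-reference them: a write into a process the writer did not start is the injection case, a write into its own fresh child is ordinary CreateProcess start-up. The following Python is an added example and not part of the Triage report or of the sample. WPM_LINES is copied verbatim from the WriteProcessMemory signature; PARENT_OF and NAMES are transcribed from the Processes tree; the cross-check and the tree renderer are this example's own.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed input: the 17 WriteProcessMemory events from this report, verbatim.
WPM_LINES = """\
PID 5060 wrote to memory of 1468 5060 935291009263d139f26a9b2474db4312_JaffaCakes118.exe 90
PID 5060 wrote to memory of 1468 5060 935291009263d139f26a9b2474db4312_JaffaCakes118.exe 90
PID 5060 wrote to memory of 1468 5060 935291009263d139f26a9b2474db4312_JaffaCakes118.exe 90
PID 5060 wrote to memory of 3668 5060 935291009263d139f26a9b2474db4312_JaffaCakes118.exe 91
PID 5060 wrote to memory of 3668 5060 935291009263d139f26a9b2474db4312_JaffaCakes118.exe 91
PID 5060 wrote to memory of 3668 5060 935291009263d139f26a9b2474db4312_JaffaCakes118.exe 91
PID 5060 wrote to memory of 4432 5060 935291009263d139f26a9b2474db4312_JaffaCakes118.exe 92
PID 5060 wrote to memory of 4432 5060 935291009263d139f26a9b2474db4312_JaffaCakes118.exe 92
PID 5060 wrote to memory of 4432 5060 935291009263d139f26a9b2474db4312_JaffaCakes118.exe 92
PID 5060 wrote to memory of 3316 5060 935291009263d139f26a9b2474db4312_JaffaCakes118.exe 93
PID 5060 wrote to memory of 3316 5060 935291009263d139f26a9b2474db4312_JaffaCakes118.exe 93
PID 5060 wrote to memory of 3316 5060 935291009263d139f26a9b2474db4312_JaffaCakes118.exe 93
PID 5060 wrote to memory of 3432 5060 935291009263d139f26a9b2474db4312_JaffaCakes118.exe 94
PID 5060 wrote to memory of 3432 5060 935291009263d139f26a9b2474db4312_JaffaCakes118.exe 94
PID 1468 wrote to memory of 2408 1468 yiqbexikaz.exe 96
PID 1468 wrote to memory of 2408 1468 yiqbexikaz.exe 96
PID 1468 wrote to memory of 2408 1468 yiqbexikaz.exe 96
"""

# Parent relationships and image names as shown in the Processes tree (None = top level).
PARENT_OF: Dict[int, Optional[int]] = {
    5060: None, 1468: 5060, 3668: 5060, 4432: 5060, 3316: 5060, 3432: 5060,
    2408: 1468, 1676: None,
}
NAMES: Dict[int, str] = {
    5060: "935291009263d139f26a9b2474db4312_JaffaCakes118.exe",
    1468: "yiqbexikaz.exe", 3668: "vcyykexufwwvepw.exe", 4432: "rwhnaoco.exe",
    3316: "hqxfqdetotjjd.exe", 2408: "rwhnaoco.exe", 3432: "WINWORD.EXE",
    1676: "msedge.exe",
}

# "PID <writer> wrote to memory of <target> <writer> <writer image> <procid_target>"
WPM_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) \d+ (?P<name>\S+) (?P<target>\d+)$"
)

def parse_wpm(text: str) -> List[Tuple[int, int]]:
    """(writer pid, target pid) per event; duplicates are kept, one per call."""
    out = []
    for line in text.splitlines():
        m = WPM_RE.match(line.strip())
        if m:
            out.append((int(m["src"]), int(m["dst"])))
    return out

def writes_per_target(events: List[Tuple[int, int]]) -> Dict[Tuple[int, int], int]:
    """How many WriteProcessMemory calls each (writer, target) pair accounts for."""
    counts: Dict[Tuple[int, int], int] = {}
    for pair in events:
        counts[pair] = counts.get(pair, 0) + 1
    return counts

def foreign_writes(events: List[Tuple[int, int]],
                   parent_of: Dict[int, Optional[int]]) -> List[Tuple[int, int]]:
    """Events whose target is not a direct child of the writer. An empty result means
    every write landed in a process the writer itself started (the CreateProcess
    start-up pattern); anything returned is a candidate for real injection."""
    return sorted({(s, d) for s, d in events if parent_of.get(d) != s})

def render_tree(parent_of: Dict[int, Optional[int]], names: Dict[int, str]) -> List[str]:
    """Indented one-line-per-process view, two spaces per depth level."""
    children: Dict[Optional[int], List[int]] = {}
    for pid, parent in parent_of.items():
        children.setdefault(parent, []).append(pid)
    lines: List[str] = []

    def walk(pid: int, depth: int) -> None:
        lines.append("  " * depth + f"{names.get(pid, '?')} (PID {pid})")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in children.get(None, []):
        walk(root, 0)
    return lines

if __name__ == "__main__":
    events = parse_wpm(WPM_LINES)
    print("\n".join(render_tree(PARENT_OF, NAMES)))
    print("writes per (writer, target):", writes_per_target(events))
    print("writes into non-children:", foreign_writes(events, PARENT_OF) or "none")
```

When the same check returns a non-empty list on another report, the pairs it names are the ones to pull memory dumps for; here it returns nothing, which is why the signature is an artefact of the dropper spawning its payloads rather than evidence of process injection.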
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (6)
Downloads
Filesize: 512KB
MD5: 499d046284a8195627998b3f0d24ce8f
SHA1: 54256c74ee9bd3ca8a1f852c50a678ed1b5b3047
SHA256: e08d8af4d44d698e93d6a166ade9dfe64061afad4a4f6e9ddd36a8c2362efc49
SHA512: 4d98a74d1da74cd000204d37be8755be48deef0a291b708969e16d858f1822d1124dab03cb3760118f842a81c89e8b39f6acfcc8ec3953df1f9173c79de95669

Filesize: 512KB
MD5: e80482655df04a89ea4e64a2d36516a9
SHA1: 2c947f8a71a42c2a93ab782d031241be5a1a1150
SHA256: 53370c9c29fa2f7eb2fe6969467c0312046bad75eefef9fce5aa4a6aa06fb9c6
SHA512: 507f2355f065f4518a0dcab4e6acca18eea31a69a8a6a0a5c4e2500da1d04665e450ef036c302188de094e2d532b0d8d6db814715402565282b059b94041798c

Filesize: 245KB
MD5: f883b260a8d67082ea895c14bf56dd56
SHA1: 7954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256: ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512: d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Filesize: 512KB
MD5: d74ec329af009417a3f4a6d9ffdbf05a
SHA1: 8a093cc4f6c8d4be3b291d20d93270914bd1e92e
SHA256: e2bad9b0f90d25f220ecafae77dfa24721e5dc81897217b8574ac4a1cac68181
SHA512: ff4c4d1981e6547a09a9be153f229fb345a2819bd1964ba1a81953d71f7326167841cdac8f1faccde2947a36877ca00fab9440d78460a63f29c37180aba57aeb

Filesize: 239B
MD5: 12b138a5a40ffb88d1850866bf2959cd
SHA1: 57001ba2de61329118440de3e9f8a81074cb28a2
SHA256: 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA512: 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: a43ebf38d43b98dfb8231f8ac68de7dc
SHA1: 4e50218206705378b3f25245279d44ca95947e17
SHA256: 6198262cec41ccb30d8c896d491b2a4b23b47f5231d81ccaa63c9610c3d03223
SHA512: fba6719178fb0750e9c9719399859502c84917b7d1376a7a2784235c0da41fd22dbc77d450dbe2b921e5bfb1b436471f51db1cffcd65dd11fc6519ea2561b4f5

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: e82219e8a93e789bb5bd729bdf1cbf91
SHA1: b70f5f77372e47b9124885efb6a72634e758b5d9
SHA256: 13f683623136a6671f4c9c99ee4c742325746e2cc4e95f134988d7f6e91686fa
SHA512: 312d57adfc8cbd86805d5b3c5bdf7a4c076d3c75c2d1ce8864775521d6ea7d62c769ed6e7a5871b31bc573907781bc0116c93fee447f46ae227b1e08e825b819

Filesize: 512KB
MD5: cac344c74345f1f4d9512decfd900235
SHA1: c667880b1c9e8b0bee48e4c4540d5b19e9dcb5e7
SHA256: e3617462ce5a30dda0483f93064c4cb1e695ab77485b8f5d19bacc3ade3a93bf
SHA512: a651de338bba49cfc33d39c80f28fbea1f63c34f3cebf7d114ac25fc61682d3907b7691d7c07274de3739a67cf7e9d2795256411a00df273f2432d19b1cb7e99

Filesize: 512KB
MD5: 7438aae3707b6fe37637fa4ff5ac5b99
SHA1: 14d9bee2018ca85fbcb1cb46b79fad339f1d4f9c
SHA256: 8674bdbb855f6ca852e3ec9990a44122cd3d20eb0c1d57f866dc810b4ec1d4b5
SHA512: 2e21ff08d3fd930dd65d72672119c15214832732dd3e78a0145ae18581982d57035a29cba2bb072a06bdbf618702a935bc050ba31df0f6beca79193881153b5c

Filesize: 512KB
MD5: 3c6bac07975cc152065e8e7e4d83081d
SHA1: 7760b9854bb7092e3eeb28f11d0b59e62bc718c1
SHA256: 9e3c54c67e9c9c64f993ef3bf73c17fc99047d5dfee29f065bdb9634866e954b
SHA512: 65cb532f470478f3f41bc85ad31c76254199707244d1ea0818d18b71103e0e10a850af8866e25d8b81d9f729fe6c483fc31c66417b2cbcdd55009f0557b02122

Filesize: 512KB
MD5: cc5b66cc2a0eabffcf1f3194e88adb1d
SHA1: 866ff5ac1804be6d094d5302be26ba9007e6772d
SHA256: 822e403f4f14f413069fa9b02991e64bfa6754bbe7b67ae5dabbd03585794e73
SHA512: afa1d35d420d3b34f33b2bcfbc5901e55977d1cf780344f7048b49c36812e1041c836ebe3d2515cbc4b0e6a9c021e9afb6a64c80ba45dcbd9fd89a88d0511257

Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Filesize: 512KB
MD5: e026ceefc4312e9c5ecc2e6896157693
SHA1: 8b64f5e92c1a7e3e2ad9a7527a7707c658c9480c
SHA256: fff63565cb08f8f2cf91eaf13b94272eb50ee644e8837e5d5aec121ceedf17c5
SHA512: 66688bb7d04bf730293c2fb855a63babb13b390d6c5b395d1ea2c527e65084184d6d25118d5006fdfcc180a19567925749fe6cb1cb772e048327fad0158fa4e3

Filesize: 512KB
MD5: 251ca343bb96cee2212f051378cf83b3
SHA1: 1c52c345f2350a7871ee36e61e8aa0e0feb6e67f
SHA256: 513af4d6d7088772138eb606681fc057e5097639d26b167c1f0a5e97edc4992b
SHA512: 53121cd132889ccc1b828d6aa37ad215f7faf6177eccdaf1506d13862e865687aa36a569d69c7859179cb823d2efb7a11b2c2df4d56a5fb706034342e11c17b2