Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-06-2024 17:51
Static task: static1
Behavioral task: behavioral1
- Sample: 95bc30676854e61d8c1ba2251543e1f4_JaffaCakes118.exe
- Resource: win7-20240220-en
Behavioral task: behavioral2
- Sample: 95bc30676854e61d8c1ba2251543e1f4_JaffaCakes118.exe
- Resource: win10v2004-20240426-en
General
- Target: 95bc30676854e61d8c1ba2251543e1f4_JaffaCakes118.exe
- Size: 512KB
- MD5: 95bc30676854e61d8c1ba2251543e1f4
- SHA1: 7742b1c7e3887a2162dd5ca768063fb14743f0d8
- SHA256: 5a9d919f86bf8ca4fea85c674b77539cafd6c2b3e77cbdb34507345cc0ce6baf
- SHA512: 57d30a73d4caa955f86e5c612cda5931ffd954354fd3390efd64691eaef792d132514d928b5ab9ecbdaee23467244204029d14dc1306a42e949ea950bf1b99cb
- SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj68:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5f
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
- Set value (int): \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (mvuvzazifd.exe)
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
- Set value (int): \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (mvuvzazifd.exe)
Windows security bypass
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (mvuvzazifd.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (mvuvzazifd.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (mvuvzazifd.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (mvuvzazifd.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (mvuvzazifd.exe)
Disables RegEdit via registry modification (1 IoC)
- Set value (int): \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (mvuvzazifd.exe)
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation (95bc30676854e61d8c1ba2251543e1f4_JaffaCakes118.exe)
Executes dropped EXE (5 IoCs)
- PID 4632: mvuvzazifd.exe
- PID 3908: acbqaavdqflzhdm.exe
- PID 852: lyuvanmf.exe
- PID 3188: ucjdalyuqsond.exe
- PID 1420: lyuvanmf.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" (mvuvzazifd.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (mvuvzazifd.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (mvuvzazifd.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (mvuvzazifd.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (mvuvzazifd.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (mvuvzazifd.exe)
Adds Run key to start application (2 TTPs, 3 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "ucjdalyuqsond.exe" (acbqaavdqflzhdm.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\zqdvmhle = "mvuvzazifd.exe" (acbqaavdqflzhdm.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ykhadmbz = "acbqaavdqflzhdm.exe" (acbqaavdqflzhdm.exe)
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon (2 TTPs, 2 IoCs)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" (mvuvzazifd.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" (mvuvzazifd.exe)
AutoIT Executable (9 IoCs)
AutoIT scripts compiled to PE executables.
- behavioral2/memory/4644-0-0x0000000000400000-0x0000000000496000-memory.dmp (yara rule: autoit_exe)
- behavioral2/files/0x000700000002343c-5.dat (yara rule: autoit_exe)
- behavioral2/files/0x0008000000023438-18.dat (yara rule: autoit_exe)
- behavioral2/files/0x000700000002343d-24.dat (yara rule: autoit_exe)
- behavioral2/files/0x000700000002343e-31.dat (yara rule: autoit_exe)
- behavioral2/files/0x000400000001db5b-75.dat (yara rule: autoit_exe)
- behavioral2/files/0x000400000001db59-69.dat (yara rule: autoit_exe)
- behavioral2/files/0x000c00000001e5ca-93.dat (yara rule: autoit_exe)
- behavioral2/files/0x000c00000001e5ca-102.dat (yara rule: autoit_exe)
Drops file in System32 directory (13 IoCs)
- File opened for modification: C:\Windows\SysWOW64\acbqaavdqflzhdm.exe (95bc30676854e61d8c1ba2251543e1f4_JaffaCakes118.exe)
- File opened for modification: C:\Windows\SysWOW64\lyuvanmf.exe (95bc30676854e61d8c1ba2251543e1f4_JaffaCakes118.exe)
- File created: C:\Windows\SysWOW64\mvuvzazifd.exe (95bc30676854e61d8c1ba2251543e1f4_JaffaCakes118.exe)
- File created: C:\Windows\SysWOW64\acbqaavdqflzhdm.exe (95bc30676854e61d8c1ba2251543e1f4_JaffaCakes118.exe)
- File created: C:\Windows\SysWOW64\lyuvanmf.exe (95bc30676854e61d8c1ba2251543e1f4_JaffaCakes118.exe)
- File opened for modification: \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (lyuvanmf.exe)
- File created: \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (lyuvanmf.exe)
- File created: \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (lyuvanmf.exe)
- File opened for modification: \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (lyuvanmf.exe)
- File opened for modification: C:\Windows\SysWOW64\mvuvzazifd.exe (95bc30676854e61d8c1ba2251543e1f4_JaffaCakes118.exe)
- File created: C:\Windows\SysWOW64\ucjdalyuqsond.exe (95bc30676854e61d8c1ba2251543e1f4_JaffaCakes118.exe)
- File opened for modification: C:\Windows\SysWOW64\ucjdalyuqsond.exe (95bc30676854e61d8c1ba2251543e1f4_JaffaCakes118.exe)
- File opened for modification: C:\Windows\SysWOW64\msvbvm60.dll (mvuvzazifd.exe)
Drops file in Program Files directory (14 IoCs)
- File created: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (lyuvanmf.exe)
- File opened for modification: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (lyuvanmf.exe)
- File opened for modification: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (lyuvanmf.exe)
- File opened for modification: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (lyuvanmf.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal (lyuvanmf.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (lyuvanmf.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (lyuvanmf.exe)
- File opened for modification: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (lyuvanmf.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (lyuvanmf.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal (lyuvanmf.exe)
- File created: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (lyuvanmf.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal (lyuvanmf.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal (lyuvanmf.exe)
- File opened for modification: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (lyuvanmf.exe)
Drops file in Windows directory (19 IoCs)
- File created: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (lyuvanmf.exe)
- File opened for modification: C:\Windows\mydoc.rtf (WINWORD.EXE)
- File opened for modification: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (lyuvanmf.exe)
- File opened for modification: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (lyuvanmf.exe)
- File created: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (lyuvanmf.exe)
- File created: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (lyuvanmf.exe)
- File opened for modification: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (lyuvanmf.exe)
- File created: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (lyuvanmf.exe)
- File opened for modification: C:\Windows\mydoc.rtf (95bc30676854e61d8c1ba2251543e1f4_JaffaCakes118.exe)
- File created: C:\Windows\~$mydoc.rtf (WINWORD.EXE)
- File created: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (lyuvanmf.exe)
- File opened for modification: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (lyuvanmf.exe)
- File created: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (lyuvanmf.exe)
- File opened for modification: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (lyuvanmf.exe)
- File created: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (lyuvanmf.exe)
- File opened for modification: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (lyuvanmf.exe)
- File opened for modification: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (lyuvanmf.exe)
- File created: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (lyuvanmf.exe)
- File opened for modification: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (lyuvanmf.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)
Enumerates system info in registry (2 TTPs, 3 IoCs)
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
Modifies registry class (20 IoCs)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc (mvuvzazifd.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf (mvuvzazifd.exe)
- Key created: \REGISTRY\MACHINE\Software\Classes\CLV.Classes (95bc30676854e61d8c1ba2251543e1f4_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E08068B4FE1B22DED27DD0A68A759116" (95bc30676854e61d8c1ba2251543e1f4_JaffaCakes118.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings (95bc30676854e61d8c1ba2251543e1f4_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" (mvuvzazifd.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.reg (mvuvzazifd.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" (mvuvzazifd.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "334E2D7E9D2C82596D3676D177552CD77DF164DD" (95bc30676854e61d8c1ba2251543e1f4_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AB4FACEF916F298830E3B40819D3995B38E028B43640233E1BD429D08A7" (95bc30676854e61d8c1ba2251543e1f4_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC7B0584492389D53CFBADC3298D7B9" (95bc30676854e61d8c1ba2251543e1f4_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1949C67A1593DAC5B8C07CE9EDE737BC" (95bc30676854e61d8c1ba2251543e1f4_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" (mvuvzazifd.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs (mvuvzazifd.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.bat (mvuvzazifd.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" (mvuvzazifd.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh (mvuvzazifd.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" (mvuvzazifd.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FF4FFFF482A856E9140D72B7E9CBC93E633584467316330D790" (95bc30676854e61d8c1ba2251543e1f4_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" (mvuvzazifd.exe)
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
- PID 4060: WINWORD.EXE
- PID 4060: WINWORD.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of FindShellTrayWindow (18 IoCs)
Suspicious use of SendNotifyMessage (18 IoCs)
Suspicious use of SetWindowsHookEx (7 IoCs)
Suspicious use of WriteProcessMemory (17 IoCs)
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\95bc30676854e61d8c1ba2251543e1f4_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\95bc30676854e61d8c1ba2251543e1f4_JaffaCakes118.exe"
  PID: 4644
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Windows\SysWOW64\mvuvzazifd.exe
    Command line: mvuvzazifd.exe
    PID: 4632
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Windows\SysWOW64\lyuvanmf.exe
      Command line: C:\Windows\system32\lyuvanmf.exe
      PID: 1420
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  Level 2: C:\Windows\SysWOW64\acbqaavdqflzhdm.exe
    Command line: acbqaavdqflzhdm.exe
    PID: 3908
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  Level 2: C:\Windows\SysWOW64\lyuvanmf.exe
    Command line: lyuvanmf.exe
    PID: 852
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  Level 2: C:\Windows\SysWOW64\ucjdalyuqsond.exe
    Command line: ucjdalyuqsond.exe
    PID: 3188
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  Level 2: C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    PID: 4060
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads