Analysis
max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
submitted
05/06/2024, 00:42
Static task
static1
Behavioral task
behavioral1
Sample
96ca33f41cf09ab3d2e5b52919aa99e3_JaffaCakes118.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
96ca33f41cf09ab3d2e5b52919aa99e3_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
Target
96ca33f41cf09ab3d2e5b52919aa99e3_JaffaCakes118.exe
Size
512KB
MD5
96ca33f41cf09ab3d2e5b52919aa99e3
SHA1
e3c4838b1e749449a17f201ecd08420215d0db3e
SHA256
3340480e26165e6e76e34e95d6c690861bbd725ca0148ff0d38b411ca17accea
SHA512
af455ad2afcdd33070282c5b9f1e4c0f9cda6a25bb257daecdc75463864ef28ec149bf6fb7c96adbe375ce0cd493b4d93a90f6c1134001bbd61c4406bc4f9620
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6W:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5Z
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | bmigbhqysh.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | bmigbhqysh.exe
Windows security bypass 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | bmigbhqysh.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | bmigbhqysh.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | bmigbhqysh.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | bmigbhqysh.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | bmigbhqysh.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | bmigbhqysh.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | 96ca33f41cf09ab3d2e5b52919aa99e3_JaffaCakes118.exe
Executes dropped EXE 5 IoCs
pid | Process
4296 | bmigbhqysh.exe
540 | rfplkibojicladv.exe
2228 | lcljlflj.exe
524 | vexppvllblndm.exe
1060 | lcljlflj.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | bmigbhqysh.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | bmigbhqysh.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | bmigbhqysh.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | bmigbhqysh.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | bmigbhqysh.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | bmigbhqysh.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vxluckol = "bmigbhqysh.exe" | rfplkibojicladv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\szomuffp = "rfplkibojicladv.exe" | rfplkibojicladv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "vexppvllblndm.exe" | rfplkibojicladv.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\u: | bmigbhqysh.exe
File opened (read-only) | \??\o: | lcljlflj.exe
File opened (read-only) | \??\p: | lcljlflj.exe
File opened (read-only) | \??\t: | lcljlflj.exe
File opened (read-only) | \??\v: | lcljlflj.exe
File opened (read-only) | \??\g: | lcljlflj.exe
File opened (read-only) | \??\a: | bmigbhqysh.exe
File opened (read-only) | \??\i: | bmigbhqysh.exe
File opened (read-only) | \??\e: | lcljlflj.exe
File opened (read-only) | \??\m: | lcljlflj.exe
File opened (read-only) | \??\r: | lcljlflj.exe
File opened (read-only) | \??\o: | lcljlflj.exe
File opened (read-only) | \??\u: | lcljlflj.exe
File opened (read-only) | \??\q: | bmigbhqysh.exe
File opened (read-only) | \??\w: | bmigbhqysh.exe
File opened (read-only) | \??\z: | lcljlflj.exe
File opened (read-only) | \??\e: | bmigbhqysh.exe
File opened (read-only) | \??\a: | lcljlflj.exe
File opened (read-only) | \??\s: | lcljlflj.exe
File opened (read-only) | \??\u: | lcljlflj.exe
File opened (read-only) | \??\n: | lcljlflj.exe
File opened (read-only) | \??\p: | lcljlflj.exe
File opened (read-only) | \??\q: | lcljlflj.exe
File opened (read-only) | \??\r: | lcljlflj.exe
File opened (read-only) | \??\x: | bmigbhqysh.exe
File opened (read-only) | \??\a: | lcljlflj.exe
File opened (read-only) | \??\l: | lcljlflj.exe
File opened (read-only) | \??\w: | lcljlflj.exe
File opened (read-only) | \??\b: | bmigbhqysh.exe
File opened (read-only) | \??\m: | bmigbhqysh.exe
File opened (read-only) | \??\e: | lcljlflj.exe
File opened (read-only) | \??\k: | bmigbhqysh.exe
File opened (read-only) | \??\h: | lcljlflj.exe
File opened (read-only) | \??\j: | lcljlflj.exe
File opened (read-only) | \??\z: | lcljlflj.exe
File opened (read-only) | \??\m: | lcljlflj.exe
File opened (read-only) | \??\l: | bmigbhqysh.exe
File opened (read-only) | \??\r: | bmigbhqysh.exe
File opened (read-only) | \??\i: | lcljlflj.exe
File opened (read-only) | \??\x: | lcljlflj.exe
File opened (read-only) | \??\v: | lcljlflj.exe
File opened (read-only) | \??\y: | lcljlflj.exe
File opened (read-only) | \??\g: | bmigbhqysh.exe
File opened (read-only) | \??\b: | lcljlflj.exe
File opened (read-only) | \??\v: | bmigbhqysh.exe
File opened (read-only) | \??\g: | lcljlflj.exe
File opened (read-only) | \??\t: | lcljlflj.exe
File opened (read-only) | \??\j: | bmigbhqysh.exe
File opened (read-only) | \??\p: | bmigbhqysh.exe
File opened (read-only) | \??\l: | lcljlflj.exe
File opened (read-only) | \??\w: | lcljlflj.exe
File opened (read-only) | \??\b: | lcljlflj.exe
File opened (read-only) | \??\z: | bmigbhqysh.exe
File opened (read-only) | \??\n: | lcljlflj.exe
File opened (read-only) | \??\j: | lcljlflj.exe
File opened (read-only) | \??\s: | lcljlflj.exe
File opened (read-only) | \??\x: | lcljlflj.exe
File opened (read-only) | \??\o: | bmigbhqysh.exe
File opened (read-only) | \??\y: | bmigbhqysh.exe
File opened (read-only) | \??\n: | bmigbhqysh.exe
File opened (read-only) | \??\i: | lcljlflj.exe
File opened (read-only) | \??\t: | bmigbhqysh.exe
File opened (read-only) | \??\k: | lcljlflj.exe
File opened (read-only) | \??\q: | lcljlflj.exe
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | bmigbhqysh.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | bmigbhqysh.exe
AutoIT Executable 9 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/1036-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x00070000000233e3-5.dat | autoit_exe
behavioral2/files/0x00080000000233df-19.dat | autoit_exe
behavioral2/files/0x00070000000233e5-29.dat | autoit_exe
behavioral2/files/0x00070000000233e4-30.dat | autoit_exe
behavioral2/files/0x00080000000233d5-69.dat | autoit_exe
behavioral2/files/0x00070000000233f2-75.dat | autoit_exe
behavioral2/files/0x001800000002340f-569.dat | autoit_exe
behavioral2/files/0x001800000002340f-577.dat | autoit_exe
Drops file in System32 directory 13 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\lcljlflj.exe | 96ca33f41cf09ab3d2e5b52919aa99e3_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\vexppvllblndm.exe | 96ca33f41cf09ab3d2e5b52919aa99e3_JaffaCakes118.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | lcljlflj.exe
File created | C:\Windows\SysWOW64\rfplkibojicladv.exe | 96ca33f41cf09ab3d2e5b52919aa99e3_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | bmigbhqysh.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | lcljlflj.exe
File created | C:\Windows\SysWOW64\bmigbhqysh.exe | 96ca33f41cf09ab3d2e5b52919aa99e3_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\bmigbhqysh.exe | 96ca33f41cf09ab3d2e5b52919aa99e3_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\rfplkibojicladv.exe | 96ca33f41cf09ab3d2e5b52919aa99e3_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\lcljlflj.exe | 96ca33f41cf09ab3d2e5b52919aa99e3_JaffaCakes118.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | lcljlflj.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | lcljlflj.exe
File created | C:\Windows\SysWOW64\vexppvllblndm.exe | 96ca33f41cf09ab3d2e5b52919aa99e3_JaffaCakes118.exe
Drops file in Program Files directory 14 IoCs
description | ioc | Process
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | lcljlflj.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | lcljlflj.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | lcljlflj.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | lcljlflj.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | lcljlflj.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | lcljlflj.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | lcljlflj.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | lcljlflj.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | lcljlflj.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | lcljlflj.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | lcljlflj.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | lcljlflj.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | lcljlflj.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | lcljlflj.exe
Drops file in Windows directory 19 IoCs
description | ioc | Process
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | lcljlflj.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | lcljlflj.exe
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | lcljlflj.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | lcljlflj.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | lcljlflj.exe
File opened for modification | C:\Windows\mydoc.rtf | 96ca33f41cf09ab3d2e5b52919aa99e3_JaffaCakes118.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | lcljlflj.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | lcljlflj.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | lcljlflj.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | lcljlflj.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | lcljlflj.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | lcljlflj.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | lcljlflj.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | lcljlflj.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | lcljlflj.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | lcljlflj.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | lcljlflj.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class 20 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | bmigbhqysh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | bmigbhqysh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | bmigbhqysh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | bmigbhqysh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | bmigbhqysh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193AC77B15EDDAB6B9C17CE2EDE337C9" | 96ca33f41cf09ab3d2e5b52919aa99e3_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | bmigbhqysh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | bmigbhqysh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | bmigbhqysh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | bmigbhqysh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | bmigbhqysh.exe
Key created | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings | 96ca33f41cf09ab3d2e5b52919aa99e3_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 96ca33f41cf09ab3d2e5b52919aa99e3_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCEFAC9FE14F195837B3B31869939E5B0FC02FD4312034CE1CF429D09D3" | 96ca33f41cf09ab3d2e5b52919aa99e3_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC7B12947E239E853B9BAD43299D7CC" | 96ca33f41cf09ab3d2e5b52919aa99e3_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8CFF824F28826A9047D6217DE0BDE1E130594B67326343D799" | 96ca33f41cf09ab3d2e5b52919aa99e3_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F768C4FE6822DDD273D0A58A0F9166" | 96ca33f41cf09ab3d2e5b52919aa99e3_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33412C0C9C2083586A3E76A777272DD77CF664A8" | 96ca33f41cf09ab3d2e5b52919aa99e3_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | bmigbhqysh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | bmigbhqysh.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
2168 | WINWORD.EXE
2168 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
1036 | 96ca33f41cf09ab3d2e5b52919aa99e3_JaffaCakes118.exe
1036 | 96ca33f41cf09ab3d2e5b52919aa99e3_JaffaCakes118.exe
1036 | 96ca33f41cf09ab3d2e5b52919aa99e3_JaffaCakes118.exe
1036 | 96ca33f41cf09ab3d2e5b52919aa99e3_JaffaCakes118.exe
1036 | 96ca33f41cf09ab3d2e5b52919aa99e3_JaffaCakes118.exe
1036 | 96ca33f41cf09ab3d2e5b52919aa99e3_JaffaCakes118.exe
1036 | 96ca33f41cf09ab3d2e5b52919aa99e3_JaffaCakes118.exe
1036 | 96ca33f41cf09ab3d2e5b52919aa99e3_JaffaCakes118.exe
1036 | 96ca33f41cf09ab3d2e5b52919aa99e3_JaffaCakes118.exe
1036 | 96ca33f41cf09ab3d2e5b52919aa99e3_JaffaCakes118.exe
1036 | 96ca33f41cf09ab3d2e5b52919aa99e3_JaffaCakes118.exe
1036 | 96ca33f41cf09ab3d2e5b52919aa99e3_JaffaCakes118.exe
1036 | 96ca33f41cf09ab3d2e5b52919aa99e3_JaffaCakes118.exe
1036 | 96ca33f41cf09ab3d2e5b52919aa99e3_JaffaCakes118.exe
1036 | 96ca33f41cf09ab3d2e5b52919aa99e3_JaffaCakes118.exe
1036 | 96ca33f41cf09ab3d2e5b52919aa99e3_JaffaCakes118.exe
4296 | bmigbhqysh.exe
4296 | bmigbhqysh.exe
4296 | bmigbhqysh.exe
4296 | bmigbhqysh.exe
4296 | bmigbhqysh.exe
4296 | bmigbhqysh.exe
4296 | bmigbhqysh.exe
4296 | bmigbhqysh.exe
4296 | bmigbhqysh.exe
4296 | bmigbhqysh.exe
540 | rfplkibojicladv.exe
540 | rfplkibojicladv.exe
540 | rfplkibojicladv.exe
540 | rfplkibojicladv.exe
540 | rfplkibojicladv.exe
540 | rfplkibojicladv.exe
540 | rfplkibojicladv.exe
540 | rfplkibojicladv.exe
2228 | lcljlflj.exe
2228 | lcljlflj.exe
2228 | lcljlflj.exe
2228 | lcljlflj.exe
2228 | lcljlflj.exe
2228 | lcljlflj.exe
2228 | lcljlflj.exe
2228 | lcljlflj.exe
540 | rfplkibojicladv.exe
540 | rfplkibojicladv.exe
524 | vexppvllblndm.exe
524 | vexppvllblndm.exe
524 | vexppvllblndm.exe
524 | vexppvllblndm.exe
524 | vexppvllblndm.exe
524 | vexppvllblndm.exe
524 | vexppvllblndm.exe
524 | vexppvllblndm.exe
524 | vexppvllblndm.exe
524 | vexppvllblndm.exe
524 | vexppvllblndm.exe
524 | vexppvllblndm.exe
1060 | lcljlflj.exe
1060 | lcljlflj.exe
1060 | lcljlflj.exe
1060 | lcljlflj.exe
1060 | lcljlflj.exe
1060 | lcljlflj.exe
1060 | lcljlflj.exe
1060 | lcljlflj.exe
Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process
1036 | 96ca33f41cf09ab3d2e5b52919aa99e3_JaffaCakes118.exe
1036 | 96ca33f41cf09ab3d2e5b52919aa99e3_JaffaCakes118.exe
1036 | 96ca33f41cf09ab3d2e5b52919aa99e3_JaffaCakes118.exe
4296 | bmigbhqysh.exe
4296 | bmigbhqysh.exe
4296 | bmigbhqysh.exe
2228 | lcljlflj.exe
540 | rfplkibojicladv.exe
2228 | lcljlflj.exe
540 | rfplkibojicladv.exe
524 | vexppvllblndm.exe
2228 | lcljlflj.exe
540 | rfplkibojicladv.exe
524 | vexppvllblndm.exe
524 | vexppvllblndm.exe
1060 | lcljlflj.exe
1060 | lcljlflj.exe
1060 | lcljlflj.exe
Suspicious use of SendNotifyMessage 18 IoCs
pid | Process
1036 | 96ca33f41cf09ab3d2e5b52919aa99e3_JaffaCakes118.exe
1036 | 96ca33f41cf09ab3d2e5b52919aa99e3_JaffaCakes118.exe
1036 | 96ca33f41cf09ab3d2e5b52919aa99e3_JaffaCakes118.exe
4296 | bmigbhqysh.exe
4296 | bmigbhqysh.exe
4296 | bmigbhqysh.exe
2228 | lcljlflj.exe
540 | rfplkibojicladv.exe
2228 | lcljlflj.exe
540 | rfplkibojicladv.exe
524 | vexppvllblndm.exe
2228 | lcljlflj.exe
540 | rfplkibojicladv.exe
524 | vexppvllblndm.exe
524 | vexppvllblndm.exe
1060 | lcljlflj.exe
1060 | lcljlflj.exe
1060 | lcljlflj.exe
Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process
2168 | WINWORD.EXE
2168 | WINWORD.EXE
2168 | WINWORD.EXE
2168 | WINWORD.EXE
2168 | WINWORD.EXE
2168 | WINWORD.EXE
2168 | WINWORD.EXE
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 1036 wrote to memory of 4296 | 1036 | 96ca33f41cf09ab3d2e5b52919aa99e3_JaffaCakes118.exe | 83
PID 1036 wrote to memory of 4296 | 1036 | 96ca33f41cf09ab3d2e5b52919aa99e3_JaffaCakes118.exe | 83
PID 1036 wrote to memory of 4296 | 1036 | 96ca33f41cf09ab3d2e5b52919aa99e3_JaffaCakes118.exe | 83
PID 1036 wrote to memory of 540 | 1036 | 96ca33f41cf09ab3d2e5b52919aa99e3_JaffaCakes118.exe | 84
PID 1036 wrote to memory of 540 | 1036 | 96ca33f41cf09ab3d2e5b52919aa99e3_JaffaCakes118.exe | 84
PID 1036 wrote to memory of 540 | 1036 | 96ca33f41cf09ab3d2e5b52919aa99e3_JaffaCakes118.exe | 84
PID 1036 wrote to memory of 2228 | 1036 | 96ca33f41cf09ab3d2e5b52919aa99e3_JaffaCakes118.exe | 85
PID 1036 wrote to memory of 2228 | 1036 | 96ca33f41cf09ab3d2e5b52919aa99e3_JaffaCakes118.exe | 85
PID 1036 wrote to memory of 2228 | 1036 | 96ca33f41cf09ab3d2e5b52919aa99e3_JaffaCakes118.exe | 85
PID 1036 wrote to memory of 524 | 1036 | 96ca33f41cf09ab3d2e5b52919aa99e3_JaffaCakes118.exe | 86
PID 1036 wrote to memory of 524 | 1036 | 96ca33f41cf09ab3d2e5b52919aa99e3_JaffaCakes118.exe | 86
PID 1036 wrote to memory of 524 | 1036 | 96ca33f41cf09ab3d2e5b52919aa99e3_JaffaCakes118.exe | 86
PID 4296 wrote to memory of 1060 | 4296 | bmigbhqysh.exe | 89
PID 4296 wrote to memory of 1060 | 4296 | bmigbhqysh.exe | 89
PID 4296 wrote to memory of 1060 | 4296 | bmigbhqysh.exe | 89
PID 1036 wrote to memory of 2168 | 1036 | 96ca33f41cf09ab3d2e5b52919aa99e3_JaffaCakes118.exe | 88
PID 1036 wrote to memory of 2168 | 1036 | 96ca33f41cf09ab3d2e5b52919aa99e3_JaffaCakes118.exe | 88
Processes
C:\Users\Admin\AppData\Local\Temp\96ca33f41cf09ab3d2e5b52919aa99e3_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\96ca33f41cf09ab3d2e5b52919aa99e3_JaffaCakes118.exe"
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1036
  C:\Windows\SysWOW64\bmigbhqysh.exe
  Command line: bmigbhqysh.exe
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4296
    C:\Windows\SysWOW64\lcljlflj.exe
    Command line: C:\Windows\system32\lcljlflj.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1060
  C:\Windows\SysWOW64\rfplkibojicladv.exe
  Command line: rfplkibojicladv.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:540
  C:\Windows\SysWOW64\lcljlflj.exe
  Command line: lcljlflj.exe
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2228
  C:\Windows\SysWOW64\vexppvllblndm.exe
  Command line: vexppvllblndm.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:524
  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
  - Drops file in Windows directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:2168
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution 2
    Registry Run Keys / Startup Folder 1
    Winlogon Helper DLL 1
Privilege Escalation
  Boot or Logon Autostart Execution 2
    Registry Run Keys / Startup Folder 1
    Winlogon Helper DLL 1
Defense Evasion
  Hide Artifacts 2
    Hidden Files and Directories 2
  Impair Defenses 2
    Disable or Modify Tools 2
  Modify Registry 6
Downloads
Filesize
512KB
MD5 4feb861889ae673ff7ab0b11e3f807e9
SHA1 cd383a80109eaf5267668dc322ffcaae19b5e7b5
SHA256 de9c6971788722348e43f4f747a84db479a3b90004a2a75c2c38ee4b7be0f6ec
SHA512 6a681179cd005b50a8f8b0e4ae04ec789ec8075a6ab101af47f45ced8c5337a3d15a7979ed2fde091da393b75874fd28a1e55b12ec8041b835971c5f70b707d6

Filesize
512KB
MD5 f2d1df91e42fe1fa4e40421064f62f65
SHA1 1e303d2b79d7be5ce719f4fadbf0d7f69281c62c
SHA256 9f54ef04bb193454be1e7be7a1320cc44e49c9a3b5329dda6352e7439069b065
SHA512 b80ec3a7b74fe03e35318381a03ac8f4dabe80b8286c69a3660249169a8d162d98657c3092b2b7003cffea19ad83d09ef57f744ed0bbc7fb93d6abb86c0637ac

Filesize
245KB
MD5 f883b260a8d67082ea895c14bf56dd56
SHA1 7954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256 ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512 d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Filesize
239B
MD5 12b138a5a40ffb88d1850866bf2959cd
SHA1 57001ba2de61329118440de3e9f8a81074cb28a2
SHA256 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA512 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize
3KB
MD5 5cc1504f469a721ec232731e5e5afe8b
SHA1 1307ccc58a8d2d884766357840afae3ba4e4dd39
SHA256 752b71b164a8d12d9ae27fdf3c7191de3b0c0909e57601fbea222bebf1014658
SHA512 0d27aacd1cf3bcccc7f27b5d6a84a8a6ffc511717de7f1678b49396969a8ca876be4434e5f60322665a83104031cbd4bfb5f88ba677997479c6289865c723b61

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize
3KB
MD5 54a1b1360a945e5aed42bead305d3c09
SHA1 a2a9edf2d485579cfa6fe522239581bc6104904d
SHA256 f40f49c370c78e610a08093b7f7af7268d47e197d88db0e01cbdd0efadc0c81b
SHA512 2bace731ff93043eb5efa51f067cb0f7c838b1400540a00112cd6d0bb8207300c1eb6055f8b0c591f83415374e0a515f7e01be86ef6922089c6f06aae9d48922

Filesize
512KB
MD5 2755ab4cdeeb740bf765af23770c5650
SHA1 f70067d49b5516b8b6d99530af9c31b5d74ae70f
SHA256 d0bef0ea258351f9ae4962df4ce942c954bc5e653260c9e61718691e227f4dff
SHA512 79049b436fb670c7de3230c27260c6642011a6dd384f010ec8ab40805d98f0f7a6cf56f3d8b57d063a9362de8c3d07f6ba63a4d50e944da17e4fdc117eed2d1c

Filesize
512KB
MD5 23da6eea547a298c11ae56a9b8079b30
SHA1 65df83a8b37b52c7f9b43d14c55bb8c621babbb8
SHA256 ec04c37ea099b2fee83ca03a3a3282207aa8006359e577d66d37597a44a1c9d3
SHA512 1d4f991aa04b6caed846d2ed1da69e0b468cb6e8fd3906e1558085cf160672c4e1dd206c01849072c9728b9ee10c8445921e83150aa8c59e955bdfbf335390b5

Filesize
512KB
MD5 1578ce2ef1e4c603d2878defb51f66c3
SHA1 bfd1a29ec6157ba634ae08a811fc52d7e73d181c
SHA256 b747e22a3379939425e2785c4c13cc60c10cf5b313d70b8007b0b7616d05b26f
SHA512 e12453d09704f81e94e2a00fe4e380c2757e14a6d690c6f72d834319caffaef7a320486ba5fb0363915e49c8126ac877e17df4788eee77403ab9dfac57eef3c1

Filesize
512KB
MD5 30eb6b7c4d78e2410d47e20fe0dd8faf
SHA1 32313d6bb570ac86594339a40488949b8cff7dcf
SHA256 ccc612dfadd67699be00eaf1e6e4488a7c101011a99898561420ef596eb39ee2
SHA512 c2d58fec911d089f159eb604e05afc56993cc1858820d1c52dd3874b7e4049ac1d935eb1b9a88b30c5c6dfcd9bcc0fe0adea5cb6fa9ff811f84ac17d335427c0

Filesize
223B
MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Filesize
512KB
MD5 1db28080b2725c4cbb0ee1a3597f7a71
SHA1 2f86eed7162cf7588b89594854738d4b0835b872
SHA256 5578b4b15231fe1ad9da8dfd00a5a68b032e1f394dd7695a7cefd9069d682579
SHA512 76888c2148a65c1e139be1572aa40a9aca1f830468c399ebd72dae580f28a265a6ee57167bb82fd5c52a5538cdb916e926277cbb11efeff8484af7fcdb5a7735

Filesize
512KB
MD5 32da6d5c49eeb2d704832035e7279bf7
SHA1 07b86ab3ad6f7be601ac9c0f400c47fefdf94dab
SHA256 c2d9484de3c473173c2bdf72d5d2148c7422b774ec865bcce52a9aedf08ff0c3
SHA512 95aad9c118aa929ff133fde51f28cafc44d0a756ef12e04a271ed619f0e82df22c8e7dc4b629d32e66883ed3fa25b037f650d4cd9ed5014025e2053d66f53a39