Analysis
max time kernel: 150s
max time network: 161s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/06/2024, 08:37

Static task: static1
Behavioral task: behavioral1
Sample: 97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe
Resource: win7-20240508-en
Behavioral task: behavioral2
Sample: 97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe
Resource: win10v2004-20240508-en
General
Target: 97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe
Size: 512KB
MD5: 97a50fa5b38ce05acef9a1c9b76d192c
SHA1: fe842e3591b412cf4bc21feb180ec507eb9f9c74
SHA256: ef59ce22252d36c9da7b529a93a33edd78dab24a75c2cfc56b62d5b4e8b96bc3
SHA512: ed13d86573b9649c37ed798f5c6793d0d9bcde5e4f739e15d58d4917a840aed61fde8c961ae92522fd4130bdb1779722c5c08c7ea5e9e1ccd4ea53c81172e908
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6P:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm50
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | dwrngpjxkq.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | dwrngpjxkq.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | dwrngpjxkq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | dwrngpjxkq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | dwrngpjxkq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | dwrngpjxkq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | dwrngpjxkq.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | dwrngpjxkq.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | 97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe
Executes dropped EXE 5 IoCs
pid | Process
3020 | dwrngpjxkq.exe
2064 | sktjpsiuyglpmys.exe
4264 | stovwebt.exe
4548 | efjjfwikvrqed.exe
2096 | stovwebt.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | dwrngpjxkq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | dwrngpjxkq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | dwrngpjxkq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | dwrngpjxkq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | dwrngpjxkq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | dwrngpjxkq.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "efjjfwikvrqed.exe" | sktjpsiuyglpmys.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tehekepg = "dwrngpjxkq.exe" | sktjpsiuyglpmys.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rsaybjdh = "sktjpsiuyglpmys.exe" | sktjpsiuyglpmys.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\m: | dwrngpjxkq.exe
File opened (read-only) | \??\n: | dwrngpjxkq.exe
File opened (read-only) | \??\o: | dwrngpjxkq.exe
File opened (read-only) | \??\i: | stovwebt.exe
File opened (read-only) | \??\v: | stovwebt.exe
File opened (read-only) | \??\y: | stovwebt.exe
File opened (read-only) | \??\g: | dwrngpjxkq.exe
File opened (read-only) | \??\j: | dwrngpjxkq.exe
File opened (read-only) | \??\k: | stovwebt.exe
File opened (read-only) | \??\r: | stovwebt.exe
File opened (read-only) | \??\v: | stovwebt.exe
File opened (read-only) | \??\l: | dwrngpjxkq.exe
File opened (read-only) | \??\q: | dwrngpjxkq.exe
File opened (read-only) | \??\u: | dwrngpjxkq.exe
File opened (read-only) | \??\m: | stovwebt.exe
File opened (read-only) | \??\y: | stovwebt.exe
File opened (read-only) | \??\l: | stovwebt.exe
File opened (read-only) | \??\p: | stovwebt.exe
File opened (read-only) | \??\h: | stovwebt.exe
File opened (read-only) | \??\r: | dwrngpjxkq.exe
File opened (read-only) | \??\w: | dwrngpjxkq.exe
File opened (read-only) | \??\w: | stovwebt.exe
File opened (read-only) | \??\a: | dwrngpjxkq.exe
File opened (read-only) | \??\b: | dwrngpjxkq.exe
File opened (read-only) | \??\x: | dwrngpjxkq.exe
File opened (read-only) | \??\b: | stovwebt.exe
File opened (read-only) | \??\e: | stovwebt.exe
File opened (read-only) | \??\k: | stovwebt.exe
File opened (read-only) | \??\e: | stovwebt.exe
File opened (read-only) | \??\e: | dwrngpjxkq.exe
File opened (read-only) | \??\p: | dwrngpjxkq.exe
File opened (read-only) | \??\t: | dwrngpjxkq.exe
File opened (read-only) | \??\p: | stovwebt.exe
File opened (read-only) | \??\r: | stovwebt.exe
File opened (read-only) | \??\v: | dwrngpjxkq.exe
File opened (read-only) | \??\y: | dwrngpjxkq.exe
File opened (read-only) | \??\s: | stovwebt.exe
File opened (read-only) | \??\u: | stovwebt.exe
File opened (read-only) | \??\h: | dwrngpjxkq.exe
File opened (read-only) | \??\o: | stovwebt.exe
File opened (read-only) | \??\q: | stovwebt.exe
File opened (read-only) | \??\o: | stovwebt.exe
File opened (read-only) | \??\i: | dwrngpjxkq.exe
File opened (read-only) | \??\z: | dwrngpjxkq.exe
File opened (read-only) | \??\n: | stovwebt.exe
File opened (read-only) | \??\u: | stovwebt.exe
File opened (read-only) | \??\z: | stovwebt.exe
File opened (read-only) | \??\a: | stovwebt.exe
File opened (read-only) | \??\g: | stovwebt.exe
File opened (read-only) | \??\k: | dwrngpjxkq.exe
File opened (read-only) | \??\h: | stovwebt.exe
File opened (read-only) | \??\j: | stovwebt.exe
File opened (read-only) | \??\t: | stovwebt.exe
File opened (read-only) | \??\w: | stovwebt.exe
File opened (read-only) | \??\q: | stovwebt.exe
File opened (read-only) | \??\t: | stovwebt.exe
File opened (read-only) | \??\s: | dwrngpjxkq.exe
File opened (read-only) | \??\a: | stovwebt.exe
File opened (read-only) | \??\g: | stovwebt.exe
File opened (read-only) | \??\s: | stovwebt.exe
File opened (read-only) | \??\j: | stovwebt.exe
File opened (read-only) | \??\x: | stovwebt.exe
File opened (read-only) | \??\z: | stovwebt.exe
File opened (read-only) | \??\x: | stovwebt.exe
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | dwrngpjxkq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | dwrngpjxkq.exe
AutoIT Executable 9 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/3336-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x0007000000023418-5.dat | autoit_exe
behavioral2/files/0x00090000000233fd-18.dat | autoit_exe
behavioral2/files/0x0007000000023419-27.dat | autoit_exe
behavioral2/files/0x000700000002341a-32.dat | autoit_exe
behavioral2/files/0x000800000002333b-66.dat | autoit_exe
behavioral2/files/0x0007000000023426-72.dat | autoit_exe
behavioral2/files/0x0013000000023483-572.dat | autoit_exe
behavioral2/files/0x0013000000023483-576.dat | autoit_exe
Drops file in System32 directory 13 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\sktjpsiuyglpmys.exe | 97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\efjjfwikvrqed.exe | 97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | stovwebt.exe
File created | C:\Windows\SysWOW64\stovwebt.exe | 97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | dwrngpjxkq.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | stovwebt.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | stovwebt.exe
File created | C:\Windows\SysWOW64\dwrngpjxkq.exe | 97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\dwrngpjxkq.exe | 97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\efjjfwikvrqed.exe | 97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | stovwebt.exe
File opened for modification | C:\Windows\SysWOW64\sktjpsiuyglpmys.exe | 97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\stovwebt.exe | 97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe
Drops file in Program Files directory 15 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | stovwebt.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | stovwebt.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | stovwebt.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | stovwebt.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | stovwebt.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | stovwebt.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | stovwebt.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | stovwebt.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | stovwebt.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | stovwebt.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | stovwebt.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | stovwebt.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | stovwebt.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | stovwebt.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | stovwebt.exe
Drops file in Windows directory 19 IoCs
description | ioc | Process
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | stovwebt.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | stovwebt.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | stovwebt.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | stovwebt.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | stovwebt.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | stovwebt.exe
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | stovwebt.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | stovwebt.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | stovwebt.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | stovwebt.exe
File opened for modification | C:\Windows\mydoc.rtf | 97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | stovwebt.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | stovwebt.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | stovwebt.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | stovwebt.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | stovwebt.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | stovwebt.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class 20 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1939C70B15E3DBB2B8BD7C97EDE534BA" | 97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | 97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | dwrngpjxkq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33472D7F9D5283516A4477D070552DD67D8565D8" | 97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | dwrngpjxkq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | dwrngpjxkq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | dwrngpjxkq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | dwrngpjxkq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | dwrngpjxkq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F56BB0FE6C21DDD27BD0D28B799114" | 97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | dwrngpjxkq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | dwrngpjxkq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | dwrngpjxkq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | dwrngpjxkq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | dwrngpjxkq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCDFABFFE10F19384093A4286EB3E94B3FD028843640239E1BA45E909A9" | 97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB1B02E47E1389D52C9BAD732E8D4BB" | 97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF4FFF8482A851B9145D6207D9CBDE6E634584566466344D790" | 97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | dwrngpjxkq.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
4180 | WINWORD.EXE (×2)

Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
3336 | 97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe (×16)
3020 | dwrngpjxkq.exe (×10)
2064 | sktjpsiuyglpmys.exe (×10)
4264 | stovwebt.exe (×8)
4548 | efjjfwikvrqed.exe (×12)
2064 | sktjpsiuyglpmys.exe (×2)
2096 | stovwebt.exe (×6)

Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process
3336 | 97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe (×3)
3020 | dwrngpjxkq.exe (×3)
2064 | sktjpsiuyglpmys.exe (×3)
4264 | stovwebt.exe (×3)
4548 | efjjfwikvrqed.exe (×3)
2096 | stovwebt.exe (×3)

Suspicious use of SendNotifyMessage 18 IoCs
pid | Process
3336 | 97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe (×3)
3020 | dwrngpjxkq.exe (×3)
2064 | sktjpsiuyglpmys.exe (×3)
4264 | stovwebt.exe (×3)
4548 | efjjfwikvrqed.exe (×3)
2096 | stovwebt.exe (×3)

Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process
4180 | WINWORD.EXE (×7)

Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 3336 wrote to memory of 3020 | 3336 | 97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe | 82
PID 3336 wrote to memory of 3020 | 3336 | 97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe | 82
PID 3336 wrote to memory of 3020 | 3336 | 97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe | 82
PID 3336 wrote to memory of 2064 | 3336 | 97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe | 83
PID 3336 wrote to memory of 2064 | 3336 | 97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe | 83
PID 3336 wrote to memory of 2064 | 3336 | 97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe | 83
PID 3336 wrote to memory of 4264 | 3336 | 97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe | 84
PID 3336 wrote to memory of 4264 | 3336 | 97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe | 84
PID 3336 wrote to memory of 4264 | 3336 | 97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe | 84
PID 3336 wrote to memory of 4548 | 3336 | 97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe | 85
PID 3336 wrote to memory of 4548 | 3336 | 97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe | 85
PID 3336 wrote to memory of 4548 | 3336 | 97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe | 85
PID 3336 wrote to memory of 4180 | 3336 | 97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe | 86
PID 3336 wrote to memory of 4180 | 3336 | 97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe | 86
PID 3020 wrote to memory of 2096 | 3020 | dwrngpjxkq.exe | 88
PID 3020 wrote to memory of 2096 | 3020 | dwrngpjxkq.exe | 88
PID 3020 wrote to memory of 2096 | 3020 | dwrngpjxkq.exe | 88
Processes

C:\Users\Admin\AppData\Local\Temp\97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe"
PID: 3336
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\dwrngpjxkq.exe
    Command line: dwrngpjxkq.exe
    PID: 3020
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\stovwebt.exe
        Command line: C:\Windows\system32\stovwebt.exe
        PID: 2096
        - Executes dropped EXE
        - Enumerates connected drives
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage

    C:\Windows\SysWOW64\sktjpsiuyglpmys.exe
    Command line: sktjpsiuyglpmys.exe
    PID: 2064
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

    C:\Windows\SysWOW64\stovwebt.exe
    Command line: stovwebt.exe
    PID: 4264
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

    C:\Windows\SysWOW64\efjjfwikvrqed.exe
    Command line: efjjfwikvrqed.exe
    PID: 4548
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

    C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    PID: 4180
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network

MITRE ATT&CK Enterprise v15
Persistence
    Boot or Logon Autostart Execution (2)
        Registry Run Keys / Startup Folder (1)
        Winlogon Helper DLL (1)
Privilege Escalation
    Boot or Logon Autostart Execution (2)
        Registry Run Keys / Startup Folder (1)
        Winlogon Helper DLL (1)
Defense Evasion
    Hide Artifacts (2)
        Hidden Files and Directories (2)
    Impair Defenses (2)
        Disable or Modify Tools (2)
    Modify Registry (6)
Downloads

Filesize: 512KB
MD5: 6884f1d57fd9eafc66efcf366d57f33a
SHA1: 70ee0639e949cd40a87068a3534666349fcd0261
SHA256: 4d6339085fd28bc876726935548007d934ceee6a5e5c6ec9dea19fa69bef629c
SHA512: 2209164be30ad14f2fb26acf25f67fc9c43059fcd78b2354bda9840ebf9ab5539a28617c06ee0868407e631926de8d308eced815a55169ae1194a24228d364cc

Filesize: 512KB
MD5: 61f640a47e9495bebf50d3a23c3bf66e
SHA1: 9a3d05e209fea2912ce4284d2ee03f9abdad2af2
SHA256: 81cccf7f8d33090e3754abc4d506fae994df5a6ca99f6468e3aa6bec5a44df58
SHA512: 0728b027f3c25fba084d0438803b978cbaf318ae4c74778a6cabacd7c86a3902ac5aa47b8176b056aa428922ccecbc8fecf3612264bbcba4c75531d8731fa7a9

Filesize: 245KB
MD5: f883b260a8d67082ea895c14bf56dd56
SHA1: 7954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256: ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512: d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Filesize: 239B
MD5: a2f476fb970ff4f078a53f0164f2b959
SHA1: 531f3f100f11ff07c32df8d88038f4d5da7a58c3
SHA256: f35b49bd36bf81dbce2df6540b03155ca43ef30609b3ae1d947a62eaf289d2c9
SHA512: f3187e9e0465b004e3eb6320dfd1b75b37b79ff0240d989bd15cacc547a97d0a38a3b73deba81a824e71a2ae3306aab32cb692bde594dca3c2328eda16defe79

Path: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: 940ec4d209695f66fc258b7599860f4f
SHA1: b17a38821baae679d741ce8f5fec6f8b7baf2593
SHA256: 705afb63f16757afc64e08b2b46d179346af146c3228b5a77a0ba0ff44abdee9
SHA512: c0b92d78e0b7709777b35d6978ee5f0e1cf34a12092230d8f8acc440bf380cf10cfad6b1512997f552afd5dc7c2cc3fe7a28bd2f71d3c8f4ed10f60e7602b845

Path: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: 8a91a0a8f27381b81a25ede12e8498cb
SHA1: a83c3761c1730a8eeb0e13db20b5175cd3b2463a
SHA256: 792434584a8a97242982be254860b40cc30c46a5e7ecd221e866074c7b2c19e1
SHA512: 52726a362a8b5daa530f042e86ac39991057c625325c22650be10bc98ca59eb55f056d6f638da1d03ab8b8ae5be711ace7b04d1f1a6abb0147a045fc600780fb

Filesize: 512KB
MD5: 8b5cf7e730a18271c9fa2e51b78e69e5
SHA1: 0feb05b27bb2d9307486ac7ef1b51c4f7ad83790
SHA256: 2fc29bf4ce337ace23165dc2037614f1275babbbd3019bf264b678373395cb9c
SHA512: a78c8b3e0655ec9219bcb94c170f633d6b82cec50cd3bdcf5ec5817844b8cfe9c2888345130e78edfd78145040b49b7b4727f197069ab5d0c7052d1c1bde1d20

Filesize: 512KB
MD5: 205541b8f99239212ea27f7bc59f0375
SHA1: a3a93f48169e3d9a877ecf59e7ab3d011aef0342
SHA256: 8412be904d746807ecb0ab89212cbac52d802694d75ee5c69542ca04a2d6292e
SHA512: 8df1299c0896688bd35417d8981fb0bc6bca9b682ba21c87420525bee9a08dae09b433b16efaeb6fe9c196a24b2307eb8a62c862de6e3ea2f0e14de9320dd400

Filesize: 512KB
MD5: d2dc625c98fab67179c2d3da405ac7c1
SHA1: 328ba204d5455f9efc1e59f2c6988d1214a51ac2
SHA256: 14108fb8a466bf8752e52a74867a096233da384608d0cb4a83a7d308297f8dbf
SHA512: d5d80753cb0a1c1e1f9bfddaa818fddccb579b593a1165c497f1923685878711e62fd3533695c3e7a73c084745b6c409c1f07f2e061df6009458d0a9131fb046

Filesize: 512KB
MD5: f9765c0a0a1041f986f1afd10ec199d3
SHA1: a31482553f598720c7c310669b305e74c17a4106
SHA256: 9e398e74af28a1030884329fdd699aff018978a76fdf277cb19b8e4bda35f766
SHA512: fdefe95332710e355d61946f7d7a3e459f1287c30191b7b2d4cbb97b2b6603bf9d31a6b8382b9acf806eb362c19408ea293cb4bce479d8289cedc117ecb51e4c

Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Filesize: 512KB
MD5: 877662c896d348dbc5844aef2d06af07
SHA1: b862a3c5edf6569e8abb6e67542dfd11d138fa90
SHA256: e316a98edfec8a8ce15ef7e9aca1163edfe8f4a15a9bde0798c7e52cace5f39a
SHA512: d3512a9ded4bde14c47d8b60e5a6ea30c32e31d39e3fbd32622d448fe3666b93d616f7863504db2c162cde428f4cfb69224ce30a0a7f29de032dca80c16ec367

Filesize: 512KB
MD5: 1676917d6e3be65d16bbd18176aa5e8e
SHA1: 0615cca028bbdb34120918229e69fe154fd8ee7c
SHA256: 28fe4890fe0634d230dc06920ef2bc672dbee57c8d1cf897ef4b7701d3510911
SHA512: 9b65d3ddc170f4cf556d89ab122a5f51079baaa455b4591f38342097227527c45b4e330d5d7098720842f54f8933e14b38a2fbac5fbe922031fb9699b71bff18