Analysis

max time kernel: 150s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-06-2024 23:51

Static task: static1
Behavioral task behavioral1: sample a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe, resource win7-20240611-en
Behavioral task behavioral2: sample a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe, resource win10v2004-20240611-en (the task reported on this page)

General

Target: a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe
Size: 512KB
MD5: a30314302457d8c62b1a1e3bb102d350
SHA1: 9237d76816287c419dfcfa5729a38358792d9ef7
SH256: 6a3b945c8915c0db9b3aaefab1e5315c3541fa14f14c9f8efcb357bcd656265b
SHA512: 8fc3f472db321ab85494f9e5da4982202ee878f0c63ae9fda49958c49bcc2b9560afc39b4bd6b8b0bad19665b4f249aebce66caa44203fe35376bb1ee6025454
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj64:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm55
Malware Config

Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
Processes: tvgqidvgha.exe
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | tvgqidvgha.exe

Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes: tvgqidvgha.exe
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | tvgqidvgha.exe

Windows security bypass 5 IoCs
Processes: tvgqidvgha.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | tvgqidvgha.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | tvgqidvgha.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | tvgqidvgha.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | tvgqidvgha.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | tvgqidvgha.exe

Disables RegEdit via registry modification 1 IoCs
Processes: tvgqidvgha.exe
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | tvgqidvgha.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe
Executes dropped EXE 5 IoCs
Processes: tvgqidvgha.exe, oirhpgpvfjrzhsz.exe, bkueggjw.exe, pxlvcuxiyewhd.exe, bkueggjw.exe
pid | Process
2900 | tvgqidvgha.exe
4192 | oirhpgpvfjrzhsz.exe
4624 | bkueggjw.exe
4248 | pxlvcuxiyewhd.exe
3076 | bkueggjw.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification 6 IoCs
Processes: tvgqidvgha.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | tvgqidvgha.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | tvgqidvgha.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | tvgqidvgha.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | tvgqidvgha.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | tvgqidvgha.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | tvgqidvgha.exe

Adds Run key to start application 2 TTPs 3 IoCs
Processes: oirhpgpvfjrzhsz.exe
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ozeqhmwc = "tvgqidvgha.exe" | oirhpgpvfjrzhsz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mrfafrja = "oirhpgpvfjrzhsz.exe" | oirhpgpvfjrzhsz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "pxlvcuxiyewhd.exe" | oirhpgpvfjrzhsz.exe
All three Run values hold a bare file name rather than a full path; the executables they name are the copies dropped into C:\Windows\SysWOW64 (see Drops file in System32 directory below).
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: bkueggjw.exe, bkueggjw.exe, tvgqidvgha.exe
description | ioc | Process
File opened (read-only) | \??\a: through \??\z:, all letters except c:, d: and f: (43 entries: each letter listed twice, once per bkueggjw.exe instance, except e:, x: and z:, listed once) | bkueggjw.exe
File opened (read-only) | \??\a: through \??\z:, all letters except c:, d:, f:, m: and o: (21 entries, one per letter) | tvgqidvgha.exe
The listing stops at 64 entries (the same cap appears on the EnumeratesProcesses signature below), so the per-letter counts describe the rows shown, not necessarily every open the processes performed.
Modifies WinLogon 2 TTPs 2 IoCs
Processes: tvgqidvgha.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | tvgqidvgha.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | tvgqidvgha.exe
4294967197 is 0xFFFFFF9D, the legacy value that disabled Windows File Protection on Windows 2000/XP. It has no effect on the Windows 10 target, where Windows Resource Protection replaced WFP, but it is a stable indicator that the sample intends to tamper with protected system files.
AutoIT Executable 9 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/3996-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x0008000000023460-5.dat | autoit_exe
behavioral2/files/0x00050000000232b2-18.dat | autoit_exe
behavioral2/files/0x0007000000023461-26.dat | autoit_exe
behavioral2/files/0x0007000000023462-31.dat | autoit_exe
behavioral2/files/0x0002000000022a04-62.dat | autoit_exe
behavioral2/files/0x00090000000233ad-68.dat | autoit_exe
behavioral2/files/0x001a00000002348d-561.dat | autoit_exe
behavioral2/files/0x001a00000002348d-566.dat | autoit_exe
Drops file in System32 directory 13 IoCs
Processes: a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe, bkueggjw.exe, bkueggjw.exe, tvgqidvgha.exe
description | ioc | Process
File created | C:\Windows\SysWOW64\oirhpgpvfjrzhsz.exe | a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\oirhpgpvfjrzhsz.exe | a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | bkueggjw.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | bkueggjw.exe
File created | C:\Windows\SysWOW64\tvgqidvgha.exe | a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\bkueggjw.exe | a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\bkueggjw.exe | a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\pxlvcuxiyewhd.exe | a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | bkueggjw.exe
File opened for modification | C:\Windows\SysWOW64\tvgqidvgha.exe | a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\pxlvcuxiyewhd.exe | a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | tvgqidvgha.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | bkueggjw.exe
Drops file in Program Files directory 15 IoCs
Processes: bkueggjw.exe, bkueggjw.exe
description | ioc | Process
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | bkueggjw.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | bkueggjw.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | bkueggjw.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | bkueggjw.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | bkueggjw.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | bkueggjw.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | bkueggjw.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | bkueggjw.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | bkueggjw.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | bkueggjw.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | bkueggjw.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | bkueggjw.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | bkueggjw.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | bkueggjw.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | bkueggjw.exe
The dropped executables take the name of an existing Office template (PROTTPLN.DOC, PROTTPLV.DOC) with .exe appended. Combined with HideFileExt = "1", set by tvgqidvgha.exe above, Explorer displays them under the original .DOC names. The .nal files opened beside them are not described further by the report.
Drops file in Windows directory 19 IoCs
Processes: bkueggjw.exe, bkueggjw.exe, WINWORD.EXE, a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe
description | ioc | Process
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | bkueggjw.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | bkueggjw.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | bkueggjw.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | bkueggjw.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | bkueggjw.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | bkueggjw.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | bkueggjw.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | bkueggjw.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | bkueggjw.exe
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | bkueggjw.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | bkueggjw.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | bkueggjw.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | bkueggjw.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | bkueggjw.exe
File opened for modification | C:\Windows\mydoc.rtf | a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | bkueggjw.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | bkueggjw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs
Processes: WINWORD.EXE
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class 20 IoCs
Processes: a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe, tvgqidvgha.exe
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32472D7E9C5582276A3576D477202CD97D8664D8" | a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8EFC8F482C82689142D65B7E9DBDE4E640594266406336D790" | a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings | a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | tvgqidvgha.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | tvgqidvgha.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | tvgqidvgha.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | tvgqidvgha.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | tvgqidvgha.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABAFABDFE16F19184093B46819B3E97B08902FE42110233E1BD459C09A0" | a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | tvgqidvgha.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | tvgqidvgha.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | tvgqidvgha.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E78768C6FE1822D9D278D0A38B7E9110" | a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184DC70815E4DAC5B8B97FE6ED9434C8" | a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | tvgqidvgha.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | tvgqidvgha.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | tvgqidvgha.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | tvgqidvgha.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB2B1214492399853C9BAD5329FD4BE" | a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe
Setting the default value of .bat, .reg, .vbs, .wsc, .wsf and .wsh to txtfile re-points those extensions at the plain-text handler: double-clicking a cleanup script or a .reg file opens it in Notepad instead of running or importing it. The CLV.Classes values written by the original sample hold hex strings that the report does not decode.
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes: WINWORD.EXE
pid | Process
3192 | WINWORD.EXE
3192 | WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe, oirhpgpvfjrzhsz.exe, tvgqidvgha.exe, bkueggjw.exe, pxlvcuxiyewhd.exe, bkueggjw.exe
pid | Process (64 entries in total; each PID below recurs, one entry per hit, and the listing stops at 64)
3996 | a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe
4192 | oirhpgpvfjrzhsz.exe
2900 | tvgqidvgha.exe
4624 | bkueggjw.exe
4248 | pxlvcuxiyewhd.exe
3076 | bkueggjw.exe

Suspicious use of FindShellTrayWindow 18 IoCs
Processes: a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe, oirhpgpvfjrzhsz.exe, tvgqidvgha.exe, bkueggjw.exe, pxlvcuxiyewhd.exe, bkueggjw.exe
pid | Process (three entries per PID)
3996 | a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe
4192 | oirhpgpvfjrzhsz.exe
2900 | tvgqidvgha.exe
4624 | bkueggjw.exe
4248 | pxlvcuxiyewhd.exe
3076 | bkueggjw.exe

Suspicious use of SendNotifyMessage 18 IoCs
Processes: a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe, oirhpgpvfjrzhsz.exe, tvgqidvgha.exe, bkueggjw.exe, pxlvcuxiyewhd.exe, bkueggjw.exe
pid | Process (three entries per PID, the same 18 entries as FindShellTrayWindow)
3996 | a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe
4192 | oirhpgpvfjrzhsz.exe
2900 | tvgqidvgha.exe
4624 | bkueggjw.exe
4248 | pxlvcuxiyewhd.exe
3076 | bkueggjw.exe

Suspicious use of SetWindowsHookEx 7 IoCs
Processes: WINWORD.EXE
pid | Process (seven entries)
3192 | WINWORD.EXE

Suspicious use of WriteProcessMemory 17 IoCs
Processes: a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe, tvgqidvgha.exe
description | pid | Process | procid_target
PID 3996 wrote to memory of 2900 (3 entries) | 3996 | a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe | 83
PID 3996 wrote to memory of 4192 (3 entries) | 3996 | a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe | 84
PID 3996 wrote to memory of 4624 (3 entries) | 3996 | a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe | 85
PID 3996 wrote to memory of 4248 (3 entries) | 3996 | a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe | 86
PID 3996 wrote to memory of 3192 (2 entries) | 3996 | a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe | 87
PID 2900 wrote to memory of 3076 (3 entries) | 2900 | tvgqidvgha.exe | 90
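The "Processes:" rows in the signatures above are tables flattened to one line: the list of process names, then the column headers (description ioc Process, pid Process, or description pid Process procid_target), then the rows run together with a trailing "-". The Python below is an added example, not part of this report or of the sandbox: it splits such rows back into records and rebuilds the process tree from the WriteProcessMemory rows, which is what you need to turn a page like this into IoCs for a detection rule or a ticket. The sample rows are copied from this page (shortened); the row grammar the regular expressions encode is inferred from those rows and is an assumption.

```python
# Added example (not part of the report): split the flattened "Processes:" rows of
# this sandbox report into records and rebuild the process tree from the
# WriteProcessMemory rows.  The row grammar is inferred from the rows on this page
# (an assumption); the sample rows below are copied from the report, shortened.
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Header prefix: "<names>description ioc Process " or "<names>pid Process [procid_target ]"
HEADER = re.compile(r"^.*?\bProcess\s+(?:procid_target\s+)?")
# One event: action, lazy argument, acting process.  The lookahead stops the argument at
# the real process name rather than at a path component that happens to end in .exe.
EVENT = re.compile(
    r"(?P<action>File created|File opened for modification|File opened \(read-only\)|"
    r"Key created|Key opened|Key value queried|Set value \((?:int|str)\))\s+"
    r"(?P<arg>.+?)\s+(?P<proc>\S+\.exe)(?=\s+(?:File |Key |Set value|PID )|\s*$)",
    re.IGNORECASE)
SETVAL = re.compile(r'^(?P<path>.+?)\s+=\s+"(?P<value>.*)"$')
PIDROW = re.compile(r"(?P<pid>\d+)\s+(?P<proc>\S+\.exe)", re.IGNORECASE)
WPM = re.compile(r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<proc>\S+\.exe) \d+",
                 re.IGNORECASE)


@dataclass(frozen=True)
class Event:
    action: str
    path: str
    value: str | None   # only for "Set value" rows
    process: str


def _body(row: str) -> str:
    """Drop the column header and the trailing ' -' the page appends to each row."""
    return HEADER.sub("", row.strip().rstrip("-").strip(), count=1)


def parse_events(row: str) -> list[Event]:
    events = []
    for m in EVENT.finditer(_body(row)):
        path, value = m["arg"], None
        if m["action"].lower().startswith("set value"):
            sv = SETVAL.match(path)          # split '<path> = "<data>"'
            if sv:
                path, value = sv["path"], sv["value"]
        events.append(Event(m["action"], path, value, m["proc"]))
    return events


def parse_pids(row: str) -> dict[int, str]:
    """'pid Process' rows (Executes dropped EXE, EnumeratesProcesses, ...)."""
    return {int(m["pid"]): m["proc"] for m in PIDROW.finditer(_body(row))}


def parse_tree(wpm_row: str) -> tuple[dict[int, set[int]], dict[int, str]]:
    """WriteProcessMemory rows: parent pid -> child pids, plus the parent names they carry."""
    children, names = defaultdict(set), {}
    for m in WPM.finditer(_body(wpm_row)):
        children[int(m["src"])].add(int(m["dst"]))
        names[int(m["src"])] = m["proc"]
    return dict(children), names


def render_tree(children: dict[int, set[int]], names: dict[int, str],
                root: int, depth: int = 0) -> list[str]:
    lines = [f"{'  ' * depth}{root} {names.get(root, '?')}"]
    for child in sorted(children.get(root, ())):
        lines.extend(render_tree(children, names, child, depth + 1))
    return lines


# Sample rows copied from this report (shortened): constructed input for the example.
RUN_ROW = (r'oirhpgpvfjrzhsz.exedescription ioc Process '
           r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ozeqhmwc = "tvgqidvgha.exe" oirhpgpvfjrzhsz.exe '
           r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mrfafrja = "oirhpgpvfjrzhsz.exe" oirhpgpvfjrzhsz.exe '
           r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "pxlvcuxiyewhd.exe" oirhpgpvfjrzhsz.exe -')
FILE_ROW = (r'bkueggjw.exedescription ioc Process '
            r'File created C:\Windows\SysWOW64\oirhpgpvfjrzhsz.exe a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe '
            r'File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe bkueggjw.exe '
            r'File opened (read-only) \??\b: bkueggjw.exe -')
PID_ROW = (r'tvgqidvgha.exeoirhpgpvfjrzhsz.exebkueggjw.exepxlvcuxiyewhd.exebkueggjw.exepid Process '
           r'2900 tvgqidvgha.exe 4192 oirhpgpvfjrzhsz.exe 4624 bkueggjw.exe 4248 pxlvcuxiyewhd.exe 3076 bkueggjw.exe -')
WORD_ROW = r'WINWORD.EXEpid Process 3192 WINWORD.EXE 3192 WINWORD.EXE -'
WPM_ROW = ('a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exetvgqidvgha.exedescription pid Process procid_target '
           'PID 3996 wrote to memory of 2900 3996 a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe 83 '
           'PID 3996 wrote to memory of 4192 3996 a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe 84 '
           'PID 3996 wrote to memory of 4624 3996 a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe 85 '
           'PID 3996 wrote to memory of 4248 3996 a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe 86 '
           'PID 3996 wrote to memory of 3192 3996 a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe 87 '
           'PID 2900 wrote to memory of 3076 2900 tvgqidvgha.exe 90')

if __name__ == "__main__":
    for e in parse_events(RUN_ROW) + parse_events(FILE_ROW):
        print(e)
    children, names = parse_tree(WPM_ROW)
    names.update(parse_pids(PID_ROW))
    names.update(parse_pids(WORD_ROW))
    print("\n".join(render_tree(children, names, 3996)))
```

The tree the WriteProcessMemory rows yield (3996 spawning 2900, 4192, 4624, 4248 and 3192; 2900 spawning 3076) matches the Processes section below, which is a useful cross-check when a report's tree is truncated. Paths that contain spaces (Program Files, Control Panel) and registry data that itself ends in .exe (the Run values) are the two cases the lazy argument plus lookahead is there to handle.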
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a30314302457d8c62b1a1e3bb102d350_JaffaCakes118.exe"
  PID: 3996
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\SysWOW64\tvgqidvgha.exe
    Command line: tvgqidvgha.exe
    PID: 2900
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\SysWOW64\bkueggjw.exe
      Command line: C:\Windows\system32\bkueggjw.exe (the 32-bit parent's System32 reference is redirected to SysWOW64 by WOW64 file system redirection, which is why the image path differs from the command line)
      PID: 3076
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  Level 2: C:\Windows\SysWOW64\oirhpgpvfjrzhsz.exe
    Command line: oirhpgpvfjrzhsz.exe
    PID: 4192
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  Level 2: C:\Windows\SysWOW64\bkueggjw.exe
    Command line: bkueggjw.exe
    PID: 4624
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  Level 2: C:\Windows\SysWOW64\pxlvcuxiyewhd.exe
    Command line: pxlvcuxiyewhd.exe
    PID: 4248
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  Level 2: C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    PID: 3192
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    Word is launched on C:\Windows\mydoc.rtf, which the sample itself opened for modification first (see Drops file in Windows directory), so the document shown to the user is supplied by the sample.
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (6)
Downloads

Filesize: 512KB
MD5: 608a860f3516817774bb1cca9546c5a0
SHA1: a60e97d237e2944cf476cbaff585ac06a2f8a5a6
SHA256: 21fa3fd3fa83ebacdfaec741e3ff2cae1fce1bc71128fa3ab03faef2c4a7a0f6
SHA512: f1d47e54585823a425327e3c637eefb724224817c45dff65c4c93441c32c8e0b6af3db350b4f432cbc1721fc230d9184a99305c3483d0652c365fce3a58dc6e9

Filesize: 512KB
MD5: 341c0888f9f8c73ea176273320721b3d
SHA1: 1f5bffa32ea268dcf1f0d436c43d661974f1ae0f
SHA256: 6857807703999e1960990248be1dbf9925b06b75955b95d81d1740da13219a20
SHA512: bece41bcf94421fe40e604aaef123898a3a21f8ee3aabc775ad80a09fc95831206e1c3a17b4b5af1ac75ad425dd5417a0511c559ee9dab3271d044e17d34aef1

Filesize: 247B
MD5: 1b529425a37b1334b8b33ebd890269a4
SHA1: 84768e6475b45e3431d5dd62968dde9b92bcb799
SHA256: 774609fb895e024729e533b8420e732453a0f7ad9cc4599a871157b4f2ca0440
SHA512: 8d82cb100fb6e979061a2a86aedf2f77de9bb5abf4431ed7add5c75d04988a3cd747119ade26856e8c2fdf7fe75e6aedf0025f2015e525b6835c80cfa2eff295

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851227[[fn=sist02]].xsl
Filesize: 245KB
MD5: f883b260a8d67082ea895c14bf56dd56
SHA1: 7954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256: ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512: d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: 5bdcc53f85a8777aa054b2f9159035ae
SHA1: ea8f454bce486d7189b7304306d63a07fad58f6b
SHA256: 23df8e3803e4f0b52ab520b83943fb94c13fa6f2d7790b7631f795a56735bd2b
SHA512: 0e286479b2a12ee2681588483fe5cd1090013a6c7711c0faff127102e73faf3275ecfcbe8c06ffe35b7d5411165fbb2b6fe3b4cc426d906d7c7cb82249e545ae

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: be3260ef8b35b4d3f3a824bfcd84411b
SHA1: 870b64870812295ae2cc15288c25cdea4f2b91f9
SHA256: f3a1411d2cc0bc61209b7ffb82005d21e6cff39142c1f5287497f88cf1d6c4b2
SHA512: 83eba4907371cf1f68417d5335efa9577c556aa1aad33bcb68e01f419a37ed599b9cce60ecf7970ef2803cc5a663b8782b2e48c539659b9a17cb89bcaad6970e

Filesize: 512KB
MD5: a635b0094f9760a49c0ab26686bf6aa8
SHA1: 61b846e504741e2efc60c90783bc6c8e1363580a
SHA256: 676f504d41c26957bd6166ca346f74aab2ac94285e24d8e6361bf14aa34d8a9a
SHA512: 8deb9f3d0d1b83ebd69f153c0528fc474ab5494ab622d617048c0532fd3c37a352695d73ee4bb80b195f74cbc53ade7d660a0ce1bbb445a725d003dff7c562cb

Filesize: 512KB
MD5: ad7d150adeac7feca9e1eba563266a1b
SHA1: f5c779c34c0abb8ad97b07c501af33e3e5ebd66d
SHA256: c8bf72fb5f687fa7ccd1caab1d686ed00dd07d49516f9597ab717399e34f5c6d
SHA512: c0e98fab17deee8984f62e592cdf4974ccdb138211ab25cec1c149b2e050fd07c4b9f52c1722ff25c3c7edc734d1bb42d5ce7acd6ce84ceaef00111d6f554413

Filesize: 512KB
MD5: 7398bf3079170683873421ee9e425c5a
SHA1: 6e76d8744f8ddf3ab6dea9457676142909e07714
SHA256: 8295ab54495611a3c6c06e52161f61d01a648850aa2e2d4d3ccf70ba886fc237
SHA512: b703fa84181763b293ffb04c7378b0d9031b227a1eef617d1d715a75546fa77732af8891a9f6b016976ed520c3be6e36e808b08722e3b8e7d0b6da031c05bdc1

Filesize: 512KB
MD5: e0c6eda7448c915adea60cb294d69c5c
SHA1: d1198e5543d18c2be168306f6f1e94c1d048d381
SHA256: b7d48ea5e83d587f35b96e23f0801620e7f8b5f76740836018e31464804eb7f0
SHA512: 9d1a534e21eb467b1e4a21d2bcc7380a4c4accf1aea9112a7783aa01f118ba1915fba3551a2a6a83c76d1955b4d8fbae37a0501185d06d347c3de2bfebbde400

Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Filesize: 512KB
MD5: d5cfcb719d66e0f607a13dc6f5e23787
SHA1: 2bd2c88273c8a9381987b41fe44ff4aa51dc6ff2
SHA256: 140a3215532ddabd3bb9e051a9febfc6be34bcf0f939607e5fc091fb9747813f
SHA512: f0a7d99044f1d69f4b8c15211080a16c11dff069ecb2b1891c2e3726b7ff484c45c192502f7c84f0842a267607bb77a87dc79b5ebc139588b64138cb820e79e0

Filesize: 512KB
MD5: a97422f97994dc29e406bc7d35396f38
SHA1: e43a5920751453dc214c35e66f17dcca9952acb1
SHA256: 14ea66e0281acc2136d924fa0cccb523bcb1bcac31487e015f3115fd06c14b0c
SHA512: a8f073e3fc6cb9ae2132868027fcb56796570334a2699d998d4aeb6c5f4b82da4450539d173e08e6c21bc57b8d0ce07fdaf1272466abe2d6563967a9ae734425