Analysis
max time kernel: 148s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-06-2024 23:55

Static task: static1
Behavioral task: behavioral1
  Sample: a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe
Size: 512KB
MD5: a306ebcea41dcb77700c72aafdb992c4
SHA1: e41b256f2a196aa6ce43309b07925eb6072d993a
SHA256: 3b6df89f59c1adcef354652073d26161b41c47df8af04d3e71a82e7c2dd35253
SHA512: aa380355b6598831253a3634b3fdaeb47b0be05621e488d715f60cf754c3c411ba5964f9b0ef5b47b5ee41a97b4de318731e5b0e2fd8b6766c364c4f8a8a630c
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6g:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5d

Malware Config

Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
Processes: hvayyrehdq.exe
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | hvayyrehdq.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes: hvayyrehdq.exe
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | hvayyrehdq.exe
Windows security bypass 5 IoCs
Processes: hvayyrehdq.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | hvayyrehdq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | hvayyrehdq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | hvayyrehdq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | hvayyrehdq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | hvayyrehdq.exe
Disables RegEdit via registry modification 1 IoCs
Processes: hvayyrehdq.exe
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | hvayyrehdq.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe
Executes dropped EXE 5 IoCs
Processes: hvayyrehdq.exe, yravpdglyvuyyni.exe, buwcqimh.exe, wanzzvdiprxwc.exe, buwcqimh.exe
pid | Process
3092 | hvayyrehdq.exe
1868 | yravpdglyvuyyni.exe
2204 | buwcqimh.exe
5068 | wanzzvdiprxwc.exe
3472 | buwcqimh.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 6 IoCs
Processes: hvayyrehdq.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | hvayyrehdq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | hvayyrehdq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | hvayyrehdq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | hvayyrehdq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | hvayyrehdq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | hvayyrehdq.exe
Adds Run key to start application 2 TTPs 3 IoCs
Processes: yravpdglyvuyyni.exe
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vibspexo = "hvayyrehdq.exe" | yravpdglyvuyyni.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mndaethr = "yravpdglyvuyyni.exe" | yravpdglyvuyyni.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "wanzzvdiprxwc.exe" | yravpdglyvuyyni.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: buwcqimh.exe, hvayyrehdq.exe, buwcqimh.exe
description | ioc | Process
File opened (read-only) | \??\r:, \??\t:, \??\x:, \??\q:, \??\s:, \??\z:, \??\h:, \??\i:, \??\m:, \??\a:, \??\y:, \??\b:, \??\w:, \??\p:, \??\v:, \??\k:, \??\e:, \??\g:, \??\j:, \??\o:, \??\u: (21 entries, in the order reported) | hvayyrehdq.exe
File opened (read-only) | \??\h:, \??\k:, \??\v:, \??\y:, \??\y:, \??\w:, \??\i:, \??\u:, \??\o:, \??\a:, \??\b:, \??\m:, \??\o:, \??\b:, \??\m:, \??\s:, \??\e:, \??\n:, \??\x:, \??\t:, \??\e:, \??\l:, \??\r:, \??\n:, \??\h:, \??\z:, \??\j:, \??\p:, \??\z:, \??\p:, \??\x:, \??\g:, \??\u:, \??\q:, \??\t:, \??\j:, \??\i:, \??\k:, \??\l:, \??\v:, \??\r:, \??\a:, \??\g: (43 entries, in the order reported; two buwcqimh.exe instances, PIDs 2204 and 3472, so letters repeat) | buwcqimh.exe
Modifies WinLogon 2 TTPs 2 IoCs
Processes: hvayyrehdq.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | hvayyrehdq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | hvayyrehdq.exe
AutoIT Executable 10 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource | yara_rule
behavioral2/memory/3940-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x000700000002355a-5.dat | autoit_exe
behavioral2/files/0x0008000000023556-18.dat | autoit_exe
behavioral2/files/0x000700000002355b-27.dat | autoit_exe
behavioral2/files/0x000700000002355c-31.dat | autoit_exe
behavioral2/files/0x0003000000000713-57.dat | autoit_exe
behavioral2/files/0x001300000000074f-63.dat | autoit_exe
behavioral2/files/0x00090000000168e3-66.dat | autoit_exe
behavioral2/files/0x000d000000016906-86.dat | autoit_exe
behavioral2/files/0x000d000000016906-99.dat | autoit_exe
Drops file in System32 directory 13 IoCs
Processes: buwcqimh.exe, a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe, buwcqimh.exe, hvayyrehdq.exe
description | ioc | Process
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | buwcqimh.exe
File created | C:\Windows\SysWOW64\hvayyrehdq.exe | a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\yravpdglyvuyyni.exe | a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\wanzzvdiprxwc.exe | a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | buwcqimh.exe
File opened for modification | C:\Windows\SysWOW64\buwcqimh.exe | a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | hvayyrehdq.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | buwcqimh.exe
File opened for modification | C:\Windows\SysWOW64\hvayyrehdq.exe | a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\yravpdglyvuyyni.exe | a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\buwcqimh.exe | a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\wanzzvdiprxwc.exe | a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | buwcqimh.exe
Drops file in Program Files directory 14 IoCs
Processes: buwcqimh.exe, buwcqimh.exe
description | ioc | Process
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | buwcqimh.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | buwcqimh.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | buwcqimh.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | buwcqimh.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | buwcqimh.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | buwcqimh.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | buwcqimh.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | buwcqimh.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | buwcqimh.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | buwcqimh.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | buwcqimh.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | buwcqimh.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | buwcqimh.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | buwcqimh.exe
Drops file in Windows directory 19 IoCs
Processes: buwcqimh.exe, buwcqimh.exe, a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe, WINWORD.EXE
description | ioc | Process
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | buwcqimh.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | buwcqimh.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | buwcqimh.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | buwcqimh.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | buwcqimh.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | buwcqimh.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | buwcqimh.exe
File opened for modification | C:\Windows\mydoc.rtf | a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | buwcqimh.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | buwcqimh.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | buwcqimh.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | buwcqimh.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | buwcqimh.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | buwcqimh.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | buwcqimh.exe
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | buwcqimh.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | buwcqimh.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: WINWORD.EXE
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Modifies registry class 20 IoCs
Processes: a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe, hvayyrehdq.exe
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184DC67F15E6DAC5B8C17FE0ED9637CB" | a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | hvayyrehdq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | hvayyrehdq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | hvayyrehdq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | hvayyrehdq.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | hvayyrehdq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | hvayyrehdq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | hvayyrehdq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | hvayyrehdq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | hvayyrehdq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33322D7E9C5782566D3577D270232CD67DF365D8" | a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8FFFF9482E821B9032D6217D91BDE4E6325845664F6242D7EE" | a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F76BC3FE6622DBD10BD0D28B0E9165" | a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | hvayyrehdq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | hvayyrehdq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BBCF9CDF917F2E484093B45869C39E4B3FD038B4214024BE2BE42EE08A3" | a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB2B02F4490399A52CFBAA23298D7CE" | a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | hvayyrehdq.exe
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings | a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes: WINWORD.EXE
pid | Process
4272 | WINWORD.EXE (reported 2 times)
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe, hvayyrehdq.exe, yravpdglyvuyyni.exe, wanzzvdiprxwc.exe, buwcqimh.exe, buwcqimh.exe
pid | Process
3940 | a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe (reported 16 times)
3092 | hvayyrehdq.exe (reported 10 times)
1868 | yravpdglyvuyyni.exe (reported 10 times)
5068 | wanzzvdiprxwc.exe (reported 12 times)
2204 | buwcqimh.exe (reported 8 times)
3472 | buwcqimh.exe (reported 8 times)
Suspicious use of FindShellTrayWindow 18 IoCs
Processes: a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe, hvayyrehdq.exe, yravpdglyvuyyni.exe, buwcqimh.exe, wanzzvdiprxwc.exe, buwcqimh.exe
pid | Process
3940 | a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe (reported 3 times)
3092 | hvayyrehdq.exe (reported 3 times)
1868 | yravpdglyvuyyni.exe
2204 | buwcqimh.exe
1868 | yravpdglyvuyyni.exe
2204 | buwcqimh.exe
1868 | yravpdglyvuyyni.exe
2204 | buwcqimh.exe
5068 | wanzzvdiprxwc.exe (reported 3 times)
3472 | buwcqimh.exe (reported 3 times)
Suspicious use of SendNotifyMessage 18 IoCs
Processes: a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe, hvayyrehdq.exe, yravpdglyvuyyni.exe, buwcqimh.exe, wanzzvdiprxwc.exe, buwcqimh.exe
pid | Process
3940 | a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe (reported 3 times)
3092 | hvayyrehdq.exe (reported 3 times)
1868 | yravpdglyvuyyni.exe
2204 | buwcqimh.exe
1868 | yravpdglyvuyyni.exe
2204 | buwcqimh.exe
1868 | yravpdglyvuyyni.exe
2204 | buwcqimh.exe
5068 | wanzzvdiprxwc.exe (reported 3 times)
3472 | buwcqimh.exe (reported 3 times)
Suspicious use of SetWindowsHookEx 7 IoCs
Processes: WINWORD.EXE
pid | Process
4272 | WINWORD.EXE (reported 7 times)
Suspicious use of WriteProcessMemory 17 IoCs
Processes: a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe, hvayyrehdq.exe
description | pid | Process | procid_target
PID 3940 wrote to memory of 3092 | 3940 | a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe | 89 (reported 3 times)
PID 3940 wrote to memory of 1868 | 3940 | a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe | 90 (reported 3 times)
PID 3940 wrote to memory of 2204 | 3940 | a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe | 91 (reported 3 times)
PID 3940 wrote to memory of 5068 | 3940 | a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe | 92 (reported 3 times)
PID 3940 wrote to memory of 4272 | 3940 | a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe | 93 (reported 2 times)
PID 3092 wrote to memory of 3472 | 3092 | hvayyrehdq.exe | 95 (reported 3 times)
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a306ebcea41dcb77700c72aafdb992c4_JaffaCakes118.exe"
  PID: 3940
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  Depth 2: C:\Windows\SysWOW64\hvayyrehdq.exe
    Command line: hvayyrehdq.exe
    PID: 3092
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    Depth 3: C:\Windows\SysWOW64\buwcqimh.exe
      Command line: C:\Windows\system32\buwcqimh.exe
      PID: 3472
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  Depth 2: C:\Windows\SysWOW64\yravpdglyvuyyni.exe
    Command line: yravpdglyvuyyni.exe
    PID: 1868
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  Depth 2: C:\Windows\SysWOW64\buwcqimh.exe
    Command line: buwcqimh.exe
    PID: 2204
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  Depth 2: C:\Windows\SysWOW64\wanzzvdiprxwc.exe
    Command line: wanzzvdiprxwc.exe
    PID: 5068
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  Depth 2: C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    PID: 4272
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx

Depth 1: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1300,i,7012731823941922179,12386606396608877869,262144 --variations-seed-version --mojo-platform-channel-handle=4348 /prefetch:8
  PID: 1736
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (6)
Downloads