Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-06-2024 13:33
Static task: static1
Behavioral task: behavioral1
  Sample: a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe
Size: 512KB
MD5: a0d70dafbf56fbf8248a1a5f8a9b81cd
SHA1: 232e4d759c7a4959d1ef54f50b9a3462286f8ab9
SHA256: 2d3d7773775404e6b644e50be9dbc8fd33f373a6f1430f0fd8956f4c32548ed6
SHA512: 3051a78bfd170f5d8be770ae8ca648d59a59c1e77eac824ec2382a98df5d4f088cef26f931cde0ef12df08b257fabe930070d6c4c841e1fc3e63f117d0bb903f
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6D:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5Y
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
Processes: hvurrujxvg.exe
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | hvurrujxvg.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes: hvurrujxvg.exe
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | hvurrujxvg.exe
Windows security bypass
Processes: hvurrujxvg.exe
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | hvurrujxvg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | hvurrujxvg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | hvurrujxvg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | hvurrujxvg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | hvurrujxvg.exe
Disables RegEdit via registry modification 1 IoCs
Processes: hvurrujxvg.exe
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | hvurrujxvg.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe
Executes dropped EXE 5 IoCs
Processes: hvurrujxvg.exe, zwakkcns.exe, antmaonoyqbmjzx.exe, zezlshojmodsa.exe, zwakkcns.exe
  pid | Process
  3760 | hvurrujxvg.exe
  4616 | zwakkcns.exe
  4164 | antmaonoyqbmjzx.exe
  3704 | zezlshojmodsa.exe
  3432 | zwakkcns.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
Processes: hvurrujxvg.exe
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | hvurrujxvg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | hvurrujxvg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | hvurrujxvg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | hvurrujxvg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | hvurrujxvg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | hvurrujxvg.exe
Adds Run key to start application 2 TTPs 3 IoCs
Processes: antmaonoyqbmjzx.exe
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ezhzueko = "hvurrujxvg.exe" | antmaonoyqbmjzx.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\fpybexbd = "antmaonoyqbmjzx.exe" | antmaonoyqbmjzx.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "zezlshojmodsa.exe" | antmaonoyqbmjzx.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: zwakkcns.exe, hvurrujxvg.exe, zwakkcns.exe
  description | ioc | Process
  File opened (read-only) | \??\s: | zwakkcns.exe
  File opened (read-only) | \??\a: | hvurrujxvg.exe
  File opened (read-only) | \??\e: | hvurrujxvg.exe
  File opened (read-only) | \??\k: | hvurrujxvg.exe
  File opened (read-only) | \??\p: | hvurrujxvg.exe
  File opened (read-only) | \??\w: | hvurrujxvg.exe
  File opened (read-only) | \??\z: | hvurrujxvg.exe
  File opened (read-only) | \??\i: | zwakkcns.exe
  File opened (read-only) | \??\b: | zwakkcns.exe
  File opened (read-only) | \??\t: | zwakkcns.exe
  File opened (read-only) | \??\j: | zwakkcns.exe
  File opened (read-only) | \??\q: | zwakkcns.exe
  File opened (read-only) | \??\t: | hvurrujxvg.exe
  File opened (read-only) | \??\u: | hvurrujxvg.exe
  File opened (read-only) | \??\w: | zwakkcns.exe
  File opened (read-only) | \??\o: | zwakkcns.exe
  File opened (read-only) | \??\h: | hvurrujxvg.exe
  File opened (read-only) | \??\i: | hvurrujxvg.exe
  File opened (read-only) | \??\v: | hvurrujxvg.exe
  File opened (read-only) | \??\x: | hvurrujxvg.exe
  File opened (read-only) | \??\l: | zwakkcns.exe
  File opened (read-only) | \??\i: | zwakkcns.exe
  File opened (read-only) | \??\o: | hvurrujxvg.exe
  File opened (read-only) | \??\v: | zwakkcns.exe
  File opened (read-only) | \??\h: | zwakkcns.exe
  File opened (read-only) | \??\s: | hvurrujxvg.exe
  File opened (read-only) | \??\h: | zwakkcns.exe
  File opened (read-only) | \??\y: | zwakkcns.exe
  File opened (read-only) | \??\j: | hvurrujxvg.exe
  File opened (read-only) | \??\y: | hvurrujxvg.exe
  File opened (read-only) | \??\p: | zwakkcns.exe
  File opened (read-only) | \??\m: | zwakkcns.exe
  File opened (read-only) | \??\z: | zwakkcns.exe
  File opened (read-only) | \??\r: | hvurrujxvg.exe
  File opened (read-only) | \??\k: | zwakkcns.exe
  File opened (read-only) | \??\y: | zwakkcns.exe
  File opened (read-only) | \??\x: | zwakkcns.exe
  File opened (read-only) | \??\e: | zwakkcns.exe
  File opened (read-only) | \??\v: | zwakkcns.exe
  File opened (read-only) | \??\x: | zwakkcns.exe
  File opened (read-only) | \??\g: | hvurrujxvg.exe
  File opened (read-only) | \??\g: | zwakkcns.exe
  File opened (read-only) | \??\m: | zwakkcns.exe
  File opened (read-only) | \??\q: | zwakkcns.exe
  File opened (read-only) | \??\p: | zwakkcns.exe
  File opened (read-only) | \??\r: | zwakkcns.exe
  File opened (read-only) | \??\u: | zwakkcns.exe
  File opened (read-only) | \??\b: | zwakkcns.exe
  File opened (read-only) | \??\e: | zwakkcns.exe
  File opened (read-only) | \??\o: | zwakkcns.exe
  File opened (read-only) | \??\s: | zwakkcns.exe
  File opened (read-only) | \??\w: | zwakkcns.exe
  File opened (read-only) | \??\b: | hvurrujxvg.exe
  File opened (read-only) | \??\j: | zwakkcns.exe
  File opened (read-only) | \??\z: | zwakkcns.exe
  File opened (read-only) | \??\k: | zwakkcns.exe
  File opened (read-only) | \??\t: | zwakkcns.exe
  File opened (read-only) | \??\n: | hvurrujxvg.exe
  File opened (read-only) | \??\n: | zwakkcns.exe
  File opened (read-only) | \??\m: | hvurrujxvg.exe
  File opened (read-only) | \??\q: | hvurrujxvg.exe
  File opened (read-only) | \??\r: | zwakkcns.exe
  File opened (read-only) | \??\u: | zwakkcns.exe
  File opened (read-only) | \??\l: | zwakkcns.exe
Modifies WinLogon 2 TTPs 2 IoCs
Processes: hvurrujxvg.exe
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | hvurrujxvg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | hvurrujxvg.exe
AutoIT Executable 11 IoCs
AutoIT scripts compiled to PE executables.
Processes:
  resource | yara_rule
  behavioral2/memory/3040-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
  behavioral2/files/0x00070000000233f8-5.dat | autoit_exe
  behavioral2/files/0x00080000000233f4-18.dat | autoit_exe
  behavioral2/files/0x00070000000233f9-24.dat | autoit_exe
  behavioral2/files/0x00070000000233fa-32.dat | autoit_exe
  behavioral2/files/0x000300000000070b-60.dat | autoit_exe
  behavioral2/files/0x0003000000000715-63.dat | autoit_exe
  behavioral2/files/0x000a000000016fd9-69.dat | autoit_exe
  behavioral2/files/0x000600000001d8b7-73.dat | autoit_exe
  behavioral2/files/0x000400000001e502-94.dat | autoit_exe
  behavioral2/files/0x000400000001e502-96.dat | autoit_exe
Drops file in System32 directory 12 IoCs
Processes: a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe, hvurrujxvg.exe, zwakkcns.exe, zwakkcns.exe
  description | ioc | Process
  File created | C:\Windows\SysWOW64\antmaonoyqbmjzx.exe | a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\antmaonoyqbmjzx.exe | a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe
  File created | C:\Windows\SysWOW64\zwakkcns.exe | a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\zwakkcns.exe | a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe
  File created | C:\Windows\SysWOW64\zezlshojmodsa.exe | a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\zezlshojmodsa.exe | a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | hvurrujxvg.exe
  File opened for modification | C:\Windows\SysWOW64\hvurrujxvg.exe | a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe
  File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | zwakkcns.exe
  File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | zwakkcns.exe
  File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | zwakkcns.exe
  File created | C:\Windows\SysWOW64\hvurrujxvg.exe | a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe
Drops file in Program Files directory 28 IoCs
Processes: zwakkcns.exe, zwakkcns.exe
  description | ioc | Process
  File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | zwakkcns.exe
  File created | \??\c:\Program Files\TestDebug.doc.exe | zwakkcns.exe
  File opened for modification | C:\Program Files\TestDebug.doc.exe | zwakkcns.exe
  File opened for modification | C:\Program Files\TestDebug.nal | zwakkcns.exe
  File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | zwakkcns.exe
  File created | \??\c:\Program Files\MountUnpublish.doc.exe | zwakkcns.exe
  File opened for modification | \??\c:\Program Files\MountUnpublish.doc.exe | zwakkcns.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | zwakkcns.exe
  File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | zwakkcns.exe
  File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | zwakkcns.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | zwakkcns.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | zwakkcns.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | zwakkcns.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | zwakkcns.exe
  File opened for modification | C:\Program Files\MountUnpublish.nal | zwakkcns.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | zwakkcns.exe
  File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | zwakkcns.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | zwakkcns.exe
  File opened for modification | C:\Program Files\MountUnpublish.nal | zwakkcns.exe
  File opened for modification | C:\Program Files\TestDebug.nal | zwakkcns.exe
  File opened for modification | \??\c:\Program Files\TestDebug.doc.exe | zwakkcns.exe
  File opened for modification | \??\c:\Program Files\TestDebug.doc.exe | zwakkcns.exe
  File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | zwakkcns.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | zwakkcns.exe
  File opened for modification | \??\c:\Program Files\MountUnpublish.doc.exe | zwakkcns.exe
  File opened for modification | C:\Program Files\MountUnpublish.doc.exe | zwakkcns.exe
  File opened for modification | C:\Program Files\TestDebug.doc.exe | zwakkcns.exe
  File opened for modification | C:\Program Files\MountUnpublish.doc.exe | zwakkcns.exe
Drops file in Windows directory 19 IoCs
Processes: zwakkcns.exe, zwakkcns.exe, a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe, WINWORD.EXE
  description | ioc | Process
  File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | zwakkcns.exe
  File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | zwakkcns.exe
  File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | zwakkcns.exe
  File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | zwakkcns.exe
  File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | zwakkcns.exe
  File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | zwakkcns.exe
  File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | zwakkcns.exe
  File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | zwakkcns.exe
  File opened for modification | C:\Windows\mydoc.rtf | a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe
  File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
  File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
  File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | zwakkcns.exe
  File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | zwakkcns.exe
  File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | zwakkcns.exe
  File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | zwakkcns.exe
  File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | zwakkcns.exe
  File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | zwakkcns.exe
  File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | zwakkcns.exe
  File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | zwakkcns.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: WINWORD.EXE
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class 20 IoCs
Processes: hvurrujxvg.exe, a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | hvurrujxvg.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | hvurrujxvg.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | hvurrujxvg.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | hvurrujxvg.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33322D7E9D2C82226D3E77D570552DD67CF164DE" | a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EC1B02D47EF39E953C5BAD1329BD4C5" | a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FFBFF824F2A851D9042D72F7DE1BDE7E144593167436246D7EC" | a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | hvurrujxvg.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | hvurrujxvg.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | hvurrujxvg.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | hvurrujxvg.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | hvurrujxvg.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | hvurrujxvg.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | hvurrujxvg.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | hvurrujxvg.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AB4FABAFE10F194830E3B3786EE39E5B3FD038A4311034FE1C445EA09A2" | a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F468C6FE6C22A9D10CD0D28A0B9165" | a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "183DC70E1490DAC0B8C17F95EDE734CD" | a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe
  Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings | a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes: WINWORD.EXE
  pid | Process
  3920 | WINWORD.EXE
  3920 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe, zwakkcns.exe, hvurrujxvg.exe, antmaonoyqbmjzx.exe, zezlshojmodsa.exe, zwakkcns.exe
  pid | Process
  3040 | a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe
  3040 | a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe
  3040 | a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe
  3040 | a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe
  3040 | a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe
  3040 | a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe
  3040 | a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe
  3040 | a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe
  3040 | a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe
  3040 | a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe
  3040 | a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe
  3040 | a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe
  3040 | a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe
  3040 | a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe
  3040 | a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe
  3040 | a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe
  4616 | zwakkcns.exe
  4616 | zwakkcns.exe
  4616 | zwakkcns.exe
  4616 | zwakkcns.exe
  4616 | zwakkcns.exe
  4616 | zwakkcns.exe
  4616 | zwakkcns.exe
  4616 | zwakkcns.exe
  3760 | hvurrujxvg.exe
  3760 | hvurrujxvg.exe
  3760 | hvurrujxvg.exe
  3760 | hvurrujxvg.exe
  3760 | hvurrujxvg.exe
  3760 | hvurrujxvg.exe
  3760 | hvurrujxvg.exe
  3760 | hvurrujxvg.exe
  3760 | hvurrujxvg.exe
  3760 | hvurrujxvg.exe
  4164 | antmaonoyqbmjzx.exe
  4164 | antmaonoyqbmjzx.exe
  4164 | antmaonoyqbmjzx.exe
  4164 | antmaonoyqbmjzx.exe
  4164 | antmaonoyqbmjzx.exe
  4164 | antmaonoyqbmjzx.exe
  4164 | antmaonoyqbmjzx.exe
  4164 | antmaonoyqbmjzx.exe
  4164 | antmaonoyqbmjzx.exe
  4164 | antmaonoyqbmjzx.exe
  3704 | zezlshojmodsa.exe
  3704 | zezlshojmodsa.exe
  3704 | zezlshojmodsa.exe
  3704 | zezlshojmodsa.exe
  3704 | zezlshojmodsa.exe
  3704 | zezlshojmodsa.exe
  3704 | zezlshojmodsa.exe
  3704 | zezlshojmodsa.exe
  3704 | zezlshojmodsa.exe
  3704 | zezlshojmodsa.exe
  3704 | zezlshojmodsa.exe
  3704 | zezlshojmodsa.exe
  3432 | zwakkcns.exe
  3432 | zwakkcns.exe
  3432 | zwakkcns.exe
  3432 | zwakkcns.exe
  3432 | zwakkcns.exe
  3432 | zwakkcns.exe
  3432 | zwakkcns.exe
  3432 | zwakkcns.exe
Suspicious use of FindShellTrayWindow 18 IoCs
Processes: a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe, hvurrujxvg.exe, antmaonoyqbmjzx.exe, zwakkcns.exe, zezlshojmodsa.exe, zwakkcns.exe
  pid | Process
  3040 | a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe
  3040 | a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe
  3040 | a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe
  3760 | hvurrujxvg.exe
  3760 | hvurrujxvg.exe
  3760 | hvurrujxvg.exe
  4164 | antmaonoyqbmjzx.exe
  4616 | zwakkcns.exe
  4164 | antmaonoyqbmjzx.exe
  4616 | zwakkcns.exe
  4616 | zwakkcns.exe
  4164 | antmaonoyqbmjzx.exe
  3704 | zezlshojmodsa.exe
  3704 | zezlshojmodsa.exe
  3704 | zezlshojmodsa.exe
  3432 | zwakkcns.exe
  3432 | zwakkcns.exe
  3432 | zwakkcns.exe
Suspicious use of SendNotifyMessage 18 IoCs
Processes: a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe, hvurrujxvg.exe, antmaonoyqbmjzx.exe, zwakkcns.exe, zezlshojmodsa.exe, zwakkcns.exe
  pid | Process
  3040 | a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe
  3040 | a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe
  3040 | a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe
  3760 | hvurrujxvg.exe
  3760 | hvurrujxvg.exe
  3760 | hvurrujxvg.exe
  4164 | antmaonoyqbmjzx.exe
  4616 | zwakkcns.exe
  4164 | antmaonoyqbmjzx.exe
  4616 | zwakkcns.exe
  4616 | zwakkcns.exe
  4164 | antmaonoyqbmjzx.exe
  3704 | zezlshojmodsa.exe
  3704 | zezlshojmodsa.exe
  3704 | zezlshojmodsa.exe
  3432 | zwakkcns.exe
  3432 | zwakkcns.exe
  3432 | zwakkcns.exe
Suspicious use of SetWindowsHookEx 7 IoCs
Processes: WINWORD.EXE
  pid | Process
  3920 | WINWORD.EXE
  3920 | WINWORD.EXE
  3920 | WINWORD.EXE
  3920 | WINWORD.EXE
  3920 | WINWORD.EXE
  3920 | WINWORD.EXE
  3920 | WINWORD.EXE
Suspicious use of WriteProcessMemory 17 IoCs
Processes: a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe, hvurrujxvg.exe
  description | pid | Process | procid_target
  PID 3040 wrote to memory of 3760 | 3040 | a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe | 80
  PID 3040 wrote to memory of 3760 | 3040 | a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe | 80
  PID 3040 wrote to memory of 3760 | 3040 | a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe | 80
  PID 3040 wrote to memory of 4164 | 3040 | a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe | 81
  PID 3040 wrote to memory of 4164 | 3040 | a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe | 81
  PID 3040 wrote to memory of 4164 | 3040 | a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe | 81
  PID 3040 wrote to memory of 4616 | 3040 | a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe | 82
  PID 3040 wrote to memory of 4616 | 3040 | a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe | 82
  PID 3040 wrote to memory of 4616 | 3040 | a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe | 82
  PID 3040 wrote to memory of 3704 | 3040 | a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe | 83
  PID 3040 wrote to memory of 3704 | 3040 | a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe | 83
  PID 3040 wrote to memory of 3704 | 3040 | a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe | 83
  PID 3040 wrote to memory of 3920 | 3040 | a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe | 84
  PID 3040 wrote to memory of 3920 | 3040 | a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe | 84
  PID 3760 wrote to memory of 3432 | 3760 | hvurrujxvg.exe | 86
  PID 3760 wrote to memory of 3432 | 3760 | hvurrujxvg.exe | 86
  PID 3760 wrote to memory of 3432 | 3760 | hvurrujxvg.exe | 86
Processes
C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a0d70dafbf56fbf8248a1a5f8a9b81cd_JaffaCakes118.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 3040
  C:\Windows\SysWOW64\hvurrujxvg.exe (level 2)
    Command line: hvurrujxvg.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID: 3760
    C:\Windows\SysWOW64\zwakkcns.exe (level 3)
      Command line: C:\Windows\system32\zwakkcns.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      PID: 3432
  C:\Windows\SysWOW64\antmaonoyqbmjzx.exe (level 2)
    Command line: antmaonoyqbmjzx.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 4164
  C:\Windows\SysWOW64\zwakkcns.exe (level 2)
    Command line: zwakkcns.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 4616
  C:\Windows\SysWOW64\zezlshojmodsa.exe (level 2)
    Command line: zezlshojmodsa.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 3704
  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (level 2)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID: 3920
Network
MITRE ATT&CK Enterprise v15
Tactic | Technique | Count
Persistence | Boot or Logon Autostart Execution | 2
Persistence | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | 1
Persistence | Boot or Logon Autostart Execution: Winlogon Helper DLL | 1
Privilege Escalation | Boot or Logon Autostart Execution | 2
Privilege Escalation | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | 1
Privilege Escalation | Boot or Logon Autostart Execution: Winlogon Helper DLL | 1
Defense Evasion | Hide Artifacts | 2
Defense Evasion | Hide Artifacts: Hidden Files and Directories | 2
Defense Evasion | Impair Defenses | 2
Defense Evasion | Impair Defenses: Disable or Modify Tools | 2
Defense Evasion | Modify Registry | 6
Downloads