Analysis
max time kernel: 151s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-06-2024 00:06
Static task: static1
Behavioral task: behavioral1
  Sample: a31224d26b26443ef664482c59a05399_JaffaCakes118.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: a31224d26b26443ef664482c59a05399_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
Target: a31224d26b26443ef664482c59a05399_JaffaCakes118.exe
Size: 512KB
MD5: a31224d26b26443ef664482c59a05399
SHA1: eb1d2af0c1ddaca31f291a742ed4e13b46a62dc9
SHA256: 96d822e1de3f50016ea9cd158071698714cb0aa5dd2da3d86d82c987604196c8
SHA512: 5ea5307184aedb90d0f89434cb9378a0e7f8eb7bb354f5a8d674314981f6db40403a863c6b6f2ce878b221d726a2e4e527b02335dc12aa08ceab3adfd1fbc47b
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6o:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5N
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
Processes:
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | khfjvspmqr.exe
-
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes:
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | khfjvspmqr.exe
-
Windows security bypass
Processes:
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | khfjvspmqr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | khfjvspmqr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | khfjvspmqr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | khfjvspmqr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | khfjvspmqr.exe
-
Disables RegEdit via registry modification 1 IoCs
Processes:
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | khfjvspmqr.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | a31224d26b26443ef664482c59a05399_JaffaCakes118.exe
-
Executes dropped EXE 5 IoCs
Processes:
pid | Process
1592 | khfjvspmqr.exe
3256 | mkvnsxlhfzfsvde.exe
928 | bxzdtjoj.exe
908 | viadpnxblugim.exe
4088 | bxzdtjoj.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification
Processes:
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | khfjvspmqr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | khfjvspmqr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | khfjvspmqr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | khfjvspmqr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | khfjvspmqr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | khfjvspmqr.exe
-
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\swkvjihf = "mkvnsxlhfzfsvde.exe" | mkvnsxlhfzfsvde.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "viadpnxblugim.exe" | mkvnsxlhfzfsvde.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\fsnsfcjn = "khfjvspmqr.exe" | mkvnsxlhfzfsvde.exe
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description | ioc | Process
File opened (read-only) | \??\r: | khfjvspmqr.exe
File opened (read-only) | \??\g: | bxzdtjoj.exe
File opened (read-only) | \??\l: | khfjvspmqr.exe
File opened (read-only) | \??\v: | khfjvspmqr.exe
File opened (read-only) | \??\s: | khfjvspmqr.exe
File opened (read-only) | \??\x: | bxzdtjoj.exe
File opened (read-only) | \??\a: | bxzdtjoj.exe
File opened (read-only) | \??\e: | bxzdtjoj.exe
File opened (read-only) | \??\v: | bxzdtjoj.exe
File opened (read-only) | \??\v: | bxzdtjoj.exe
File opened (read-only) | \??\p: | bxzdtjoj.exe
File opened (read-only) | \??\x: | bxzdtjoj.exe
File opened (read-only) | \??\n: | bxzdtjoj.exe
File opened (read-only) | \??\k: | bxzdtjoj.exe
File opened (read-only) | \??\r: | bxzdtjoj.exe
File opened (read-only) | \??\m: | khfjvspmqr.exe
File opened (read-only) | \??\y: | khfjvspmqr.exe
File opened (read-only) | \??\z: | khfjvspmqr.exe
File opened (read-only) | \??\b: | khfjvspmqr.exe
File opened (read-only) | \??\k: | khfjvspmqr.exe
File opened (read-only) | \??\e: | bxzdtjoj.exe
File opened (read-only) | \??\t: | bxzdtjoj.exe
File opened (read-only) | \??\l: | bxzdtjoj.exe
File opened (read-only) | \??\w: | bxzdtjoj.exe
File opened (read-only) | \??\y: | bxzdtjoj.exe
File opened (read-only) | \??\z: | bxzdtjoj.exe
File opened (read-only) | \??\k: | bxzdtjoj.exe
File opened (read-only) | \??\h: | khfjvspmqr.exe
File opened (read-only) | \??\s: | bxzdtjoj.exe
File opened (read-only) | \??\m: | bxzdtjoj.exe
File opened (read-only) | \??\p: | bxzdtjoj.exe
File opened (read-only) | \??\o: | bxzdtjoj.exe
File opened (read-only) | \??\q: | bxzdtjoj.exe
File opened (read-only) | \??\t: | khfjvspmqr.exe
File opened (read-only) | \??\o: | bxzdtjoj.exe
File opened (read-only) | \??\w: | bxzdtjoj.exe
File opened (read-only) | \??\h: | bxzdtjoj.exe
File opened (read-only) | \??\a: | khfjvspmqr.exe
File opened (read-only) | \??\j: | bxzdtjoj.exe
File opened (read-only) | \??\i: | khfjvspmqr.exe
File opened (read-only) | \??\l: | bxzdtjoj.exe
File opened (read-only) | \??\y: | bxzdtjoj.exe
File opened (read-only) | \??\g: | bxzdtjoj.exe
File opened (read-only) | \??\j: | bxzdtjoj.exe
File opened (read-only) | \??\t: | bxzdtjoj.exe
File opened (read-only) | \??\p: | khfjvspmqr.exe
File opened (read-only) | \??\q: | bxzdtjoj.exe
File opened (read-only) | \??\u: | bxzdtjoj.exe
File opened (read-only) | \??\o: | khfjvspmqr.exe
File opened (read-only) | \??\u: | khfjvspmqr.exe
File opened (read-only) | \??\b: | bxzdtjoj.exe
File opened (read-only) | \??\r: | bxzdtjoj.exe
File opened (read-only) | \??\g: | khfjvspmqr.exe
File opened (read-only) | \??\j: | khfjvspmqr.exe
File opened (read-only) | \??\n: | khfjvspmqr.exe
File opened (read-only) | \??\a: | bxzdtjoj.exe
File opened (read-only) | \??\b: | bxzdtjoj.exe
File opened (read-only) | \??\i: | bxzdtjoj.exe
File opened (read-only) | \??\m: | bxzdtjoj.exe
File opened (read-only) | \??\i: | bxzdtjoj.exe
File opened (read-only) | \??\s: | bxzdtjoj.exe
File opened (read-only) | \??\u: | bxzdtjoj.exe
File opened (read-only) | \??\h: | bxzdtjoj.exe
File opened (read-only) | \??\n: | bxzdtjoj.exe
-
Modifies WinLogon 2 TTPs 2 IoCs
Processes:
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | khfjvspmqr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | khfjvspmqr.exe
-
AutoIT Executable 9 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource | yara_rule
behavioral2/memory/4784-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x0008000000023270-9.dat | autoit_exe
behavioral2/files/0x000800000002326c-18.dat | autoit_exe
behavioral2/files/0x000800000002326f-22.dat | autoit_exe
behavioral2/files/0x0008000000023273-31.dat | autoit_exe
behavioral2/files/0x0004000000016868-67.dat | autoit_exe
behavioral2/files/0x000200000001eb28-86.dat | autoit_exe
behavioral2/files/0x000200000001eb2d-93.dat | autoit_exe
behavioral2/files/0x000200000001eb2d-100.dat | autoit_exe
-
Drops file in System32 directory 13 IoCs
Processes:
description | ioc | Process
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | bxzdtjoj.exe
File created | C:\Windows\SysWOW64\khfjvspmqr.exe | a31224d26b26443ef664482c59a05399_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\viadpnxblugim.exe | a31224d26b26443ef664482c59a05399_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\viadpnxblugim.exe | a31224d26b26443ef664482c59a05399_JaffaCakes118.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | bxzdtjoj.exe
File opened for modification | C:\Windows\SysWOW64\mkvnsxlhfzfsvde.exe | a31224d26b26443ef664482c59a05399_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\bxzdtjoj.exe | a31224d26b26443ef664482c59a05399_JaffaCakes118.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | bxzdtjoj.exe
File opened for modification | C:\Windows\SysWOW64\khfjvspmqr.exe | a31224d26b26443ef664482c59a05399_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\mkvnsxlhfzfsvde.exe | a31224d26b26443ef664482c59a05399_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\bxzdtjoj.exe | a31224d26b26443ef664482c59a05399_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | khfjvspmqr.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | bxzdtjoj.exe
-
Drops file in Program Files directory 14 IoCs
Processes:
description | ioc | Process
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | bxzdtjoj.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | bxzdtjoj.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | bxzdtjoj.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | bxzdtjoj.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | bxzdtjoj.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | bxzdtjoj.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | bxzdtjoj.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | bxzdtjoj.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | bxzdtjoj.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | bxzdtjoj.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | bxzdtjoj.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | bxzdtjoj.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | bxzdtjoj.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | bxzdtjoj.exe
-
Drops file in Windows directory 11 IoCs
Processes:
description | ioc | Process
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | bxzdtjoj.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | bxzdtjoj.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | bxzdtjoj.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | bxzdtjoj.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | bxzdtjoj.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | bxzdtjoj.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | bxzdtjoj.exe
File opened for modification | C:\Windows\mydoc.rtf | a31224d26b26443ef664482c59a05399_JaffaCakes118.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | bxzdtjoj.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
-
Modifies registry class 20 IoCs
Processes:
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8CFF8E4858856E9047D7297E9DBDEFE147584267406337D799" | a31224d26b26443ef664482c59a05399_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193AC70F1596DBC4B8CE7C92ED9634CF" | a31224d26b26443ef664482c59a05399_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | khfjvspmqr.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | khfjvspmqr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | khfjvspmqr.exe
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings | a31224d26b26443ef664482c59a05399_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | a31224d26b26443ef664482c59a05399_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AB8FABFFE6BF19784083A3286973999B08903FE4315023AE2C8429D08D6" | a31224d26b26443ef664482c59a05399_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | khfjvspmqr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F768B6FE6A22DBD209D0D48A089164" | a31224d26b26443ef664482c59a05399_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | khfjvspmqr.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | khfjvspmqr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | khfjvspmqr.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | khfjvspmqr.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | khfjvspmqr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | khfjvspmqr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | khfjvspmqr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | khfjvspmqr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33332C0B9C5683556D4377D377262CAC7C8F65DB" | a31224d26b26443ef664482c59a05399_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB2B05B44E4399F52CABAA7329AD7CC" | a31224d26b26443ef664482c59a05399_JaffaCakes118.exe
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
pid | Process
2440 | WINWORD.EXE
2440 | WINWORD.EXE
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | Process
4784 | a31224d26b26443ef664482c59a05399_JaffaCakes118.exe
4784 | a31224d26b26443ef664482c59a05399_JaffaCakes118.exe
4784 | a31224d26b26443ef664482c59a05399_JaffaCakes118.exe
4784 | a31224d26b26443ef664482c59a05399_JaffaCakes118.exe
4784 | a31224d26b26443ef664482c59a05399_JaffaCakes118.exe
4784 | a31224d26b26443ef664482c59a05399_JaffaCakes118.exe
4784 | a31224d26b26443ef664482c59a05399_JaffaCakes118.exe
4784 | a31224d26b26443ef664482c59a05399_JaffaCakes118.exe
4784 | a31224d26b26443ef664482c59a05399_JaffaCakes118.exe
4784 | a31224d26b26443ef664482c59a05399_JaffaCakes118.exe
4784 | a31224d26b26443ef664482c59a05399_JaffaCakes118.exe
4784 | a31224d26b26443ef664482c59a05399_JaffaCakes118.exe
4784 | a31224d26b26443ef664482c59a05399_JaffaCakes118.exe
4784 | a31224d26b26443ef664482c59a05399_JaffaCakes118.exe
4784 | a31224d26b26443ef664482c59a05399_JaffaCakes118.exe
4784 | a31224d26b26443ef664482c59a05399_JaffaCakes118.exe
1592 | khfjvspmqr.exe
1592 | khfjvspmqr.exe
3256 | mkvnsxlhfzfsvde.exe
3256 | mkvnsxlhfzfsvde.exe
1592 | khfjvspmqr.exe
1592 | khfjvspmqr.exe
3256 | mkvnsxlhfzfsvde.exe
3256 | mkvnsxlhfzfsvde.exe
1592 | khfjvspmqr.exe
3256 | mkvnsxlhfzfsvde.exe
3256 | mkvnsxlhfzfsvde.exe
1592 | khfjvspmqr.exe
3256 | mkvnsxlhfzfsvde.exe
1592 | khfjvspmqr.exe
3256 | mkvnsxlhfzfsvde.exe
1592 | khfjvspmqr.exe
1592 | khfjvspmqr.exe
1592 | khfjvspmqr.exe
3256 | mkvnsxlhfzfsvde.exe
3256 | mkvnsxlhfzfsvde.exe
928 | bxzdtjoj.exe
928 | bxzdtjoj.exe
928 | bxzdtjoj.exe
928 | bxzdtjoj.exe
928 | bxzdtjoj.exe
928 | bxzdtjoj.exe
928 | bxzdtjoj.exe
928 | bxzdtjoj.exe
908 | viadpnxblugim.exe
908 | viadpnxblugim.exe
908 | viadpnxblugim.exe
908 | viadpnxblugim.exe
908 | viadpnxblugim.exe
908 | viadpnxblugim.exe
908 | viadpnxblugim.exe
908 | viadpnxblugim.exe
908 | viadpnxblugim.exe
908 | viadpnxblugim.exe
908 | viadpnxblugim.exe
908 | viadpnxblugim.exe
908 | viadpnxblugim.exe
908 | viadpnxblugim.exe
3256 | mkvnsxlhfzfsvde.exe
3256 | mkvnsxlhfzfsvde.exe
908 | viadpnxblugim.exe
908 | viadpnxblugim.exe
4088 | bxzdtjoj.exe
4088 | bxzdtjoj.exe
-
Suspicious use of FindShellTrayWindow 18 IoCs
Processes:
pid | Process
4784 | a31224d26b26443ef664482c59a05399_JaffaCakes118.exe
4784 | a31224d26b26443ef664482c59a05399_JaffaCakes118.exe
4784 | a31224d26b26443ef664482c59a05399_JaffaCakes118.exe
1592 | khfjvspmqr.exe
3256 | mkvnsxlhfzfsvde.exe
1592 | khfjvspmqr.exe
3256 | mkvnsxlhfzfsvde.exe
1592 | khfjvspmqr.exe
3256 | mkvnsxlhfzfsvde.exe
928 | bxzdtjoj.exe
928 | bxzdtjoj.exe
928 | bxzdtjoj.exe
908 | viadpnxblugim.exe
908 | viadpnxblugim.exe
908 | viadpnxblugim.exe
4088 | bxzdtjoj.exe
4088 | bxzdtjoj.exe
4088 | bxzdtjoj.exe
-
Suspicious use of SendNotifyMessage 18 IoCs
Processes:
pid | Process
4784 | a31224d26b26443ef664482c59a05399_JaffaCakes118.exe
4784 | a31224d26b26443ef664482c59a05399_JaffaCakes118.exe
4784 | a31224d26b26443ef664482c59a05399_JaffaCakes118.exe
1592 | khfjvspmqr.exe
3256 | mkvnsxlhfzfsvde.exe
1592 | khfjvspmqr.exe
3256 | mkvnsxlhfzfsvde.exe
1592 | khfjvspmqr.exe
3256 | mkvnsxlhfzfsvde.exe
928 | bxzdtjoj.exe
928 | bxzdtjoj.exe
928 | bxzdtjoj.exe
908 | viadpnxblugim.exe
908 | viadpnxblugim.exe
908 | viadpnxblugim.exe
4088 | bxzdtjoj.exe
4088 | bxzdtjoj.exe
4088 | bxzdtjoj.exe
-
Suspicious use of SetWindowsHookEx 7 IoCs
Processes:
pid | Process
2440 | WINWORD.EXE
2440 | WINWORD.EXE
2440 | WINWORD.EXE
2440 | WINWORD.EXE
2440 | WINWORD.EXE
2440 | WINWORD.EXE
2440 | WINWORD.EXE
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
description | pid | Process | procid_target
PID 4784 wrote to memory of 1592 | 4784 | a31224d26b26443ef664482c59a05399_JaffaCakes118.exe | 89
PID 4784 wrote to memory of 1592 | 4784 | a31224d26b26443ef664482c59a05399_JaffaCakes118.exe | 89
PID 4784 wrote to memory of 1592 | 4784 | a31224d26b26443ef664482c59a05399_JaffaCakes118.exe | 89
PID 4784 wrote to memory of 3256 | 4784 | a31224d26b26443ef664482c59a05399_JaffaCakes118.exe | 90
PID 4784 wrote to memory of 3256 | 4784 | a31224d26b26443ef664482c59a05399_JaffaCakes118.exe | 90
PID 4784 wrote to memory of 3256 | 4784 | a31224d26b26443ef664482c59a05399_JaffaCakes118.exe | 90
PID 4784 wrote to memory of 928 | 4784 | a31224d26b26443ef664482c59a05399_JaffaCakes118.exe | 91
PID 4784 wrote to memory of 928 | 4784 | a31224d26b26443ef664482c59a05399_JaffaCakes118.exe | 91
PID 4784 wrote to memory of 928 | 4784 | a31224d26b26443ef664482c59a05399_JaffaCakes118.exe | 91
PID 4784 wrote to memory of 908 | 4784 | a31224d26b26443ef664482c59a05399_JaffaCakes118.exe | 92
PID 4784 wrote to memory of 908 | 4784 | a31224d26b26443ef664482c59a05399_JaffaCakes118.exe | 92
PID 4784 wrote to memory of 908 | 4784 | a31224d26b26443ef664482c59a05399_JaffaCakes118.exe | 92
PID 1592 wrote to memory of 4088 | 1592 | khfjvspmqr.exe | 93
PID 1592 wrote to memory of 4088 | 1592 | khfjvspmqr.exe | 93
PID 1592 wrote to memory of 4088 | 1592 | khfjvspmqr.exe | 93
PID 4784 wrote to memory of 2440 | 4784 | a31224d26b26443ef664482c59a05399_JaffaCakes118.exe | 94
PID 4784 wrote to memory of 2440 | 4784 | a31224d26b26443ef664482c59a05399_JaffaCakes118.exe | 94
Processes
-
C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe"
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4784 -
C:\Windows\SysWOW64\khfjvspmqr.exe (depth 2)
Command line: khfjvspmqr.exe
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1592 -
C:\Windows\SysWOW64\bxzdtjoj.exe (depth 3)
Command line: C:\Windows\system32\bxzdtjoj.exe
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4088
-
-
-
C:\Windows\SysWOW64\mkvnsxlhfzfsvde.exe (depth 2)
Command line: mkvnsxlhfzfsvde.exe
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3256
-
-
C:\Windows\SysWOW64\bxzdtjoj.exe (depth 2)
Command line: bxzdtjoj.exe
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:928
-
-
C:\Windows\SysWOW64\viadpnxblugim.exe (depth 2)
Command line: viadpnxblugim.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:908
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (depth 2)
Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2440
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3856 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
PID:1860
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads