Analysis
max time kernel: 150s
max time network: 101s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-06-2024 00:12
Static task: static1
Behavioral task: behavioral1
  Sample: a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe
  Resource: win10v2004-20240611-en
General
Target: a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe
Size: 512KB
MD5: a316428effee4f96edee4b7601cfc78c
SHA1: 62c62a83b191db7672a7aa45235c8446335b6e30
SHA256: 3c6d66ea64e12029bda1fa7c1f9432980342dff406af07f91c12156c4e27220b
SHA512: 601302185a305d95dddb19aba0dc7f3b34b6028db5d8c0ee32efcad8c1962942f6a49a8587557eb8b20e54279670f8b0f7118411ff38b99ecd5a2443953db831
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6I:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5d
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
Processes: mkwiblghqr.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | mkwiblghqr.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes: mkwiblghqr.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | mkwiblghqr.exe
Windows security bypass 5 IoCs
Processes: mkwiblghqr.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | mkwiblghqr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | mkwiblghqr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | mkwiblghqr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | mkwiblghqr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | mkwiblghqr.exe
Disables RegEdit via registry modification 1 IoCs
Processes: mkwiblghqr.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | mkwiblghqr.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation | a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe
Executes dropped EXE 5 IoCs
Processes: mkwiblghqr.exe, cmqklxkydwvdrqh.exe, ohuurgda.exe, wmuddujoyhdlo.exe, ohuurgda.exe
pid | process
3792 | mkwiblghqr.exe
3392 | cmqklxkydwvdrqh.exe
1756 | ohuurgda.exe
4240 | wmuddujoyhdlo.exe
1068 | ohuurgda.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 6 IoCs
Processes: mkwiblghqr.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | mkwiblghqr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | mkwiblghqr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | mkwiblghqr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | mkwiblghqr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | mkwiblghqr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | mkwiblghqr.exe
Adds Run key to start application 2 TTPs 3 IoCs
Processes: cmqklxkydwvdrqh.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kvilvcgx = "cmqklxkydwvdrqh.exe" | cmqklxkydwvdrqh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "wmuddujoyhdlo.exe" | cmqklxkydwvdrqh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wxgobefu = "mkwiblghqr.exe" | cmqklxkydwvdrqh.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: ohuurgda.exe, ohuurgda.exe, mkwiblghqr.exe
description | ioc | process
File opened (read-only) | \??\a: | ohuurgda.exe
File opened (read-only) | \??\t: | ohuurgda.exe
File opened (read-only) | \??\a: | ohuurgda.exe
File opened (read-only) | \??\j: | ohuurgda.exe
File opened (read-only) | \??\v: | ohuurgda.exe
File opened (read-only) | \??\g: | ohuurgda.exe
File opened (read-only) | \??\u: | ohuurgda.exe
File opened (read-only) | \??\z: | ohuurgda.exe
File opened (read-only) | \??\b: | mkwiblghqr.exe
File opened (read-only) | \??\e: | mkwiblghqr.exe
File opened (read-only) | \??\m: | mkwiblghqr.exe
File opened (read-only) | \??\t: | mkwiblghqr.exe
File opened (read-only) | \??\u: | ohuurgda.exe
File opened (read-only) | \??\i: | mkwiblghqr.exe
File opened (read-only) | \??\p: | mkwiblghqr.exe
File opened (read-only) | \??\s: | ohuurgda.exe
File opened (read-only) | \??\s: | ohuurgda.exe
File opened (read-only) | \??\w: | ohuurgda.exe
File opened (read-only) | \??\i: | ohuurgda.exe
File opened (read-only) | \??\q: | ohuurgda.exe
File opened (read-only) | \??\o: | ohuurgda.exe
File opened (read-only) | \??\q: | ohuurgda.exe
File opened (read-only) | \??\y: | ohuurgda.exe
File opened (read-only) | \??\o: | ohuurgda.exe
File opened (read-only) | \??\l: | ohuurgda.exe
File opened (read-only) | \??\m: | ohuurgda.exe
File opened (read-only) | \??\k: | mkwiblghqr.exe
File opened (read-only) | \??\o: | mkwiblghqr.exe
File opened (read-only) | \??\q: | mkwiblghqr.exe
File opened (read-only) | \??\y: | mkwiblghqr.exe
File opened (read-only) | \??\k: | ohuurgda.exe
File opened (read-only) | \??\r: | ohuurgda.exe
File opened (read-only) | \??\g: | ohuurgda.exe
File opened (read-only) | \??\p: | ohuurgda.exe
File opened (read-only) | \??\r: | ohuurgda.exe
File opened (read-only) | \??\u: | mkwiblghqr.exe
File opened (read-only) | \??\h: | ohuurgda.exe
File opened (read-only) | \??\k: | ohuurgda.exe
File opened (read-only) | \??\v: | ohuurgda.exe
File opened (read-only) | \??\j: | mkwiblghqr.exe
File opened (read-only) | \??\v: | mkwiblghqr.exe
File opened (read-only) | \??\y: | ohuurgda.exe
File opened (read-only) | \??\r: | mkwiblghqr.exe
File opened (read-only) | \??\b: | ohuurgda.exe
File opened (read-only) | \??\n: | ohuurgda.exe
File opened (read-only) | \??\p: | ohuurgda.exe
File opened (read-only) | \??\t: | ohuurgda.exe
File opened (read-only) | \??\l: | ohuurgda.exe
File opened (read-only) | \??\w: | mkwiblghqr.exe
File opened (read-only) | \??\x: | mkwiblghqr.exe
File opened (read-only) | \??\j: | ohuurgda.exe
File opened (read-only) | \??\l: | mkwiblghqr.exe
File opened (read-only) | \??\s: | mkwiblghqr.exe
File opened (read-only) | \??\n: | ohuurgda.exe
File opened (read-only) | \??\w: | ohuurgda.exe
File opened (read-only) | \??\x: | ohuurgda.exe
File opened (read-only) | \??\i: | ohuurgda.exe
File opened (read-only) | \??\x: | ohuurgda.exe
File opened (read-only) | \??\a: | mkwiblghqr.exe
File opened (read-only) | \??\h: | mkwiblghqr.exe
File opened (read-only) | \??\n: | mkwiblghqr.exe
File opened (read-only) | \??\h: | ohuurgda.exe
File opened (read-only) | \??\m: | ohuurgda.exe
File opened (read-only) | \??\b: | ohuurgda.exe
Modifies WinLogon 2 TTPs 2 IoCs
Processes: mkwiblghqr.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | mkwiblghqr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | mkwiblghqr.exe
AutoIT Executable 9 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/4804-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x000900000002353f-5.dat | autoit_exe
behavioral2/files/0x000700000002336e-18.dat | autoit_exe
behavioral2/files/0x0007000000023547-29.dat | autoit_exe
behavioral2/files/0x0008000000023546-32.dat | autoit_exe
behavioral2/files/0x000800000002351c-69.dat | autoit_exe
behavioral2/files/0x000900000002349e-75.dat | autoit_exe
behavioral2/files/0x000a0000000234a0-90.dat | autoit_exe
behavioral2/files/0x000a0000000234a0-92.dat | autoit_exe
Drops file in System32 directory 13 IoCs
Processes: a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe, mkwiblghqr.exe, ohuurgda.exe, ohuurgda.exe
description | ioc | process
File created | C:\Windows\SysWOW64\ohuurgda.exe | a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | mkwiblghqr.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | ohuurgda.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | ohuurgda.exe
File opened for modification | C:\Windows\SysWOW64\mkwiblghqr.exe | a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\cmqklxkydwvdrqh.exe | a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\cmqklxkydwvdrqh.exe | a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\ohuurgda.exe | a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\wmuddujoyhdlo.exe | a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | ohuurgda.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | ohuurgda.exe
File created | C:\Windows\SysWOW64\mkwiblghqr.exe | a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\wmuddujoyhdlo.exe | a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe
Drops file in Program Files directory 15 IoCs
Processes: ohuurgda.exe, ohuurgda.exe
description | ioc | process
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ohuurgda.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ohuurgda.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ohuurgda.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ohuurgda.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | ohuurgda.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | ohuurgda.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ohuurgda.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ohuurgda.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ohuurgda.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ohuurgda.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | ohuurgda.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | ohuurgda.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ohuurgda.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ohuurgda.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ohuurgda.exe
Drops file in Windows directory 19 IoCs
Processes: WINWORD.EXE, ohuurgda.exe, ohuurgda.exe, a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe
description | ioc | process
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | ohuurgda.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | ohuurgda.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | ohuurgda.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | ohuurgda.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | ohuurgda.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | ohuurgda.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | ohuurgda.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | ohuurgda.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | ohuurgda.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | ohuurgda.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | ohuurgda.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | ohuurgda.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | ohuurgda.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | ohuurgda.exe
File opened for modification | C:\Windows\mydoc.rtf | a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | ohuurgda.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | ohuurgda.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: WINWORD.EXE
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Modifies registry class 20 IoCs
Processes: mkwiblghqr.exe, a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | mkwiblghqr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC4B15B4492389852CCBAD532EAD7BC" | a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F668C4FE1A21AED272D0D28A7F9016" | a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings | a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | mkwiblghqr.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | mkwiblghqr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8FFF8A4F5C856E913CD65B7DE6BDE2E640593067436332D79B" | a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | mkwiblghqr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | mkwiblghqr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | mkwiblghqr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | mkwiblghqr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "334E2C0A9D5583566A3E76DC70212CD67C8F65DB" | a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | mkwiblghqr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | mkwiblghqr.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | mkwiblghqr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | mkwiblghqr.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACDFAB9FE17F192837C3A3286E93E98B08B03884215033DE2CC459A08A2" | a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184BC70C1590DAB7B9B97CE7EDE037BA" | a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | mkwiblghqr.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes: WINWORD.EXE
pid | process | count
3896 | WINWORD.EXE | 2
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe, cmqklxkydwvdrqh.exe, wmuddujoyhdlo.exe, mkwiblghqr.exe, ohuurgda.exe, ohuurgda.exe
pid | process | count (consecutive identical rows, in the order reported)
4804 | a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe | 16
3392 | cmqklxkydwvdrqh.exe | 10
4240 | wmuddujoyhdlo.exe | 12
3792 | mkwiblghqr.exe | 10
1756 | ohuurgda.exe | 8
3392 | cmqklxkydwvdrqh.exe | 2
4240 | wmuddujoyhdlo.exe | 4
1068 | ohuurgda.exe | 2
Suspicious use of FindShellTrayWindow 18 IoCs
Processes: a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe, cmqklxkydwvdrqh.exe, wmuddujoyhdlo.exe, mkwiblghqr.exe, ohuurgda.exe, ohuurgda.exe
pid | process | count (consecutive identical rows, in the order reported)
4804 | a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe | 3
3392 | cmqklxkydwvdrqh.exe | 3
4240 | wmuddujoyhdlo.exe | 2
3792 | mkwiblghqr.exe | 1
4240 | wmuddujoyhdlo.exe | 1
3792 | mkwiblghqr.exe | 2
1756 | ohuurgda.exe | 3
1068 | ohuurgda.exe | 3
Suspicious use of SendNotifyMessage 18 IoCs
Processes: a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe, cmqklxkydwvdrqh.exe, wmuddujoyhdlo.exe, mkwiblghqr.exe, ohuurgda.exe, ohuurgda.exe
pid | process | count (consecutive identical rows, in the order reported)
4804 | a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe | 3
3392 | cmqklxkydwvdrqh.exe | 3
4240 | wmuddujoyhdlo.exe | 3
3792 | mkwiblghqr.exe | 3
1756 | ohuurgda.exe | 3
1068 | ohuurgda.exe | 3
Suspicious use of SetWindowsHookEx 7 IoCs
Processes: WINWORD.EXE
pid | process | count
3896 | WINWORD.EXE | 7
Suspicious use of WriteProcessMemory 17 IoCs
Processes: a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe, mkwiblghqr.exe
description | pid | process | procid_target | count (consecutive identical rows, in the order reported)
PID 4804 wrote to memory of 3792 | 4804 | a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe | 80 | 3
PID 4804 wrote to memory of 3392 | 4804 | a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe | 81 | 3
PID 4804 wrote to memory of 1756 | 4804 | a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe | 82 | 3
PID 4804 wrote to memory of 4240 | 4804 | a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe | 83 | 3
PID 4804 wrote to memory of 3896 | 4804 | a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe | 84 | 2
PID 3792 wrote to memory of 1068 | 3792 | mkwiblghqr.exe | 86 | 3
Processes
C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe (PID 4804)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\mkwiblghqr.exe (PID 3792)
    Command line: mkwiblghqr.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\ohuurgda.exe (PID 1068)
      Command line: C:\Windows\system32\ohuurgda.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\cmqklxkydwvdrqh.exe (PID 3392)
    Command line: cmqklxkydwvdrqh.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\ohuurgda.exe (PID 1756)
    Command line: ohuurgda.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\wmuddujoyhdlo.exe (PID 4240)
    Command line: wmuddujoyhdlo.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 3896)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads