Analysis
- max time kernel: 149s
- max time network: 110s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13-06-2024 00:20

Static task: static1

Behavioral task: behavioral1
- Sample: a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe
- Resource: win7-20240611-en

Behavioral task: behavioral2
- Sample: a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe
- Resource: win10v2004-20240508-en

General
- Target: a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe
- Size: 512KB
- MD5: a31da94f9abda3681199df91e2cc364a
- SHA1: 118550ed6b4e99cb117c2e1409af456499d549c3
- SHA256: 0def2b2922ba6a3ccdc47a8b0b7c7685772f0fd3d0a4c35d90cf423e54e58041
- SHA512: d53c5bb3bfe3737483f17e1796cd2960147d1a7cf45882424801a912410ca624e9d94d6fce784daa8b2674827b12b47d956c87e622fc447135c92b786df8caf5
- SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6n:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5C
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoCs)
Processes: vuqdslaqgw.exe
- Set value (int): \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (vuqdslaqgw.exe)
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoCs)
Processes: vuqdslaqgw.exe
- Set value (int): \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (vuqdslaqgw.exe)
Windows security bypass (5 IoCs)
Processes: vuqdslaqgw.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (vuqdslaqgw.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (vuqdslaqgw.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (vuqdslaqgw.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (vuqdslaqgw.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (vuqdslaqgw.exe)
Disables RegEdit via registry modification (1 IoCs)
Processes: vuqdslaqgw.exe
- Set value (int): \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (vuqdslaqgw.exe)
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation (a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe)
Executes dropped EXE (5 IoCs)
Processes: vuqdslaqgw.exe, gceqfznzigtyffl.exe, caqckuag.exe, esrywywaywwbw.exe, caqckuag.exe
- PID 5076: vuqdslaqgw.exe
- PID 4848: gceqfznzigtyffl.exe
- PID 2716: caqckuag.exe
- PID 5016: esrywywaywwbw.exe
- PID 3084: caqckuag.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification (6 IoCs)
Processes: vuqdslaqgw.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (vuqdslaqgw.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (vuqdslaqgw.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (vuqdslaqgw.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" (vuqdslaqgw.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (vuqdslaqgw.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (vuqdslaqgw.exe)
Adds Run key to start application (2 TTPs, 3 IoCs)
Processes: gceqfznzigtyffl.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qbfjqnvl = "vuqdslaqgw.exe" (gceqfznzigtyffl.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\hxppvuco = "gceqfznzigtyffl.exe" (gceqfznzigtyffl.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "esrywywaywwbw.exe" (gceqfznzigtyffl.exe)
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon (2 TTPs, 2 IoCs)
Processes: vuqdslaqgw.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" (vuqdslaqgw.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" (vuqdslaqgw.exe)
AutoIT Executable (9 IoCs)
AutoIT scripts compiled to PE executables.
Resources matching yara rule autoit_exe:
- behavioral2/memory/3096-0-0x0000000000400000-0x0000000000496000-memory.dmp
- behavioral2/files/0x000700000002340f-5.dat
- behavioral2/files/0x000900000002340b-18.dat
- behavioral2/files/0x0007000000023410-24.dat
- behavioral2/files/0x0007000000023411-27.dat
- behavioral2/files/0x000b000000016299-57.dat
- behavioral2/files/0x0005000000016927-63.dat
- behavioral2/files/0x000200000001e5c8-69.dat
- behavioral2/files/0x000200000001e5c8-88.dat
Drops file in System32 directory (12 IoCs)
Processes: a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe, caqckuag.exe, caqckuag.exe, vuqdslaqgw.exe
- File created: C:\Windows\SysWOW64\caqckuag.exe (a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe)
- File opened for modification: \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (caqckuag.exe)
- File opened for modification: \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (caqckuag.exe)
- File opened for modification: C:\Windows\SysWOW64\esrywywaywwbw.exe (a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe)
- File opened for modification: C:\Windows\SysWOW64\msvbvm60.dll (vuqdslaqgw.exe)
- File created: C:\Windows\SysWOW64\vuqdslaqgw.exe (a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe)
- File opened for modification: C:\Windows\SysWOW64\vuqdslaqgw.exe (a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe)
- File created: C:\Windows\SysWOW64\gceqfznzigtyffl.exe (a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe)
- File opened for modification: C:\Windows\SysWOW64\gceqfznzigtyffl.exe (a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe)
- File opened for modification: C:\Windows\SysWOW64\caqckuag.exe (a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe)
- File created: C:\Windows\SysWOW64\esrywywaywwbw.exe (a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe)
- File created: \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (caqckuag.exe)
Drops file in Program Files directory (15 IoCs)
Processes: caqckuag.exe, caqckuag.exe
- File created: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (caqckuag.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (caqckuag.exe)
- File opened for modification: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (caqckuag.exe)
- File created: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (caqckuag.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal (caqckuag.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (caqckuag.exe)
- File opened for modification: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (caqckuag.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal (caqckuag.exe)
- File opened for modification: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (caqckuag.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (caqckuag.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal (caqckuag.exe)
- File created: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (caqckuag.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (caqckuag.exe)
- File opened for modification: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (caqckuag.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal (caqckuag.exe)
Drops file in Windows directory (19 IoCs)
Processes: caqckuag.exe, caqckuag.exe, WINWORD.EXE, a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe
- File created: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (caqckuag.exe)
- File created: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (caqckuag.exe)
- File opened for modification: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (caqckuag.exe)
- File created: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (caqckuag.exe)
- File created: C:\Windows\~$mydoc.rtf (WINWORD.EXE)
- File created: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (caqckuag.exe)
- File opened for modification: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (caqckuag.exe)
- File opened for modification: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (caqckuag.exe)
- File opened for modification: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (caqckuag.exe)
- File opened for modification: C:\Windows\mydoc.rtf (a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe)
- File opened for modification: C:\Windows\mydoc.rtf (WINWORD.EXE)
- File created: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (caqckuag.exe)
- File created: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (caqckuag.exe)
- File opened for modification: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (caqckuag.exe)
- File created: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (caqckuag.exe)
- File created: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (caqckuag.exe)
- File opened for modification: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (caqckuag.exe)
- File opened for modification: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (caqckuag.exe)
- File opened for modification: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (caqckuag.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: WINWORD.EXE
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
Modifies registry class (20 IoCs)
Processes: a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe, vuqdslaqgw.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F06BB7FE1D21A9D108D0A08B7F9166" (a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.reg (vuqdslaqgw.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF4FCFF4F5D82189046D62E7E92BD97E640584066406345D6EA" (a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" (vuqdslaqgw.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" (vuqdslaqgw.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings (a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32452D7D9D5783206D3F76DC70272DDF7DF265DE" (a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB1B12B44EF399A53C5B9D732EDD7BE" (a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1848C77914E2DBC2B9B97FE1EDE434C6" (a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.bat (vuqdslaqgw.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" (vuqdslaqgw.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh (vuqdslaqgw.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" (vuqdslaqgw.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc (vuqdslaqgw.exe)
- Key created: \REGISTRY\MACHINE\Software\Classes\CLV.Classes (a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AC9FACEF913F298830F3A4B86EE3EE2B0FD02884213024BE1C842E608A6" (a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" (vuqdslaqgw.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" (vuqdslaqgw.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf (vuqdslaqgw.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs (vuqdslaqgw.exe)
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes: WINWORD.EXE
- PID 3652: WINWORD.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe, vuqdslaqgw.exe, gceqfznzigtyffl.exe, esrywywaywwbw.exe, caqckuag.exe, caqckuag.exe
- PID 3096: a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe
- PID 5076: vuqdslaqgw.exe
- PID 4848: gceqfznzigtyffl.exe
- PID 5016: esrywywaywwbw.exe
- PID 2716: caqckuag.exe
- PID 3084: caqckuag.exe
Suspicious use of FindShellTrayWindow (18 IoCs)
Processes: a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe, vuqdslaqgw.exe, esrywywaywwbw.exe, caqckuag.exe, gceqfznzigtyffl.exe, caqckuag.exe
- PID 3096: a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe
- PID 5076: vuqdslaqgw.exe
- PID 5016: esrywywaywwbw.exe
- PID 2716: caqckuag.exe
- PID 4848: gceqfznzigtyffl.exe
- PID 3084: caqckuag.exe
Suspicious use of SendNotifyMessage (18 IoCs)
Processes: a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe, vuqdslaqgw.exe, esrywywaywwbw.exe, caqckuag.exe, gceqfznzigtyffl.exe, caqckuag.exe
- PID 3096: a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe
- PID 5076: vuqdslaqgw.exe
- PID 5016: esrywywaywwbw.exe
- PID 2716: caqckuag.exe
- PID 4848: gceqfznzigtyffl.exe
- PID 3084: caqckuag.exe
Suspicious use of SetWindowsHookEx (7 IoCs)
Processes: WINWORD.EXE
- PID 3652: WINWORD.EXE
Suspicious use of WriteProcessMemory (17 IoCs)
Processes: a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe, vuqdslaqgw.exe
- PID 3096 (a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe) wrote to memory of PID 5076 (procid_target 82)
- PID 3096 (a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe) wrote to memory of PID 4848 (procid_target 83)
- PID 3096 (a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe) wrote to memory of PID 2716 (procid_target 84)
- PID 3096 (a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe) wrote to memory of PID 5016 (procid_target 85)
- PID 3096 (a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe) wrote to memory of PID 3652 (procid_target 86)
- PID 5076 (vuqdslaqgw.exe) wrote to memory of PID 3084 (procid_target 89)
Processes

1. C:\Users\Admin\AppData\Local\Temp\a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe"
   PID: 3096
   - Checks computer location settings
   - Drops file in System32 directory
   - Drops file in Windows directory
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory

   1.1. C:\Windows\SysWOW64\vuqdslaqgw.exe
        Command line: vuqdslaqgw.exe
        PID: 5076
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - Windows security bypass
        - Disables RegEdit via registry modification
        - Executes dropped EXE
        - Windows security modification
        - Enumerates connected drives
        - Modifies WinLogon
        - Drops file in System32 directory
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory

        1.1.1. C:\Windows\SysWOW64\caqckuag.exe
               Command line: C:\Windows\system32\caqckuag.exe
               PID: 3084
               - Executes dropped EXE
               - Enumerates connected drives
               - Drops file in System32 directory
               - Drops file in Program Files directory
               - Drops file in Windows directory
               - Suspicious behavior: EnumeratesProcesses
               - Suspicious use of FindShellTrayWindow
               - Suspicious use of SendNotifyMessage

   1.2. C:\Windows\SysWOW64\gceqfznzigtyffl.exe
        Command line: gceqfznzigtyffl.exe
        PID: 4848
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage

   1.3. C:\Windows\SysWOW64\caqckuag.exe
        Command line: caqckuag.exe
        PID: 2716
        - Executes dropped EXE
        - Enumerates connected drives
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage

   1.4. C:\Windows\SysWOW64\esrywywaywwbw.exe
        Command line: esrywywaywwbw.exe
        PID: 5016
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage

   1.5. C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
        Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
        PID: 3652
        - Drops file in Windows directory
        - Checks processor information in registry
        - Enumerates system info in registry
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)

Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)

Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads