Analysis
max time kernel: 149s
max time network: 114s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-06-2024 04:33
Static task: static1
Behavioral task: behavioral1
  Sample: a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe
Size: 512KB
MD5: a3d4cfe513c883044de3b8fd4a1ed5f0
SHA1: d92972584ba16cfca2260219f792daacd100797f
SHA256: 7a1fef7798f1bd2b7918626286e4a77c51674e9d4fbadf35951b96da6871129e
SHA512: bed8b70377c727330fcfe510a2b704738acc8ac12e9ddbf81c99c0db051302500f174815652322237f2cda0c76f7aecd37bc03a441ca05f84db6d26ae380b828
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6i:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5L
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoCs)
Processes: youhviwmvu.exe
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | youhviwmvu.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoCs)
Processes: youhviwmvu.exe
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | youhviwmvu.exe
Windows security bypass
Processes: youhviwmvu.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | youhviwmvu.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | youhviwmvu.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | youhviwmvu.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | youhviwmvu.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | youhviwmvu.exe
Disables RegEdit via registry modification (1 IoCs)
Processes: youhviwmvu.exe
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | youhviwmvu.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe
Executes dropped EXE (5 IoCs)
Processes: youhviwmvu.exe, bolcjqqdetygepm.exe, gyxqrrxh.exe, awxxtfcbqaqkx.exe, gyxqrrxh.exe
  pid | process
  1064 | youhviwmvu.exe
  412 | bolcjqqdetygepm.exe
  2840 | gyxqrrxh.exe
  2480 | awxxtfcbqaqkx.exe
  3000 | gyxqrrxh.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
Processes: youhviwmvu.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | youhviwmvu.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | youhviwmvu.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | youhviwmvu.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | youhviwmvu.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | youhviwmvu.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | youhviwmvu.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
Processes: bolcjqqdetygepm.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sfptihbv = "youhviwmvu.exe" | bolcjqqdetygepm.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ycywreaw = "bolcjqqdetygepm.exe" | bolcjqqdetygepm.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "awxxtfcbqaqkx.exe" | bolcjqqdetygepm.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: youhviwmvu.exe, gyxqrrxh.exe, gyxqrrxh.exe
  description | ioc | process
  File opened (read-only) | \??\g: | youhviwmvu.exe
  File opened (read-only) | \??\j: | youhviwmvu.exe
  File opened (read-only) | \??\e: | gyxqrrxh.exe
  File opened (read-only) | \??\g: | gyxqrrxh.exe
  File opened (read-only) | \??\p: | youhviwmvu.exe
  File opened (read-only) | \??\o: | gyxqrrxh.exe
  File opened (read-only) | \??\w: | gyxqrrxh.exe
  File opened (read-only) | \??\i: | gyxqrrxh.exe
  File opened (read-only) | \??\y: | gyxqrrxh.exe
  File opened (read-only) | \??\w: | youhviwmvu.exe
  File opened (read-only) | \??\j: | gyxqrrxh.exe
  File opened (read-only) | \??\x: | gyxqrrxh.exe
  File opened (read-only) | \??\w: | gyxqrrxh.exe
  File opened (read-only) | \??\t: | youhviwmvu.exe
  File opened (read-only) | \??\e: | gyxqrrxh.exe
  File opened (read-only) | \??\s: | gyxqrrxh.exe
  File opened (read-only) | \??\a: | gyxqrrxh.exe
  File opened (read-only) | \??\h: | gyxqrrxh.exe
  File opened (read-only) | \??\s: | youhviwmvu.exe
  File opened (read-only) | \??\m: | gyxqrrxh.exe
  File opened (read-only) | \??\q: | gyxqrrxh.exe
  File opened (read-only) | \??\t: | gyxqrrxh.exe
  File opened (read-only) | \??\o: | gyxqrrxh.exe
  File opened (read-only) | \??\s: | gyxqrrxh.exe
  File opened (read-only) | \??\m: | youhviwmvu.exe
  File opened (read-only) | \??\j: | gyxqrrxh.exe
  File opened (read-only) | \??\t: | gyxqrrxh.exe
  File opened (read-only) | \??\y: | youhviwmvu.exe
  File opened (read-only) | \??\r: | gyxqrrxh.exe
  File opened (read-only) | \??\x: | gyxqrrxh.exe
  File opened (read-only) | \??\h: | youhviwmvu.exe
  File opened (read-only) | \??\k: | youhviwmvu.exe
  File opened (read-only) | \??\n: | gyxqrrxh.exe
  File opened (read-only) | \??\v: | gyxqrrxh.exe
  File opened (read-only) | \??\z: | gyxqrrxh.exe
  File opened (read-only) | \??\n: | gyxqrrxh.exe
  File opened (read-only) | \??\u: | gyxqrrxh.exe
  File opened (read-only) | \??\y: | gyxqrrxh.exe
  File opened (read-only) | \??\b: | gyxqrrxh.exe
  File opened (read-only) | \??\b: | gyxqrrxh.exe
  File opened (read-only) | \??\r: | youhviwmvu.exe
  File opened (read-only) | \??\k: | gyxqrrxh.exe
  File opened (read-only) | \??\m: | gyxqrrxh.exe
  File opened (read-only) | \??\q: | youhviwmvu.exe
  File opened (read-only) | \??\x: | youhviwmvu.exe
  File opened (read-only) | \??\z: | youhviwmvu.exe
  File opened (read-only) | \??\g: | gyxqrrxh.exe
  File opened (read-only) | \??\h: | gyxqrrxh.exe
  File opened (read-only) | \??\k: | gyxqrrxh.exe
  File opened (read-only) | \??\u: | youhviwmvu.exe
  File opened (read-only) | \??\v: | youhviwmvu.exe
  File opened (read-only) | \??\i: | gyxqrrxh.exe
  File opened (read-only) | \??\l: | gyxqrrxh.exe
  File opened (read-only) | \??\u: | gyxqrrxh.exe
  File opened (read-only) | \??\l: | gyxqrrxh.exe
  File opened (read-only) | \??\q: | gyxqrrxh.exe
  File opened (read-only) | \??\e: | youhviwmvu.exe
  File opened (read-only) | \??\p: | gyxqrrxh.exe
  File opened (read-only) | \??\b: | youhviwmvu.exe
  File opened (read-only) | \??\r: | gyxqrrxh.exe
  File opened (read-only) | \??\v: | gyxqrrxh.exe
  File opened (read-only) | \??\i: | youhviwmvu.exe
  File opened (read-only) | \??\l: | youhviwmvu.exe
  File opened (read-only) | \??\n: | youhviwmvu.exe
Modifies WinLogon (2 TTPs, 2 IoCs)
Processes: youhviwmvu.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | youhviwmvu.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | youhviwmvu.exe
AutoIT Executable (10 IoCs)
AutoIT scripts compiled to PE executables.
Processes:
  resource | yara_rule
  behavioral2/memory/3112-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
  C:\Windows\SysWOW64\bolcjqqdetygepm.exe | autoit_exe
  C:\Windows\SysWOW64\youhviwmvu.exe | autoit_exe
  C:\Windows\SysWOW64\awxxtfcbqaqkx.exe | autoit_exe
  C:\Windows\SysWOW64\gyxqrrxh.exe | autoit_exe
  C:\Program Files\InvokeSend.doc.exe | autoit_exe
  \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | autoit_exe
  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | autoit_exe
  C:\Users\Admin\Desktop\DismountResolve.doc.exe | autoit_exe
  \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | autoit_exe
Drops file in System32 directory (13 IoCs)
Processes: a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe, gyxqrrxh.exe, youhviwmvu.exe, gyxqrrxh.exe
  description | ioc | process
  File created | C:\Windows\SysWOW64\bolcjqqdetygepm.exe | a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe
  File created | C:\Windows\SysWOW64\awxxtfcbqaqkx.exe | a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe
  File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | gyxqrrxh.exe
  File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | gyxqrrxh.exe
  File opened for modification | C:\Windows\SysWOW64\gyxqrrxh.exe | a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | youhviwmvu.exe
  File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | gyxqrrxh.exe
  File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | gyxqrrxh.exe
  File opened for modification | C:\Windows\SysWOW64\awxxtfcbqaqkx.exe | a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe
  File created | C:\Windows\SysWOW64\youhviwmvu.exe | a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\youhviwmvu.exe | a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\bolcjqqdetygepm.exe | a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe
  File created | C:\Windows\SysWOW64\gyxqrrxh.exe | a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe
Drops file in Program Files directory (22 IoCs)
Processes: gyxqrrxh.exe, gyxqrrxh.exe
  description | ioc | process
  File created | \??\c:\Program Files\InvokeSend.doc.exe | gyxqrrxh.exe
  File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | gyxqrrxh.exe
  File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | gyxqrrxh.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | gyxqrrxh.exe
  File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | gyxqrrxh.exe
  File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | gyxqrrxh.exe
  File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | gyxqrrxh.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | gyxqrrxh.exe
  File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | gyxqrrxh.exe
  File opened for modification | \??\c:\Program Files\InvokeSend.doc.exe | gyxqrrxh.exe
  File opened for modification | C:\Program Files\InvokeSend.doc.exe | gyxqrrxh.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | gyxqrrxh.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | gyxqrrxh.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | gyxqrrxh.exe
  File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | gyxqrrxh.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | gyxqrrxh.exe
  File opened for modification | \??\c:\Program Files\InvokeSend.doc.exe | gyxqrrxh.exe
  File opened for modification | C:\Program Files\InvokeSend.doc.exe | gyxqrrxh.exe
  File opened for modification | C:\Program Files\InvokeSend.nal | gyxqrrxh.exe
  File opened for modification | C:\Program Files\InvokeSend.nal | gyxqrrxh.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | gyxqrrxh.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | gyxqrrxh.exe
Drops file in Windows directory (19 IoCs)
Processes: WINWORD.EXE, gyxqrrxh.exe, gyxqrrxh.exe, a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe
  description | ioc | process
  File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
  File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | gyxqrrxh.exe
  File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | gyxqrrxh.exe
  File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | gyxqrrxh.exe
  File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | gyxqrrxh.exe
  File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | gyxqrrxh.exe
  File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | gyxqrrxh.exe
  File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | gyxqrrxh.exe
  File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | gyxqrrxh.exe
  File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
  File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | gyxqrrxh.exe
  File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | gyxqrrxh.exe
  File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | gyxqrrxh.exe
  File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | gyxqrrxh.exe
  File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | gyxqrrxh.exe
  File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | gyxqrrxh.exe
  File opened for modification | C:\Windows\mydoc.rtf | a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe
  File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | gyxqrrxh.exe
  File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | gyxqrrxh.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: WINWORD.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class (20 IoCs)
Processes: a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe, youhviwmvu.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB5B05844E638E352CCB9D0339DD7CE" | a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | youhviwmvu.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | youhviwmvu.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | youhviwmvu.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | youhviwmvu.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | youhviwmvu.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACEFABBF961F1E3837A3A40819A3995B08A03F04261033EE1CB459908A7" | a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E89FCFB4F288219903CD7217D96BDEFE633594666466335D69C" | a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | youhviwmvu.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | youhviwmvu.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32352C779D2C83576D4376A077212CAC7CF165DC" | a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1949C60B1490DBC7B9BD7CE1ED9F37CE" | a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe
  Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | youhviwmvu.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | youhviwmvu.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | youhviwmvu.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | youhviwmvu.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F26BB3FF1F22DCD279D0A68A7B9017" | a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | youhviwmvu.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes: WINWORD.EXE
  pid | process
  4968 | WINWORD.EXE
  4968 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe, youhviwmvu.exe, bolcjqqdetygepm.exe, gyxqrrxh.exe, awxxtfcbqaqkx.exe, gyxqrrxh.exe
  pid | process
  3112 | a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe
  3112 | a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe
  3112 | a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe
  3112 | a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe
  3112 | a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe
  3112 | a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe
  3112 | a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe
  3112 | a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe
  3112 | a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe
  3112 | a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe
  3112 | a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe
  3112 | a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe
  3112 | a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe
  3112 | a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe
  3112 | a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe
  3112 | a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe
  1064 | youhviwmvu.exe
  1064 | youhviwmvu.exe
  1064 | youhviwmvu.exe
  1064 | youhviwmvu.exe
  1064 | youhviwmvu.exe
  1064 | youhviwmvu.exe
  1064 | youhviwmvu.exe
  1064 | youhviwmvu.exe
  1064 | youhviwmvu.exe
  1064 | youhviwmvu.exe
  412 | bolcjqqdetygepm.exe
  412 | bolcjqqdetygepm.exe
  412 | bolcjqqdetygepm.exe
  412 | bolcjqqdetygepm.exe
  412 | bolcjqqdetygepm.exe
  412 | bolcjqqdetygepm.exe
  412 | bolcjqqdetygepm.exe
  412 | bolcjqqdetygepm.exe
  2840 | gyxqrrxh.exe
  2840 | gyxqrrxh.exe
  2840 | gyxqrrxh.exe
  412 | bolcjqqdetygepm.exe
  412 | bolcjqqdetygepm.exe
  2840 | gyxqrrxh.exe
  2840 | gyxqrrxh.exe
  2840 | gyxqrrxh.exe
  2840 | gyxqrrxh.exe
  2840 | gyxqrrxh.exe
  2480 | awxxtfcbqaqkx.exe
  2480 | awxxtfcbqaqkx.exe
  2480 | awxxtfcbqaqkx.exe
  2480 | awxxtfcbqaqkx.exe
  2480 | awxxtfcbqaqkx.exe
  2480 | awxxtfcbqaqkx.exe
  2480 | awxxtfcbqaqkx.exe
  2480 | awxxtfcbqaqkx.exe
  2480 | awxxtfcbqaqkx.exe
  2480 | awxxtfcbqaqkx.exe
  2480 | awxxtfcbqaqkx.exe
  2480 | awxxtfcbqaqkx.exe
  3000 | gyxqrrxh.exe
  3000 | gyxqrrxh.exe
  3000 | gyxqrrxh.exe
  3000 | gyxqrrxh.exe
  3000 | gyxqrrxh.exe
  3000 | gyxqrrxh.exe
  3000 | gyxqrrxh.exe
  3000 | gyxqrrxh.exe
Suspicious use of FindShellTrayWindow (18 IoCs)
Processes: a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe, youhviwmvu.exe, bolcjqqdetygepm.exe, gyxqrrxh.exe, awxxtfcbqaqkx.exe, gyxqrrxh.exe
  pid | process
  3112 | a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe
  3112 | a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe
  3112 | a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe
  1064 | youhviwmvu.exe
  1064 | youhviwmvu.exe
  1064 | youhviwmvu.exe
  412 | bolcjqqdetygepm.exe
  2840 | gyxqrrxh.exe
  412 | bolcjqqdetygepm.exe
  2840 | gyxqrrxh.exe
  412 | bolcjqqdetygepm.exe
  2840 | gyxqrrxh.exe
  2480 | awxxtfcbqaqkx.exe
  2480 | awxxtfcbqaqkx.exe
  2480 | awxxtfcbqaqkx.exe
  3000 | gyxqrrxh.exe
  3000 | gyxqrrxh.exe
  3000 | gyxqrrxh.exe
Suspicious use of SendNotifyMessage (18 IoCs)
Processes: a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe, youhviwmvu.exe, bolcjqqdetygepm.exe, gyxqrrxh.exe, awxxtfcbqaqkx.exe, gyxqrrxh.exe
  pid | process
  3112 | a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe
  3112 | a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe
  3112 | a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe
  1064 | youhviwmvu.exe
  1064 | youhviwmvu.exe
  1064 | youhviwmvu.exe
  412 | bolcjqqdetygepm.exe
  2840 | gyxqrrxh.exe
  412 | bolcjqqdetygepm.exe
  2840 | gyxqrrxh.exe
  412 | bolcjqqdetygepm.exe
  2840 | gyxqrrxh.exe
  2480 | awxxtfcbqaqkx.exe
  2480 | awxxtfcbqaqkx.exe
  2480 | awxxtfcbqaqkx.exe
  3000 | gyxqrrxh.exe
  3000 | gyxqrrxh.exe
  3000 | gyxqrrxh.exe
Suspicious use of SetWindowsHookEx (7 IoCs)
Processes: WINWORD.EXE
  pid | process
  4968 | WINWORD.EXE
  4968 | WINWORD.EXE
  4968 | WINWORD.EXE
  4968 | WINWORD.EXE
  4968 | WINWORD.EXE
  4968 | WINWORD.EXE
  4968 | WINWORD.EXE
Suspicious use of WriteProcessMemory (17 IoCs)
Processes: a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe, youhviwmvu.exe
  description | pid | process | target process
  PID 3112 wrote to memory of 1064 | 3112 | a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe | youhviwmvu.exe
  PID 3112 wrote to memory of 1064 | 3112 | a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe | youhviwmvu.exe
  PID 3112 wrote to memory of 1064 | 3112 | a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe | youhviwmvu.exe
  PID 3112 wrote to memory of 412 | 3112 | a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe | bolcjqqdetygepm.exe
  PID 3112 wrote to memory of 412 | 3112 | a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe | bolcjqqdetygepm.exe
  PID 3112 wrote to memory of 412 | 3112 | a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe | bolcjqqdetygepm.exe
  PID 3112 wrote to memory of 2840 | 3112 | a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe | gyxqrrxh.exe
  PID 3112 wrote to memory of 2840 | 3112 | a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe | gyxqrrxh.exe
  PID 3112 wrote to memory of 2840 | 3112 | a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe | gyxqrrxh.exe
  PID 3112 wrote to memory of 2480 | 3112 | a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe | awxxtfcbqaqkx.exe
  PID 3112 wrote to memory of 2480 | 3112 | a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe | awxxtfcbqaqkx.exe
  PID 3112 wrote to memory of 2480 | 3112 | a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe | awxxtfcbqaqkx.exe
  PID 3112 wrote to memory of 4968 | 3112 | a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe | WINWORD.EXE
  PID 3112 wrote to memory of 4968 | 3112 | a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe | WINWORD.EXE
  PID 1064 wrote to memory of 3000 | 1064 | youhviwmvu.exe | gyxqrrxh.exe
  PID 1064 wrote to memory of 3000 | 1064 | youhviwmvu.exe | gyxqrrxh.exe
  PID 1064 wrote to memory of 3000 | 1064 | youhviwmvu.exe | gyxqrrxh.exe
Processes
C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a3d4cfe513c883044de3b8fd4a1ed5f0_JaffaCakes118.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 3112
  C:\Windows\SysWOW64\youhviwmvu.exe (level 2)
    Command line: youhviwmvu.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID: 1064
    C:\Windows\SysWOW64\gyxqrrxh.exe (level 3)
      Command line: C:\Windows\system32\gyxqrrxh.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      PID: 3000
  C:\Windows\SysWOW64\bolcjqqdetygepm.exe (level 2)
    Command line: bolcjqqdetygepm.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 412
  C:\Windows\SysWOW64\gyxqrrxh.exe (level 2)
    Command line: gyxqrrxh.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 2840
  C:\Windows\SysWOW64\awxxtfcbqaqkx.exe (level 2)
    Command line: awxxtfcbqaqkx.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 2480
  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (level 2)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID: 4968
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (6)
Downloads