Analysis
max time kernel: 149s
max time network: 110s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
submitted: 13-06-2024 03:56
Static task: static1
Behavioral task: behavioral1
  Sample: a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2 (the run shown on this page)
  Sample: a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe
Size: 512KB
MD5: a3c059f6e292c34cdb25843d8d476568
SHA1: 70cdebf5cb35849003faa7b46234ac41d9729d10
SHA256: 17fe9527a24327cb25e9d87429e849a87e99f871d1848d71220b59f63e960847
SHA512: be3d976b244aad841a887a0fb5e41737bc77ef75188272eba9c3866f1208dab0b75416e87d9441767684275b5bccfea08bb6d7d5e5cf796d3b4e5f33acefbd16
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6I:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5t
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
HideFileExt = 1 is also the stock Windows default, so the value alone proves nothing; the indicator is that a dropped, randomly named SysWOW64 executable wrote it.
Processes:
- Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (fxwyzdnyiq.exe)
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
ShowSuperHidden = 0 (protected operating-system files hidden) is likewise the stock default; together with HideFileExt = 1 it keeps the dropped "<name>.doc.exe" files looking like documents in Explorer.
Processes:
- Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (fxwyzdnyiq.exe)
Windows security bypass 5 IoCs (signature name as listed for fxwyzdnyiq.exe in the process tree below)
Legacy Security Center override/notification values. They were written under WOW6432Node, the registry view a 32-bit process gets on x64; the 64-bit Security Center service reads the native key, so these writes are a reliable tell rather than an effective bypass on Windows 10.
Processes:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (fxwyzdnyiq.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (fxwyzdnyiq.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (fxwyzdnyiq.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (fxwyzdnyiq.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (fxwyzdnyiq.exe)
Disables RegEdit via registry modification 1 IoCs
Processes:
- Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (fxwyzdnyiq.exe)
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence.
Processes:
- Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation (a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe)
Executes dropped EXE 5 IoCs
All four binaries are copies the parent wrote to C:\Windows\SysWOW64 (see "Drops file in System32 directory"); fhaerkjn.exe runs twice, once from the parent and once from fxwyzdnyiq.exe.
Processes:
- PID 724 fxwyzdnyiq.exe
- PID 2280 gwqcmizudworijd.exe
- PID 2720 fhaerkjn.exe
- PID 692 yruipirqpnmsh.exe
- PID 4992 fhaerkjn.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials. No individual IoCs are listed for this signature in the report.
Windows security modification 6 IoCs (signature name as listed for fxwyzdnyiq.exe in the process tree below)
The same WOW6432Node Security Center values as above, plus FirstRunDisabled.
Processes:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (fxwyzdnyiq.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (fxwyzdnyiq.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (fxwyzdnyiq.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (fxwyzdnyiq.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" (fxwyzdnyiq.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (fxwyzdnyiq.exe)
Adds Run key to start application 2 TTPs 3 IoCs
Three entries under the WOW6432Node Run key (Windows processes both the native and the WOW6432Node Run keys at logon). The third entry is the key's unnamed default value, which some autorun listings skip. The data are bare file names with no path; on a 64-bit host C:\Windows\SysWOW64 is not on the default search path of the 64-bit shell, so whether these entries actually launch at logon should be verified rather than assumed.
Processes:
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gktmgmfo = "gwqcmizudworijd.exe" (gwqcmizudworijd.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\(default) = "yruipirqpnmsh.exe" (gwqcmizudworijd.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lyynpxqw = "fxwyzdnyiq.exe" (gwqcmizudworijd.exe)
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes (64 "File opened (read-only)" events on \??\<letter>: paths, summarised by process and drive letter):
- fhaerkjn.exe (both instances, 42 events): a:, b:, e:, g:, h:, i:, j:, k:, l:, m:, n:, o:, p:, q:, r:, s:, t:, u:, v:, w:, x:, y:, z:
- fxwyzdnyiq.exe (22 events): a:, b:, e:, g:, h:, i:, j:, k:, l:, m:, n:, o:, p:, q:, r:, s:, t:, u:, v:, x:, y:, z:
Neither process touches c:, d: or f: in the listed events; the pattern is a sweep of every possible drive letter, typical of removable-media spreading.
Modifies WinLogon 2 TTPs 2 IoCs
SFCDisable = 4294967197 is 0xFFFFFF9D, the value that disabled Windows File Protection on Windows 2000. Windows Resource Protection on Windows 10 ignores it, and the write went to the WOW6432Node view in any case, so this is a dated habit of the code rather than a working defense-evasion step.
Processes:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" (fxwyzdnyiq.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" (fxwyzdnyiq.exe)
AutoIT Executable 9 IoCs
AutoIT scripts compiled to PE executables. The parent's image in memory and every dropped copy match the same rule, including the copies named after Office/Windows documents.
Processes (resource, YARA rule):
- behavioral2/memory/1184-0-0x0000000000400000-0x0000000000496000-memory.dmp: autoit_exe
- C:\Windows\SysWOW64\gwqcmizudworijd.exe: autoit_exe
- C:\Windows\SysWOW64\fxwyzdnyiq.exe: autoit_exe
- C:\Windows\SysWOW64\fhaerkjn.exe: autoit_exe
- C:\Windows\SysWOW64\yruipirqpnmsh.exe: autoit_exe
- C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe: autoit_exe
- C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe: autoit_exe
- \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe: autoit_exe (matched twice)
Drops file in System32 directory 13 IoCs
The paths are under SysWOW64 because the 32-bit processes see that directory as "system32" through WOW64 file-system redirection.
Processes:
- File created C:\Windows\SysWOW64\fxwyzdnyiq.exe (a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe), then opened for modification by the same process
- File created C:\Windows\SysWOW64\gwqcmizudworijd.exe (a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe), then opened for modification by the same process
- File created C:\Windows\SysWOW64\fhaerkjn.exe (a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe), then opened for modification by the same process
- File created C:\Windows\SysWOW64\yruipirqpnmsh.exe (a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe), then opened for modification by the same process
- File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (fhaerkjn.exe, 2 events) and opened for modification (fhaerkjn.exe, 2 events)
- File opened for modification C:\Windows\SysWOW64\msvbvm60.dll (fxwyzdnyiq.exe)
Drops file in Program Files directory 14 IoCs
Both fhaerkjn.exe instances write a "<name>.DOC.exe" executable beside Office's PROTTPLN.DOC and PROTTPLV.DOC protection templates and open a same-named .nal file for modification; the .DOC.exe files are the AutoIt copies flagged above.
Processes (all by fhaerkjn.exe):
- File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (2 events) and \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (2 events)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal (2 events)
- File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (2 events) and \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (2 events)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal (2 events)
Drops file in Windows directory 19 IoCs
The parent drops C:\Windows\mydoc.rtf and launches Word on it (see the process tree), presumably as a decoy; fhaerkjn.exe plants MsoIrmProtector.doc.exe beside every copy of MsoIrmProtector.doc it finds in the WinSxS component store.
Processes:
- File opened for modification C:\Windows\mydoc.rtf (a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe)
- File opened for modification C:\Windows\mydoc.rtf (WINWORD.EXE)
- File created C:\Windows\~$mydoc.rtf (WINWORD.EXE)
- \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe: created (2 events) and opened for modification (2 events) by fhaerkjn.exe
- \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe: created (2 events) and opened for modification (2 events) by fhaerkjn.exe
- \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe: created (2 events) and opened for modification (2 events) by fhaerkjn.exe
- \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe: created (2 events) and opened for modification (2 events) by fhaerkjn.exe
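The "AutoIT Executable" matches and the "<document>.doc.exe" drops above are the file-system side of this run and are easy to hunt for on a live host. The following PowerShell script is an added example, not part of the Tria.ge report and not code from the sample: it walks the directories the report shows being written to and flags PE files that carry the compiled-AutoIt3 script marker (the 16-byte resource magic followed by the ASCII tag "AU3!EA06", which is the same tell the report's autoit_exe rule keys on) or that use a document-style double extension. The directory list, the 20 MB size cap and the docx/rtf extensions are the script's own assumptions, widening the report's observed .doc.exe names.

```powershell
# Added hunting script (not from the Tria.ge report or the sample).
# Finds compiled-AutoIt PE files and "<name>.doc.exe"-style double extensions
# under the directories this report shows the sample writing to.
param(
    # Assumed roots: where the report shows drops; extend as needed.
    [string[]]$Roots = @("$env:SystemRoot\SysWOW64", "$env:SystemRoot\System32",
                         "$env:SystemRoot\WinSxS", "${env:ProgramFiles}\Microsoft Office"),
    [int]$MaxBytes = 20MB   # assumed cap; the sample and its copies are 512 KB
)

# Latin-1 maps every byte to exactly one char, so a string search is a byte search.
$latin1 = [System.Text.Encoding]::GetEncoding(28591)

# Compiled AutoIt3 scripts embed this resource header magic followed by "AU3!EA06".
$au3Magic = $latin1.GetString([byte[]](0xA3,0x48,0x4B,0xBE,0x98,0x6C,0x4A,0xA9,
                                       0x99,0x4C,0x53,0x0A,0x86,0xD6,0x48,0x7D)) + 'AU3!EA06'

function Test-AutoItBinary {
    param([string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    # Only PE files ("MZ" header) are of interest.
    if ($bytes.Length -lt 2 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) { return $false }
    return $latin1.GetString($bytes).Contains($au3Magic)
}

$findings = foreach ($root in $Roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Recurse -File -Include *.exe -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -le $MaxBytes } |
        ForEach-Object {
            # .doc.exe is what the report shows; docx/rtf are an assumed widening.
            $doubleExt = $_.Name -match '\.(doc|docx|rtf)\.exe$'
            $isAu3 = $false
            try { $isAu3 = Test-AutoItBinary -Path $_.FullName } catch { }   # unreadable file: skip
            if ($isAu3 -or $doubleExt) {
                [pscustomobject]@{
                    Path            = $_.FullName
                    SizeKB          = [math]::Round($_.Length / 1KB)
                    CompiledAutoIt  = $isAu3
                    DoubleExtension = $doubleExt
                    SHA256          = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                }
            }
        }
}

$findings | Sort-Object Path | Format-Table -AutoSize
```

A compiled-AutoIt hit on its own is not proof of compromise, since legitimate software is sometimes shipped that way; what makes the report's files suspicious is the combination of that marker with a random name in SysWOW64 or a document name with ".exe" appended, so read the two flag columns together. Compare the SHA256 column against the "Downloads" hashes at the bottom of the report, bearing in mind that the dropped copies there do not share the parent's hash.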
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). No individual IoCs are listed for this signature in the report.
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments. Here every read comes from WINWORD.EXE, which the sample launched to open the decoy document; Office reads these keys in normal operation, so treat this and the next signature as noise rather than as sandbox evasion by the malware.
Processes (all WINWORD.EXE):
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
Enumerates system info in registry 2 TTPs 3 IoCs
Processes (all WINWORD.EXE):
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
Modifies registry class 20 IoCs
fxwyzdnyiq.exe re-points six script file types at the txtfile ProgID, so double-clicking a .bat, .vbs, .wsf, .wsh, .wsc or .reg file opens it in Notepad instead of running it, which hampers script-based cleanup. The parent process stores opaque hex strings under a CLV.Classes key of its own.
Processes:
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat, .vbs, .wsf, .wsh, .wsc and .reg (fxwyzdnyiq.exe, 6 events)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\(default) = "txtfile" (fxwyzdnyiq.exe); the same value is set for .vbs, .WSF, .WSH, .wsc and .reg (6 events in total)
- Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings (a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe)
- Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes (a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33452D0B9D5582566D3676D470512DD77D8765D8" (a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AC9F9CAFE17F1E3837D3B3181EA3E94B08B03884367023BE1BE42EA08D5" (a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB6B15B47EF399852CCBAA0329FD7C8" (a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FF8FCFC4F5C85189047D72E7E97BC97E632593267336246D79C" (a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7FD68C3FF6D21ADD10BD1A68B789014" (a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "183EC67A14E6DAB6B8BA7CE9EDE334C6" (a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe)
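Every registry change listed under the Explorer, Security Center, RegEdit, Run key, Winlogon and registry-class signatures above is something a responder can check directly on a suspect host. The following PowerShell script is an added example, not part of the Tria.ge report and not derived from the sample: it audits the values the report attributes to fxwyzdnyiq.exe and gwqcmizudworijd.exe, looks for the dropped files, and with -Remediate puts stock settings back. The "stock" values (the ProgIDs .bat=batfile, .vbs=VBSFile, .wsf=WSFFile, .wsh=WSHFile, .wsc=scriptletfile, .reg=regfile, and removal of values that a clean Windows 10 does not carry), the restriction of HKCU checks to the current user, and the assumption that the host is x64 so the 32-bit writes sit under WOW6432Node are the script's own.

```powershell
# Added triage script (not from the Tria.ge report or the sample). Run elevated.
[CmdletBinding()]
param([switch]$Remediate)

$wow = 'HKLM:\SOFTWARE\WOW6432Node'   # where the 32-bit dropper's HKLM writes land on x64

function Get-RegValue([string]$Path, [string]$Name) {
    try { Get-ItemPropertyValue -LiteralPath $Path -Name $Name -ErrorAction Stop } catch { $null }
}

function ConvertTo-UInt32Value($Value) {
    # Registry DWORDs come back as signed Int32, so 0xFFFFFF9D reads as -99; compare unsigned.
    if ($Value -is [int32]) {
        return [System.BitConverter]::ToUInt32([System.BitConverter]::GetBytes([int32]$Value), 0)
    }
    return $Value
}

# Path, value name, the data the report shows the malware writing (Bad), and the
# assumed clean state (Clean = $null means the value should not exist at all).
$checks = @(
    # HideFileExt=1 / ShowSuperHidden=0 are also Windows defaults: weak on their own.
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'HideFileExt';          Bad = 1; Clean = 0; Weak = $true }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'ShowSuperHidden';      Bad = 0; Clean = 1; Weak = $true }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools'; Bad = 1; Clean = $null }
    # 4294967197 = 0xFFFFFF9D, the Windows 2000-era WFP kill value; ignored by WRP on Windows 10.
    @{ Path = "$wow\Microsoft\Windows NT\CurrentVersion\Winlogon"; Name = 'SFCDisable'; Bad = 4294967197; Clean = $null }
    @{ Path = "$wow\Microsoft\Windows NT\CurrentVersion\Winlogon"; Name = 'SFCScan';    Bad = 0;          Clean = $null }
)
foreach ($n in 'AntiVirusOverride','FirewallOverride','AntiVirusDisableNotify',
               'FirewallDisableNotify','UpdatesDisableNotify','FirstRunDisabled') {
    $checks += @{ Path = "$wow\Microsoft\Security Center"; Name = $n; Bad = 1; Clean = $null }
}
# Script extensions re-pointed at Notepad's ProgID; Clean holds the assumed stock ProgIDs.
$progIds = @{ '.bat'='batfile'; '.vbs'='VBSFile'; '.wsf'='WSFFile'; '.wsh'='WSHFile'; '.wsc'='scriptletfile'; '.reg'='regfile' }
foreach ($ext in $progIds.Keys) {
    $checks += @{ Path = "HKLM:\SOFTWARE\Classes\$ext"; Name = '(default)'; Bad = 'txtfile'; Clean = $progIds[$ext] }
}

$regHits = foreach ($c in $checks) {
    $cur = Get-RegValue $c.Path $c.Name
    $match = ($null -ne $cur) -and ((ConvertTo-UInt32Value $cur) -eq $c.Bad)
    if ($match) {
        [pscustomobject]@{ Path = $c.Path; Name = $c.Name; Current = $cur; WeakIndicator = [bool]$c.Weak }
        if ($Remediate) {
            if ($null -eq $c.Clean)          { Remove-ItemProperty -LiteralPath $c.Path -Name $c.Name -ErrorAction SilentlyContinue }
            elseif ($c.Name -eq '(default)') { Set-Item -LiteralPath $c.Path -Value $c.Clean }   # key's default value
            else                             { Set-ItemProperty -LiteralPath $c.Path -Name $c.Name -Value $c.Clean }
        }
    }
}

# Run-key persistence: the report shows the WOW6432Node key; the native key is checked too.
$dropped = 'fxwyzdnyiq.exe','gwqcmizudworijd.exe','fhaerkjn.exe','yruipirqpnmsh.exe'
$providerProps = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'
$runHits = foreach ($key in "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "$wow\Microsoft\Windows\CurrentVersion\Run") {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    foreach ($p in (Get-ItemProperty -LiteralPath $key).PSObject.Properties) {
        if ($p.Name -in $providerProps) { continue }
        if ($dropped | Where-Object { "$($p.Value)" -like "*$_*" }) {
            [pscustomobject]@{ Key = $key; Value = $p.Name; Data = $p.Value }   # Value "(default)" = unnamed entry
            if ($Remediate) { Remove-ItemProperty -LiteralPath $key -Name $p.Name -ErrorAction SilentlyContinue }
        }
    }
}

# Dropped files named in the report (the decoy document included).
$fileHits = ($dropped | ForEach-Object { "$env:SystemRoot\SysWOW64\$_" }) + "$env:SystemRoot\mydoc.rtf" |
    Where-Object { Test-Path -LiteralPath $_ }

'== Registry values matching the report ==';  $regHits  | Format-Table -AutoSize
'== Run entries pointing at dropped names ==';  $runHits  | Format-Table -AutoSize
'== Dropped files present ==';                  $fileHits
```

Two caveats on reading the output. The Explorer values are flagged WeakIndicator because a clean machine carries the same data; only the Run entries, the dropped files and the Security Center/Winlogon/ProgID writes separate this infection from a default install. And remediation is deliberately limited to the registry: the files in SysWOW64 and the "<name>.doc.exe" copies beside every .doc the worm found still have to be removed, and the HKCU checks cover only the user running the script.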
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes: WINWORD.EXE (PID 1940), 2 events
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (events per PID): 1184 a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe (16), 724 fxwyzdnyiq.exe (10), 2280 gwqcmizudworijd.exe (10), 2720 fhaerkjn.exe (8), 692 yruipirqpnmsh.exe (12), 4992 fhaerkjn.exe (8)
Suspicious use of FindShellTrayWindow 18 IoCs
Processes: 3 events each from PID 1184 a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe, 724 fxwyzdnyiq.exe, 2280 gwqcmizudworijd.exe, 2720 fhaerkjn.exe, 692 yruipirqpnmsh.exe and 4992 fhaerkjn.exe
Suspicious use of SendNotifyMessage 18 IoCs
Processes: the same six PIDs as FindShellTrayWindow, 3 events each
Suspicious use of SetWindowsHookEx 7 IoCs
Processes: WINWORD.EXE (PID 1940), 7 events
Suspicious use of WriteProcessMemory 17 IoCs
Parent-to-child writes, which give the process tree below (three writes per child, two for WINWORD.EXE):
- PID 1184 a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe -> PID 724 fxwyzdnyiq.exe
- PID 1184 a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe -> PID 2280 gwqcmizudworijd.exe
- PID 1184 a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe -> PID 2720 fhaerkjn.exe
- PID 1184 a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe -> PID 692 yruipirqpnmsh.exe
- PID 724 fxwyzdnyiq.exe -> PID 4992 fhaerkjn.exe
- PID 1184 a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe -> PID 1940 WINWORD.EXE (2 writes)
Processes
C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe (depth 1, PID 1184)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\fxwyzdnyiq.exe (depth 2, PID 724)
    Command line: fxwyzdnyiq.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\fhaerkjn.exe (depth 3, PID 4992)
      Command line: C:\Windows\system32\fhaerkjn.exe (the 32-bit parent asked for system32; WOW64 file-system redirection resolved it to SysWOW64, which is where the copy was dropped)
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\gwqcmizudworijd.exe (depth 2, PID 2280)
    Command line: gwqcmizudworijd.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\fhaerkjn.exe (depth 2, PID 2720)
    Command line: fhaerkjn.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\yruipirqpnmsh.exe (depth 2, PID 692)
    Command line: yruipirqpnmsh.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (depth 2, PID 1940)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
No network activity is listed for this run.
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads
Eight of the listed artifacts are 512KB, the same size as the submitted sample, yet none of them shares its hash and no two share a hash with each other, so the dropped copies are not byte-identical to the parent. Blocking the submitted file's hash alone will not catch them; use the AutoIt marker, the file names and the registry indicators instead. Paths shown as "-" are not recorded in the report.
- Path: -
  Filesize: 512KB
  MD5: 9c3f1e2ae59f97a25815a62fe9e0cb34
  SHA1: 91ef92e30c0ddc32a13cd805cbe892acb0f5c059
  SHA256: 85a5f7860089d47de05c76a95d6c5d4777c85cb80097a15b89da23ec5451090f
  SHA512: f92181230dec3767f96c611a0e280cdf3eb271e3304117fddeab8aaafdd7a9574bd1974aa8bf889f19169b1254cc52628dc0278c9ca90cf38cfd7e78d20bac60
- Path: -
  Filesize: 512KB
  MD5: 8ae4a27d3edcd1e154e530ed0407cfe7
  SHA1: 0b8c16c7cf09f0866915b69a2408fca2c91a3899
  SHA256: d2c566242160611a35365e354b9272195f218b61b2d3eb99976918302613bd5e
  SHA512: 16447ca0a7f5b35af676bcb9ae121edb2f181d3a26673ea43eae84bd60f1b065c25afecf0a394581821edfced3782a22f42cca6626c6b7e4bffefc3c45061424
- Path: -
  Filesize: 239B
  MD5: 12b138a5a40ffb88d1850866bf2959cd
  SHA1: 57001ba2de61329118440de3e9f8a81074cb28a2
  SHA256: 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
  SHA512: 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb
- Path: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 3KB
  MD5: 8f5c44e1551e133335388ab8900e956f
  SHA1: 1c115828a253459d609ebc7beb11283e6f94d2be
  SHA256: 8e4f760f7ddc9edb116aa6dfd13e9a7171b9c088ca201ce13238c62e745bd3c4
  SHA512: 7d5c83f19c5ebb15ef54a738c8352e457328019a0e209bb754a3049c0617f20f360a1dd5863304fc3e3c2946b1f0a994b4facc20fcd16668ad1f615c4bc2461c
- Path: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 3KB
  MD5: c2d8b34f0559f63b157ae8a75090f341
  SHA1: ae20a342ab7bc08149dce71b96bec5c94541362e
  SHA256: 1acbe893259c639ceb26cb6596dbc4fb3b3521079aba3262e45088bed9495d05
  SHA512: a1b97dd9e7929267407b16e6cf51d4dbc6f5eb920cbfafb497b54e7e74c1ad0b6c3ff787b877f45358802d703cdde67212abc385af2b413540bf9735dc0f7f97
- Path: -
  Filesize: 512KB
  MD5: 407df293b5887f17853bf76153584693
  SHA1: bf1f601df9aff0e6cdb5f946968225a6482d5ba7
  SHA256: 1036fb08179cb716bef7e77d4e8ca67644d66b90e544f883a2ed52a5025d443d
  SHA512: 08b6e2712d8f9cdf7929ad46264b7b62a937213b718ab8aa7d6581604dac2014c7405cedc4ccffd37b305e365dc0d986eff72c7ce575595f7acac7c76d04bf6d
- Path: -
  Filesize: 512KB
  MD5: 74be7c489d44fb5f4bdf0a13bfbf761d
  SHA1: e562f2dd22baa77029be723fdedadcfc267d56b3
  SHA256: 59a85f76326ea05b56c1706dcb2ffce9f07e5fa4365732cc251a116e7cc5aaa4
  SHA512: eb0d6529638d00d6441e849b851660d982db9ae23edb413c1cf8e194731da71ead0a5076b2edf875ba828f242adcfe85d5a675b935457ca522f2073364947534
- Path: -
  Filesize: 512KB
  MD5: da96b0b2544130ce7ff6c8756ef68319
  SHA1: eb930787c8892f4ad7a8fa277ee33b48c7bb289a
  SHA256: 60c57cf80609f9866a3308433f967564397bba40a34c27ed8b3241fd382a41f0
  SHA512: ae5103ddaa916f43a688d05d3818584a0d3a153ac77d18d125323367628434976b4d1419ec9b3d5326b65d642f2c19359b4a84cdc841c9c727b2f8516b9da2e4
- Path: -
  Filesize: 512KB
  MD5: 2698d60e65f55656f96b8da07b80ec8d
  SHA1: 13fec9150aba07ec26df8da497f55866bb0f2cdc
  SHA256: 8f1f5ea66610b82d42b32759bf17a9deeb4db2399371c98dcad23ea08a7853d1
  SHA512: 1a7b1c7c26be65bed93e9cde84e21416045198b7102757df5a08a53c03e475739ca93ce4dd758096d8804f420d0a8ee0c1681f06db07923a879ec003bbffbe6a
- Path: -
  Filesize: 223B
  MD5: 06604e5941c126e2e7be02c5cd9f62ec
  SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
  SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
  SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
- Path: -
  Filesize: 512KB
  MD5: f4ab3aaed00ff5461e4237464f4fbb91
  SHA1: b6ef20a2cce50efca0a67df9827d5b674343ff66
  SHA256: 9f126d99783935695b56b021efa3d5ee37f79ee8dae6561d7a17fca573f20201
  SHA512: 5e6247bb63efdc5943d9326d2f55b1f52c0ae44c30d4b565777cc27b7a36f111e333f3a2b304065213a171523867eb97084cb136c1b6a0dd79d10c093795d7b2
- Path: -
  Filesize: 512KB
  MD5: d08872027844dc610b55026dc9f9ad46
  SHA1: 20d182a8d5f6a0c34d7bb6f89cd2a690b3bd3380
  SHA256: ae6c0a52f6f31efc947d991c94ec76673bfa4c07dc21fe7f93b1d569aa738de0
  SHA512: a0fed8fce3c0b9f7df6816b7be27ec7dd7d6e0fdc3c115f7c7b4d72dd0c506fed61d3766410e11e3ba738148a1367890087cbaafe6ad24957513b72169bf1391