Analysis

Max time kernel: 151s
Max time network: 155s
Platform: windows10-2004_x64
Resource: win10v2004-20240226-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 13-06-2024 04:15
Static task: static1

Behavioral task: behavioral1
  Sample: a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe
  Resource: win7-20240419-en

Behavioral task: behavioral2
  Sample: a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General

Target: a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe
Size: 512KB
MD5: a3cba6af2053213e5c97c7e1cf3e54d6
SHA1: 12c3245fa21cd0a84a78f0178ba6181509c6fe4e
SHA256: c2f3050f83b17739dc4ed6343275ec86e69d658e06b1230d18bf2fd1669351d6
SHA512: c881faa0900d2b8be206772866519cd3acb9723b602988968fa3edcec3182af429389d11dd2d4939bf950c302fc15671db6a9ca73efb6e7082393bdac14a291c
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6j:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5M
Malware Config

Signatures

Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
Processes: description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | wisgfwkcof.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
Processes: description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | wisgfwkcof.exe
Windows security bypass (signature name taken from the process tree below; heading missing from the extracted report)
Processes: description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | wisgfwkcof.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | wisgfwkcof.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | wisgfwkcof.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | wisgfwkcof.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | wisgfwkcof.exe
Disables RegEdit via registry modification (1 IoC)
Processes: description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | wisgfwkcof.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Processes: description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe
Executes dropped EXE (5 IoCs)
Processes: pid | process
  2964 | wisgfwkcof.exe
  4688 | asceuwbuvxoiwlv.exe
  2876 | zcucxclu.exe
  1804 | zclowptyihkin.exe
  1344 | zcucxclu.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.
Windows security modification (signature name taken from the process tree below; heading missing from the extracted report)
Processes: description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | wisgfwkcof.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | wisgfwkcof.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | wisgfwkcof.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | wisgfwkcof.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | wisgfwkcof.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | wisgfwkcof.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
Processes: description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctkxguzs = "asceuwbuvxoiwlv.exe" | asceuwbuvxoiwlv.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "zclowptyihkin.exe" | asceuwbuvxoiwlv.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cmrqzcnj = "wisgfwkcof.exe" | asceuwbuvxoiwlv.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: description | ioc | process
  File opened (read-only) | \??\i: | zcucxclu.exe
  File opened (read-only) | \??\l: | zcucxclu.exe
  File opened (read-only) | \??\p: | zcucxclu.exe
  File opened (read-only) | \??\y: | zcucxclu.exe
  File opened (read-only) | \??\t: | zcucxclu.exe
  File opened (read-only) | \??\k: | zcucxclu.exe
  File opened (read-only) | \??\g: | zcucxclu.exe
  File opened (read-only) | \??\u: | wisgfwkcof.exe
  File opened (read-only) | \??\g: | zcucxclu.exe
  File opened (read-only) | \??\h: | zcucxclu.exe
  File opened (read-only) | \??\y: | zcucxclu.exe
  File opened (read-only) | \??\x: | zcucxclu.exe
  File opened (read-only) | \??\e: | wisgfwkcof.exe
  File opened (read-only) | \??\m: | wisgfwkcof.exe
  File opened (read-only) | \??\r: | wisgfwkcof.exe
  File opened (read-only) | \??\z: | wisgfwkcof.exe
  File opened (read-only) | \??\m: | zcucxclu.exe
  File opened (read-only) | \??\b: | zcucxclu.exe
  File opened (read-only) | \??\t: | wisgfwkcof.exe
  File opened (read-only) | \??\k: | zcucxclu.exe
  File opened (read-only) | \??\o: | zcucxclu.exe
  File opened (read-only) | \??\w: | zcucxclu.exe
  File opened (read-only) | \??\u: | zcucxclu.exe
  File opened (read-only) | \??\w: | zcucxclu.exe
  File opened (read-only) | \??\z: | zcucxclu.exe
  File opened (read-only) | \??\x: | zcucxclu.exe
  File opened (read-only) | \??\s: | zcucxclu.exe
  File opened (read-only) | \??\o: | wisgfwkcof.exe
  File opened (read-only) | \??\y: | wisgfwkcof.exe
  File opened (read-only) | \??\o: | zcucxclu.exe
  File opened (read-only) | \??\p: | wisgfwkcof.exe
  File opened (read-only) | \??\j: | zcucxclu.exe
  File opened (read-only) | \??\z: | zcucxclu.exe
  File opened (read-only) | \??\a: | zcucxclu.exe
  File opened (read-only) | \??\m: | zcucxclu.exe
  File opened (read-only) | \??\v: | zcucxclu.exe
  File opened (read-only) | \??\h: | wisgfwkcof.exe
  File opened (read-only) | \??\n: | wisgfwkcof.exe
  File opened (read-only) | \??\a: | zcucxclu.exe
  File opened (read-only) | \??\t: | zcucxclu.exe
  File opened (read-only) | \??\b: | wisgfwkcof.exe
  File opened (read-only) | \??\g: | wisgfwkcof.exe
  File opened (read-only) | \??\l: | wisgfwkcof.exe
  File opened (read-only) | \??\x: | wisgfwkcof.exe
  File opened (read-only) | \??\v: | zcucxclu.exe
  File opened (read-only) | \??\i: | wisgfwkcof.exe
  File opened (read-only) | \??\s: | wisgfwkcof.exe
  File opened (read-only) | \??\w: | wisgfwkcof.exe
  File opened (read-only) | \??\e: | zcucxclu.exe
  File opened (read-only) | \??\h: | zcucxclu.exe
  File opened (read-only) | \??\l: | zcucxclu.exe
  File opened (read-only) | \??\n: | zcucxclu.exe
  File opened (read-only) | \??\s: | zcucxclu.exe
  File opened (read-only) | \??\e: | zcucxclu.exe
  File opened (read-only) | \??\j: | zcucxclu.exe
  File opened (read-only) | \??\q: | zcucxclu.exe
  File opened (read-only) | \??\j: | wisgfwkcof.exe
  File opened (read-only) | \??\k: | wisgfwkcof.exe
  File opened (read-only) | \??\v: | wisgfwkcof.exe
  File opened (read-only) | \??\b: | zcucxclu.exe
  File opened (read-only) | \??\p: | zcucxclu.exe
  File opened (read-only) | \??\q: | zcucxclu.exe
  File opened (read-only) | \??\n: | zcucxclu.exe
  File opened (read-only) | \??\q: | wisgfwkcof.exe
Modifies WinLogon (2 TTPs, 2 IoCs)
Processes: description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | wisgfwkcof.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | wisgfwkcof.exe
AutoIT Executable (9 IoCs)
AutoIT scripts compiled to PE executables.
Processes: resource | yara_rule
  behavioral2/memory/2636-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
  C:\Windows\SysWOW64\asceuwbuvxoiwlv.exe | autoit_exe
  C:\Windows\SysWOW64\wisgfwkcof.exe | autoit_exe
  C:\Windows\SysWOW64\zcucxclu.exe | autoit_exe
  C:\Windows\SysWOW64\zclowptyihkin.exe | autoit_exe
  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | autoit_exe
  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | autoit_exe
  C:\Users\Admin\AppData\Roaming\UnlockWatch.doc.exe | autoit_exe
  \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | autoit_exe
Drops file in System32 directory (12 IoCs)
Processes: description | ioc | process
  File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | zcucxclu.exe
  File created | C:\Windows\SysWOW64\wisgfwkcof.exe | a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe
  File created | C:\Windows\SysWOW64\asceuwbuvxoiwlv.exe | a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe
  File created | C:\Windows\SysWOW64\zclowptyihkin.exe | a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\zclowptyihkin.exe | a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | wisgfwkcof.exe
  File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | zcucxclu.exe
  File opened for modification | C:\Windows\SysWOW64\wisgfwkcof.exe | a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\asceuwbuvxoiwlv.exe | a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe
  File created | C:\Windows\SysWOW64\zcucxclu.exe | a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\zcucxclu.exe | a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe
  File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | zcucxclu.exe
Drops file in Program Files directory (15 IoCs)
Processes: description | ioc | process
  File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | zcucxclu.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | zcucxclu.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | zcucxclu.exe
  File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | zcucxclu.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | zcucxclu.exe
  File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | zcucxclu.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | zcucxclu.exe
  File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | zcucxclu.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | zcucxclu.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | zcucxclu.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | zcucxclu.exe
  File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | zcucxclu.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | zcucxclu.exe
  File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | zcucxclu.exe
  File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | zcucxclu.exe
Drops file in Windows directory (3 IoCs)
Processes: description | ioc | process
  File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
  File opened for modification | C:\Windows\mydoc.rtf | a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe
  File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Modifies registry class (20 IoCs)
Processes: description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | wisgfwkcof.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32442C089D5183586A4377D770562CDD7D8164DF" | a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AB4F9CEF911F1E584753A4686993E94B38903FC4367034BE2C942EC09D3" | a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | wisgfwkcof.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | wisgfwkcof.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | wisgfwkcof.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | wisgfwkcof.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | wisgfwkcof.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | wisgfwkcof.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | wisgfwkcof.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | wisgfwkcof.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | wisgfwkcof.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | wisgfwkcof.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | wisgfwkcof.exe
  Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings | a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EC1B1294492399A52BDBAD13299D4B8" | a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FFBFFFF482C851E9046D65C7E91BCE4E140593067356337D79A" | a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F26BB8FF6622D9D17AD0D48A0C9160" | a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "183AC7751596DBB3B8BA7FE1EC9437CA" | a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes: pid | process
  4056 | WINWORD.EXE (2 events)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: pid | process (repeated events collapsed, in the order recorded)
  2636 | a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe (16 events)
  2964 | wisgfwkcof.exe (10 events)
  4688 | asceuwbuvxoiwlv.exe (10 events)
  2876 | zcucxclu.exe (8 events)
  1804 | zclowptyihkin.exe (12 events)
  4688 | asceuwbuvxoiwlv.exe (2 events)
  1804 | zclowptyihkin.exe (4 events)
  4688 | asceuwbuvxoiwlv.exe (2 events)
Suspicious use of FindShellTrayWindow (20 IoCs)
Processes: pid | process (repeated events collapsed, in the order recorded)
  2636 | a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe (3 events)
  2964 | wisgfwkcof.exe (3 events)
  4688 | asceuwbuvxoiwlv.exe (4 events)
  1804 | zclowptyihkin.exe (4 events, interleaved with the 2876 events below)
  2876 | zcucxclu.exe (3 events)
  1344 | zcucxclu.exe (3 events)
Suspicious use of SendNotifyMessage (20 IoCs)
Processes: pid | process (repeated events collapsed, in the order recorded)
  2636 | a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe (3 events)
  2964 | wisgfwkcof.exe (3 events)
  4688 | asceuwbuvxoiwlv.exe (4 events)
  1804 | zclowptyihkin.exe (4 events, interleaved with the 2876 events below)
  2876 | zcucxclu.exe (3 events)
  1344 | zcucxclu.exe (3 events)
Suspicious use of SetWindowsHookEx (7 IoCs)
Processes: pid | process
  4056 | WINWORD.EXE (7 events)
Suspicious use of WriteProcessMemory (17 IoCs)
Processes: description | pid | process | target process (repeated events collapsed)
  PID 2636 wrote to memory of 2964 | 2636 | a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe | wisgfwkcof.exe (3 events)
  PID 2636 wrote to memory of 4688 | 2636 | a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe | asceuwbuvxoiwlv.exe (3 events)
  PID 2636 wrote to memory of 2876 | 2636 | a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe | zcucxclu.exe (3 events)
  PID 2636 wrote to memory of 1804 | 2636 | a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe | zclowptyihkin.exe (3 events)
  PID 2964 wrote to memory of 1344 | 2964 | wisgfwkcof.exe | zcucxclu.exe (3 events)
  PID 2636 wrote to memory of 4056 | 2636 | a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe | WINWORD.EXE (2 events)
Processes

Process tree (indentation shows parent/child depth; the number after each executable is its depth in the tree as recorded by the sandbox).

1. C:\Users\Admin\AppData\Local\Temp\a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe"
   PID: 2636
   - Checks computer location settings
   - Drops file in System32 directory
   - Drops file in Windows directory
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\wisgfwkcof.exe
      Command line: wisgfwkcof.exe
      PID: 2964
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Windows security bypass
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Windows security modification
      - Enumerates connected drives
      - Modifies WinLogon
      - Drops file in System32 directory
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\zcucxclu.exe
         Command line: C:\Windows\system32\zcucxclu.exe
         PID: 1344
         - Executes dropped EXE
         - Enumerates connected drives
         - Drops file in System32 directory
         - Drops file in Program Files directory
         - Suspicious use of FindShellTrayWindow
         - Suspicious use of SendNotifyMessage

   2. C:\Windows\SysWOW64\asceuwbuvxoiwlv.exe
      Command line: asceuwbuvxoiwlv.exe
      PID: 4688
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

   2. C:\Windows\SysWOW64\zcucxclu.exe
      Command line: zcucxclu.exe
      PID: 2876
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

   2. C:\Windows\SysWOW64\zclowptyihkin.exe
      Command line: zclowptyihkin.exe
      PID: 1804
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

   2. C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      PID: 4056
      - Drops file in Windows directory
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of SetWindowsHookEx

1. C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
   Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4132 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
   PID: 2352
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)

Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)

Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (6)
Downloads

Filesize: 512KB
MD5: 2b425ba0453d8dae977556a430ec48cb
SHA1: 00ef4e5aa853ca2d58022b198debe52f710dcf05
SHA256: 932161d69a7a82e68c5cac1f6d0837d9b1b538c9d0951a002fe712e0252c4103
SHA512: 5fc73c6e2530ad67801d371dd88d70831291036b5ac4c5b98411edc5a8b7a872e4c458c755aad830b47bdb0d23965b120a0cb757d2c65586d75d6b9d3ece5a89

Filesize: 512KB
MD5: 1c7ad6c130469c8161786beb9f42e0f2
SHA1: b1f8001c814666990ee05e2342c6bff06e1288b6
SHA256: e8a9f0eb4019466dc43e9b9f962edf8fd4f5b5e296634547fb51e8787990097f
SHA512: 23e66ed26112f95cd574e4833ed3fe170e455e30b1de828386a7454c75ea488d561366c79fda200db9d36c1b70ed11924e6c8c32eac27f0bd040e7db841d4f1b

Filesize: 239B
MD5: 12b138a5a40ffb88d1850866bf2959cd
SHA1: 57001ba2de61329118440de3e9f8a81074cb28a2
SHA256: 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA512: 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: ca3c4f94255e73f27ae128cb0893c796
SHA1: e1132c806759bba253f8239db0838e849c910534
SHA256: 2c8e204011969f8e2cc2a8e9503d695218c3710793f9fd06b6237fdd2b4403d4
SHA512: 2b53824460c35de5c470c09447542692003f9e418ebb0523c5ab394e97d34bef0ce5f7e8027d99887dfa3fa9db4461e97e646a88e42e7a24b3067ba3c12cd22b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms~RFe58561a.TMP
Filesize: 3KB
MD5: bbd6302e4eb6c20dc5508083fb672412
SHA1: 4a616d0d854ead779da89b10600b722d52615a72
SHA256: 3fee187f29bac2885388b8314a3bfd148adcdcc79cb91b13894fbbf30f8f3a8c
SHA512: 02c9b1714170bd24c5ad7acdc18920911704578f28c6a2174b561fb8a7f66a06ae25e74775ffd762a4dd7a183d40463e0d8d542a20fbcecfb0cc7a0c654093d9

Filesize: 512KB
MD5: 316f4c076bab357826b5dabdb7e82415
SHA1: 4f9fe728b14c29080dffe1d0eb45c3dfa15bcb88
SHA256: 59b9555f625a39d43d2464bab74a37dbd03e57287ec7e0c067843a3e8e20e466
SHA512: 0c6d9780c97e905b3998bcc17eba53da70347f8418b144dca17f57d022160d6c8b6c70c44c3c9ccd04b53ae4f2d91cc4766fd8249036c7cf9354802cc3779a90

Filesize: 512KB
MD5: 60f3d57abd84fe8bbf1eae4dad364d3d
SHA1: 190691c709b42276d47c5ea97286e00553236634
SHA256: e8a50e1f1ac678d5c810ab0c43a00b366feb238b21eec579333bb406d35daea3
SHA512: b94e4f6d8800769d9d9f924dd49998dbf94f6392b655d015388de154ae8591f06529aaa0731111c9e71af322e632106504a57f4767cc20b804b2a0acc17274ee

Filesize: 512KB
MD5: 18fe070c2f9c8197337da47c7cba2cae
SHA1: 0dc45ee6fa98f1b3f87cc7ba470ff008a3c3a55a
SHA256: d0407a319c0c7114d29d5b6190534ff489ef90629a6bcae98967c830c7a96d88
SHA512: f28dd120b87b78d9f0a1669c601cc7fb3d5613ca3de6f083e85395765ec0c0ec77fe324313c3916782ff53009c27ee572c02c9da682b397248bcc30e6bbd18ba

Filesize: 512KB
MD5: eadb28e40caa864fa056647127250cce
SHA1: f8b00a0e7fd6a0475c998ee60183b168b0228f18
SHA256: d04fe65edd4e7e2a4a2f3a5d087b7b02b45c17186082f3c1e7be67419c295592
SHA512: c9153df1099ba6b995266f364aadca2a37d2f26fb8a611b2edb17498d527050dcca04cf8844885dde0c4670fead975de54e7763fd3d3b31ffb8a2adf776e8000

Filesize: 512KB
MD5: 3f367a8b10c382093f7a396dbb0329f6
SHA1: ed695bb07f2e9586938749b0764970484b5b81c3
SHA256: 0e5f7fc870e1b12a744a68769ca8284154f1cdc7a97c98809dfc4fec9a134ecc
SHA512: ef2422bb2630cffd6081e1e12d81fdd8ed233a6165378b51aabf5beac77d3b633915d1a5301dcba4ad8332a2c56f020f2d11cca047bcfe3433e715fc06e06c64

Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Filesize: 512KB
MD5: 16eab06899fbed02ba487d372dab640c
SHA1: 1c2678eb5282871d9d1f49f46e853304b163e50d
SHA256: d15f717d31c0d95fb852beecd727c187dbe9a476996c8424d55ae1a279c87369
SHA512: 929fc52cdafeeb66b371a112646d37d0b56132d575033326aec0116cd714228160fc2342b6d4b224fad8c785a98cf4cb8c9abacd0412c029229ed1a809ee0806