Analysis
max time kernel
150s
max time network
108s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags
arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted
13-06-2024 04:42
Static task
static1
Behavioral task
behavioral1
Sample
a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
Target
a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe
Size
512KB
MD5
a3daef70f8e18e75bc011c85e07c4105
SHA1
34fdfe6ef72db4c150cae13db62084441fa313e8
SHA256
96b225fb8a884b687523bc93abf93879662f3b8fba963e151fa49718fe41d03a
SHA512
651e9418c91ad741ad8ec08afad25f4ed8003b10a5f3e8d820fdc93080f29fbef1796ff5723e7f73f4f1b41267b7e8bcc11c696ade0c9558ae4d8ac52e68c0e1
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6H:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5S
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
Processes: gkbxbblfpu.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | gkbxbblfpu.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes: gkbxbblfpu.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | gkbxbblfpu.exe
Windows security bypass 5 IoCs
Processes: gkbxbblfpu.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | gkbxbblfpu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | gkbxbblfpu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | gkbxbblfpu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | gkbxbblfpu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | gkbxbblfpu.exe
Disables RegEdit via registry modification 1 IoCs
Processes: gkbxbblfpu.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | gkbxbblfpu.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely for geofencing.
Processes: a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe
Executes dropped EXE 5 IoCs
Processes: gkbxbblfpu.exe, chyirpliscvridn.exe, zetofspu.exe, kagcvjkayfinl.exe, zetofspu.exe
pid | process
1888 | gkbxbblfpu.exe
2400 | chyirpliscvridn.exe
4324 | zetofspu.exe
220 | kagcvjkayfinl.exe
4224 | zetofspu.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 6 IoCs
Processes: gkbxbblfpu.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | gkbxbblfpu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | gkbxbblfpu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | gkbxbblfpu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | gkbxbblfpu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | gkbxbblfpu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | gkbxbblfpu.exe
Adds Run key to start application 2 TTPs 3 IoCs
Processes: chyirpliscvridn.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ryaxjnnv = "gkbxbblfpu.exe" | chyirpliscvridn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yhewjryq = "chyirpliscvridn.exe" | chyirpliscvridn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "kagcvjkayfinl.exe" | chyirpliscvridn.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: gkbxbblfpu.exe, zetofspu.exe, zetofspu.exe
description | ioc | process
File opened (read-only) | \??\w: | gkbxbblfpu.exe
File opened (read-only) | \??\n: | zetofspu.exe
File opened (read-only) | \??\v: | zetofspu.exe
File opened (read-only) | \??\x: | zetofspu.exe
File opened (read-only) | \??\q: | gkbxbblfpu.exe
File opened (read-only) | \??\b: | zetofspu.exe
File opened (read-only) | \??\i: | zetofspu.exe
File opened (read-only) | \??\p: | gkbxbblfpu.exe
File opened (read-only) | \??\i: | zetofspu.exe
File opened (read-only) | \??\w: | zetofspu.exe
File opened (read-only) | \??\k: | zetofspu.exe
File opened (read-only) | \??\s: | zetofspu.exe
File opened (read-only) | \??\n: | gkbxbblfpu.exe
File opened (read-only) | \??\b: | gkbxbblfpu.exe
File opened (read-only) | \??\x: | gkbxbblfpu.exe
File opened (read-only) | \??\o: | zetofspu.exe
File opened (read-only) | \??\q: | zetofspu.exe
File opened (read-only) | \??\a: | gkbxbblfpu.exe
File opened (read-only) | \??\y: | gkbxbblfpu.exe
File opened (read-only) | \??\j: | zetofspu.exe
File opened (read-only) | \??\m: | zetofspu.exe
File opened (read-only) | \??\o: | zetofspu.exe
File opened (read-only) | \??\x: | zetofspu.exe
File opened (read-only) | \??\u: | gkbxbblfpu.exe
File opened (read-only) | \??\s: | gkbxbblfpu.exe
File opened (read-only) | \??\v: | gkbxbblfpu.exe
File opened (read-only) | \??\k: | zetofspu.exe
File opened (read-only) | \??\r: | zetofspu.exe
File opened (read-only) | \??\u: | zetofspu.exe
File opened (read-only) | \??\e: | gkbxbblfpu.exe
File opened (read-only) | \??\t: | gkbxbblfpu.exe
File opened (read-only) | \??\j: | gkbxbblfpu.exe
File opened (read-only) | \??\h: | zetofspu.exe
File opened (read-only) | \??\m: | zetofspu.exe
File opened (read-only) | \??\i: | gkbxbblfpu.exe
File opened (read-only) | \??\b: | zetofspu.exe
File opened (read-only) | \??\r: | gkbxbblfpu.exe
File opened (read-only) | \??\u: | zetofspu.exe
File opened (read-only) | \??\e: | zetofspu.exe
File opened (read-only) | \??\l: | zetofspu.exe
File opened (read-only) | \??\w: | zetofspu.exe
File opened (read-only) | \??\z: | zetofspu.exe
File opened (read-only) | \??\e: | zetofspu.exe
File opened (read-only) | \??\l: | zetofspu.exe
File opened (read-only) | \??\y: | zetofspu.exe
File opened (read-only) | \??\l: | gkbxbblfpu.exe
File opened (read-only) | \??\k: | gkbxbblfpu.exe
File opened (read-only) | \??\p: | zetofspu.exe
File opened (read-only) | \??\t: | zetofspu.exe
File opened (read-only) | \??\y: | zetofspu.exe
File opened (read-only) | \??\r: | zetofspu.exe
File opened (read-only) | \??\h: | gkbxbblfpu.exe
File opened (read-only) | \??\o: | gkbxbblfpu.exe
File opened (read-only) | \??\g: | zetofspu.exe
File opened (read-only) | \??\a: | zetofspu.exe
File opened (read-only) | \??\g: | gkbxbblfpu.exe
File opened (read-only) | \??\z: | gkbxbblfpu.exe
File opened (read-only) | \??\q: | zetofspu.exe
File opened (read-only) | \??\h: | zetofspu.exe
File opened (read-only) | \??\m: | gkbxbblfpu.exe
File opened (read-only) | \??\n: | zetofspu.exe
File opened (read-only) | \??\v: | zetofspu.exe
File opened (read-only) | \??\g: | zetofspu.exe
File opened (read-only) | \??\j: | zetofspu.exe
Modifies WinLogon 2 TTPs 2 IoCs
Processes: gkbxbblfpu.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | gkbxbblfpu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | gkbxbblfpu.exe
AutoIT Executable 9 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/5076-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
C:\Windows\SysWOW64\chyirpliscvridn.exe | autoit_exe
C:\Windows\SysWOW64\gkbxbblfpu.exe | autoit_exe
C:\Windows\SysWOW64\kagcvjkayfinl.exe | autoit_exe
C:\Windows\SysWOW64\zetofspu.exe | autoit_exe
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | autoit_exe
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | autoit_exe
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | autoit_exe
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | autoit_exe
Drops file in System32 directory 12 IoCs
Processes: a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe, zetofspu.exe, gkbxbblfpu.exe, zetofspu.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\gkbxbblfpu.exe | a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\zetofspu.exe | a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\kagcvjkayfinl.exe | a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\kagcvjkayfinl.exe | a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | zetofspu.exe
File created | C:\Windows\SysWOW64\gkbxbblfpu.exe | a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\chyirpliscvridn.exe | a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\zetofspu.exe | a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | gkbxbblfpu.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | zetofspu.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | zetofspu.exe
File created | C:\Windows\SysWOW64\chyirpliscvridn.exe | a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe
Drops file in Program Files directory 15 IoCs
Processes: zetofspu.exe, zetofspu.exe
description | ioc | process
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | zetofspu.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | zetofspu.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | zetofspu.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | zetofspu.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | zetofspu.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | zetofspu.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | zetofspu.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | zetofspu.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | zetofspu.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | zetofspu.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | zetofspu.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | zetofspu.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | zetofspu.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | zetofspu.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | zetofspu.exe
Drops file in Windows directory 19 IoCs
Processes: WINWORD.EXE, zetofspu.exe, zetofspu.exe, a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe
description | ioc | process
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | zetofspu.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | zetofspu.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | zetofspu.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | zetofspu.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | zetofspu.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | zetofspu.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | zetofspu.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | zetofspu.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | zetofspu.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | zetofspu.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | zetofspu.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | zetofspu.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | zetofspu.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | zetofspu.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | zetofspu.exe
File opened for modification | C:\Windows\mydoc.rtf | a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | zetofspu.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: WINWORD.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class 20 IoCs
Processes: gkbxbblfpu.exe, a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | gkbxbblfpu.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | gkbxbblfpu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EC1B12F449539ED53C8B9D133EED4B8" | a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F368C3FE1C22D0D27AD0A08A0C9017" | a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | gkbxbblfpu.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | gkbxbblfpu.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | gkbxbblfpu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | gkbxbblfpu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33442C0A9C5282576A3E76D270532CD87C8E65DC" | a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACDFABCFE64F190840B3A4186973998B38C028C4215023BE1BE429D08A4" | a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | gkbxbblfpu.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | gkbxbblfpu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | gkbxbblfpu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | gkbxbblfpu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | gkbxbblfpu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | gkbxbblfpu.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFAFFF9482785129045D72D7DE5BD97E6405941674E6330D798" | a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1949C67915E7DBC7B8CE7FE6EC9737C8" | a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes: WINWORD.EXE
pid | process
1284 | WINWORD.EXE (2 entries)
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe, gkbxbblfpu.exe, kagcvjkayfinl.exe, zetofspu.exe, chyirpliscvridn.exe, zetofspu.exe
pid | process (consecutive identical entries collapsed, in report order)
5076 | a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe (16 entries)
1888 | gkbxbblfpu.exe (10 entries)
220 | kagcvjkayfinl.exe (12 entries)
4324 | zetofspu.exe (2 entries)
2400 | chyirpliscvridn.exe (6 entries)
4324 | zetofspu.exe (2 entries)
2400 | chyirpliscvridn.exe (2 entries)
4324 | zetofspu.exe (4 entries)
2400 | chyirpliscvridn.exe (2 entries)
4224 | zetofspu.exe (8 entries)
Suspicious use of FindShellTrayWindow 18 IoCs
Processes: a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe, gkbxbblfpu.exe, kagcvjkayfinl.exe, zetofspu.exe, chyirpliscvridn.exe, zetofspu.exe
pid | process (consecutive identical entries collapsed, in report order)
5076 | a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe (3 entries)
1888 | gkbxbblfpu.exe (3 entries)
220 | kagcvjkayfinl.exe (3 entries)
4324 | zetofspu.exe
2400 | chyirpliscvridn.exe
4324 | zetofspu.exe
2400 | chyirpliscvridn.exe
4324 | zetofspu.exe
2400 | chyirpliscvridn.exe
4224 | zetofspu.exe (3 entries)
Suspicious use of SendNotifyMessage 18 IoCs
Processes: a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe, gkbxbblfpu.exe, kagcvjkayfinl.exe, zetofspu.exe, chyirpliscvridn.exe, zetofspu.exe
pid | process (consecutive identical entries collapsed, in report order)
5076 | a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe (3 entries)
1888 | gkbxbblfpu.exe (3 entries)
220 | kagcvjkayfinl.exe (3 entries)
4324 | zetofspu.exe
2400 | chyirpliscvridn.exe
4324 | zetofspu.exe
2400 | chyirpliscvridn.exe
4324 | zetofspu.exe
2400 | chyirpliscvridn.exe
4224 | zetofspu.exe (3 entries)
Suspicious use of SetWindowsHookEx 7 IoCs
Processes: WINWORD.EXE
pid | process
1284 | WINWORD.EXE (7 entries)
Suspicious use of WriteProcessMemory 17 IoCs
Processes: a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe, gkbxbblfpu.exe
description | pid | process | target process (consecutive identical entries collapsed, in report order)
PID 5076 wrote to memory of 1888 | 5076 | a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe | gkbxbblfpu.exe (3 entries)
PID 5076 wrote to memory of 2400 | 5076 | a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe | chyirpliscvridn.exe (3 entries)
PID 5076 wrote to memory of 4324 | 5076 | a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe | zetofspu.exe (3 entries)
PID 5076 wrote to memory of 220 | 5076 | a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe | kagcvjkayfinl.exe (3 entries)
PID 1888 wrote to memory of 4224 | 1888 | gkbxbblfpu.exe | zetofspu.exe (3 entries)
PID 5076 wrote to memory of 1284 | 5076 | a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe | WINWORD.EXE (2 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\a3daef70f8e18e75bc011c85e07c4105_JaffaCakes118.exe"
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 5076
  C:\Windows\SysWOW64\gkbxbblfpu.exe (level 2)
  Command line: gkbxbblfpu.exe
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 1888
    C:\Windows\SysWOW64\zetofspu.exe (level 3)
    Command line: C:\Windows\system32\zetofspu.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 4224
  C:\Windows\SysWOW64\chyirpliscvridn.exe (level 2)
  Command line: chyirpliscvridn.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 2400
  C:\Windows\SysWOW64\zetofspu.exe (level 2)
  Command line: zetofspu.exe
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 4324
  C:\Windows\SysWOW64\kagcvjkayfinl.exe (level 2)
  Command line: kagcvjkayfinl.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 220
  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (level 2)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
  - Drops file in Windows directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID: 1284
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution 2
    Registry Run Keys / Startup Folder 1
    Winlogon Helper DLL 1
Privilege Escalation
  Boot or Logon Autostart Execution 2
    Registry Run Keys / Startup Folder 1
    Winlogon Helper DLL 1
Defense Evasion
  Hide Artifacts 2
    Hidden Files and Directories 2
  Impair Defenses 2
    Disable or Modify Tools 2
  Modify Registry 6
Downloads
Filesize
512KB
MD5
3590a4ffa2f0eb2d3bbe65e88b044589
SHA1
5325523da1847c9455c2e5160a128b8939674af4
SHA256
6f9b7ed96fbc50c833161b4c23a8226f9706d3772b8332073ec078badfc32fc3
SHA512
1b4efee9e8a3c6be7bd7fa3f4c060fc16aedd148a53521bb89c77f61cb62ed98a9931f63ea9bb2460ba3b4080926f093d431a9e49ee81dc5cc7dcabeaaab0a63

Filesize
512KB
MD5
8e6e5bc910b9911bd4d38b06f6ba19b6
SHA1
aa0d589796ac6dfa3969930f35c1aaac97ad317d
SHA256
989e457fd7c88c88392d5d40ff8e9c62657f2d889117a2c41fdb21c9469f5f71
SHA512
5b6c82fb3cff042454d4fc460b0917105735c1b2c4c02dcb4ebd889f80ffb73723a897da4f8169a8a59ed79430da7ef21311ef55c052db637a2c9c382d8aa176

Filesize
239B
MD5
12b138a5a40ffb88d1850866bf2959cd
SHA1
57001ba2de61329118440de3e9f8a81074cb28a2
SHA256
9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA512
9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize
3KB
MD5
d2aa39f3e8d9eccc12128c53e4c428a4
SHA1
8d6cf827cf5e62dc31a468c860eb92a5573c0294
SHA256
b3ba80098f3eb6b6c597e6c1c525b7eff5e0df9db5de510713786882b587c41e
SHA512
d28f625e9639bcb835fa2174e226a80879206a3fbf162ca775290d3b7075aa5bb2444f752c08a3528c0d5f559c6bd6ff4883e4f3b9c4cefe4421d26de3d78d50

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize
3KB
MD5
e9c4bc67e190134c3a96709ba0be93cc
SHA1
422ec2f478b9ec6f798d92c86bc25708976baba4
SHA256
3acfe6b16d12349232d290eeeb40a800015a14a27c6a431b6ff9f3c71481534f
SHA512
0500c74b18dc38f40fddac67aed69310d75562dc967ee22ad67f6e87b5122852c205d94df3739196d92414dc55d1cf0253f057ba87950221fb799d7c7a2b2b2c

Filesize
512KB
MD5
00b855f298e0f772b744a81f02195776
SHA1
a4c7ecd3c46fb973909a13968c2502cb3bb16d7a
SHA256
5101bc7379bfd040d796496974cd8b7f0dc9a79428a93bd7d19114a11298efad
SHA512
14529f4e8d7985b962076a564d208a2912fcb184be4a4b05fb96a19526141ee0f243cd7fd6409f4b86acedd3ca621cd80daf474b9f9113a915baec71de270515

Filesize
512KB
MD5
410fb8b91113eec7e362e71d9133b8a8
SHA1
4a04f040d1808118176a53ba59e1a67174e1183c
SHA256
572e59f5ed2991215dc5c49c2870e5d877d962a9d24d0fae9892a4402c3ddf1f
SHA512
80d1ec4bf3c576a2f0d2b9cc3614a5e0bfae8c88427aa869b0b5a6c30cdb7cb57ff99dcbe4ea0805879aec8500868e5c9f8a6c8266c7988802dbf49aec0c7fea

Filesize
512KB
MD5
d0498a7e1c5790c226b712220979dca4
SHA1
f9e59a88c6d582c138c908ef1810f39a8c60f9ed
SHA256
a29f19f5544fbb3158ba9301b7d11f8384cd85ace0bc34f3eaec5821e785b8f2
SHA512
5d5c1e5212250ef0cc843d74cbb764886cfc05f56ee2670777f8991a551579cd422ee1389187074d8ce13c1ad5876c2d348afe5d95c4024b5514d7312e36bd5a

Filesize
512KB
MD5
be9298a812c66637a2139c9cf434cd55
SHA1
084b6dd49f37cb159482ce7794e9191385ef0bf9
SHA256
6574432d01c0e63dfec7f7b228576accb58d310373b8322a9db1c02d7511bec1
SHA512
7fdd1bc061208b9202be5d811dfc3b7ce1ed88e1a6ac92c7175cb2c9163018ebf547dc7010cf7803d22993b00777a623323f40283ca92e3b94a97662bdce7642

Filesize
223B
MD5
06604e5941c126e2e7be02c5cd9f62ec
SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Filesize
512KB
MD5
1a0bd2069e74c29c2fd9ce81736debae
SHA1
ae914d28c721ca21640f468cac7aab73cb3c7d60
SHA256
7f523d9a4c6a7d850e6c29101930208b214b43f2bdd63f3daab816b2c8b04075
SHA512
0def22fbad98e6aa99fdc743f5f38b49b9c1f9e2eb918ab2cfd511140ce9fe578aec4dcda2cb02d2b5978e9362d691432766aab7b749fefe85cc2062583f170a

Filesize
512KB
MD5
bde0b944d12eca94441e1754bee52f1d
SHA1
6fa50b00da72e3571b32eeb6dcdbe17e763dbf98
SHA256
673699d5083b76afc6dd4a609e1933941e7ed04f0ddc34b0bc403b057310a854
SHA512
567de4439869f4f928845f6cceb760c6e91006f1eb9daba271d05d7f8b727edb5b290b343fbbc3c07fd7d3ca14c8e36c7063864057180294e7a1031494a1c956