Analysis

- max time kernel: 150s
- max time network: 110s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13-06-2024 04:47

Static task: static1

Behavioral task: behavioral1
- Sample: a3de7251d0458eb2be565d7d8fa507b5_JaffaCakes118.exe
- Resource: win7-20240611-en

Behavioral task: behavioral2
- Sample: a3de7251d0458eb2be565d7d8fa507b5_JaffaCakes118.exe
- Resource: win10v2004-20240508-en
General

- Target: a3de7251d0458eb2be565d7d8fa507b5_JaffaCakes118.exe
- Size: 512KB
- MD5: a3de7251d0458eb2be565d7d8fa507b5
- SHA1: 91b1fc30a6d24762041c6480a54556a61fd4651b
- SHA256: d35754568c165dbe399f20e5783bed3a45196b1b864ad8ed76892f56dafbfcb5
- SHA512: 7fab8cf478068812cb25d44e39987989d921aa2e7ca02cec1c52491bded48a3ff58037ebe32430267c1c695fecfe83dda1ea378ff574e0da0c12b3c7aae21802
- SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6G:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5R
Malware Config
Signatures

Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
Processes: jmuanrtted.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | jmuanrtted.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
Processes: jmuanrtted.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | jmuanrtted.exe
Windows security bypass (5 IoCs; the heading is missing from the extracted report, the name is taken from the process tree below)
Processes: jmuanrtted.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | jmuanrtted.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | jmuanrtted.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | jmuanrtted.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | jmuanrtted.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | jmuanrtted.exe
Disables RegEdit via registry modification (1 IoC)
Processes: jmuanrtted.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | jmuanrtted.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Processes: a3de7251d0458eb2be565d7d8fa507b5_JaffaCakes118.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | a3de7251d0458eb2be565d7d8fa507b5_JaffaCakes118.exe
Executes dropped EXE (5 IoCs)
Processes: jmuanrtted.exe, vzocqspvvuegchu.exe, bnvpakjt.exe, cbisjjfmrzuia.exe, bnvpakjt.exe
pid | process
3344 | jmuanrtted.exe
3312 | vzocqspvvuegchu.exe
3596 | bnvpakjt.exe
1608 | cbisjjfmrzuia.exe
4544 | bnvpakjt.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.

Windows security modification (6 IoCs; the heading is missing from the extracted report, the name is taken from the process tree below)
Processes: jmuanrtted.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | jmuanrtted.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | jmuanrtted.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | jmuanrtted.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | jmuanrtted.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | jmuanrtted.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | jmuanrtted.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
Processes: vzocqspvvuegchu.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qprakwbf = "jmuanrtted.exe" | vzocqspvvuegchu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xxadzuye = "vzocqspvvuegchu.exe" | vzocqspvvuegchu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "cbisjjfmrzuia.exe" | vzocqspvvuegchu.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: bnvpakjt.exe, jmuanrtted.exe, bnvpakjt.exe
All 64 events are "File opened (read-only)" on a drive root; they are grouped by process below, with repeated drive letters collapsed.
process | events | drive roots opened
bnvpakjt.exe (both instances) | 43 | \??\a: \??\b: \??\e: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\o: \??\p: \??\q: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z:
jmuanrtted.exe | 21 | \??\a: \??\b: \??\e: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\o: \??\p: \??\q: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\y:
Modifies WinLogon (2 TTPs, 2 IoCs)
Processes: jmuanrtted.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | jmuanrtted.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | jmuanrtted.exe
AutoIT Executable (10 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/972-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
C:\Windows\SysWOW64\vzocqspvvuegchu.exe | autoit_exe
C:\Windows\SysWOW64\jmuanrtted.exe | autoit_exe
C:\Windows\SysWOW64\bnvpakjt.exe | autoit_exe
C:\Windows\SysWOW64\cbisjjfmrzuia.exe | autoit_exe
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | autoit_exe
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | autoit_exe
C:\Users\Admin\Documents\CopyRead.doc.exe | autoit_exe
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | autoit_exe
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | autoit_exe
Drops file in System32 directory (13 IoCs)
Processes: a3de7251d0458eb2be565d7d8fa507b5_JaffaCakes118.exe, bnvpakjt.exe, jmuanrtted.exe, bnvpakjt.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\jmuanrtted.exe | a3de7251d0458eb2be565d7d8fa507b5_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\cbisjjfmrzuia.exe | a3de7251d0458eb2be565d7d8fa507b5_JaffaCakes118.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | bnvpakjt.exe
File created | C:\Windows\SysWOW64\jmuanrtted.exe | a3de7251d0458eb2be565d7d8fa507b5_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\vzocqspvvuegchu.exe | a3de7251d0458eb2be565d7d8fa507b5_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\bnvpakjt.exe | a3de7251d0458eb2be565d7d8fa507b5_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\bnvpakjt.exe | a3de7251d0458eb2be565d7d8fa507b5_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\cbisjjfmrzuia.exe | a3de7251d0458eb2be565d7d8fa507b5_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | jmuanrtted.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | bnvpakjt.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | bnvpakjt.exe
File created | C:\Windows\SysWOW64\vzocqspvvuegchu.exe | a3de7251d0458eb2be565d7d8fa507b5_JaffaCakes118.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | bnvpakjt.exe
Drops file in Program Files directory (15 IoCs)
Processes: bnvpakjt.exe, bnvpakjt.exe
description | ioc | process
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | bnvpakjt.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | bnvpakjt.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | bnvpakjt.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | bnvpakjt.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | bnvpakjt.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | bnvpakjt.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | bnvpakjt.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | bnvpakjt.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | bnvpakjt.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | bnvpakjt.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | bnvpakjt.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | bnvpakjt.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | bnvpakjt.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | bnvpakjt.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | bnvpakjt.exe
Drops file in Windows directory (19 IoCs)
Processes: bnvpakjt.exe, bnvpakjt.exe, WINWORD.EXE, a3de7251d0458eb2be565d7d8fa507b5_JaffaCakes118.exe
description | ioc | process
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | bnvpakjt.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | bnvpakjt.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | bnvpakjt.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | bnvpakjt.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | bnvpakjt.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | bnvpakjt.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | bnvpakjt.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | bnvpakjt.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | bnvpakjt.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | bnvpakjt.exe
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | bnvpakjt.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | bnvpakjt.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | bnvpakjt.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | bnvpakjt.exe
File opened for modification | C:\Windows\mydoc.rtf | a3de7251d0458eb2be565d7d8fa507b5_JaffaCakes118.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | bnvpakjt.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | bnvpakjt.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: WINWORD.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class (20 IoCs)
Processes: a3de7251d0458eb2be565d7d8fa507b5_JaffaCakes118.exe, jmuanrtted.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | a3de7251d0458eb2be565d7d8fa507b5_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | a3de7251d0458eb2be565d7d8fa507b5_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E8BFFFC482982129132D72D7D93BDE0E630583666426337D7EC" | a3de7251d0458eb2be565d7d8fa507b5_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | jmuanrtted.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | jmuanrtted.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | jmuanrtted.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | jmuanrtted.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33302C0C9D2C83276A3277D277222DDA7DF464DD" | a3de7251d0458eb2be565d7d8fa507b5_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB2B15D449338E253CFBAA0329FD4BB" | a3de7251d0458eb2be565d7d8fa507b5_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | jmuanrtted.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | jmuanrtted.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | jmuanrtted.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | jmuanrtted.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F068B5FF6621D9D27BD1A98A7B9117" | a3de7251d0458eb2be565d7d8fa507b5_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | jmuanrtted.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | jmuanrtted.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | jmuanrtted.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | jmuanrtted.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCAF9BEF962F1E3840E3A42819B3E97B38903F14314033EE1CD42E809D6" | a3de7251d0458eb2be565d7d8fa507b5_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1948C77915E3DABFB9CE7FE1EC9734CC" | a3de7251d0458eb2be565d7d8fa507b5_JaffaCakes118.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes: WINWORD.EXE
pid | process | events
2444 | WINWORD.EXE | 2
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: a3de7251d0458eb2be565d7d8fa507b5_JaffaCakes118.exe, jmuanrtted.exe, vzocqspvvuegchu.exe, cbisjjfmrzuia.exe, bnvpakjt.exe, bnvpakjt.exe
The 64 events are grouped by process below.
pid | process | events
972 | a3de7251d0458eb2be565d7d8fa507b5_JaffaCakes118.exe | 16
3344 | jmuanrtted.exe | 10
3312 | vzocqspvvuegchu.exe | 12
1608 | cbisjjfmrzuia.exe | 12
3596 | bnvpakjt.exe | 8
4544 | bnvpakjt.exe | 6
Suspicious use of FindShellTrayWindow (18 IoCs)
Processes: a3de7251d0458eb2be565d7d8fa507b5_JaffaCakes118.exe, jmuanrtted.exe, vzocqspvvuegchu.exe, cbisjjfmrzuia.exe, bnvpakjt.exe, bnvpakjt.exe
pid | process | events
972 | a3de7251d0458eb2be565d7d8fa507b5_JaffaCakes118.exe | 3
3344 | jmuanrtted.exe | 3
3312 | vzocqspvvuegchu.exe | 3
1608 | cbisjjfmrzuia.exe | 3
3596 | bnvpakjt.exe | 3
4544 | bnvpakjt.exe | 3
Suspicious use of SendNotifyMessage (18 IoCs)
Processes: a3de7251d0458eb2be565d7d8fa507b5_JaffaCakes118.exe, jmuanrtted.exe, vzocqspvvuegchu.exe, cbisjjfmrzuia.exe, bnvpakjt.exe, bnvpakjt.exe
pid | process | events
972 | a3de7251d0458eb2be565d7d8fa507b5_JaffaCakes118.exe | 3
3344 | jmuanrtted.exe | 3
3312 | vzocqspvvuegchu.exe | 3
1608 | cbisjjfmrzuia.exe | 3
3596 | bnvpakjt.exe | 3
4544 | bnvpakjt.exe | 3
Suspicious use of SetWindowsHookEx (7 IoCs)
Processes: WINWORD.EXE
pid | process | events
2444 | WINWORD.EXE | 7
Suspicious use of WriteProcessMemory (17 IoCs)
Processes: a3de7251d0458eb2be565d7d8fa507b5_JaffaCakes118.exe, jmuanrtted.exe
description | pid | process | target process | events
PID 972 wrote to memory of 3344 | 972 | a3de7251d0458eb2be565d7d8fa507b5_JaffaCakes118.exe | jmuanrtted.exe | 3
PID 972 wrote to memory of 3312 | 972 | a3de7251d0458eb2be565d7d8fa507b5_JaffaCakes118.exe | vzocqspvvuegchu.exe | 3
PID 972 wrote to memory of 3596 | 972 | a3de7251d0458eb2be565d7d8fa507b5_JaffaCakes118.exe | bnvpakjt.exe | 3
PID 972 wrote to memory of 1608 | 972 | a3de7251d0458eb2be565d7d8fa507b5_JaffaCakes118.exe | cbisjjfmrzuia.exe | 3
PID 972 wrote to memory of 2444 | 972 | a3de7251d0458eb2be565d7d8fa507b5_JaffaCakes118.exe | WINWORD.EXE | 2
PID 3344 wrote to memory of 4544 | 3344 | jmuanrtted.exe | bnvpakjt.exe | 3
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\a3de7251d0458eb2be565d7d8fa507b5_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\a3de7251d0458eb2be565d7d8fa507b5_JaffaCakes118.exe"
PID: 972
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

Level 2 (child of PID 972): C:\Windows\SysWOW64\jmuanrtted.exe
Command line: jmuanrtted.exe
PID: 3344
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

Level 3 (child of PID 3344): C:\Windows\SysWOW64\bnvpakjt.exe
Command line: C:\Windows\system32\bnvpakjt.exe
PID: 4544
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage

Level 2 (child of PID 972): C:\Windows\SysWOW64\vzocqspvvuegchu.exe
Command line: vzocqspvvuegchu.exe
PID: 3312
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage

Level 2 (child of PID 972): C:\Windows\SysWOW64\bnvpakjt.exe
Command line: bnvpakjt.exe
PID: 3596
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage

Level 2 (child of PID 972): C:\Windows\SysWOW64\cbisjjfmrzuia.exe
Command line: cbisjjfmrzuia.exe
PID: 1608
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage

Level 2 (child of PID 972): C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
PID: 2444
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)

Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)

Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads