Analysis
max time kernel: 149s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-06-2024 05:57
Static task: static1
Behavioral task: behavioral1
  Sample: a418451e9a22dd1421f511b39a92cba3_JaffaCakes118.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: a418451e9a22dd1421f511b39a92cba3_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: a418451e9a22dd1421f511b39a92cba3_JaffaCakes118.exe
Size: 512KB
MD5: a418451e9a22dd1421f511b39a92cba3
SHA1: f452a3562ce7623521da143ffa1e82791ba49b4c
SHA256: 774aec47c8a9c924538b9a267a995a64ebc8ecf4ee3edc33d537bfa0b2f3e686
SHA512: 8147adc7a0868e821ac914207c5d6330badf7cd0340c040c4a8ae6cb2f2b24da3fb9d835bc4cc00c9725287d05cfa0906ac7769bd01be2d4889cb7c43693275c
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6n:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5Q
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | skdcwthkmg.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | skdcwthkmg.exe
Windows security bypass 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | skdcwthkmg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | skdcwthkmg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | skdcwthkmg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | skdcwthkmg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | skdcwthkmg.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | skdcwthkmg.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | a418451e9a22dd1421f511b39a92cba3_JaffaCakes118.exe
Executes dropped EXE 5 IoCs
pid | Process
504 | skdcwthkmg.exe
5580 | exvpewpwyiuwixo.exe
536 | bmrlcamo.exe
5292 | zdpfpauowxenq.exe
2172 | bmrlcamo.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | skdcwthkmg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | skdcwthkmg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | skdcwthkmg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | skdcwthkmg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | skdcwthkmg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | skdcwthkmg.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dlkuubip = "exvpewpwyiuwixo.exe" | exvpewpwyiuwixo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "zdpfpauowxenq.exe" | exvpewpwyiuwixo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\scwmcwbz = "skdcwthkmg.exe" | exvpewpwyiuwixo.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\a: \??\b: \??\e: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\o: \??\p: \??\q: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\z: (21 entries, one per drive letter) | skdcwthkmg.exe
File opened (read-only) | \??\a: \??\b: \??\e: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\o: \??\p: \??\q: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z: (43 entries across the two bmrlcamo.exe instances; every letter except l, n and v is opened twice) | bmrlcamo.exe
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | skdcwthkmg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | skdcwthkmg.exe
AutoIT Executable 9 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/1620-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x00070000000233fb-5.dat | autoit_exe
behavioral2/files/0x00090000000233e9-19.dat | autoit_exe
behavioral2/files/0x00070000000233fd-32.dat | autoit_exe
behavioral2/files/0x00070000000233fc-25.dat | autoit_exe
behavioral2/files/0x000300000000070b-57.dat | autoit_exe
behavioral2/files/0x0003000000000715-63.dat | autoit_exe
behavioral2/files/0x001600000001e4f7-88.dat | autoit_exe
behavioral2/files/0x001600000001e4f7-96.dat | autoit_exe
Drops file in System32 directory 13 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\bmrlcamo.exe | a418451e9a22dd1421f511b39a92cba3_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\zdpfpauowxenq.exe | a418451e9a22dd1421f511b39a92cba3_JaffaCakes118.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | bmrlcamo.exe
File created | C:\Windows\SysWOW64\skdcwthkmg.exe | a418451e9a22dd1421f511b39a92cba3_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\skdcwthkmg.exe | a418451e9a22dd1421f511b39a92cba3_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\exvpewpwyiuwixo.exe | a418451e9a22dd1421f511b39a92cba3_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\exvpewpwyiuwixo.exe | a418451e9a22dd1421f511b39a92cba3_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | skdcwthkmg.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | bmrlcamo.exe
File created | C:\Windows\SysWOW64\zdpfpauowxenq.exe | a418451e9a22dd1421f511b39a92cba3_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\bmrlcamo.exe | a418451e9a22dd1421f511b39a92cba3_JaffaCakes118.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | bmrlcamo.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | bmrlcamo.exe
Drops file in Program Files directory 15 IoCs
description | ioc | Process
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | bmrlcamo.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | bmrlcamo.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | bmrlcamo.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | bmrlcamo.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | bmrlcamo.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | bmrlcamo.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | bmrlcamo.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | bmrlcamo.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | bmrlcamo.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | bmrlcamo.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | bmrlcamo.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | bmrlcamo.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | bmrlcamo.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | bmrlcamo.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | bmrlcamo.exe
Drops file in Windows directory 19 IoCs
description | ioc | Process
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | bmrlcamo.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | bmrlcamo.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | bmrlcamo.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | bmrlcamo.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | bmrlcamo.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | bmrlcamo.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | bmrlcamo.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | bmrlcamo.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | bmrlcamo.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | bmrlcamo.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | bmrlcamo.exe
File opened for modification | C:\Windows\mydoc.rtf | a418451e9a22dd1421f511b39a92cba3_JaffaCakes118.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | bmrlcamo.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | bmrlcamo.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | bmrlcamo.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | bmrlcamo.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | bmrlcamo.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class 20 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | skdcwthkmg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | skdcwthkmg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB2B15C449739EE53CDBAD33298D7C9" | a418451e9a22dd1421f511b39a92cba3_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | skdcwthkmg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | skdcwthkmg.exe
Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings | a418451e9a22dd1421f511b39a92cba3_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | skdcwthkmg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | skdcwthkmg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | skdcwthkmg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FFBFF834F5B85689047D75F7E90BDE2E635583067426330D6EC" | a418451e9a22dd1421f511b39a92cba3_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F26BB6FF1A21ACD273D1A98A7B9060" | a418451e9a22dd1421f511b39a92cba3_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1844C67D1596DBBEB9C17CE6ED9737C9" | a418451e9a22dd1421f511b39a92cba3_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | skdcwthkmg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | skdcwthkmg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | skdcwthkmg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | skdcwthkmg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | skdcwthkmg.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | a418451e9a22dd1421f511b39a92cba3_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32402C0A9C2D83256D4477D4702E2CAE7D8364DE" | a418451e9a22dd1421f511b39a92cba3_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACFF9BCFE6BF29983753A46819B3E96B3FD02FD4214023EE1BE45E808A5" | a418451e9a22dd1421f511b39a92cba3_JaffaCakes118.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
2324 | WINWORD.EXE (2 entries)
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process (64 entries, grouped in order of appearance)
1620 | a418451e9a22dd1421f511b39a92cba3_JaffaCakes118.exe (16 entries)
504 | skdcwthkmg.exe (10 entries)
5580 | exvpewpwyiuwixo.exe (8 entries)
536 | bmrlcamo.exe (8 entries)
5580 | exvpewpwyiuwixo.exe (2 entries)
5292 | zdpfpauowxenq.exe (12 entries)
5580 | exvpewpwyiuwixo.exe (2 entries)
2172 | bmrlcamo.exe (6 entries)
Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process (18 entries, 3 per process)
1620 | a418451e9a22dd1421f511b39a92cba3_JaffaCakes118.exe
504 | skdcwthkmg.exe
536 | bmrlcamo.exe
5292 | zdpfpauowxenq.exe
5580 | exvpewpwyiuwixo.exe
2172 | bmrlcamo.exe
Suspicious use of SendNotifyMessage 18 IoCs
pid | Process (18 entries, 3 per process)
1620 | a418451e9a22dd1421f511b39a92cba3_JaffaCakes118.exe
504 | skdcwthkmg.exe
536 | bmrlcamo.exe
5292 | zdpfpauowxenq.exe
5580 | exvpewpwyiuwixo.exe
2172 | bmrlcamo.exe
Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process
2324 | WINWORD.EXE (7 entries)
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 1620 wrote to memory of 504 | 1620 | a418451e9a22dd1421f511b39a92cba3_JaffaCakes118.exe | 81 (3 entries)
PID 1620 wrote to memory of 5580 | 1620 | a418451e9a22dd1421f511b39a92cba3_JaffaCakes118.exe | 82 (3 entries)
PID 1620 wrote to memory of 536 | 1620 | a418451e9a22dd1421f511b39a92cba3_JaffaCakes118.exe | 83 (3 entries)
PID 1620 wrote to memory of 5292 | 1620 | a418451e9a22dd1421f511b39a92cba3_JaffaCakes118.exe | 84 (3 entries)
PID 1620 wrote to memory of 2324 | 1620 | a418451e9a22dd1421f511b39a92cba3_JaffaCakes118.exe | 85 (2 entries)
PID 504 wrote to memory of 2172 | 504 | skdcwthkmg.exe | 87 (3 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\a418451e9a22dd1421f511b39a92cba3_JaffaCakes118.exe (level 1, PID 1620)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a418451e9a22dd1421f511b39a92cba3_JaffaCakes118.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\skdcwthkmg.exe (level 2, PID 504)
    Command line: skdcwthkmg.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\bmrlcamo.exe (level 3, PID 2172)
      Command line: C:\Windows\system32\bmrlcamo.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\exvpewpwyiuwixo.exe (level 2, PID 5580)
    Command line: exvpewpwyiuwixo.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\bmrlcamo.exe (level 2, PID 536)
    Command line: bmrlcamo.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\zdpfpauowxenq.exe (level 2, PID 5292)
    Command line: zdpfpauowxenq.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (level 2, PID 2324)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (6)
Downloads

Filesize: 512KB
MD5: 1533793e6f24803dfae49c0b3c823a30
SHA1: abbd75157f8c8613b06c07d0643b36fcaf7199bb
SHA256: 11ef922d4b496b981960107664e9ea4faf9ad8435e4e84c0a8b57afa766dac06
SHA512: ad33854b034dc58bb56d3b014b751e0e0d9197bd09e94fb8bba0d230eb56d80144c6576e7e1f82f00f5f2e6ef7d5b5426480e0b2073da72f913de8ef7b6b1a2f

Filesize: 512KB
MD5: bd30dada7495ba29303310d6e093eaec
SHA1: 062b0761541b5b21588dcdf192ddcffd0ed8f75c
SHA256: 27cad25ce1ef2b1607d3b3335f113f10f2eea315b9ee2b8a6c7b1c344d726fa4
SHA512: 1689962d4c4a21f5dffe62edc2a31a3fe0ade7f4cf50fd1f6b5e8c2622ac94e77a74c034a950b6a1a012c264a1ff125381bb717267ddc4697d255f75ee95dbf9

Filesize: 239B
MD5: 12b138a5a40ffb88d1850866bf2959cd
SHA1: 57001ba2de61329118440de3e9f8a81074cb28a2
SHA256: 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA512: 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: c65f4a30df4cbde1a833d86cf32da86d
SHA1: 1041df6987b2121a1422f93bf66b164c381bc0d8
SHA256: 8b5963328648f1baf00fb394277e894b29c98dae013df2f1282d6d207d5ebceb
SHA512: f2e43455992187a22ba411958cd42fe7b98adf3f80b1a365a3b6fd61461b01b8fb672695d4365969a62a2c519e95e8c90919f60bf3d3f7b5e880d30938d096aa

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: a6c30875421f51b6d695aabb7f464342
SHA1: 80e01f3459cf44aebb7971eabf68af53e1810caf
SHA256: 3e2477c594bf915951225ad92f97881265670c53b10be47e346cfa36057f0784
SHA512: b85b75bf7d8888f73fb69145e8f10d60d50d6c28227659361486ac3ad997323fa1633cab90f5f4bfc8cf4a94dc3e6cb9614385d002d8305e65ba8f4a2da1e862

Filesize: 512KB
MD5: 2289fda84a61b1764e57fbe60dba1a35
SHA1: b52691cd19841fd1f33f3b8e13e766b9635fc5ab
SHA256: 8f2205c80f0614fb241b6021a0002115a612cb7a07f80ad2e85ad2ed6db800c2
SHA512: 3af9eb8b5d707e08e0be21c794b02c00a7193f1d509c0662fd85bc82f27f28c06ad1f99dff9492e9f0549d80b4838a92af72e9baf23ed2dcde89e25a8439a94d

Filesize: 512KB
MD5: 9ae62fef6c770fecee0c7d5d06d75ec0
SHA1: c930baf1fa3f64654dc727dfc2cf61862f08def8
SHA256: cdca2490fa8cea008d76e6da1c42d7b37d55ea73c20513156cc5c10d73011e3e
SHA512: af040ce3a2eeb7a37d6ecfe259888fe3afe457ffd675b0720ff24546ef3531f57757c57782cbb851f2bc84c767a314075051abcd2fd8879f1e97a2d7c012d760

Filesize: 512KB
MD5: 42e33a87246f1063ce8a9e6718176365
SHA1: b93f6e9b9e1681df1462c3e69773dc6af9a631c2
SHA256: a9c2bfd90b3e41612cbd4d197319de2357c100667870838960901980340c332d
SHA512: 44ae6938f43ad3fd3c82900c82e700c8b84fa127bd602307e07fb8e8d1ebc07a1d1e6cd071458fa11feabc74f842ea7012fc307778b2a94b5ad7f0c362aaf428

Filesize: 512KB
MD5: f2d9db9e36a8f79db14c2606c491adaa
SHA1: 97e7f556ee6ec2656d108369b1a5561177e824c8
SHA256: c6ad5e0b0d9f82ad3f92f9594b4c1faec3465de808dfbc8035c8c3eb3bf19c7f
SHA512: 3526c32e2e3bb75ffcbb3668a260f1b397da42c5a9c156cae0317676a3df460a4360d8a8c2fa0e97f90eec1ffdce8da0a2b32be0ceb41159c0161590f92fdb88

Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Filesize: 512KB
MD5: e54eadabedb227397399604b07e18aa3
SHA1: b9198be7e9c448877f2366c77d294506bdddf07e
SHA256: c5836565a033e5cd28b16c376e1feab20eeeac4727ccb1fcc2c8488bb6d72195
SHA512: df39d180d56e2ec8ba8da81c0fc8a6df80bdb598e60c0b96b48c767b0f0b86cdcc5883c7f52b4446c00090551fd4839d622e60c9b25f767078dd6f73004bc4bd

Filesize: 512KB
MD5: 05aaa217959727bc35eee51ba32cf8f6
SHA1: 001ac93f8d99a86ea9d0be6cde167d79dce9ea85
SHA256: 6c2710047a82020e9dac627d62c7b8ddb2291a70a3375637e83636a899c55b8d
SHA512: 8bd39dee800f95c5e89668adf7bdae1df3e329d00ccfd3cc200c59cd83b957e1b2bb1c26c97c2098746c288fa8c7ad5d40fe4d4dc1fa2114a17e5e0a75c82e20