Analysis
max time kernel: 150s
max time network: 125s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-06-2024 13:20
Static task: static1
Behavioral task: behavioral1
Sample: a5c0af96bf86097e088a09f7fe336495_JaffaCakes118.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: a5c0af96bf86097e088a09f7fe336495_JaffaCakes118.exe
Resource: win10v2004-20240611-en
General
Target: a5c0af96bf86097e088a09f7fe336495_JaffaCakes118.exe
Size: 512KB
MD5: a5c0af96bf86097e088a09f7fe336495
SHA1: 80c34112b82277d4e691efe9b8adc90377e5ffa2
SHA256: 1ddba0cf6c8343a36b45a7c0bd4ac88c82db6ad8dc80f19cf9321f5f4b9fcfe9
SHA512: 474589af262fea247570fdb923be7d2c66480cab91f9d6a49c3544b233934392a88a47067cabe103733b7a620921f8ef991639fbdb3c2658cbbd3a3cf49901e5
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj69:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5e
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | biixoykqit.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | biixoykqit.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | biixoykqit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | biixoykqit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | biixoykqit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | biixoykqit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | biixoykqit.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | biixoykqit.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation | a5c0af96bf86097e088a09f7fe336495_JaffaCakes118.exe
Executes dropped EXE 5 IoCs
pid | Process
2824 | biixoykqit.exe
1052 | hhcwzhntzjbuevr.exe
3484 | lmxtdhic.exe
2392 | mxjiuraklfoqt.exe
1360 | lmxtdhic.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | biixoykqit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | biixoykqit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | biixoykqit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | biixoykqit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | biixoykqit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | biixoykqit.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uvzhgkhl = "hhcwzhntzjbuevr.exe" | hhcwzhntzjbuevr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "mxjiuraklfoqt.exe" | hhcwzhntzjbuevr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\itcebpbz = "biixoykqit.exe" | hhcwzhntzjbuevr.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | biixoykqit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | biixoykqit.exe
AutoIT Executable 9 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/1852-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x00080000000234f9-5.dat | autoit_exe
behavioral2/files/0x000700000002336e-19.dat | autoit_exe
behavioral2/files/0x00070000000234fa-25.dat | autoit_exe
behavioral2/files/0x00070000000234fb-32.dat | autoit_exe
behavioral2/files/0x0007000000023507-61.dat | autoit_exe
behavioral2/files/0x0007000000023508-68.dat | autoit_exe
behavioral2/files/0x0008000000023513-83.dat | autoit_exe
behavioral2/files/0x0008000000023513-88.dat | autoit_exe
Drops file in System32 directory 12 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\biixoykqit.exe | a5c0af96bf86097e088a09f7fe336495_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\biixoykqit.exe | a5c0af96bf86097e088a09f7fe336495_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\hhcwzhntzjbuevr.exe | a5c0af96bf86097e088a09f7fe336495_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\lmxtdhic.exe | a5c0af96bf86097e088a09f7fe336495_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\mxjiuraklfoqt.exe | a5c0af96bf86097e088a09f7fe336495_JaffaCakes118.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | lmxtdhic.exe
File created | C:\Windows\SysWOW64\hhcwzhntzjbuevr.exe | a5c0af96bf86097e088a09f7fe336495_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\lmxtdhic.exe | a5c0af96bf86097e088a09f7fe336495_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\mxjiuraklfoqt.exe | a5c0af96bf86097e088a09f7fe336495_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | biixoykqit.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | lmxtdhic.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | lmxtdhic.exe
Drops file in Program Files directory 15 IoCs
description | ioc | Process
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | lmxtdhic.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | lmxtdhic.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | lmxtdhic.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | lmxtdhic.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | lmxtdhic.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | lmxtdhic.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | lmxtdhic.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | lmxtdhic.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | lmxtdhic.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | lmxtdhic.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | lmxtdhic.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | lmxtdhic.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | lmxtdhic.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | lmxtdhic.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | lmxtdhic.exe
Drops file in Windows directory 19 IoCs
description | ioc | Process
File opened for modification | C:\Windows\mydoc.rtf | a5c0af96bf86097e088a09f7fe336495_JaffaCakes118.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | lmxtdhic.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | lmxtdhic.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | lmxtdhic.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | lmxtdhic.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | lmxtdhic.exe
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | lmxtdhic.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | lmxtdhic.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | lmxtdhic.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | lmxtdhic.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | lmxtdhic.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | lmxtdhic.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | lmxtdhic.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | lmxtdhic.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | lmxtdhic.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | lmxtdhic.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | lmxtdhic.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class 20 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | a5c0af96bf86097e088a09f7fe336495_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFCFC8F482A8518903DD65A7D94BDE6E14759416731623FD690" | a5c0af96bf86097e088a09f7fe336495_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E78168B1FE6721DDD272D1D58A7B9060" | a5c0af96bf86097e088a09f7fe336495_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | biixoykqit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | biixoykqit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | biixoykqit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC7B15C44E6389F53CABAA1329CD7C5" | a5c0af96bf86097e088a09f7fe336495_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings | a5c0af96bf86097e088a09f7fe336495_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | biixoykqit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | biixoykqit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | biixoykqit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | biixoykqit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | biixoykqit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | biixoykqit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33412C089C2082576A3377A070562DDF7D8765DD" | a5c0af96bf86097e088a09f7fe336495_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABDFABCF911F2E7847A3B3286EE3E95B3FC02FE4311023CE1CB45E609A8" | a5c0af96bf86097e088a09f7fe336495_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1945C70C1491DAB3B8BA7C94ED9634BE" | a5c0af96bf86097e088a09f7fe336495_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | biixoykqit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | biixoykqit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | biixoykqit.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
1472 | WINWORD.EXE
1472 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of FindShellTrayWindow 18 IoCs
Suspicious use of SendNotifyMessage 18 IoCs
Suspicious use of SetWindowsHookEx 7 IoCs
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 1852 wrote to memory of 2824 | 1852 | a5c0af96bf86097e088a09f7fe336495_JaffaCakes118.exe | 81
PID 1852 wrote to memory of 2824 | 1852 | a5c0af96bf86097e088a09f7fe336495_JaffaCakes118.exe | 81
PID 1852 wrote to memory of 2824 | 1852 | a5c0af96bf86097e088a09f7fe336495_JaffaCakes118.exe | 81
PID 1852 wrote to memory of 1052 | 1852 | a5c0af96bf86097e088a09f7fe336495_JaffaCakes118.exe | 83
PID 1852 wrote to memory of 1052 | 1852 | a5c0af96bf86097e088a09f7fe336495_JaffaCakes118.exe | 83
PID 1852 wrote to memory of 1052 | 1852 | a5c0af96bf86097e088a09f7fe336495_JaffaCakes118.exe | 83
PID 1852 wrote to memory of 3484 | 1852 | a5c0af96bf86097e088a09f7fe336495_JaffaCakes118.exe | 84
PID 1852 wrote to memory of 3484 | 1852 | a5c0af96bf86097e088a09f7fe336495_JaffaCakes118.exe | 84
PID 1852 wrote to memory of 3484 | 1852 | a5c0af96bf86097e088a09f7fe336495_JaffaCakes118.exe | 84
PID 1852 wrote to memory of 2392 | 1852 | a5c0af96bf86097e088a09f7fe336495_JaffaCakes118.exe | 85
PID 1852 wrote to memory of 2392 | 1852 | a5c0af96bf86097e088a09f7fe336495_JaffaCakes118.exe | 85
PID 1852 wrote to memory of 2392 | 1852 | a5c0af96bf86097e088a09f7fe336495_JaffaCakes118.exe | 85
PID 1852 wrote to memory of 1472 | 1852 | a5c0af96bf86097e088a09f7fe336495_JaffaCakes118.exe | 86
PID 1852 wrote to memory of 1472 | 1852 | a5c0af96bf86097e088a09f7fe336495_JaffaCakes118.exe | 86
PID 2824 wrote to memory of 1360 | 2824 | biixoykqit.exe | 88
PID 2824 wrote to memory of 1360 | 2824 | biixoykqit.exe | 88
PID 2824 wrote to memory of 1360 | 2824 | biixoykqit.exe | 88
Processes
C:\Users\Admin\AppData\Local\Temp\a5c0af96bf86097e088a09f7fe336495_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\a5c0af96bf86097e088a09f7fe336495_JaffaCakes118.exe"
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 1852
  C:\Windows\SysWOW64\biixoykqit.exe
  Command line: biixoykqit.exe
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 2824
    C:\Windows\SysWOW64\lmxtdhic.exe
    Command line: C:\Windows\system32\lmxtdhic.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 1360
  C:\Windows\SysWOW64\hhcwzhntzjbuevr.exe
  Command line: hhcwzhntzjbuevr.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 1052
  C:\Windows\SysWOW64\lmxtdhic.exe
  Command line: lmxtdhic.exe
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 3484
  C:\Windows\SysWOW64\mxjiuraklfoqt.exe
  Command line: mxjiuraklfoqt.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 2392
  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
  - Drops file in Windows directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID: 1472
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads