Analysis
max time kernel: 149s
max time network: 110s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-06-2024 04:26
Static task: static1
Behavioral task: behavioral1
  Sample: a80146d37720556f31322741b751257a_JaffaCakes118.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: a80146d37720556f31322741b751257a_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: a80146d37720556f31322741b751257a_JaffaCakes118.exe
Size: 512KB
MD5: a80146d37720556f31322741b751257a
SHA1: e2ebcdcccc2fd8a6f16aba4162665aadce49ae82
SHA256: 0dbc72585b456a451d16e64a461fd6c44af43948ad9e9301ac9e52ea061aaf98
SHA512: 9a0b66c4a4ded4dd16338110d98f5b42bee4c96498f6c2beb73042ed9818f3fc38e14043ceedada9aa7ef4cf5a8ec94b2aa47978741f160881064efae59c224a
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6U:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5b
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | kkzvzpvypz.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | kkzvzpvypz.exe
Windows security bypass 5 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | kkzvzpvypz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | kkzvzpvypz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | kkzvzpvypz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | kkzvzpvypz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | kkzvzpvypz.exe
Disables RegEdit via registry modification 1 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | kkzvzpvypz.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | a80146d37720556f31322741b751257a_JaffaCakes118.exe
Executes dropped EXE 5 IoCs
Processes:
pid | process
2880 | kkzvzpvypz.exe
2368 | eiimyumrfuwzziz.exe
1596 | vlrcxhud.exe
2828 | kqycnkylakphq.exe
976 | vlrcxhud.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 6 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | kkzvzpvypz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | kkzvzpvypz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | kkzvzpvypz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | kkzvzpvypz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | kkzvzpvypz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | kkzvzpvypz.exe
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\reaysacm = "kkzvzpvypz.exe" | eiimyumrfuwzziz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rrpfppgi = "eiimyumrfuwzziz.exe" | eiimyumrfuwzziz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "kqycnkylakphq.exe" (the Run key's unnamed default value) | eiimyumrfuwzziz.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description | ioc | process
File opened (read-only) | \??\<letter>: for a, b, e, g, h, i, j, k, l, m, n, o, p, q, r, t, u, v, w, x, y, z | kkzvzpvypz.exe (22 entries)
File opened (read-only) | \??\<letter>: for a, b, e, g, h, i, j, k, l, m, n, o, p, q, r, s, t, u, v, w, x, y, z | vlrcxhud.exe, both instances (42 entries; every letter twice except g, h, q and t once)
Only the 64 entries above are listed; c:, d: and f: do not appear among them.
Modifies WinLogon 2 TTPs 2 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | kkzvzpvypz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" (0xFFFFFF9D) | kkzvzpvypz.exe
AutoIT Executable 9 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource | yara_rule
behavioral2/memory/4944-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
C:\Windows\SysWOW64\eiimyumrfuwzziz.exe | autoit_exe
C:\Windows\SysWOW64\kkzvzpvypz.exe | autoit_exe
C:\Windows\SysWOW64\vlrcxhud.exe | autoit_exe
C:\Windows\SysWOW64\kqycnkylakphq.exe | autoit_exe
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | autoit_exe
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | autoit_exe
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | autoit_exe
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | autoit_exe
Drops file in System32 directory 13 IoCs
Processes:
description | ioc | process
File created | C:\Windows\SysWOW64\eiimyumrfuwzziz.exe | a80146d37720556f31322741b751257a_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\eiimyumrfuwzziz.exe | a80146d37720556f31322741b751257a_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | kkzvzpvypz.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | vlrcxhud.exe
File created | C:\Windows\SysWOW64\vlrcxhud.exe | a80146d37720556f31322741b751257a_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\vlrcxhud.exe | a80146d37720556f31322741b751257a_JaffaCakes118.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | vlrcxhud.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | vlrcxhud.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | vlrcxhud.exe
File created | C:\Windows\SysWOW64\kkzvzpvypz.exe | a80146d37720556f31322741b751257a_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\kkzvzpvypz.exe | a80146d37720556f31322741b751257a_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\kqycnkylakphq.exe | a80146d37720556f31322741b751257a_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\kqycnkylakphq.exe | a80146d37720556f31322741b751257a_JaffaCakes118.exe
Drops file in Program Files directory 14 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | vlrcxhud.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | vlrcxhud.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | vlrcxhud.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | vlrcxhud.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | vlrcxhud.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | vlrcxhud.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | vlrcxhud.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | vlrcxhud.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | vlrcxhud.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | vlrcxhud.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | vlrcxhud.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | vlrcxhud.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | vlrcxhud.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | vlrcxhud.exe
Drops file in Windows directory 19 IoCs
Processes:
description | ioc | process
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | vlrcxhud.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | vlrcxhud.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | vlrcxhud.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | vlrcxhud.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | vlrcxhud.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | vlrcxhud.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | vlrcxhud.exe
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | vlrcxhud.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | vlrcxhud.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | vlrcxhud.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | vlrcxhud.exe
File opened for modification | C:\Windows\mydoc.rtf | a80146d37720556f31322741b751257a_JaffaCakes118.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | vlrcxhud.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | vlrcxhud.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | vlrcxhud.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | vlrcxhud.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | vlrcxhud.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class 20 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | a80146d37720556f31322741b751257a_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33332C0A9D2382596D3677D077202DD77C8E65AA" | a80146d37720556f31322741b751257a_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | kkzvzpvypz.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | kkzvzpvypz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | kkzvzpvypz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | kkzvzpvypz.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | kkzvzpvypz.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | kkzvzpvypz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F36BB0FE1C22D1D173D0D68A7A9167" | a80146d37720556f31322741b751257a_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1939C70814E2DAC4B9BB7FE4EDE034B9" | a80146d37720556f31322741b751257a_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings | a80146d37720556f31322741b751257a_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | kkzvzpvypz.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | kkzvzpvypz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACFFABDF964F19484793A4486963E93B08903F142160233E2C442E909A0" | a80146d37720556f31322741b751257a_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB6B15F4497399A52BDBAA133E9D7BB" | a80146d37720556f31322741b751257a_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFAFCF94F2985129136D72C7E9CBDE1E133593566476336D6EC" | a80146d37720556f31322741b751257a_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | kkzvzpvypz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | kkzvzpvypz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | kkzvzpvypz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | kkzvzpvypz.exe
The .bat, .vbs, .wsf, .wsh, .wsc and .reg extensions are all re-pointed at the txtfile handler, so double-clicking such a file opens it in a text editor instead of running it.
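The registry writes recorded in the signatures above (Explorer hiding extensions and super-hidden files, the Security Center overrides, DisableRegistryTools, the Run keys, Winlogon SFCDisable and the script-extension handlers re-pointed at txtfile) are the defence-evasion and persistence footprint of this sample, and they are what a responder would turn into a hunt. The Python below is an added example; it is not part of the sandbox report and not the sample's own code. It parses IoC lines in the report's own `Set value (type) \REGISTRY\... = "value" process` format, normalises the native `\REGISTRY\MACHINE` and `\REGISTRY\USER\<SID>` prefixes to the HKLM/HKU form Sysmon uses in TargetObject, folds away the user SID and the WOW6432Node redirection so a single IoC matches any user and either registry view, and runs the result over a handful of constructed Sysmon Event ID 13 (RegistryEvent, value set) records. Two details of Sysmon's output are assumptions stated in the code: REG_DWORD values are rendered as `DWORD (0x00000001)` and a key's default value is named `(Default)`. The event records are constructed for the example, not taken from the run.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# "Set value" IoC lines copied from the report above, in the report's own
# 'Set value (type) \REGISTRY\... = "value" process' format (raw string).
REPORT_IOCS = r"""
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" kkzvzpvypz.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" kkzvzpvypz.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" kkzvzpvypz.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" kkzvzpvypz.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" kkzvzpvypz.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" kkzvzpvypz.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\reaysacm = "kkzvzpvypz.exe" eiimyumrfuwzziz.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" kkzvzpvypz.exe
"""

IOC_LINE = re.compile(r'^Set value \((?P<type>\w+)\) (?P<path>.+?) = "(?P<value>[^"]*)" (?P<proc>\S+)$')
HIVES = {"\\REGISTRY\\MACHINE\\": "HKLM\\", "\\REGISTRY\\USER\\": "HKU\\"}
USER_SID = re.compile(r"^HKU\\S-1-5-21-[0-9-]+\\", re.IGNORECASE)
WOW_NODE = re.compile(r"\\WOW6432Node\\", re.IGNORECASE)
DWORD = re.compile(r"^DWORD \(0x([0-9A-Fa-f]{8})\)$")  # Sysmon's REG_DWORD rendering (assumed)


@dataclass(frozen=True)
class RegistryIoc:
    key: str         # HKLM\... or HKU\<SID>\..., the form Sysmon uses for TargetObject
    value_name: str  # "" for the key's default value
    value: str       # decimal text for ints, verbatim for strings
    process: str     # process the sandbox saw writing it


def native_to_sysmon(path: str) -> str:
    """Rewrite the kernel-native prefixes the sandbox logs into HKLM / HKU."""
    for native, short in HIVES.items():
        if path.upper().startswith(native):
            return short + path[len(native):]
    raise ValueError(f"unrecognised hive in {path!r}")


def parse_ioc_line(line: str) -> RegistryIoc:
    """One report line -> RegistryIoc; a trailing backslash means the default value."""
    m = IOC_LINE.match(line.strip())
    if not m:
        raise ValueError(f"not a 'Set value' IoC line: {line!r}")
    key, _, value_name = native_to_sysmon(m["path"]).rpartition("\\")
    return RegistryIoc(key, value_name, m["value"], m["proc"])


def canonical_key(key: str) -> str:
    """Fold per-host noise so one IoC matches any user and either registry view:
    the user SID becomes HKU\\* and the WOW6432Node redirection is dropped."""
    key = USER_SID.sub(lambda _m: "HKU\\*\\", key)
    key = WOW_NODE.sub(lambda _m: "\\", key)
    return key.lower()


def details_to_value(details: str) -> str:
    """Render 'DWORD (0x00000001)' as '1' so it compares with the report's value text."""
    m = DWORD.match(details)
    return str(int(m.group(1), 16)) if m else details


def build_index(report_lines: str) -> Dict[Tuple[str, str], RegistryIoc]:
    """(canonical key, lower-cased value name) -> IoC, one per report line."""
    return {(canonical_key(i.key), i.value_name.lower()): i
            for i in map(parse_ioc_line, report_lines.strip().splitlines())}


def match_event(event: dict, index: Dict[Tuple[str, str], RegistryIoc]) -> Optional[RegistryIoc]:
    """IoC reproduced by a Sysmon Event ID 13 (RegistryEvent, value set), else None.
    Assumes Sysmon names a key's default value '(Default)' at the end of TargetObject."""
    if event.get("EventID") != 13:
        return None
    key, _, name = event["TargetObject"].rpartition("\\")
    if name == "(Default)":
        name = ""
    ioc = index.get((canonical_key(key), name.lower()))
    if ioc is None or ioc.value != details_to_value(event["Details"]):
        return None
    return ioc


def scan(events: List[dict], index: Dict[Tuple[str, str], RegistryIoc]) -> List[Tuple[str, RegistryIoc]]:
    """(writing image, IoC) for every event that reproduces a report IoC."""
    hits = []
    for ev in events:
        ioc = match_event(ev, index)
        if ioc is not None:
            hits.append((ev["Image"], ioc))
    return hits


# Constructed Sysmon-style records for the example; not taken from the sandbox run.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\SysWOW64\kkzvzpvypz.exe",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Windows\SysWOW64\kkzvzpvypz.exe",  # another user's SID
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Windows\SysWOW64\kkzvzpvypz.exe",  # .vbs handler -> txtfile
     "TargetObject": r"HKLM\SOFTWARE\Classes\.vbs\(Default)", "Details": "txtfile"},
    {"EventID": 13, "Image": r"C:\Windows\System32\kkzvzpvypz.exe",  # 64-bit writer, no WOW6432Node
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable",
     "Details": "DWORD (0xFFFFFF9D)"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",  # benign: extensions made visible (0)
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 12, "Image": r"C:\Windows\SysWOW64\kkzvzpvypz.exe",  # key create, not a value set
     "TargetObject": r"HKLM\SOFTWARE\Classes\.bat", "Details": ""},
]

if __name__ == "__main__":
    for image, ioc in scan(SAMPLE_EVENTS, build_index(REPORT_IOCS)):
        print(f"{image} reproduced {ioc.process}: {ioc.key}\\{ioc.value_name or '(Default)'} = {ioc.value}")
```

Four of the six constructed events match: the Security Center override, DisableRegistryTools under a different user SID, the .vbs handler rewrite, and SFCDisable written without the WOW6432Node prefix (0xFFFFFF9D is 4294967197 in decimal, the value the report shows). The HideFileExt write with value 0 is the legitimate "show extensions" setting and does not match, and the Event ID 12 key creation is ignored because only value writes are compared. Matching on the value as well as the path is what keeps the rule from firing on every benign write to these keys.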
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
pid | process | entries
116 | WINWORD.EXE | 2
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process | entries
4944 | a80146d37720556f31322741b751257a_JaffaCakes118.exe | 16
2828 | kqycnkylakphq.exe | 12
1596 | vlrcxhud.exe | 8
2368 | eiimyumrfuwzziz.exe | 10
2880 | kkzvzpvypz.exe | 10
976 | vlrcxhud.exe | 8
Suspicious use of FindShellTrayWindow 18 IoCs
Processes:
pid | process | entries
4944 | a80146d37720556f31322741b751257a_JaffaCakes118.exe | 3
2828 | kqycnkylakphq.exe | 3
1596 | vlrcxhud.exe | 3
2368 | eiimyumrfuwzziz.exe | 3
2880 | kkzvzpvypz.exe | 3
976 | vlrcxhud.exe | 3
Suspicious use of SendNotifyMessage 18 IoCs
Processes:
pid | process | entries
4944 | a80146d37720556f31322741b751257a_JaffaCakes118.exe | 3
2828 | kqycnkylakphq.exe | 3
1596 | vlrcxhud.exe | 3
2368 | eiimyumrfuwzziz.exe | 3
2880 | kkzvzpvypz.exe | 3
976 | vlrcxhud.exe | 3
Suspicious use of SetWindowsHookEx 7 IoCs
Processes:
pid | process | entries
116 | WINWORD.EXE | 7
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
description | pid | process | target process | entries
PID 4944 wrote to memory of 2880 | 4944 | a80146d37720556f31322741b751257a_JaffaCakes118.exe | kkzvzpvypz.exe | 3
PID 4944 wrote to memory of 2368 | 4944 | a80146d37720556f31322741b751257a_JaffaCakes118.exe | eiimyumrfuwzziz.exe | 3
PID 4944 wrote to memory of 1596 | 4944 | a80146d37720556f31322741b751257a_JaffaCakes118.exe | vlrcxhud.exe | 3
PID 4944 wrote to memory of 2828 | 4944 | a80146d37720556f31322741b751257a_JaffaCakes118.exe | kqycnkylakphq.exe | 3
PID 4944 wrote to memory of 116 | 4944 | a80146d37720556f31322741b751257a_JaffaCakes118.exe | WINWORD.EXE | 2
PID 2880 wrote to memory of 976 | 2880 | kkzvzpvypz.exe | vlrcxhud.exe | 3
Processes
C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe (depth 1, PID 4944)
  command line: "C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\kkzvzpvypz.exe (depth 2, PID 2880)
    command line: kkzvzpvypz.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\vlrcxhud.exe (depth 3, PID 976)
      command line: C:\Windows\system32\vlrcxhud.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\eiimyumrfuwzziz.exe (depth 2, PID 2368)
    command line: eiimyumrfuwzziz.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\vlrcxhud.exe (depth 2, PID 1596)
    command line: vlrcxhud.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\kqycnkylakphq.exe (depth 2, PID 2828)
    command line: kqycnkylakphq.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (depth 2, PID 116)
    command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (6)
Downloads
Filesize: 512KB
MD5: cfd6230f88f2f44543605b8a6a7652f6
SHA1: dc91354b537ad999b095b9510c20e4fffc56bd98
SHA256: c22821fa4cabe3a9c4b7cee357f42c23f88eab6905bfa3385bab0cb58253ab66
SHA512: ae1f55076f18e2610294e7b0c52c8182f3678b39422f2a79c4240f9a3f37bc41600c6e3c9f9e349350fb7bdb0f78df0da4d9a6aa048dcffbc8d84b6f9b6fd936

Filesize: 512KB
MD5: 2ec3eae643e0211c845255c0ec06bd41
SHA1: 712535bee177afe54dbb54f852f772cceb92649c
SHA256: c74bf335ccbfdfc1e368193852b27e8f4d6c179f2c539d8e35ae6c09ce5cf89a
SHA512: 8ef5de4e59e14dc435947203d6432553b4053da2d84c3e36e39788a389954afc2323a11a170573e37cbe9076fee4dad3294027a78bfdcfb4a591936b26ec184e

Filesize: 239B
MD5: 2fae0fe44fb67ed515b21a2b6fba40e3
SHA1: d39c4cb134c596851c157406149129a69844613b
SHA256: bd528b67c4e7b5924426cb6edc6bd85896db3a43e596bc76d32632d33eccc2b1
SHA512: 9902e514810847d11b83ceb64209c7a363f3b482f5444474673988fa0729295d8612ae6aa0d81a09d9adeb958f7e0251b414ef808f82f279df504bc04a347087

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: 7f9c03bfc42c9f5938a54a1a5353f207
SHA1: 25ffe0d8b4779489cd60ce09d613a8650ef89272
SHA256: 5bda12c80537a3975da478856118c421c6b626397eb8a5f5c3c7aca89d5ab6ab
SHA512: f84a898931d2c8aaad7c5ba95280df046d30d185a541147173b14618631c21302bb8f4bbbcb51f53d5e6cdd5e94bec607256320d69164da153649813efac6681

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: ea50d1cbad35b9671f32685deb6a73dd
SHA1: 16a3bfc4f4963b99dd7d416e01aa2f9ebedc6fcc
SHA256: c9564961661a31014837a9ce74d9aeb4726dff575edb9a3f6257f22eb4b4c448
SHA512: 202f3ffc021ff9a8cd16afb9b05dc55adbbf489ae3f2a615b098322cd6955d57a18da215063c0010db83ae127ddf228ae723ceb2269a0082c62d9fb14182cef5

Filesize: 512KB
MD5: 71fba7b1f7612ce86eea08193fc869b1
SHA1: 4e22b1bf793b5543b38f4f714cd87d0b0b3efef3
SHA256: 4dc1f336e1485bb917bc3d286c65b77d2c9bd7100303b934e3544e3b5f4cca4f
SHA512: ff87274716f7d866924eca64039774751c0e67c9acb3aa6858f6462088c716c13d98a1a8eee4328143fc427ba036e3b734b3e844bae0cfd3262872564e2d1ff2

Filesize: 512KB
MD5: 38933ec4fffbde6e6a547cb0b7a45d70
SHA1: a1ce56c75af303bf17b4b1d91bb870d3d0354166
SHA256: 0fc2ca4691dfe22b1dcc5735b8a29909997ef3229f1af7b180e11036fd39d122
SHA512: 23173988f2b12e12d5ee914f393379e539aa17deaa785508cb70d74cecc4067909f56562a2569196db48417a88c0906f7542fe34edbf59982203372d2104d6b1

Filesize: 512KB
MD5: 45dfcee772e69309e612717f3d102af6
SHA1: c2008dd6e7e6c5c41fa86728b68bca39ebaa58f8
SHA256: e65df76ec5dd585732d5da294d2026571f9d62877bcd7843d02248cadc926cae
SHA512: 82dba300f6198a4a7188903b5959f0aa1fb314a714f55fccdc762fad48e4a34bd729ed186387121d8dc8973bfd72f4b2963f9ac8b47bb09e4aa49ead474da9a1

Filesize: 512KB
MD5: 10c670b1b105d0aa723911d98547547d
SHA1: c5beac3fe522be1865b0bbd9340531f93f70b176
SHA256: d0bf0a261776a72aa6e5e1358664330449bbef9048c90318bd02e0bcbaf3c15d
SHA512: 23a57427d50360dcfec2e81d1991a66dbe690d09e412a84d8a629e412b3ee6356e778fafa6c0744ca13d7b1de8987ad9969dc3fc18ec57e3e425b1463fa949ed

Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Filesize: 512KB
MD5: 9b0dabe092af07a81b47d9050d2adf2a
SHA1: f4d411065bf67b5c1b3a964ae876ad6cb8a0b4e4
SHA256: 2429a93f4506ea66ab8d81a30d6d203629e8c1c4f73db37a9d8f605414494fb3
SHA512: 0bd0cecbd9ead3afc3c36f4cd6e92f7f56da5a92ca903178a832f956b3d5307f87a9a52dd5306dc068154a8e89449ea6c7556a7bb4392175294f63254e2cfaf0

Filesize: 512KB
MD5: bb40f35315b85f40d67777158c2cc7f3
SHA1: 436209bffac45603f993548a957a00566f602ae7
SHA256: d23d4afd41f19ae79f96ff8c5f01bc9dda0e0f1b7c8b2c72debcd42835d2fed1
SHA512: cf83369b12b541eee015aa88fb67766d8334907a6365bf84690fd2eb047d8b3b12b06b5067a288e4c24049d6673763e52e3fffd6f6d735751f1719b0e9381e85