Analysis

max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
submitted: 14-06-2024 05:10

Static task: static1

Behavioral task: behavioral1
Sample: a81b54183962d320b915383292f0f750_JaffaCakes118.exe
Resource: win7-20240611-en

Behavioral task: behavioral2
Sample: a81b54183962d320b915383292f0f750_JaffaCakes118.exe
Resource: win10v2004-20240508-en
General

Target: a81b54183962d320b915383292f0f750_JaffaCakes118.exe
Size: 512KB
MD5: a81b54183962d320b915383292f0f750
SHA1: cc2c84c9f066dde2366ab449105447a8cae78344
SHA256: f73a49608e21884caf0716fdfe24f2df54c105e30906971a5ecee65da5c9e869
SHA512: e2431728209cd5974f9e6353870400e7ed84b4b5450734b8416a9162e052b2d6957c3599516161e08a07d47da2e1ac9a4d42cf6ca87f6f32d343eb4da4e4a5fb
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6g:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5x

Malware Config

Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
Processes: rcbjccjowo.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | rcbjccjowo.exe

Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes: rcbjccjowo.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | rcbjccjowo.exe

Windows security bypass 5 IoCs
Processes: rcbjccjowo.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | rcbjccjowo.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | rcbjccjowo.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | rcbjccjowo.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | rcbjccjowo.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | rcbjccjowo.exe

Disables RegEdit via registry modification 1 IoCs
Processes: rcbjccjowo.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | rcbjccjowo.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: a81b54183962d320b915383292f0f750_JaffaCakes118.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | a81b54183962d320b915383292f0f750_JaffaCakes118.exe
Executes dropped EXE 5 IoCs
Processes: rcbjccjowo.exe, ngopygqdgwwunad.exe, edixjzfk.exe, iyliqdhuvnsov.exe, edixjzfk.exe
pid | process
4084 | rcbjccjowo.exe
3776 | ngopygqdgwwunad.exe
3692 | edixjzfk.exe
1100 | iyliqdhuvnsov.exe
3368 | edixjzfk.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification 6 IoCs
Processes: rcbjccjowo.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | rcbjccjowo.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | rcbjccjowo.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | rcbjccjowo.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | rcbjccjowo.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | rcbjccjowo.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | rcbjccjowo.exe
Adds Run key to start application 2 TTPs 3 IoCs
Processes: ngopygqdgwwunad.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\adlrafrv = "rcbjccjowo.exe" | ngopygqdgwwunad.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wkupqucg = "ngopygqdgwwunad.exe" | ngopygqdgwwunad.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "iyliqdhuvnsov.exe" | ngopygqdgwwunad.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: edixjzfk.exe, rcbjccjowo.exe, edixjzfk.exe
description | ioc | process
File opened (read-only) | \??\w: | edixjzfk.exe
File opened (read-only) | \??\z: | edixjzfk.exe
File opened (read-only) | \??\h: | rcbjccjowo.exe
File opened (read-only) | \??\l: | rcbjccjowo.exe
File opened (read-only) | \??\i: | edixjzfk.exe
File opened (read-only) | \??\l: | edixjzfk.exe
File opened (read-only) | \??\a: | rcbjccjowo.exe
File opened (read-only) | \??\v: | rcbjccjowo.exe
File opened (read-only) | \??\x: | edixjzfk.exe
File opened (read-only) | \??\p: | edixjzfk.exe
File opened (read-only) | \??\t: | edixjzfk.exe
File opened (read-only) | \??\i: | edixjzfk.exe
File opened (read-only) | \??\k: | edixjzfk.exe
File opened (read-only) | \??\z: | edixjzfk.exe
File opened (read-only) | \??\j: | edixjzfk.exe
File opened (read-only) | \??\r: | rcbjccjowo.exe
File opened (read-only) | \??\t: | rcbjccjowo.exe
File opened (read-only) | \??\a: | edixjzfk.exe
File opened (read-only) | \??\b: | edixjzfk.exe
File opened (read-only) | \??\g: | rcbjccjowo.exe
File opened (read-only) | \??\n: | edixjzfk.exe
File opened (read-only) | \??\m: | edixjzfk.exe
File opened (read-only) | \??\s: | edixjzfk.exe
File opened (read-only) | \??\x: | edixjzfk.exe
File opened (read-only) | \??\k: | rcbjccjowo.exe
File opened (read-only) | \??\p: | rcbjccjowo.exe
File opened (read-only) | \??\w: | rcbjccjowo.exe
File opened (read-only) | \??\x: | rcbjccjowo.exe
File opened (read-only) | \??\r: | edixjzfk.exe
File opened (read-only) | \??\w: | edixjzfk.exe
File opened (read-only) | \??\b: | rcbjccjowo.exe
File opened (read-only) | \??\m: | rcbjccjowo.exe
File opened (read-only) | \??\n: | rcbjccjowo.exe
File opened (read-only) | \??\z: | rcbjccjowo.exe
File opened (read-only) | \??\t: | edixjzfk.exe
File opened (read-only) | \??\v: | edixjzfk.exe
File opened (read-only) | \??\y: | rcbjccjowo.exe
File opened (read-only) | \??\v: | edixjzfk.exe
File opened (read-only) | \??\y: | edixjzfk.exe
File opened (read-only) | \??\q: | edixjzfk.exe
File opened (read-only) | \??\g: | edixjzfk.exe
File opened (read-only) | \??\o: | edixjzfk.exe
File opened (read-only) | \??\b: | edixjzfk.exe
File opened (read-only) | \??\u: | edixjzfk.exe
File opened (read-only) | \??\r: | edixjzfk.exe
File opened (read-only) | \??\e: | rcbjccjowo.exe
File opened (read-only) | \??\e: | edixjzfk.exe
File opened (read-only) | \??\a: | edixjzfk.exe
File opened (read-only) | \??\o: | edixjzfk.exe
File opened (read-only) | \??\n: | edixjzfk.exe
File opened (read-only) | \??\p: | edixjzfk.exe
File opened (read-only) | \??\q: | edixjzfk.exe
File opened (read-only) | \??\k: | edixjzfk.exe
File opened (read-only) | \??\i: | rcbjccjowo.exe
File opened (read-only) | \??\o: | rcbjccjowo.exe
File opened (read-only) | \??\s: | rcbjccjowo.exe
File opened (read-only) | \??\u: | rcbjccjowo.exe
File opened (read-only) | \??\q: | rcbjccjowo.exe
File opened (read-only) | \??\s: | edixjzfk.exe
File opened (read-only) | \??\j: | rcbjccjowo.exe
File opened (read-only) | \??\l: | edixjzfk.exe
File opened (read-only) | \??\h: | edixjzfk.exe
File opened (read-only) | \??\m: | edixjzfk.exe
File opened (read-only) | \??\h: | edixjzfk.exe
Modifies WinLogon 2 TTPs 2 IoCs
Processes: rcbjccjowo.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | rcbjccjowo.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | rcbjccjowo.exe
AutoIT Executable 8 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/1152-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
C:\Windows\SysWOW64\ngopygqdgwwunad.exe | autoit_exe
C:\Windows\SysWOW64\rcbjccjowo.exe | autoit_exe
C:\Windows\SysWOW64\edixjzfk.exe | autoit_exe
C:\Windows\SysWOW64\iyliqdhuvnsov.exe | autoit_exe
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | autoit_exe
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | autoit_exe
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | autoit_exe
Drops file in System32 directory 12 IoCs
Processes: a81b54183962d320b915383292f0f750_JaffaCakes118.exe, rcbjccjowo.exe, edixjzfk.exe, edixjzfk.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\rcbjccjowo.exe | a81b54183962d320b915383292f0f750_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\ngopygqdgwwunad.exe | a81b54183962d320b915383292f0f750_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\ngopygqdgwwunad.exe | a81b54183962d320b915383292f0f750_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\edixjzfk.exe | a81b54183962d320b915383292f0f750_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\iyliqdhuvnsov.exe | a81b54183962d320b915383292f0f750_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | rcbjccjowo.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | edixjzfk.exe
File created | C:\Windows\SysWOW64\rcbjccjowo.exe | a81b54183962d320b915383292f0f750_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\edixjzfk.exe | a81b54183962d320b915383292f0f750_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\iyliqdhuvnsov.exe | a81b54183962d320b915383292f0f750_JaffaCakes118.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | edixjzfk.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | edixjzfk.exe
Drops file in Program Files directory 15 IoCs
Processes: edixjzfk.exe, edixjzfk.exe
description | ioc | process
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | edixjzfk.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | edixjzfk.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | edixjzfk.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | edixjzfk.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | edixjzfk.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | edixjzfk.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | edixjzfk.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | edixjzfk.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | edixjzfk.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | edixjzfk.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | edixjzfk.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | edixjzfk.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | edixjzfk.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | edixjzfk.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | edixjzfk.exe
Drops file in Windows directory 19 IoCs
Processes: edixjzfk.exe, a81b54183962d320b915383292f0f750_JaffaCakes118.exe, edixjzfk.exe, WINWORD.EXE
description | ioc | process
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | edixjzfk.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | edixjzfk.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | edixjzfk.exe
File opened for modification | C:\Windows\mydoc.rtf | a81b54183962d320b915383292f0f750_JaffaCakes118.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | edixjzfk.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | edixjzfk.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | edixjzfk.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | edixjzfk.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | edixjzfk.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | edixjzfk.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | edixjzfk.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | edixjzfk.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | edixjzfk.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | edixjzfk.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | edixjzfk.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | edixjzfk.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | edixjzfk.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: WINWORD.EXE
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Modifies registry class 20 IoCs
Processes: a81b54183962d320b915383292f0f750_JaffaCakes118.exe, rcbjccjowo.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF8FC8E482C85189040D7587D9DBC93E634593266446331D6E9" | a81b54183962d320b915383292f0f750_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | rcbjccjowo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | rcbjccjowo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32412C7B9C5283556A3F76D370552CAA7CF264D6" | a81b54183962d320b915383292f0f750_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB7B12E47E738EA53C4B9A73293D7CD" | a81b54183962d320b915383292f0f750_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | rcbjccjowo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | rcbjccjowo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | rcbjccjowo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | rcbjccjowo.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | a81b54183962d320b915383292f0f750_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | rcbjccjowo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABBFACAF962F29984793B46819A3995B08803884216023CE1BF429A08D5" | a81b54183962d320b915383292f0f750_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F06BB1FE6822DAD208D0A88B7B9017" | a81b54183962d320b915383292f0f750_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193EC67A14E7DBC2B9BC7FE1EDE434CE" | a81b54183962d320b915383292f0f750_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | rcbjccjowo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | rcbjccjowo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | rcbjccjowo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | rcbjccjowo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | rcbjccjowo.exe
Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings | a81b54183962d320b915383292f0f750_JaffaCakes118.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes: WINWORD.EXE
pid | process
3668 | WINWORD.EXE
3668 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: a81b54183962d320b915383292f0f750_JaffaCakes118.exe, rcbjccjowo.exe, ngopygqdgwwunad.exe, iyliqdhuvnsov.exe, edixjzfk.exe, edixjzfk.exe
pid | process
1152 | a81b54183962d320b915383292f0f750_JaffaCakes118.exe
1152 | a81b54183962d320b915383292f0f750_JaffaCakes118.exe
1152 | a81b54183962d320b915383292f0f750_JaffaCakes118.exe
1152 | a81b54183962d320b915383292f0f750_JaffaCakes118.exe
1152 | a81b54183962d320b915383292f0f750_JaffaCakes118.exe
1152 | a81b54183962d320b915383292f0f750_JaffaCakes118.exe
1152 | a81b54183962d320b915383292f0f750_JaffaCakes118.exe
1152 | a81b54183962d320b915383292f0f750_JaffaCakes118.exe
1152 | a81b54183962d320b915383292f0f750_JaffaCakes118.exe
1152 | a81b54183962d320b915383292f0f750_JaffaCakes118.exe
1152 | a81b54183962d320b915383292f0f750_JaffaCakes118.exe
1152 | a81b54183962d320b915383292f0f750_JaffaCakes118.exe
1152 | a81b54183962d320b915383292f0f750_JaffaCakes118.exe
1152 | a81b54183962d320b915383292f0f750_JaffaCakes118.exe
1152 | a81b54183962d320b915383292f0f750_JaffaCakes118.exe
1152 | a81b54183962d320b915383292f0f750_JaffaCakes118.exe
4084 | rcbjccjowo.exe
4084 | rcbjccjowo.exe
4084 | rcbjccjowo.exe
4084 | rcbjccjowo.exe
4084 | rcbjccjowo.exe
4084 | rcbjccjowo.exe
4084 | rcbjccjowo.exe
4084 | rcbjccjowo.exe
4084 | rcbjccjowo.exe
4084 | rcbjccjowo.exe
3776 | ngopygqdgwwunad.exe
3776 | ngopygqdgwwunad.exe
3776 | ngopygqdgwwunad.exe
3776 | ngopygqdgwwunad.exe
3776 | ngopygqdgwwunad.exe
3776 | ngopygqdgwwunad.exe
3776 | ngopygqdgwwunad.exe
3776 | ngopygqdgwwunad.exe
1100 | iyliqdhuvnsov.exe
1100 | iyliqdhuvnsov.exe
1100 | iyliqdhuvnsov.exe
1100 | iyliqdhuvnsov.exe
1100 | iyliqdhuvnsov.exe
1100 | iyliqdhuvnsov.exe
1100 | iyliqdhuvnsov.exe
1100 | iyliqdhuvnsov.exe
1100 | iyliqdhuvnsov.exe
1100 | iyliqdhuvnsov.exe
1100 | iyliqdhuvnsov.exe
1100 | iyliqdhuvnsov.exe
3692 | edixjzfk.exe
3692 | edixjzfk.exe
3692 | edixjzfk.exe
3692 | edixjzfk.exe
3692 | edixjzfk.exe
3692 | edixjzfk.exe
3692 | edixjzfk.exe
3692 | edixjzfk.exe
3776 | ngopygqdgwwunad.exe
3776 | ngopygqdgwwunad.exe
3368 | edixjzfk.exe
3368 | edixjzfk.exe
3368 | edixjzfk.exe
3368 | edixjzfk.exe
3368 | edixjzfk.exe
3368 | edixjzfk.exe
3368 | edixjzfk.exe
3368 | edixjzfk.exe
Suspicious use of FindShellTrayWindow 18 IoCs
Processes: a81b54183962d320b915383292f0f750_JaffaCakes118.exe, rcbjccjowo.exe, ngopygqdgwwunad.exe, edixjzfk.exe, iyliqdhuvnsov.exe, edixjzfk.exe
pid | process
1152 | a81b54183962d320b915383292f0f750_JaffaCakes118.exe
1152 | a81b54183962d320b915383292f0f750_JaffaCakes118.exe
1152 | a81b54183962d320b915383292f0f750_JaffaCakes118.exe
4084 | rcbjccjowo.exe
4084 | rcbjccjowo.exe
4084 | rcbjccjowo.exe
3776 | ngopygqdgwwunad.exe
3776 | ngopygqdgwwunad.exe
3692 | edixjzfk.exe
3776 | ngopygqdgwwunad.exe
3692 | edixjzfk.exe
3692 | edixjzfk.exe
1100 | iyliqdhuvnsov.exe
1100 | iyliqdhuvnsov.exe
1100 | iyliqdhuvnsov.exe
3368 | edixjzfk.exe
3368 | edixjzfk.exe
3368 | edixjzfk.exe
Suspicious use of SendNotifyMessage 18 IoCs
Processes: a81b54183962d320b915383292f0f750_JaffaCakes118.exe, rcbjccjowo.exe, ngopygqdgwwunad.exe, edixjzfk.exe, iyliqdhuvnsov.exe, edixjzfk.exe
pid | process
1152 | a81b54183962d320b915383292f0f750_JaffaCakes118.exe
1152 | a81b54183962d320b915383292f0f750_JaffaCakes118.exe
1152 | a81b54183962d320b915383292f0f750_JaffaCakes118.exe
4084 | rcbjccjowo.exe
4084 | rcbjccjowo.exe
4084 | rcbjccjowo.exe
3776 | ngopygqdgwwunad.exe
3776 | ngopygqdgwwunad.exe
3776 | ngopygqdgwwunad.exe
3692 | edixjzfk.exe
3692 | edixjzfk.exe
3692 | edixjzfk.exe
1100 | iyliqdhuvnsov.exe
1100 | iyliqdhuvnsov.exe
1100 | iyliqdhuvnsov.exe
3368 | edixjzfk.exe
3368 | edixjzfk.exe
3368 | edixjzfk.exe
Suspicious use of SetWindowsHookEx 7 IoCs
Processes: WINWORD.EXE
pid | process
3668 | WINWORD.EXE
3668 | WINWORD.EXE
3668 | WINWORD.EXE
3668 | WINWORD.EXE
3668 | WINWORD.EXE
3668 | WINWORD.EXE
3668 | WINWORD.EXE
Suspicious use of WriteProcessMemory 17 IoCs
Processes: a81b54183962d320b915383292f0f750_JaffaCakes118.exe, rcbjccjowo.exe
description | pid | process | target process
PID 1152 wrote to memory of 4084 | 1152 | a81b54183962d320b915383292f0f750_JaffaCakes118.exe | rcbjccjowo.exe
PID 1152 wrote to memory of 4084 | 1152 | a81b54183962d320b915383292f0f750_JaffaCakes118.exe | rcbjccjowo.exe
PID 1152 wrote to memory of 4084 | 1152 | a81b54183962d320b915383292f0f750_JaffaCakes118.exe | rcbjccjowo.exe
PID 1152 wrote to memory of 3776 | 1152 | a81b54183962d320b915383292f0f750_JaffaCakes118.exe | ngopygqdgwwunad.exe
PID 1152 wrote to memory of 3776 | 1152 | a81b54183962d320b915383292f0f750_JaffaCakes118.exe | ngopygqdgwwunad.exe
PID 1152 wrote to memory of 3776 | 1152 | a81b54183962d320b915383292f0f750_JaffaCakes118.exe | ngopygqdgwwunad.exe
PID 1152 wrote to memory of 3692 | 1152 | a81b54183962d320b915383292f0f750_JaffaCakes118.exe | edixjzfk.exe
PID 1152 wrote to memory of 3692 | 1152 | a81b54183962d320b915383292f0f750_JaffaCakes118.exe | edixjzfk.exe
PID 1152 wrote to memory of 3692 | 1152 | a81b54183962d320b915383292f0f750_JaffaCakes118.exe | edixjzfk.exe
PID 1152 wrote to memory of 1100 | 1152 | a81b54183962d320b915383292f0f750_JaffaCakes118.exe | iyliqdhuvnsov.exe
PID 1152 wrote to memory of 1100 | 1152 | a81b54183962d320b915383292f0f750_JaffaCakes118.exe | iyliqdhuvnsov.exe
PID 1152 wrote to memory of 1100 | 1152 | a81b54183962d320b915383292f0f750_JaffaCakes118.exe | iyliqdhuvnsov.exe
PID 4084 wrote to memory of 3368 | 4084 | rcbjccjowo.exe | edixjzfk.exe
PID 4084 wrote to memory of 3368 | 4084 | rcbjccjowo.exe | edixjzfk.exe
PID 4084 wrote to memory of 3368 | 4084 | rcbjccjowo.exe | edixjzfk.exe
PID 1152 wrote to memory of 3668 | 1152 | a81b54183962d320b915383292f0f750_JaffaCakes118.exe | WINWORD.EXE
PID 1152 wrote to memory of 3668 | 1152 | a81b54183962d320b915383292f0f750_JaffaCakes118.exe | WINWORD.EXE
Processes

[1] C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe"
    PID: 1152
    - Checks computer location settings
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\rcbjccjowo.exe
        Command line: rcbjccjowo.exe
        PID: 4084
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - Windows security bypass
        - Disables RegEdit via registry modification
        - Executes dropped EXE
        - Windows security modification
        - Enumerates connected drives
        - Modifies WinLogon
        - Drops file in System32 directory
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\edixjzfk.exe
            Command line: C:\Windows\system32\edixjzfk.exe
            PID: 3368
            - Executes dropped EXE
            - Enumerates connected drives
            - Drops file in System32 directory
            - Drops file in Program Files directory
            - Drops file in Windows directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage

    [2] C:\Windows\SysWOW64\ngopygqdgwwunad.exe
        Command line: ngopygqdgwwunad.exe
        PID: 3776
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage

    [2] C:\Windows\SysWOW64\edixjzfk.exe
        Command line: edixjzfk.exe
        PID: 3692
        - Executes dropped EXE
        - Enumerates connected drives
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage

    [2] C:\Windows\SysWOW64\iyliqdhuvnsov.exe
        Command line: iyliqdhuvnsov.exe
        PID: 1100
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage

    [2] C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
        Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
        PID: 3668
        - Drops file in Windows directory
        - Checks processor information in registry
        - Enumerates system info in registry
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)

Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)

Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (6)
Downloads