Analysis
max time kernel: 151s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/06/2024, 06:13
Static task: static1
Behavioral task: behavioral1
  Sample: a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
The signatures, process tree and dropped files below are from behavioral2 (the Windows 10 run; the yara hits reference behavioral2/... resources). The Windows 7 task behavioral1 is listed but its results are not shown here.
General
Target: a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe
Size: 512KB
MD5: a8477d3ca529aea43cd06a3e9e70360f
SHA1: 1785efcb6447185043b5c0501b232f2229df9d4a
SHA256: 88c224d410f03525341083253ab2a38f460f613cbeff633aee88c7af00e7e7ee
SHA512: 2b630a32f5c1a972dc356f6b7b249c131fd240d8ba416cf6b1e2264548de897482b4dcc4f36021b668d0d3443ef4d6d6815c43d95fcac13ad72ac276a2f18e78
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6t:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5G
Malware Config
(no configuration extracted)
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" drqhikzqub.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" drqhikzqub.exe
Windows security bypass 5 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" drqhikzqub.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" drqhikzqub.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" drqhikzqub.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" drqhikzqub.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" drqhikzqub.exe
All of these land under WOW6432Node because drqhikzqub.exe is a 32-bit process subject to registry redirection; a host check that reads the native HKLM\SOFTWARE\Microsoft\Security Center key from a 64-bit shell will not see them, so query the WOW6432Node path explicitly.
Disables RegEdit via registry modification 1 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" drqhikzqub.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe
Executes dropped EXE 5 IoCs
pid Process
4136 drqhikzqub.exe
3316 buzkibstegxxtix.exe
4892 chsolqgd.exe
116 bzsfnrzoodzet.exe
332 chsolqgd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
(no IoC rows are listed for this signature)
Windows security modification 6 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" drqhikzqub.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" drqhikzqub.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" drqhikzqub.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" drqhikzqub.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" drqhikzqub.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" drqhikzqub.exe
Five of these rows repeat the "Windows security bypass" writes above; FirstRunDisabled is the one value unique to this signature.
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\owqzmhoj = "drqhikzqub.exe" buzkibstegxxtix.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xjrcnvmo = "buzkibstegxxtix.exe" buzkibstegxxtix.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "bzsfnrzoodzet.exe" buzkibstegxxtix.exe
The third write has an empty value name, i.e. it sets the Run key's (Default) value. All three store a bare file name with no path; whether they resolve to the SysWOW64 copies at logon depends on the search path of the process that handles the Run key, so confirm on a live host rather than assuming the persistence works.
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
Every row has the form "File opened (read-only) \??\<letter>: <process>". Collapsed by process (the report stops at 64 rows, so a letter absent for a process may simply have fallen past the cap):
drqhikzqub.exe (21 rows): a: b: e: g: h: i: j: k: l: m: o: p: q: r: s: t: v: w: x: y: z:
chsolqgd.exe (43 rows, repeated letters because two instances, PIDs 4892 and 332, each run the loop): a: b: e: g: h: i: j: k: l: m: n: o: p: q: r: s: t: u: v: w: x: y: z:
Both processes walk the whole alphabet, not just fixed drives, which is the pattern to watch for on removable and mapped network drives.
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" drqhikzqub.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" drqhikzqub.exe
4294967197 is 0xFFFFFF9D, the Windows 2000/XP-era value for switching off Windows File Protection, and SFCScan = 0 is its companion setting. Windows Resource Protection, which replaced WFP from Vista onward, does not honor these values, so on this Windows 10 image the writes are a fingerprint of old, recycled worm code rather than a working defence bypass. They are still a good host IoC precisely because nothing legitimate writes them.
AutoIT Executable 11 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule
behavioral2/memory/628-0-0x0000000000400000-0x0000000000496000-memory.dmp autoit_exe
behavioral2/files/0x000800000002326c-5.dat autoit_exe
behavioral2/files/0x000800000002326b-19.dat autoit_exe
behavioral2/files/0x0008000000023270-30.dat autoit_exe
behavioral2/files/0x000800000002326e-29.dat autoit_exe
behavioral2/files/0x000300000001684a-72.dat autoit_exe
behavioral2/files/0x0004000000000717-66.dat autoit_exe
behavioral2/files/0x000900000001e59f-91.dat autoit_exe
behavioral2/files/0x000800000001e6f7-97.dat autoit_exe
behavioral2/files/0x000300000001eb0e-105.dat autoit_exe
behavioral2/files/0x000300000001eb0e-109.dat autoit_exe
The memory hit is in PID 628, the submitted sample itself, so the original binary is a compiled AutoIt script; the ten file hits are the copies it wrote to disk. Compiled AutoIt binaries can be decompiled back to script source, which is the quickest way to recover the full logic behind the registry and file writes listed here.
Drops file in System32 directory 13 IoCs
description ioc Process
File created C:\Windows\SysWOW64\drqhikzqub.exe a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe
File opened for modification C:\Windows\SysWOW64\drqhikzqub.exe a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe
File created C:\Windows\SysWOW64\chsolqgd.exe a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll drqhikzqub.exe
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe chsolqgd.exe
File created C:\Windows\SysWOW64\buzkibstegxxtix.exe a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe
File opened for modification C:\Windows\SysWOW64\buzkibstegxxtix.exe a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe
File opened for modification C:\Windows\SysWOW64\chsolqgd.exe a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe
File opened for modification C:\Windows\SysWOW64\bzsfnrzoodzet.exe a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe chsolqgd.exe
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe chsolqgd.exe
File created C:\Windows\SysWOW64\bzsfnrzoodzet.exe a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe chsolqgd.exe
The sample writes four executables with random names (drqhikzqub.exe, chsolqgd.exe, buzkibstegxxtix.exe, bzsfnrzoodzet.exe) into SysWOW64; drqhikzqub.exe then opens the VB6 runtime msvbvm60.dll for modification, which is worth checking for tampering on an infected host.
Drops file in Program Files directory 14 IoCs
description ioc Process
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe chsolqgd.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe chsolqgd.exe
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe chsolqgd.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe chsolqgd.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal chsolqgd.exe
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe chsolqgd.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal chsolqgd.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe chsolqgd.exe
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe chsolqgd.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal chsolqgd.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe chsolqgd.exe
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe chsolqgd.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal chsolqgd.exe
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe chsolqgd.exe
chsolqgd.exe creates <name>.DOC.exe files and writes <name>.nal files for the same base names in the Office16\1033 directory (and MsoIrmProtector.doc.exe in SysWOW64\MSDRM above). Combined with the HideFileExt = 1 write, a file called PROTTPLV.DOC.exe is displayed as PROTTPLV.DOC in Explorer; this is consistent with a document-infecting worm that replaces documents with executables carrying the document's name. Look for *.DOC.exe and *.nal pairs when scoping an infection.
Drops file in Windows directory 3 IoCs
description ioc Process
File opened for modification C:\Windows\mydoc.rtf a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe
File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE
File created C:\Windows\~$mydoc.rtf WINWORD.EXE
The sample writes mydoc.rtf and then opens it in Word (see the WINWORD.EXE command line in the process tree), the usual decoy that gives the user a document to look at while the droppers run.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
(no IoC rows are listed for this signature)
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE
Both of these signatures are raised by WINWORD.EXE, not by the sample or its droppers, so they are Word's own startup behaviour and not evidence of sandbox evasion by the malware.
Modifies registry class 20 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E88FC8D4F5A85689136D65A7EE6BDE2E13D594366366344D690" a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat drqhikzqub.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" drqhikzqub.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh drqhikzqub.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" drqhikzqub.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs drqhikzqub.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB1B15B449439ED53B9B9D33292D7BB" a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" drqhikzqub.exe
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" drqhikzqub.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACEF9B1FE67F19283793B4381983E95B08A028842600248E2CA42E909A2" a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E78768B2FF1C22A9D27DD0A68A0F9160" a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1948C67B14E0DAC3B8CA7FE2ED9334C6" a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc drqhikzqub.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf drqhikzqub.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" drqhikzqub.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg drqhikzqub.exe
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33472D7A9D5783576A3576A277552DDF7CF464DB" a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" drqhikzqub.exe
Two distinct things are happening here. drqhikzqub.exe repoints the (Default) ProgID of .bat, .vbs, .reg, .wsf, .wsh and .wsc to "txtfile", so double-clicking a cleanup script or a .reg file to restore the registry opens it in Notepad instead of running it; the command-line equivalents (cmd /c, cscript, reg import) are unaffected. Separately, the sample itself creates HKLM\SOFTWARE\Classes\CLV.Classes and stores six hex-string values (Com1 to Com4, StartCom1, StartCom2) there; their meaning is not shown in the report, but the key name and value names make a precise host IoC.
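The registry rows in the signature tables above all share one layout, which makes them easy to turn into a checklist for a host or an EDR query. The script below is an added example and is not part of the Triage report, the sample, or Hatching's code: it parses rows in the report's own "Set value (type) key = "value" process" format, normalises the native \REGISTRY\MACHINE and \REGISTRY\USER prefixes to HKLM/HKU, and sorts each write into a behaviour bucket (Explorer hiding, Security Center suppression, regedit disable, Run-key persistence, legacy WFP disable, script-extension hijack). The bucket names and rules are this example's own; the sample rows are copied from the tables above and labelled as such.

```python
"""Classify the registry writes listed in this report.

Added example: not part of the Triage report, the sample, or Hatching's code.
It parses rows in the report's own layout (Set value (type) key = "value"
process) and assigns each write to a behaviour bucket. The bucket names, the
rules and the HKLM/HKU normalisation are this example's own choices, not
Triage signatures.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed input: rows copied verbatim from the signature tables above,
# one or two per signature, enough to exercise every rule below.
SAMPLE_ROWS = r"""
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" drqhikzqub.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" drqhikzqub.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" drqhikzqub.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" drqhikzqub.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" drqhikzqub.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\owqzmhoj = "drqhikzqub.exe" buzkibstegxxtix.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "bzsfnrzoodzet.exe" buzkibstegxxtix.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" drqhikzqub.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" drqhikzqub.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB1B15B449439ED53B9B9D33292D7BB" a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe
"""

# type, full key path (non-greedy, may contain spaces), quoted value, process
ROW_RE = re.compile(r'^Set value \((int|str)\) (\S.*?) = "([^"]*)" (\S+)$')


@dataclass(frozen=True)
class RegWrite:
    kind: str      # "int" or "str", as the report labels it
    key: str       # key path with the hive rewritten to HKLM / HKU\<SID>
    name: str      # value name; "(Default)" when the path ends in a backslash
    value: str     # value data as printed in the report
    process: str   # writing process


def normalise_hive(path: str) -> str:
    """Rewrite the native \\REGISTRY\\... prefix to the HKLM/HKU form reg.exe uses."""
    machine, user = "\\REGISTRY\\MACHINE\\", "\\REGISTRY\\USER\\"
    if path.startswith(machine):
        return "HKLM\\" + path[len(machine):]
    if path.startswith(user):
        return "HKU\\" + path[len(user):]
    return path


def parse_rows(text: str) -> list[RegWrite]:
    """Turn report rows into RegWrite records; lines that do not match are skipped."""
    writes: list[RegWrite] = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        kind, full_path, value, proc = m.groups()
        key, _, name = full_path.rpartition("\\")   # trailing "\" -> empty name
        writes.append(RegWrite(kind, normalise_hive(key), name or "(Default)", value, proc))
    return writes


def classify(w: RegWrite) -> str:
    """Assign one behaviour bucket per write (rules are this example's own)."""
    key, name, value = w.key.lower(), w.name.lower(), w.value.lower()
    if key.endswith("explorer\\advanced") and (name, value) in {("hidefileext", "1"), ("showsuperhidden", "0")}:
        return "explorer-hiding"
    if "\\security center" in key:
        return "security-center-suppression"
    if key.endswith("policies\\system") and name == "disableregistrytools" and value == "1":
        return "regedit-disabled"
    if key.endswith("currentversion\\run"):
        return "run-key-persistence"
    if key.endswith("\\winlogon") and name in {"sfcdisable", "sfcscan"}:
        return "legacy-wfp-disable"
    if re.search(r"\\classes\\\.[a-z0-9]+$", key) and name == "(default)" and value == "txtfile":
        return "script-extension-hijack"
    return "other"


def summarise(text: str) -> dict[str, list[tuple[str, str]]]:
    """bucket -> [(process, 'key\\name=value'), ...] in report order."""
    buckets: dict[str, list[tuple[str, str]]] = defaultdict(list)
    for w in parse_rows(text):
        buckets[classify(w)].append((w.process, f"{w.key}\\{w.name}={w.value}"))
    return dict(buckets)


def sfc_disable_hex(text: str) -> str | None:
    """Show the SFCDisable DWORD as hex: the report's 4294967197 is 0xFFFFFF9D."""
    for w in parse_rows(text):
        if w.name.lower() == "sfcdisable" and w.value.isdigit():
            return f"0x{int(w.value) & 0xFFFFFFFF:08X}"
    return None


if __name__ == "__main__":
    for bucket, items in summarise(SAMPLE_ROWS).items():
        print(f"[{bucket}]")
        for proc, item in items:
            print(f"  {proc}: {item}")
    print("SFCDisable as hex:", sfc_disable_hex(SAMPLE_ROWS))
```

The normalised key paths are what you would feed to reg query or Get-ItemProperty on a suspect host; keep the WOW6432Node segment, since the writer was a 32-bit process. The "other" bucket is where the CLV.Classes hex strings land, which is deliberate: they are a strong IoC for this sample but not a generic behaviour, so they should not be folded into a reusable rule.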
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process (rows)
1112 WINWORD.EXE (2)
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process (rows; the table stops at the 64-row cap)
628 a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe (16)
4136 drqhikzqub.exe (10)
3316 buzkibstegxxtix.exe (12)
4892 chsolqgd.exe (8)
116 bzsfnrzoodzet.exe (16)
332 chsolqgd.exe (2)
Suspicious use of FindShellTrayWindow 18 IoCs
pid Process (rows)
628 a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe (3)
4136 drqhikzqub.exe (3)
3316 buzkibstegxxtix.exe (3)
4892 chsolqgd.exe (3)
116 bzsfnrzoodzet.exe (3)
332 chsolqgd.exe (3)
Suspicious use of SendNotifyMessage 18 IoCs
pid Process (rows)
628 a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe (3)
4136 drqhikzqub.exe (3)
3316 buzkibstegxxtix.exe (3)
4892 chsolqgd.exe (3)
116 bzsfnrzoodzet.exe (3)
332 chsolqgd.exe (3)
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process (rows)
1112 WINWORD.EXE (7)
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target (rows)
PID 628 wrote to memory of 4136 628 a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe 91 (3)
PID 628 wrote to memory of 3316 628 a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe 92 (3)
PID 628 wrote to memory of 4892 628 a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe 93 (3)
PID 628 wrote to memory of 116 628 a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe 94 (3)
PID 4136 wrote to memory of 332 4136 drqhikzqub.exe 95 (3)
PID 628 wrote to memory of 1112 628 a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe 96 (2)
Every writer/target pair here is a parent/child pair in the process tree below, so these rows record the sample launching its own children (and Word for the decoy document), not writes into a pre-existing process. Treat WriteProcessMemory rows as injection only when the target is not a child of the writer.
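The WriteProcessMemory table is the raw form of the process tree: each (writer, target) pair repeated a few times is one launch. The script below is an added example, not part of the Triage report or of the sample; it parses the rows above (copied verbatim into ROWS), collapses the repeats into per-edge counts, refuses to build a tree if any target was written by two different processes (which would point to real injection rather than a launch), and renders the lineage with the image names taken from the Processes section (copied into IMAGES, since children that never write to anyone have no name in this table).

```python
"""Rebuild process lineage from the "wrote to memory of" rows above.

Added example, not part of the Triage report or of the sample. ROWS is copied
from the report's "Suspicious use of WriteProcessMemory" table; IMAGES is
copied from its Processes section. The parsing, the tree and the ancestry
walk are this example's own code.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Constructed input: the 17 rows of the WriteProcessMemory table, one per line.
ROWS = """\
PID 628 wrote to memory of 4136 628 a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe 91
PID 628 wrote to memory of 4136 628 a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe 91
PID 628 wrote to memory of 4136 628 a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe 91
PID 628 wrote to memory of 3316 628 a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe 92
PID 628 wrote to memory of 3316 628 a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe 92
PID 628 wrote to memory of 3316 628 a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe 92
PID 628 wrote to memory of 4892 628 a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe 93
PID 628 wrote to memory of 4892 628 a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe 93
PID 628 wrote to memory of 4892 628 a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe 93
PID 628 wrote to memory of 116 628 a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe 94
PID 628 wrote to memory of 116 628 a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe 94
PID 628 wrote to memory of 116 628 a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe 94
PID 4136 wrote to memory of 332 4136 drqhikzqub.exe 95
PID 4136 wrote to memory of 332 4136 drqhikzqub.exe 95
PID 4136 wrote to memory of 332 4136 drqhikzqub.exe 95
PID 628 wrote to memory of 1112 628 a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe 96
PID 628 wrote to memory of 1112 628 a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe 96
"""

# Copied from the Processes section: pid -> image name.
IMAGES = {
    628: "a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe",
    4136: "drqhikzqub.exe", 3316: "buzkibstegxxtix.exe", 4892: "chsolqgd.exe",
    116: "bzsfnrzoodzet.exe", 332: "chsolqgd.exe", 1112: "WINWORD.EXE",
}

# writer pid, target pid, (writer pid again), writer image, sandbox procid_target
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ \S+ (\d+)$")


def parse_writes(text: str) -> dict[tuple[int, int], int]:
    """Return {(writer_pid, target_pid): row_count}, preserving first-seen order."""
    edges: dict[tuple[int, int], int] = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            key = (int(m[1]), int(m[2]))
            edges[key] = edges.get(key, 0) + 1
    return edges


def parent_map(edges: dict[tuple[int, int], int]) -> dict[int, int]:
    """target -> writer. Raises if a target is written by more than one process,
    which would mean cross-process injection rather than a simple launch."""
    parents: dict[int, int] = {}
    for writer, target in edges:
        if parents.get(target, writer) != writer:
            raise ValueError(f"pid {target} written by both {parents[target]} and {writer}")
        parents[target] = writer
    return parents


def ancestry(edges: dict[tuple[int, int], int], pid: int) -> list[int]:
    """Chain from the root process down to pid, e.g. [628, 4136, 332]."""
    parents = parent_map(edges)
    chain = [pid]
    while chain[-1] in parents:
        chain.append(parents[chain[-1]])
    return chain[::-1]


def render_tree(edges: dict[tuple[int, int], int], images: dict[int, str] = IMAGES) -> str:
    """Indented tree; each child is annotated with how many write rows its launch produced."""
    children: dict[int, list[int]] = defaultdict(list)
    for writer, target in edges:
        children[writer].append(target)
    parents = parent_map(edges)
    roots = [p for p in children if p not in parents]

    lines: list[str] = []

    def walk(pid: int, depth: int) -> None:
        label = f"{'  ' * depth}{pid} {images.get(pid, '?')}"
        if pid in parents:
            label += f"  [{edges[(parents[pid], pid)]} write rows]"
        lines.append(label)
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_tree(parse_writes(ROWS)))
```

Run against the rows above this prints a single root (628) with five direct children and chsolqgd.exe PID 332 one level deeper under drqhikzqub.exe, matching the Processes section. The ValueError path is the interesting one on other reports: a target with two writers, or a writer whose target is not its child in the tree, is the case worth escalating.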
Processes
C:\Users\Admin\AppData\Local\Temp\a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\a8477d3ca529aea43cd06a3e9e70360f_JaffaCakes118.exe"
  PID: 628
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  child: C:\Windows\SysWOW64\drqhikzqub.exe
    command line: drqhikzqub.exe
    PID: 4136
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    child: C:\Windows\SysWOW64\chsolqgd.exe
      command line: C:\Windows\system32\chsolqgd.exe (the 32-bit parent asks for system32 and file system redirection resolves it to SysWOW64, hence the differing image path)
      PID: 332
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  child: C:\Windows\SysWOW64\buzkibstegxxtix.exe
    command line: buzkibstegxxtix.exe
    PID: 3316
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  child: C:\Windows\SysWOW64\chsolqgd.exe
    command line: chsolqgd.exe
    PID: 4892
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  child: C:\Windows\SysWOW64\bzsfnrzoodzet.exe
    command line: bzsfnrzoodzet.exe
    PID: 116
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  child: C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    PID: 1112
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (separate root, not a child of the sample)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3756 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
  PID: 2428
Network
(none listed)
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (6)
Downloads
Ten of the dropped files are 512KB, the same size as the submitted sample, yet every hash differs from the sample's and from each other's, so hashes of the dropped copies are not stable IoCs for this family; the file names, paths and registry writes above are. Entries the report does not name are listed without a path, as the report gives them.

Filesize: 512KB
MD5: 3b4bd301a971e1f05b681f8e7146163b
SHA1: e2f39242c838329c0cb9d667aa1afabf444c80ed
SHA256: bf07804d5199dd087a971ae5d85c0eb1fbbe163674607df08aa9a418db95955f
SHA512: 7e55186796b98f85835534e45ca23eec4b71dfb7bbca1e25347c9fc36f46e1b43cefe0da678abf24665806be103cfe2263058b62611f058420e8b0a6a6b8c63c

Filesize: 512KB
MD5: bc2d262188f2e458c2a42c54c3aa14bc
SHA1: 661fa932586148b42d3713789500982345c186e3
SHA256: 0fda2812491b498cc47c438fb1c4ebbd3498135137be9654cbb9c64d74206d19
SHA512: 51569c02f5d7b256d26e0c7bd2ebe1fc2337b98a99f3ec7efc6e582f2e6092cbc20037d6fecb5fd46560da36be2614292c159cff510731b798065d8ded33b683

Filesize: 239B
MD5: 12b138a5a40ffb88d1850866bf2959cd
SHA1: 57001ba2de61329118440de3e9f8a81074cb28a2
SHA256: 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA512: 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: dc1cfac16361b80f97ee0ab5c91f03d9
SHA1: 7a2801177f93e72e04a94dccb8f45f004a3cb072
SHA256: 51217337de93fb69e11df24da841f135dcaecb0eba1289a870c1a67f5816ebc8
SHA512: a854a9e9bc595128b9b7fafe9086ae159caf58b471e543ebb26a302107bbcc701b8e3b4665268a5b9599317520717cf4cea8f8d70a56f7413cfc26f8c0f3e132

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: 720b07a0467fc72a940ae0aee77749be
SHA1: 795726922f5a12ad19bee1d7c8ed0e088b03eb65
SHA256: ebe36bcb704db0adc895ce55df1150b9facfe9581b7df165b845c64c6099708a
SHA512: ba395692661d023f74b9e6063f2b4ccf47309eddd36b357f5f6e490fa3179a12efdd91f9285d282f19bde8117b2527a1295a8478c243a2cb67ca414381cefc33

Filesize: 512KB
MD5: d84877c968362205d9eb56798b87d48c
SHA1: a9d2b84e6dd14d9aeb0b65a1b01dcb0b2833c27f
SHA256: 947b13574c6cefb0430364dbddfba56ab5c5a32e1fb906b710f62f3e1b6e7528
SHA512: c8c26ffd6b7edec1269446d6a216cd3a9b70ee1992167f5f8e3498b1170db86a4918c1cf4c5da566f8b748f5dbb9fa13dfd0ba4cec1b752041da0ec8925e5789

Filesize: 512KB
MD5: 309d7d4a54e9ce5165246e8ac6246837
SHA1: 64f69d943fb051f78aebd7d7d891714a586202e9
SHA256: 6200ad575c19d6e5d85df73fbb158f532ff7fce9003df2c23fcc3f95dd54f90a
SHA512: 8c7073ee8a5751840c8868b2c6ef92c93c15cb0f01a96ae1bed62a844f4165c1e0bef221b68f1c1dd428a7249e0551453c4c873a916899bd8900c7f14f3be647

Filesize: 512KB
MD5: c9163de88f10b0e290b441d078975bf5
SHA1: d3a010a6399b7c7fb07f0ee455c40017b723927b
SHA256: 6705b3fedb6db49c5277c2598087dcb390f91a7beec1fa71f51409ba1e030c79
SHA512: 903010df449e73d4257745e9af30c95ce3517fd04c8b01dd8059829399546d08bafb2c9f698a477e75fa01fb49ec09803878aaecddff930161fd56bb0872144e

Filesize: 512KB
MD5: 70908c5cd61803d6c37474bf92ce11d5
SHA1: 9e51b04d70f186def5068b761a6c5ba5082d8e4a
SHA256: f4d0a74be2c60820f716d5523066db49f8a3856a13048ec30f8d00c4700c55b5
SHA512: d731dcacc4b3729dc46527b1ed1c2869fde2af7529597b4db0aa3aed9b2a3523045b59bb85abf067f58219ee5414305e5fc0ea7ed67f11f4bd42d122ec9a9085

Filesize: 512KB
MD5: 8fb3451bf2090444b97fa506e1177e26
SHA1: 172466a3daa63554d0c4e56801720cdbac8789bc
SHA256: b3159dbd0149cf399b7e5f3fd26ca58ae747bc6e16731f24e7d0e1b33447f22a
SHA512: c4179253360623338c917a317e657ad5b82d2fcacfa02b3eb0eee80029a8bd18608e2cb1f45a5f64acf95a5975f7550d064ca9d02bf7f51ea9f367ba3ebadf60

Filesize: 512KB
MD5: ed7f410ed38f097e42c999bacf8f6099
SHA1: 8126ad683cbe59b2f1ae62dc6a6873de87b7dfb7
SHA256: f9b41bf0f4e3afccb434a538b7c0b9593746b5a2170a2b9ec7a9a87b621dd033
SHA512: 10a92ddfe3b0bb050b1f6adf54ca0d93d6c175a493ef2c4940b43e31197e78ba9772d08ab5cc0790dceb0c4d76a49ee83df5fb844ed4107577c4c7a28746b81a

Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Filesize: 512KB
MD5: e848ae8c5b7b5290257ae059d627a2da
SHA1: 63202abfb66481ce0f47d9eb9087131b1fb4d82d
SHA256: da444207b9081344b45cf25e505a66c66c96947d7b480e65b827885c1921d556
SHA512: 065a61f401d5bc160c03e8b0e4898f1efc8059c235139a3c08a3e5efbb50169a4cc1342cc6cfd2b3ed28694b8903f9efb4c824cf000e6979893b3de0d52033bc

Filesize: 512KB
MD5: 90b322a0b7be01b1d1b2648e09645fbe
SHA1: e5365e2891b75d114551db550b2c2d44004cb528
SHA256: c178b205d4f8792cd4f930d76d70660a8a2ef6826bdeb173cc069d200825feb3
SHA512: 8839e16fc5e178604e32512d3116918750608c060d875721f755e0fd5c058cc22fc5c88227b0b5810b933a2e79c046036216e8a57544540e072c396735a8659f