Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14/06/2024, 20:47
Static task: static1
Behavioral task: behavioral1
- Sample: ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe
- Resource: win10v2004-20240508-en
General
- Target: ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe
- Size: 512KB
- MD5: ab62eae5f5ab1247553f9e43c703b05a
- SHA1: bf3c54fe6ee69d0a854e27ab1a9fb195edebfdfe
- SHA256: 762ba6421a898f1929e1a2ebfdcb3bd6872e0e6ce1f2ecd698b176542e6677c9
- SHA512: 6a32b7057e2e2e82506680d249bae0a675006598671cfef8e613e18d621c24810b07d5e6bf64bc9d4d0af32f33632be9dec887d1f61effe3edbed456b4ab3664
- SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6T:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5g
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
- Set value (int) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (process: wzjmqjtcjf.exe)
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
- Set value (int) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: wzjmqjtcjf.exe)
Windows security bypass (5 IoCs)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (process: wzjmqjtcjf.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (process: wzjmqjtcjf.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (process: wzjmqjtcjf.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (process: wzjmqjtcjf.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (process: wzjmqjtcjf.exe)
Disables RegEdit via registry modification (1 IoC)
- Set value (int) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (process: wzjmqjtcjf.exe)
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
- Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation (process: ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe)
Executes dropped EXE (5 IoCs)
- PID 3324: wzjmqjtcjf.exe
- PID 2580: rpfwjjkzjcurbkz.exe
- PID 1412: uzuthjak.exe
- PID 4984: puyogdlufpzyg.exe
- PID 5100: uzuthjak.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.
Windows security modification (6 IoCs)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (process: wzjmqjtcjf.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" (process: wzjmqjtcjf.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (process: wzjmqjtcjf.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (process: wzjmqjtcjf.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (process: wzjmqjtcjf.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (process: wzjmqjtcjf.exe)
Adds Run key to start application (2 TTPs, 3 IoCs)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iwwfwrrw = "rpfwjjkzjcurbkz.exe" (process: rpfwjjkzjcurbkz.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "puyogdlufpzyg.exe" (process: rpfwjjkzjcurbkz.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rybwflzv = "wzjmqjtcjf.exe" (process: rpfwjjkzjcurbkz.exe)
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon (2 TTPs, 2 IoCs)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" (process: wzjmqjtcjf.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" (process: wzjmqjtcjf.exe)
AutoIT Executable (10 IoCs)
AutoIT scripts compiled to PE executables.
Resource (yara rule: autoit_exe):
- behavioral2/memory/2176-0-0x0000000000400000-0x0000000000496000-memory.dmp
- behavioral2/files/0x0007000000023431-5.dat
- behavioral2/files/0x000800000002342d-18.dat
- behavioral2/files/0x0007000000023432-27.dat
- behavioral2/files/0x0007000000023433-31.dat
- behavioral2/files/0x0013000000000755-63.dat
- behavioral2/files/0x000900000001e07c-72.dat
- behavioral2/files/0x000900000001e07d-78.dat
- behavioral2/files/0x000400000001e412-106.dat
- behavioral2/files/0x000400000001e412-111.dat
Drops file in System32 directory (13 IoCs)
- File opened for modification C:\Windows\SysWOW64\rpfwjjkzjcurbkz.exe (process: ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe)
- File created C:\Windows\SysWOW64\uzuthjak.exe (process: ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe)
- File created C:\Windows\SysWOW64\puyogdlufpzyg.exe (process: ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe)
- File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (process: uzuthjak.exe)
- File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (process: uzuthjak.exe)
- File created C:\Windows\SysWOW64\rpfwjjkzjcurbkz.exe (process: ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\msvbvm60.dll (process: wzjmqjtcjf.exe)
- File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (process: uzuthjak.exe)
- File opened for modification C:\Windows\SysWOW64\uzuthjak.exe (process: ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\wzjmqjtcjf.exe (process: ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\puyogdlufpzyg.exe (process: ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe)
- File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (process: uzuthjak.exe)
- File created C:\Windows\SysWOW64\wzjmqjtcjf.exe (process: ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe)
Drops file in Program Files directory (14 IoCs)
- File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (process: uzuthjak.exe)
- File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (process: uzuthjak.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (process: uzuthjak.exe)
- File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (process: uzuthjak.exe)
- File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (process: uzuthjak.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal (process: uzuthjak.exe)
- File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (process: uzuthjak.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (process: uzuthjak.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (process: uzuthjak.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal (process: uzuthjak.exe)
- File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (process: uzuthjak.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal (process: uzuthjak.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal (process: uzuthjak.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (process: uzuthjak.exe)
Drops file in Windows directory (19 IoCs)
- File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (process: uzuthjak.exe)
- File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (process: uzuthjak.exe)
- File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (process: uzuthjak.exe)
- File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (process: uzuthjak.exe)
- File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (process: uzuthjak.exe)
- File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (process: uzuthjak.exe)
- File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (process: uzuthjak.exe)
- File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (process: uzuthjak.exe)
- File opened for modification C:\Windows\mydoc.rtf (process: ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe)
- File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (process: uzuthjak.exe)
- File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (process: uzuthjak.exe)
- File opened for modification C:\Windows\mydoc.rtf (process: WINWORD.EXE)
- File created C:\Windows\~$mydoc.rtf (process: WINWORD.EXE)
- File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (process: uzuthjak.exe)
- File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (process: uzuthjak.exe)
- File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (process: uzuthjak.exe)
- File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (process: uzuthjak.exe)
- File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (process: uzuthjak.exe)
- File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (process: uzuthjak.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (process: WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (process: WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process: WINWORD.EXE)
Enumerates system info in registry (2 TTPs, 3 IoCs)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (process: WINWORD.EXE)
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS (process: WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (process: WINWORD.EXE)
Modifies registry class (20 IoCs)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCEF9CBF96BF2E7837A3B4B86E93EE2B0FC028C4214023BE1CC42EB09A0" (process: ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1849C70F14E5DAC4B9BA7FE6ECE737CE" (process: ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" (process: wzjmqjtcjf.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs (process: wzjmqjtcjf.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg (process: wzjmqjtcjf.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" (process: wzjmqjtcjf.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32442D0D9C2383526D4676A177222CDD7D8464DF" (process: ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB7B0204492389F53BDBAA732EDD7CD" (process: ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F368C3FE6622DFD209D0A28B089017" (process: ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat (process: wzjmqjtcjf.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc (process: wzjmqjtcjf.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" (process: wzjmqjtcjf.exe)
- Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes (process: ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" (process: wzjmqjtcjf.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" (process: wzjmqjtcjf.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8EFC824F29851E9146D7587DE0BC93E134584766366237D7EA" (process: ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe)
- Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings (process: ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh (process: wzjmqjtcjf.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" (process: wzjmqjtcjf.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf (process: wzjmqjtcjf.exe)
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
- PID 4176: WINWORD.EXE
- PID 4176: WINWORD.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of FindShellTrayWindow (18 IoCs)
Suspicious use of SendNotifyMessage (18 IoCs)
Suspicious use of SetWindowsHookEx (7 IoCs)
Suspicious use of WriteProcessMemory (17 IoCs)
- PID 2176 wrote to memory of 3324 (process: ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe, procid_target 82)
- PID 2176 wrote to memory of 3324 (process: ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe, procid_target 82)
- PID 2176 wrote to memory of 3324 (process: ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe, procid_target 82)
- PID 2176 wrote to memory of 2580 (process: ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe, procid_target 83)
- PID 2176 wrote to memory of 2580 (process: ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe, procid_target 83)
- PID 2176 wrote to memory of 2580 (process: ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe, procid_target 83)
- PID 2176 wrote to memory of 1412 (process: ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe, procid_target 84)
- PID 2176 wrote to memory of 1412 (process: ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe, procid_target 84)
- PID 2176 wrote to memory of 1412 (process: ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe, procid_target 84)
- PID 2176 wrote to memory of 4984 (process: ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe, procid_target 85)
- PID 2176 wrote to memory of 4984 (process: ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe, procid_target 85)
- PID 2176 wrote to memory of 4984 (process: ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe, procid_target 85)
- PID 2176 wrote to memory of 4176 (process: ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe, procid_target 86)
- PID 2176 wrote to memory of 4176 (process: ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe, procid_target 86)
- PID 3324 wrote to memory of 5100 (process: wzjmqjtcjf.exe, procid_target 88)
- PID 3324 wrote to memory of 5100 (process: wzjmqjtcjf.exe, procid_target 88)
- PID 3324 wrote to memory of 5100 (process: wzjmqjtcjf.exe, procid_target 88)
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe (PID 2176)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ab62eae5f5ab1247553f9e43c703b05a_JaffaCakes118.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\SysWOW64\wzjmqjtcjf.exe (PID 3324)
    Command line: wzjmqjtcjf.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\SysWOW64\uzuthjak.exe (PID 5100)
      Command line: C:\Windows\system32\uzuthjak.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  Level 2: C:\Windows\SysWOW64\rpfwjjkzjcurbkz.exe (PID 2580)
    Command line: rpfwjjkzjcurbkz.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  Level 2: C:\Windows\SysWOW64\uzuthjak.exe (PID 1412)
    Command line: uzuthjak.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  Level 2: C:\Windows\SysWOW64\puyogdlufpzyg.exe (PID 4984)
    Command line: puyogdlufpzyg.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  Level 2: C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 4176)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads