Analysis
max time kernel: 151s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16/06/2024, 07:48
Static task: static1
Behavioral task: behavioral1
  Sample: b26cca84d9629242aba661364a2ffb16_JaffaCakes118.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: b26cca84d9629242aba661364a2ffb16_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
Target: b26cca84d9629242aba661364a2ffb16_JaffaCakes118.exe
Size: 512KB
MD5: b26cca84d9629242aba661364a2ffb16
SHA1: 4ed0ad4594e0cd4219c9454f1c7f7a894415928c
SHA256: 56e07ee34411a08bc0f9e63fe3f8ac8bdd863594ac2f7a54f188c580f072fd7d
SHA512: 4a39400f42b43137e1d8e2b8ac8b12799ea778ab6513d2793b2a19b8aa432b77f29a3011939c132ae4fdeee1306ff594c76f700ced29183f8acf422c69981a80
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj68:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5/
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | cvouzxcmlf.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | cvouzxcmlf.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | cvouzxcmlf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | cvouzxcmlf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | cvouzxcmlf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | cvouzxcmlf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | cvouzxcmlf.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | cvouzxcmlf.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | b26cca84d9629242aba661364a2ffb16_JaffaCakes118.exe
Executes dropped EXE 5 IoCs
pid | Process
532 | cvouzxcmlf.exe
5552 | besfxwdyofxawfz.exe
3536 | rpdlynlg.exe
700 | ivajszsflmfqk.exe
5572 | rpdlynlg.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | cvouzxcmlf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | cvouzxcmlf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | cvouzxcmlf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | cvouzxcmlf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | cvouzxcmlf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | cvouzxcmlf.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vumkwlbm = "cvouzxcmlf.exe" | besfxwdyofxawfz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oqasapfk = "besfxwdyofxawfz.exe" | besfxwdyofxawfz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "ivajszsflmfqk.exe" | besfxwdyofxawfz.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\b: | rpdlynlg.exe
File opened (read-only) | \??\z: | cvouzxcmlf.exe
File opened (read-only) | \??\l: | rpdlynlg.exe
File opened (read-only) | \??\t: | rpdlynlg.exe
File opened (read-only) | \??\u: | rpdlynlg.exe
File opened (read-only) | \??\g: | rpdlynlg.exe
File opened (read-only) | \??\h: | rpdlynlg.exe
File opened (read-only) | \??\k: | cvouzxcmlf.exe
File opened (read-only) | \??\n: | rpdlynlg.exe
File opened (read-only) | \??\o: | rpdlynlg.exe
File opened (read-only) | \??\b: | cvouzxcmlf.exe
File opened (read-only) | \??\n: | cvouzxcmlf.exe
File opened (read-only) | \??\o: | cvouzxcmlf.exe
File opened (read-only) | \??\v: | rpdlynlg.exe
File opened (read-only) | \??\e: | rpdlynlg.exe
File opened (read-only) | \??\q: | rpdlynlg.exe
File opened (read-only) | \??\x: | rpdlynlg.exe
File opened (read-only) | \??\z: | rpdlynlg.exe
File opened (read-only) | \??\g: | cvouzxcmlf.exe
File opened (read-only) | \??\m: | rpdlynlg.exe
File opened (read-only) | \??\s: | rpdlynlg.exe
File opened (read-only) | \??\e: | cvouzxcmlf.exe
File opened (read-only) | \??\e: | rpdlynlg.exe
File opened (read-only) | \??\x: | rpdlynlg.exe
File opened (read-only) | \??\k: | rpdlynlg.exe
File opened (read-only) | \??\l: | rpdlynlg.exe
File opened (read-only) | \??\q: | cvouzxcmlf.exe
File opened (read-only) | \??\y: | cvouzxcmlf.exe
File opened (read-only) | \??\i: | rpdlynlg.exe
File opened (read-only) | \??\w: | rpdlynlg.exe
File opened (read-only) | \??\w: | cvouzxcmlf.exe
File opened (read-only) | \??\q: | rpdlynlg.exe
File opened (read-only) | \??\j: | rpdlynlg.exe
File opened (read-only) | \??\m: | rpdlynlg.exe
File opened (read-only) | \??\r: | rpdlynlg.exe
File opened (read-only) | \??\w: | rpdlynlg.exe
File opened (read-only) | \??\p: | rpdlynlg.exe
File opened (read-only) | \??\h: | cvouzxcmlf.exe
File opened (read-only) | \??\l: | cvouzxcmlf.exe
File opened (read-only) | \??\t: | cvouzxcmlf.exe
File opened (read-only) | \??\n: | rpdlynlg.exe
File opened (read-only) | \??\u: | rpdlynlg.exe
File opened (read-only) | \??\p: | cvouzxcmlf.exe
File opened (read-only) | \??\u: | cvouzxcmlf.exe
File opened (read-only) | \??\x: | cvouzxcmlf.exe
File opened (read-only) | \??\h: | rpdlynlg.exe
File opened (read-only) | \??\k: | rpdlynlg.exe
File opened (read-only) | \??\z: | rpdlynlg.exe
File opened (read-only) | \??\v: | rpdlynlg.exe
File opened (read-only) | \??\a: | cvouzxcmlf.exe
File opened (read-only) | \??\m: | cvouzxcmlf.exe
File opened (read-only) | \??\a: | rpdlynlg.exe
File opened (read-only) | \??\a: | rpdlynlg.exe
File opened (read-only) | \??\j: | cvouzxcmlf.exe
File opened (read-only) | \??\i: | rpdlynlg.exe
File opened (read-only) | \??\r: | rpdlynlg.exe
File opened (read-only) | \??\y: | rpdlynlg.exe
File opened (read-only) | \??\y: | rpdlynlg.exe
File opened (read-only) | \??\s: | cvouzxcmlf.exe
File opened (read-only) | \??\v: | cvouzxcmlf.exe
File opened (read-only) | \??\g: | rpdlynlg.exe
File opened (read-only) | \??\o: | rpdlynlg.exe
File opened (read-only) | \??\r: | cvouzxcmlf.exe
File opened (read-only) | \??\p: | rpdlynlg.exe
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | cvouzxcmlf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | cvouzxcmlf.exe
AutoIT Executable 8 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/3544-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x0008000000023267-5.dat | autoit_exe
behavioral2/files/0x0008000000023262-18.dat | autoit_exe
behavioral2/files/0x0008000000023269-26.dat | autoit_exe
behavioral2/files/0x000800000002326a-32.dat | autoit_exe
behavioral2/files/0x000800000002300a-52.dat | autoit_exe
behavioral2/files/0x000f00000002301a-55.dat | autoit_exe
behavioral2/files/0x00050000000168fa-84.dat | autoit_exe
Drops file in System32 directory 9 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\cvouzxcmlf.exe | b26cca84d9629242aba661364a2ffb16_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\besfxwdyofxawfz.exe | b26cca84d9629242aba661364a2ffb16_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\besfxwdyofxawfz.exe | b26cca84d9629242aba661364a2ffb16_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\rpdlynlg.exe | b26cca84d9629242aba661364a2ffb16_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | cvouzxcmlf.exe
File created | C:\Windows\SysWOW64\cvouzxcmlf.exe | b26cca84d9629242aba661364a2ffb16_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\rpdlynlg.exe | b26cca84d9629242aba661364a2ffb16_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\ivajszsflmfqk.exe | b26cca84d9629242aba661364a2ffb16_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\ivajszsflmfqk.exe | b26cca84d9629242aba661364a2ffb16_JaffaCakes118.exe
Drops file in Program Files directory 15 IoCs
description | ioc | Process
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | rpdlynlg.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | rpdlynlg.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | rpdlynlg.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | rpdlynlg.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | rpdlynlg.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | rpdlynlg.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | rpdlynlg.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | rpdlynlg.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | rpdlynlg.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | rpdlynlg.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | rpdlynlg.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | rpdlynlg.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | rpdlynlg.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | rpdlynlg.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | rpdlynlg.exe
Drops file in Windows directory 3 IoCs
description | ioc | Process
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | C:\Windows\mydoc.rtf | b26cca84d9629242aba661364a2ffb16_JaffaCakes118.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class 20 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings | b26cca84d9629242aba661364a2ffb16_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF8FCF84858851B9042D62D7E96BD92E147594A6741623FD79F" | b26cca84d9629242aba661364a2ffb16_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | cvouzxcmlf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | cvouzxcmlf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | cvouzxcmlf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | cvouzxcmlf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33402D7E9C2682236D3677A770252CAC7D8264DF" | b26cca84d9629242aba661364a2ffb16_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACEFAB1FE11F1E484783A46869F3E98B080028B42600338E2C942E609A0" | b26cca84d9629242aba661364a2ffb16_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB2B02A479539EE52BEBADC3299D7BE" | b26cca84d9629242aba661364a2ffb16_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | cvouzxcmlf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | cvouzxcmlf.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | b26cca84d9629242aba661364a2ffb16_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | cvouzxcmlf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | cvouzxcmlf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | cvouzxcmlf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F768B0FE6921AAD10ED0A28A7B9167" | b26cca84d9629242aba661364a2ffb16_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184FC70915E3DBC3B8BC7FE4EDE334BB" | b26cca84d9629242aba661364a2ffb16_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | cvouzxcmlf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | cvouzxcmlf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | cvouzxcmlf.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
5768 | WINWORD.EXE (x2)
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process (consecutive identical rows collapsed, count in parentheses)
3544 | b26cca84d9629242aba661364a2ffb16_JaffaCakes118.exe (x12)
532 | cvouzxcmlf.exe (x10)
3544 | b26cca84d9629242aba661364a2ffb16_JaffaCakes118.exe (x4)
5552 | besfxwdyofxawfz.exe (x10)
3536 | rpdlynlg.exe (x8)
700 | ivajszsflmfqk.exe (x12)
5552 | besfxwdyofxawfz.exe (x2)
700 | ivajszsflmfqk.exe (x4)
5552 | besfxwdyofxawfz.exe (x2)
Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process (consecutive identical rows collapsed, count in parentheses)
3544 | b26cca84d9629242aba661364a2ffb16_JaffaCakes118.exe (x3)
532 | cvouzxcmlf.exe (x3)
5552 | besfxwdyofxawfz.exe (x3)
3536 | rpdlynlg.exe
700 | ivajszsflmfqk.exe
3536 | rpdlynlg.exe
700 | ivajszsflmfqk.exe
3536 | rpdlynlg.exe
700 | ivajszsflmfqk.exe
5572 | rpdlynlg.exe (x3)
Suspicious use of SendNotifyMessage 18 IoCs
pid | Process (consecutive identical rows collapsed, count in parentheses)
3544 | b26cca84d9629242aba661364a2ffb16_JaffaCakes118.exe (x3)
532 | cvouzxcmlf.exe (x3)
5552 | besfxwdyofxawfz.exe (x3)
3536 | rpdlynlg.exe
700 | ivajszsflmfqk.exe
3536 | rpdlynlg.exe
700 | ivajszsflmfqk.exe
3536 | rpdlynlg.exe
700 | ivajszsflmfqk.exe
5572 | rpdlynlg.exe (x3)
Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process
5768 | WINWORD.EXE (x7)
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target (consecutive identical rows collapsed, count in parentheses)
PID 3544 wrote to memory of 532 | 3544 | b26cca84d9629242aba661364a2ffb16_JaffaCakes118.exe | 91 (x3)
PID 3544 wrote to memory of 5552 | 3544 | b26cca84d9629242aba661364a2ffb16_JaffaCakes118.exe | 92 (x3)
PID 3544 wrote to memory of 3536 | 3544 | b26cca84d9629242aba661364a2ffb16_JaffaCakes118.exe | 93 (x3)
PID 3544 wrote to memory of 700 | 3544 | b26cca84d9629242aba661364a2ffb16_JaffaCakes118.exe | 94 (x3)
PID 532 wrote to memory of 5572 | 532 | cvouzxcmlf.exe | 95 (x3)
PID 3544 wrote to memory of 5768 | 3544 | b26cca84d9629242aba661364a2ffb16_JaffaCakes118.exe | 96 (x2)
Processes
C:\Users\Admin\AppData\Local\Temp\b26cca84d9629242aba661364a2ffb16_JaffaCakes118.exe (PID 3544)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b26cca84d9629242aba661364a2ffb16_JaffaCakes118.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cvouzxcmlf.exe (PID 532)
    Command line: cvouzxcmlf.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rpdlynlg.exe (PID 5572)
      Command line: C:\Windows\system32\rpdlynlg.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\besfxwdyofxawfz.exe (PID 5552)
    Command line: besfxwdyofxawfz.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\rpdlynlg.exe (PID 3536)
    Command line: rpdlynlg.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\ivajszsflmfqk.exe (PID 700)
    Command line: ivajszsflmfqk.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 5768)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4448)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4468 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution 2
    Registry Run Keys / Startup Folder 1
    Winlogon Helper DLL 1
Privilege Escalation
  Boot or Logon Autostart Execution 2
    Registry Run Keys / Startup Folder 1
    Winlogon Helper DLL 1
Defense Evasion
  Hide Artifacts 2
    Hidden Files and Directories 2
  Impair Defenses 2
    Disable or Modify Tools 2
  Modify Registry 6
Downloads
Filesize: 512KB
MD5: ed61d733f76f8eae55d0a42b2a85a6f5
SHA1: 0151fe8cf987c07633be631192225fa069853d28
SHA256: 0cdf6a01934e2c5f6d51fff5256596355cf064f5a62bf927d9c7ae58115a0e04
SHA512: 578c477d54948c835355bb30ea6f1f8cab3ae254b2f6fe5933e698f8126b8c12c97adc98da1ebcff1520d1695132dff1d6c38efd8ace73dd82e0d0e0b4780061

Filesize: 512KB
MD5: ce9663be1d6cbc3b26a1edcb322157db
SHA1: d47bc658fe5d3ac17068470b256f5f84e4631f7b
SHA256: d6cdf1b31db1d80a6b58aae2aeafc0884c8549c3df423a46aea4dd9cbec53c5f
SHA512: e555182265b48a32951dc5d79fb03d07e58ee66bb138251f4cfefe87383ed9b47151e98c0c469c581cb427dbec0636ce592bfa003f5f5e7eacc81f39f9a4ec56

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: 751743bcabc631d08e1b3f6ea8219734
SHA1: 8e7ef10dd7f0b452a19c3b101e79932474336817
SHA256: 1bca3a6751e4332e1c2e0f67f9b6def17364e36c724610e37f6e11089ead3a69
SHA512: 83a5b1b7dae6a078c27072e4ad2621110d4a9739b45d421e8cdfc615240b99bff5d05bab187a126b562147e8bdd92e7011d8eed5fb990fb7cc8d0e310316bd49

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: a261b8dc4cbd15ea3769bfa7452af426
SHA1: 6802a5c686bf99ad08e24d862b83e2e56e1eef4c
SHA256: fe093afc4e33046b4ec72da1c6b7cebe2fd85b90e0b0d6708968032b72487173
SHA512: 19fa760d72a400efeff66b06e7f7181b57801ba0a5f22345302c31dddd02f09c7ba46b6c2f56071d2e2eafe58b1ca50c0b88b0aa34a24f0f1cc87abb69431faf

Filesize: 512KB
MD5: 314c3bc8ffd7c4b179ff6c1a6801e5e3
SHA1: 0e328cc781d2106df23625da6bba047ca63c4042
SHA256: 97353cccf5e416413390725a36ef504942200a34aa6e3bf3add708d726137baf
SHA512: 74748faa668bc9f5e81be9d84f764973a068926d4e0f49e1307714c72fbe23121558679a15e21f1c8526e8a4f1f99071c511826070f148092c4c2a2574e757c7

Filesize: 512KB
MD5: a72969a5aede5ad19ebfd1939e2d0b39
SHA1: a3ebae6033d19b745c7d8091668bfd1a37e706b7
SHA256: 7260f19251ce1cebaf2db5075f4eb06684877c4d1e7f9c09279d932adb30606e
SHA512: 5ae6d9974d2c14f42d10a7fb4c4087fde03689ea175c250e993561e95c8ff045ae6591bbee79c7b6c3c1f947e83a20acada4bae0af2b31cb0b81e294d25164ba

Filesize: 512KB
MD5: ce6d96f59ddaa0b3fafe3bed40a7aa75
SHA1: 4d276ec5b28429e71f8b85019a4ad3b1d1adaab8
SHA256: 6596590eb1c783361add864a3cd5d2f0687f626414ab346c41152570262e1796
SHA512: 5e24fc1cf87d65562c23ab465bfd67a8c04e83ad0ffb31b7faa4e7edeb893e98d09e5f3aa37602ebbc8471c0bd7beef3d6b90bcdc0d3c64510edbc88d87ff1b9

Filesize: 512KB
MD5: 673e5953754d6f2366023ad4e358894d
SHA1: 9df98232d1f5f406c2a5de0a65e74f4cc0077488
SHA256: bdda5b612dd426d1274bd7d09c0fe46bd9b93a9562664b67189b22b05d9ca23d
SHA512: 1d4f1356abff736b19a1f493537476c3262a7af0c95e3bdd50803d1dd826a5716dc2dcb17de1c3e5fe6fcd15487274246b2df511ab1961c59df4a878f49a54eb

Filesize: 512KB
MD5: 22b48f338e8d6d1aa6b5b9cb7bbf59b2
SHA1: ef833fe9c145e40eecacf0cd534f9c281c8758fb
SHA256: d43534b80cc5741237674bce1e673917c66e2469660e8493ab227322fd0f59ed
SHA512: 4833a3def34cc539e352649aa4d65200ec468dfc2f44c09b0f92783974eb2399c6c986c7fcb277b14175243f42901a9f26465b14f6054555577a6c2c11d0e7b6

Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7