d018bb082d0d768a09a8259bac61bea1f356476ecc3242107ab8241e7cb5fea0

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
11/07/2024, 17:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a07dd3c3102cae3b66a616691b39ca0_JaffaCakes118.exe
Size

397KB
MD5

3a07dd3c3102cae3b66a616691b39ca0
SHA1

f5352fe5a8ab47f0dff31bd89c295b63ee5bfd51
SHA256

d018bb082d0d768a09a8259bac61bea1f356476ecc3242107ab8241e7cb5fea0
SHA512

194770ebe7633a53ad0cfbd7f8e76f6a5e2d3519891e877a407d7902e8a5f4581fea3869642efb5646bb90665116ea216d04aefb3a90a81eea6ecb96fb772b0b
SSDEEP

12288:yk1Z/NVy6ixxrno8nDzu8MOH8qLsAQsnY:3NVixtDzIOHLTnY

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	mlencXAGoFP.exe

Disables Task Manager via registry modification
evasion

Executes dropped EXE 1 IoCs

pid	Process
1924	mlencXAGoFP.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mlencXAGoFP.exe = "C:\\ProgramData\\mlencXAGoFP.exe"	3a07dd3c3102cae3b66a616691b39ca0_JaffaCakes118.exe

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	attrib.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	attrib.exe
File opened for modification	C:\Windows\Fonts\desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	attrib.exe

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	3a07dd3c3102cae3b66a616691b39ca0_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	3a07dd3c3102cae3b66a616691b39ca0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	mlencXAGoFP.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	mlencXAGoFP.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-pl.xrm-ms	attrib.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared	attrib.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\control\libwin_hotkeys_plugin.dll	attrib.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-20_altform-unplated.png	attrib.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\it-IT\msadcer.dll.mui	attrib.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\UIAutomationProvider.resources.dll	attrib.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare	attrib.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\plugins	attrib.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\zh-tw\ui-strings.js	attrib.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-pl.xrm-ms	attrib.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\manifest.xml	attrib.exe
File opened for modification	C:\Program Files\Windows Media Player\es-ES\wmpnscfg.exe.mui	attrib.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\PeopleMedTile.scale-125.png	attrib.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_2020.1906.55.0_neutral_~_8wekyb3d8bbwe\AppxMetadata	attrib.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-white\MedTile.scale-100.png	attrib.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.ReportingServices.ProgressiveProcessing.dll	attrib.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-black\WideTile.scale-200.png	attrib.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\es-es\ui-strings.js	attrib.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\security\policy	attrib.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\PhotosMedTile.contrast-white_scale-125.png	attrib.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-125_8wekyb3d8bbwe\images\Square310x310Logo.scale-125.png	attrib.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\jsaddins\locallaunch\locallaunch.js	attrib.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-48_altform-lightunplated_devicefamily-colorfulunplated.png	attrib.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\StoreLogo.scale-100_contrast-white.png	attrib.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\s_filetype_psd.svg	attrib.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\vlc.mo	attrib.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libcanvas_plugin.dll	attrib.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\stickers\word_art\sticker29.png	attrib.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\large_trefoil.png	attrib.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Trial-pl.xrm-ms	attrib.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\zh-TW	attrib.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\LiveTile\W1.png	attrib.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.Resources.dll	attrib.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\Assets\MixerBranding\Mixer_logo_half-White_RGB.png	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\identity_helper.Sparse.Internal.msix	attrib.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\import_google_contacts\googleImportError.png	attrib.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-60_altform-unplated.png	attrib.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptyCalendarSearch.scale-100.png	attrib.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-36_contrast-black.png	attrib.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Georgia.xml	attrib.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SmallTile.scale-125_contrast-white.png	attrib.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\WideTile.scale-400.png	attrib.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubWideTile.scale-100_contrast-high.png	attrib.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets	attrib.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\pl-pl	attrib.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\ja-JP	attrib.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.XLHost.Modeler.dll	attrib.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-runtime-l1-1-0.dll	attrib.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp	attrib.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-32.png	attrib.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-24_altform-lightunplated.png	attrib.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ru-ru	attrib.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\URLREDIR.DLL	attrib.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\resources\strings\LocalizedStrings_sl.json	attrib.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailSmallTile.scale-100.png	attrib.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\dark\faf_field_grabber.png	attrib.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Drawing.Common.dll	attrib.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-synch-l1-1-0.dll	attrib.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libogg_plugin.dll	attrib.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-16_contrast-white.png	attrib.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSmallTile.scale-150.png	attrib.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNotebookLargeTile.scale-125.png	attrib.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\AppCS\Assets\FaceReco_Illustration_LRG.png	attrib.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTrial-pl.xrm-ms	attrib.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost.Resources\1.0.0.0_it_31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.Resources.dll	attrib.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P1706cafe#\0ab6364a0211b746d41492b243bdfdfb	attrib.exe
File opened for modification	C:\Windows\servicing\Packages\HyperV-Feature-Containers-Package~31bf3856ad364e35~amd64~~10.0.19041.1288.cat	attrib.exe
File opened for modification	C:\Windows\servicing\Packages\HyperV-Worker-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.1266.cat	attrib.exe
File opened for modification	C:\Windows\INF\microsoft_bluetooth_a2dp.inf	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Users\App_LocalResources\addUser.aspx.es.resx	attrib.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\Language.Basic~mk-mk~1.0.mum	attrib.exe
File opened for modification	C:\Windows\servicing\Packages\HyperV-KernelInt-VSP-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat	attrib.exe
File opened for modification	C:\Windows\servicing\Packages\Multimedia-RestrictedCodecsExt-WCOSHeadless-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat	attrib.exe
File opened for modification	C:\Windows\servicing\Packages\Containers-Server-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat	attrib.exe
File opened for modification	C:\Windows\INF\mdmminij.inf	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\TaskScheduler\v4.0_10.0.0.0__31bf3856ad364e35\TaskScheduler.dll	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\WsatConfig.resources\v4.0_4.0.0.0_fr_b03f5f7f11d50a3a	attrib.exe
File opened for modification	C:\Windows\PolicyDefinitions\en-US\LeakDiagnostic.adml	attrib.exe
File opened for modification	C:\Windows\PolicyDefinitions\ja-JP\Shell-CommandPrompt-RegEditTools.adml	attrib.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Media-Streaming-Package~31bf3856ad364e35~amd64~uk-UA~10.0.19041.1.cat	attrib.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Applications.ServerDocument.v9.0\9.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualStudio.Tools.Applications.ServerDocument.v9.0.dll	attrib.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-OneCore-Http-Package~31bf3856ad364e35~amd64~uk-UA~10.0.19041.1.cat	attrib.exe
File opened for modification	C:\Windows\ImmersiveControlPanel\images\wide.Devices.png	attrib.exe
File opened for modification	C:\Windows\INF\.NET CLR Networking\040C\_Networkingperfcounters_v2_d.ini	attrib.exe
File opened for modification	C:\Windows\servicing\Packages\HyperV-Compute-Storage-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.1202.mum	attrib.exe
File opened for modification	C:\Windows\servicing\Packages\Package_13_for_KB5005699~31bf3856ad364e35~amd64~~19041.1220.1.0.cat	attrib.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.I0cd65b90#	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.Commands.WriteDiagProgress.Resources\v4.0_1.0.0.0_fr_31bf3856ad364e35	attrib.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Help-ClientOOBE-Feature-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.423.cat	attrib.exe
File opened for modification	C:\Windows\PolicyDefinitions\en-US\SettingSync.adml	attrib.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-DirectPlay-OC-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.cat	attrib.exe
File opened for modification	C:\Windows\Help\mui\0409	attrib.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Embedded-EmbeddedLogon-Package~31bf3856ad364e35~amd64~~10.0.19041.1.mum	attrib.exe
File opened for modification	C:\Windows\assembly\GAC_64\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_LocalResources\WebAdminHelp_Application.aspx.ja.resx	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\System.Speech.dll	attrib.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Composable-PlatformExtension-DragDropCommon-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat	attrib.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.264.cat	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ComponentModel.Composition.Registration\v4.0_4.0.0.0__b77a5c561934e089	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms.DataVisualization.resources\v4.0_4.0.0.0_de_31bf3856ad364e35\System.Windows.Forms.DataVisualization.resources.dll	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.CompilerServices.VisualC	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\Wizard\wizardProviderInfo.ascx	attrib.exe
File opened for modification	C:\Windows\PLA\Rules\es-ES\Rules.System.NetDiagFramework.xml	attrib.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Lxss-Optional-Package~31bf3856ad364e35~amd64~uk-UA~10.0.19041.1.cat	attrib.exe
File opened for modification	C:\Windows\diagnostics\system\Apps\RS_ConnectedAccount.ps1	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.DSC.CoreConfProviders\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.Windows.DSC.CoreConfProviders.dll	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.5\MOF\ja\ServiceModel35.mfl.uninstall	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\es\System.Windows.Controls.Ribbon.resources.dll	attrib.exe
File opened for modification	C:\Windows\PolicyDefinitions\fr-FR\Winsrv.adml	attrib.exe
File opened for modification	C:\Windows\servicing\Packages\HyperV-VMMS-Package~31bf3856ad364e35~amd64~~10.0.19041.1288.mum	attrib.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-OneCore-Multimedia-CastingTransmitter-Media-Package~31bf3856ad364e35~amd64~~10.0.19041.153.mum	attrib.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.mum	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics.Resources\v4.0_3.0.0.0_en_31bf3856ad364e35	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\adonetdiag.mof	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\Browsers\gateway.browser	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Tpm.Commands.Resources	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\de\System.Runtime.WindowsRuntime.resources.dll	attrib.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Core\eb603fa6eb1f1fdefda6ce5d5c1c889a	attrib.exe
File opened for modification	C:\Windows\diagnostics\system\IESecurity\uk-UA	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.Commands.WriteDiagTelemetry.Resources\v4.0_1.0.0.0_ja_31bf3856ad364e35	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\PerfCounter.dll	attrib.exe
File opened for modification	C:\Windows\diagnostics\system\BITS\ja-JP\DiagPackage.dll.mui	attrib.exe
File opened for modification	C:\Windows\INF\LSM\0000	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationTypes.resources\v4.0_4.0.0.0_fr_31bf3856ad364e35\UIAutomationTypes.resources.dll	attrib.exe
File opened for modification	C:\Windows\PolicyDefinitions\PreviousVersions.admx	attrib.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.264.cat	attrib.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\sysglobl.Resources\2.0.0.0_it_b03f5f7f11d50a3a	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\App_LocalResources\AppSetting.ascx.de.resx	attrib.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\7f6b3266-31c5-43a8-9547-e7911ad6fb33	mlencXAGoFP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\nsreg = "1720717947"	mlencXAGoFP.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Internet Explorer\Download	3a07dd3c3102cae3b66a616691b39ca0_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no"	3a07dd3c3102cae3b66a616691b39ca0_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4020	3a07dd3c3102cae3b66a616691b39ca0_JaffaCakes118.exe
4020	3a07dd3c3102cae3b66a616691b39ca0_JaffaCakes118.exe
4020	3a07dd3c3102cae3b66a616691b39ca0_JaffaCakes118.exe
4020	3a07dd3c3102cae3b66a616691b39ca0_JaffaCakes118.exe
4020	3a07dd3c3102cae3b66a616691b39ca0_JaffaCakes118.exe
4020	3a07dd3c3102cae3b66a616691b39ca0_JaffaCakes118.exe
4020	3a07dd3c3102cae3b66a616691b39ca0_JaffaCakes118.exe
4020	3a07dd3c3102cae3b66a616691b39ca0_JaffaCakes118.exe
4020	3a07dd3c3102cae3b66a616691b39ca0_JaffaCakes118.exe
4020	3a07dd3c3102cae3b66a616691b39ca0_JaffaCakes118.exe
4020	3a07dd3c3102cae3b66a616691b39ca0_JaffaCakes118.exe
4020	3a07dd3c3102cae3b66a616691b39ca0_JaffaCakes118.exe
4020	3a07dd3c3102cae3b66a616691b39ca0_JaffaCakes118.exe
4020	3a07dd3c3102cae3b66a616691b39ca0_JaffaCakes118.exe
4020	3a07dd3c3102cae3b66a616691b39ca0_JaffaCakes118.exe
4020	3a07dd3c3102cae3b66a616691b39ca0_JaffaCakes118.exe
4020	3a07dd3c3102cae3b66a616691b39ca0_JaffaCakes118.exe
4020	3a07dd3c3102cae3b66a616691b39ca0_JaffaCakes118.exe
4020	3a07dd3c3102cae3b66a616691b39ca0_JaffaCakes118.exe
4020	3a07dd3c3102cae3b66a616691b39ca0_JaffaCakes118.exe
1924	mlencXAGoFP.exe
1924	mlencXAGoFP.exe
1924	mlencXAGoFP.exe
1924	mlencXAGoFP.exe
4020	3a07dd3c3102cae3b66a616691b39ca0_JaffaCakes118.exe
4020	3a07dd3c3102cae3b66a616691b39ca0_JaffaCakes118.exe
1924	mlencXAGoFP.exe
1924	mlencXAGoFP.exe
1924	mlencXAGoFP.exe
1924	mlencXAGoFP.exe
1924	mlencXAGoFP.exe
1924	mlencXAGoFP.exe
1924	mlencXAGoFP.exe
1924	mlencXAGoFP.exe
1924	mlencXAGoFP.exe
1924	mlencXAGoFP.exe
1924	mlencXAGoFP.exe
1924	mlencXAGoFP.exe
1924	mlencXAGoFP.exe
1924	mlencXAGoFP.exe
1924	mlencXAGoFP.exe
1924	mlencXAGoFP.exe
1924	mlencXAGoFP.exe
1924	mlencXAGoFP.exe
1924	mlencXAGoFP.exe
1924	mlencXAGoFP.exe
1924	mlencXAGoFP.exe
1924	mlencXAGoFP.exe
1924	mlencXAGoFP.exe
1924	mlencXAGoFP.exe
1924	mlencXAGoFP.exe
1924	mlencXAGoFP.exe
1924	mlencXAGoFP.exe
1924	mlencXAGoFP.exe
1924	mlencXAGoFP.exe
1924	mlencXAGoFP.exe
1924	mlencXAGoFP.exe
1924	mlencXAGoFP.exe
1924	mlencXAGoFP.exe
1924	mlencXAGoFP.exe
1924	mlencXAGoFP.exe
1924	mlencXAGoFP.exe
1924	mlencXAGoFP.exe
1924	mlencXAGoFP.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4020	3a07dd3c3102cae3b66a616691b39ca0_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1924	mlencXAGoFP.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1924	mlencXAGoFP.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4020 wrote to memory of 1924	4020	3a07dd3c3102cae3b66a616691b39ca0_JaffaCakes118.exe	84
PID 4020 wrote to memory of 1924	4020	3a07dd3c3102cae3b66a616691b39ca0_JaffaCakes118.exe	84
PID 4020 wrote to memory of 1924	4020	3a07dd3c3102cae3b66a616691b39ca0_JaffaCakes118.exe	84
PID 1924 wrote to memory of 4312	1924	mlencXAGoFP.exe	91
PID 1924 wrote to memory of 4312	1924	mlencXAGoFP.exe	91
PID 1924 wrote to memory of 4312	1924	mlencXAGoFP.exe	91
PID 1924 wrote to memory of 3980	1924	mlencXAGoFP.exe	93
PID 1924 wrote to memory of 3980	1924	mlencXAGoFP.exe	93
PID 1924 wrote to memory of 3980	1924	mlencXAGoFP.exe	93
PID 1924 wrote to memory of 4676	1924	mlencXAGoFP.exe	95
PID 1924 wrote to memory of 4676	1924	mlencXAGoFP.exe	95
PID 1924 wrote to memory of 4676	1924	mlencXAGoFP.exe	95

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	3a07dd3c3102cae3b66a616691b39ca0_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	3a07dd3c3102cae3b66a616691b39ca0_JaffaCakes118.exe

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4312	attrib.exe
3980	attrib.exe
4676	attrib.exe

C:\Users\Admin\AppData\Local\Temp\3a07dd3c3102cae3b66a616691b39ca0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3a07dd3c3102cae3b66a616691b39ca0_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Maps connected drives based on registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4020
- C:\ProgramData\mlencXAGoFP.exe
  C:\ProgramData\mlencXAGoFP.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Modifies Control Panel
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1924
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Users\Admin\*.*" /s /d
    3⤵
    - Drops desktop.ini file(s)
    - Views/modifies file attributes
    PID:4312
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\ProgramData\Microsoft\Windows\Start Menu\*.*" /s /d
    3⤵
    - Views/modifies file attributes
    PID:3980
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\*.*" /s /d
    3⤵
    - Drops desktop.ini file(s)
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Views/modifies file attributes
    PID:4676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mlencXAGoFP.exe

Filesize
397KB

MD5
3a07dd3c3102cae3b66a616691b39ca0

SHA1
f5352fe5a8ab47f0dff31bd89c295b63ee5bfd51

SHA256
d018bb082d0d768a09a8259bac61bea1f356476ecc3242107ab8241e7cb5fea0

SHA512
194770ebe7633a53ad0cfbd7f8e76f6a5e2d3519891e877a407d7902e8a5f4581fea3869642efb5646bb90665116ea216d04aefb3a90a81eea6ecb96fb772b0b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\5f7b5f1e01b83767.automaticDestinations-ms

Filesize
5KB

MD5
859f0b6d1d2dd4d8c2989a8f4f667186

SHA1
bdd75a83d189dcaf4f52c278e46e820e9c14eafa

SHA256
a8bbdaa01336a6015a799e5e1616b877eadc3a14afac2eeee575df23ad302b72

SHA512
14ad175f1b3e5c6fce2ad94128ca3aa337b2867178f6c6d0a5d5f152c8148e4358372241e8020d1bc822598af04d80d67717da74d86efd7d447a21a080247ad2

Download Submit
memory/1924-6-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1924-7-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1924-10-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1924-27-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1924-28-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4020-0-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/4020-1-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4020-9-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4020-8-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download