Analysis

max time kernel: 150s
max time network: 132s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24/08/2024, 00:03

Static task: static1
Behavioral task: behavioral1
Sample: bd9dec1c46f04c6ad37da8de79902921_JaffaCakes118.exe
Resource: win7-20240704-en

General

Target: bd9dec1c46f04c6ad37da8de79902921_JaffaCakes118.exe
Size: 512KB
MD5: bd9dec1c46f04c6ad37da8de79902921
SHA1: 4b9a9630ce3e46b7e257e8215d352fefda30555d
SHA256: 6015b900eaa526a96eb1f394edd9e3ba9e76c1145331db3338fc5f6058af3215
SHA512: eed60ddd907278861752b3ddf986428ffeb01771ab813ca663ec50dc7cbc062950e24bdd2184a1b40d9bd352f611f6d72b1cc1624dbe4d9652687d2464eba05c
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj69:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5+
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | isvngjykvq.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | isvngjykvq.exe
Windows security bypass 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | isvngjykvq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | isvngjykvq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | isvngjykvq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | isvngjykvq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | isvngjykvq.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | isvngjykvq.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | bd9dec1c46f04c6ad37da8de79902921_JaffaCakes118.exe
Executes dropped EXE 5 IoCs
pid | Process
5024 | isvngjykvq.exe
1932 | ozynbmcuflkjjjd.exe
3548 | htwbcyqc.exe
408 | dzxmmkahckhuj.exe
2316 | htwbcyqc.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | isvngjykvq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | isvngjykvq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | isvngjykvq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | isvngjykvq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | isvngjykvq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | isvngjykvq.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gtiojgki = "isvngjykvq.exe" | ozynbmcuflkjjjd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yfzyyxtc = "ozynbmcuflkjjjd.exe" | ozynbmcuflkjjjd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "dzxmmkahckhuj.exe" | ozynbmcuflkjjjd.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\a:, \??\b:, and \??\h: through \??\z: (one open per drive letter, 21 events) | isvngjykvq.exe
File opened (read-only) | \??\a:, \??\b:, \??\e:, and \??\g: through \??\z: (43 events; each letter opened twice except a:, m: and o:, opened once) | htwbcyqc.exe
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | isvngjykvq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | isvngjykvq.exe
AutoIT Executable 9 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/2808-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x0008000000023429-5.dat | autoit_exe
behavioral2/files/0x00090000000233cc-19.dat | autoit_exe
behavioral2/files/0x000700000002342d-28.dat | autoit_exe
behavioral2/files/0x000700000002342e-30.dat | autoit_exe
behavioral2/files/0x0008000000023412-68.dat | autoit_exe
behavioral2/files/0x000700000002343a-71.dat | autoit_exe
behavioral2/files/0x0007000000023447-93.dat | autoit_exe
behavioral2/files/0x0007000000023447-96.dat | autoit_exe
Drops file in System32 directory 13 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\htwbcyqc.exe | bd9dec1c46f04c6ad37da8de79902921_JaffaCakes118.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | htwbcyqc.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | htwbcyqc.exe
File created | C:\Windows\SysWOW64\ozynbmcuflkjjjd.exe | bd9dec1c46f04c6ad37da8de79902921_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\ozynbmcuflkjjjd.exe | bd9dec1c46f04c6ad37da8de79902921_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\dzxmmkahckhuj.exe | bd9dec1c46f04c6ad37da8de79902921_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | isvngjykvq.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | htwbcyqc.exe
File opened for modification | C:\Windows\SysWOW64\isvngjykvq.exe | bd9dec1c46f04c6ad37da8de79902921_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\htwbcyqc.exe | bd9dec1c46f04c6ad37da8de79902921_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\dzxmmkahckhuj.exe | bd9dec1c46f04c6ad37da8de79902921_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\isvngjykvq.exe | bd9dec1c46f04c6ad37da8de79902921_JaffaCakes118.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | htwbcyqc.exe
Drops file in Program Files directory 14 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | htwbcyqc.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | htwbcyqc.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | htwbcyqc.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | htwbcyqc.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | htwbcyqc.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | htwbcyqc.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | htwbcyqc.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | htwbcyqc.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | htwbcyqc.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | htwbcyqc.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | htwbcyqc.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | htwbcyqc.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | htwbcyqc.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | htwbcyqc.exe
Drops file in Windows directory 19 IoCs
description | ioc | Process
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | htwbcyqc.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | htwbcyqc.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | htwbcyqc.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | htwbcyqc.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | htwbcyqc.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | htwbcyqc.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | htwbcyqc.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | htwbcyqc.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | htwbcyqc.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | htwbcyqc.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | htwbcyqc.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | htwbcyqc.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | htwbcyqc.exe
File opened for modification | C:\Windows\mydoc.rtf | bd9dec1c46f04c6ad37da8de79902921_JaffaCakes118.exe
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | htwbcyqc.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | htwbcyqc.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | htwbcyqc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | htwbcyqc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bd9dec1c46f04c6ad37da8de79902921_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | isvngjykvq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ozynbmcuflkjjjd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dzxmmkahckhuj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | htwbcyqc.exe
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class 20 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | isvngjykvq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | isvngjykvq.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | bd9dec1c46f04c6ad37da8de79902921_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1949C60C1491DBB2B9CD7F95ECE534CA" | bd9dec1c46f04c6ad37da8de79902921_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | isvngjykvq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | isvngjykvq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | isvngjykvq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33352D7B9D5683516A4476A1772F2CAE7CF165D8" | bd9dec1c46f04c6ad37da8de79902921_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F668B1FE6D21AED27AD0A98A0B9163" | bd9dec1c46f04c6ad37da8de79902921_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | isvngjykvq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | isvngjykvq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC3B02E4490399953CDB9A233EDD7C5" | bd9dec1c46f04c6ad37da8de79902921_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF5FC8D4F28851C9135D72C7D94BDE5E1315935674F6244D79E" | bd9dec1c46f04c6ad37da8de79902921_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | isvngjykvq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | isvngjykvq.exe
Key created | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings | bd9dec1c46f04c6ad37da8de79902921_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABAF9BEFE64F197830B3B3586983E94B08902F843630333E1C442EA08D5" | bd9dec1c46f04c6ad37da8de79902921_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | isvngjykvq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | isvngjykvq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | isvngjykvq.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process | events
2848 | WINWORD.EXE | 2
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | events
2808 | bd9dec1c46f04c6ad37da8de79902921_JaffaCakes118.exe | 16
5024 | isvngjykvq.exe | 10
1932 | ozynbmcuflkjjjd.exe | 10
408 | dzxmmkahckhuj.exe | 12
3548 | htwbcyqc.exe | 8
2316 | htwbcyqc.exe | 8
Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process | events
2808 | bd9dec1c46f04c6ad37da8de79902921_JaffaCakes118.exe | 3
1932 | ozynbmcuflkjjjd.exe | 3
5024 | isvngjykvq.exe | 3
408 | dzxmmkahckhuj.exe | 3
3548 | htwbcyqc.exe | 3
2316 | htwbcyqc.exe | 3
Suspicious use of SendNotifyMessage 18 IoCs
pid | Process | events
2808 | bd9dec1c46f04c6ad37da8de79902921_JaffaCakes118.exe | 3
1932 | ozynbmcuflkjjjd.exe | 3
5024 | isvngjykvq.exe | 3
408 | dzxmmkahckhuj.exe | 3
3548 | htwbcyqc.exe | 3
2316 | htwbcyqc.exe | 3
Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process | events
2848 | WINWORD.EXE | 7
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target | events
PID 2808 wrote to memory of 5024 | 2808 | bd9dec1c46f04c6ad37da8de79902921_JaffaCakes118.exe | 84 | 3
PID 2808 wrote to memory of 1932 | 2808 | bd9dec1c46f04c6ad37da8de79902921_JaffaCakes118.exe | 85 | 3
PID 2808 wrote to memory of 3548 | 2808 | bd9dec1c46f04c6ad37da8de79902921_JaffaCakes118.exe | 86 | 3
PID 2808 wrote to memory of 408 | 2808 | bd9dec1c46f04c6ad37da8de79902921_JaffaCakes118.exe | 87 | 3
PID 2808 wrote to memory of 2848 | 2808 | bd9dec1c46f04c6ad37da8de79902921_JaffaCakes118.exe | 88 | 2
PID 5024 wrote to memory of 2316 | 5024 | isvngjykvq.exe | 90 | 3
Processes

C:\Users\Admin\AppData\Local\Temp\bd9dec1c46f04c6ad37da8de79902921_JaffaCakes118.exe (PID 2808)
  Command line: "C:\Users\Admin\AppData\Local\Temp\bd9dec1c46f04c6ad37da8de79902921_JaffaCakes118.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\isvngjykvq.exe (PID 5024)
    Command line: isvngjykvq.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\htwbcyqc.exe (PID 2316)
      Command line: C:\Windows\system32\htwbcyqc.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\ozynbmcuflkjjjd.exe (PID 1932)
    Command line: ozynbmcuflkjjjd.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\htwbcyqc.exe (PID 3548)
    Command line: htwbcyqc.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\dzxmmkahckhuj.exe (PID 408)
    Command line: dzxmmkahckhuj.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 2848)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution 2
  - Registry Run Keys / Startup Folder 1
  - Winlogon Helper DLL 1
Privilege Escalation
- Boot or Logon Autostart Execution 2
  - Registry Run Keys / Startup Folder 1
  - Winlogon Helper DLL 1
Defense Evasion
- Hide Artifacts 2
  - Hidden Files and Directories 2
- Impair Defenses 2
  - Disable or Modify Tools 2
- Modify Registry 6
Downloads