Analysis

max time kernel: 150s
max time network: 129s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24/08/2024, 12:02

Static task: static1
Behavioral task: behavioral1
Sample: be8cc6cd32e6a241ea36bb7edf55a80c_JaffaCakes118.exe
Resource: win7-20240704-en
General

Target: be8cc6cd32e6a241ea36bb7edf55a80c_JaffaCakes118.exe
Size: 512KB
MD5: be8cc6cd32e6a241ea36bb7edf55a80c
SHA1: 114657fadf4897e5937d58bea4e682ed21044472
SHA256: ab7fb752791fd3b916cddc2f2c63688874d7ba552974858fc3a4e185bd971355
SHA512: eb3322f5b06c4abf277b3af48b2e5b4594d10cf30c7b349d8fe5a3ba205c23bbfd0cc0014d9009ddfde7638d73d7a1eaeaecbeb6a949dfff6e939435b58ed8f3
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6Z:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5Y
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | wwhzonumrk.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | wwhzonumrk.exe

Windows security bypass (5 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | wwhzonumrk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | wwhzonumrk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | wwhzonumrk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | wwhzonumrk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | wwhzonumrk.exe
Disables RegEdit via registry modification (1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | wwhzonumrk.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | be8cc6cd32e6a241ea36bb7edf55a80c_JaffaCakes118.exe
Executes dropped EXE (5 IoCs)
pid | Process
3096 | wwhzonumrk.exe
640 | rinwgzplajilori.exe
2568 | tsbjvote.exe
2684 | qssttprjyxlzf.exe
2992 | tsbjvote.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.

Windows security modification (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | wwhzonumrk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | wwhzonumrk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | wwhzonumrk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | wwhzonumrk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | wwhzonumrk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | wwhzonumrk.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "qssttprjyxlzf.exe" (default value) | rinwgzplajilori.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vspirhbw = "wwhzonumrk.exe" | rinwgzplajilori.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wasybxkb = "rinwgzplajilori.exe" | rinwgzplajilori.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\a: \??\b: \??\e: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\p: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z: (21 entries) | wwhzonumrk.exe
File opened (read-only) | \??\a: \??\b: \??\e: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\o: \??\p: \??\q: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z: (43 entries; every letter except a:, e: and j: appears twice, since two tsbjvote.exe instances ran, PIDs 2568 and 2992) | tsbjvote.exe
Modifies WinLogon (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | wwhzonumrk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | wwhzonumrk.exe
Note: 4294967197 is 0xFFFFFF9D (-99 as a signed DWORD), the value historically used to turn off Windows File Protection on Windows 2000/XP; Windows Resource Protection on Vista and later does not honour it, so on this Windows 10 target the write is an artifact of old code rather than an effective bypass.
AutoIT Executable (9 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/3160-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x00070000000235d5-7.dat | autoit_exe
behavioral2/files/0x00080000000235d1-20.dat | autoit_exe
behavioral2/files/0x00070000000235d7-29.dat | autoit_exe
behavioral2/files/0x00070000000235d6-32.dat | autoit_exe
behavioral2/files/0x00070000000235e5-62.dat | autoit_exe
behavioral2/files/0x000d0000000234e8-86.dat | autoit_exe
behavioral2/files/0x001b0000000235fc-334.dat | autoit_exe
behavioral2/files/0x001b0000000235fc-457.dat | autoit_exe
Drops file in System32 directory (12 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\wwhzonumrk.exe | be8cc6cd32e6a241ea36bb7edf55a80c_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\tsbjvote.exe | be8cc6cd32e6a241ea36bb7edf55a80c_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\qssttprjyxlzf.exe | be8cc6cd32e6a241ea36bb7edf55a80c_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\qssttprjyxlzf.exe | be8cc6cd32e6a241ea36bb7edf55a80c_JaffaCakes118.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | tsbjvote.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | tsbjvote.exe
File opened for modification | C:\Windows\SysWOW64\wwhzonumrk.exe | be8cc6cd32e6a241ea36bb7edf55a80c_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\rinwgzplajilori.exe | be8cc6cd32e6a241ea36bb7edf55a80c_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\rinwgzplajilori.exe | be8cc6cd32e6a241ea36bb7edf55a80c_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\tsbjvote.exe | be8cc6cd32e6a241ea36bb7edf55a80c_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | wwhzonumrk.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | tsbjvote.exe
Drops file in Program Files directory (14 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | tsbjvote.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | tsbjvote.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | tsbjvote.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | tsbjvote.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | tsbjvote.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | tsbjvote.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | tsbjvote.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | tsbjvote.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | tsbjvote.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | tsbjvote.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | tsbjvote.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | tsbjvote.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | tsbjvote.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | tsbjvote.exe
Drops file in Windows directory (19 IoCs)
description | ioc | Process
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | tsbjvote.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | tsbjvote.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | tsbjvote.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | tsbjvote.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | tsbjvote.exe
File opened for modification | C:\Windows\mydoc.rtf | be8cc6cd32e6a241ea36bb7edf55a80c_JaffaCakes118.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | tsbjvote.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | tsbjvote.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | tsbjvote.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | tsbjvote.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | tsbjvote.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | tsbjvote.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | tsbjvote.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | tsbjvote.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | tsbjvote.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | tsbjvote.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | tsbjvote.exe
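Two file-system behaviours in this report are worth pulling out of an event feed automatically: one process opening the bare root of nearly every drive letter (the "Enumerates connected drives" rows), and executables written into Program Files and WinSxS with a document extension in front of .exe (PROTTPLV.DOC.exe, MsoIrmProtector.doc.exe) beside a same-stem file with a different extension (PROTTPLV.nal). The Python below is an added example written for this page; it is not code from the sandbox or from the sample. It runs over a small constructed list of records in the report's (description, ioc, Process) row shape, groups volume-root opens per process, and pairs each double-extension executable with any same-stem sibling in the same directory. The sample records, the three-root threshold and the list of document extensions are assumptions; the generalisation to all document-like extensions goes beyond the .DOC cases on the page.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Sequence, Set, Tuple

# Constructed records in the report's (description, ioc, Process) row shape.
# They mimic rows shown above but are illustrative, not an export from the sandbox.
SAMPLE_FILE_EVENTS: List[Tuple[str, str, str]] = [
    ("File opened (read-only)", r"\??\e:", "wwhzonumrk.exe"),
    ("File opened (read-only)", r"\??\g:", "wwhzonumrk.exe"),
    ("File opened (read-only)", r"\??\h:", "wwhzonumrk.exe"),
    ("File opened (read-only)", r"\??\m:", "wwhzonumrk.exe"),
    ("File opened (read-only)", r"\??\e:", "tsbjvote.exe"),
    ("File opened (read-only)", r"\??\q:", "tsbjvote.exe"),
    ("File opened (read-only)", r"\??\c:\Users\Admin\notes.txt", "WINWORD.EXE"),  # ordinary file, not a root
    ("File created", r"\??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe", "tsbjvote.exe"),
    ("File opened for modification", r"C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal", "tsbjvote.exe"),
    ("File created", r"\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe", "tsbjvote.exe"),
    ("File created", r"C:\Windows\SysWOW64\wwhzonumrk.exe", "be8cc6cd32e6a241ea36bb7edf55a80c_JaffaCakes118.exe"),
]

# A bare volume root: optional NT "\??\" prefix, one drive letter, a colon, optional trailing backslash.
DRIVE_ROOT = re.compile(r"^(?:\\\?\?\\)?([A-Za-z]):\\?$")

# Document-like extensions an executable may hide behind (assumed list; extend for your environment).
DOC_EXTS = ("doc", "docx", "rtf", "xls", "xlsx", "ppt", "pptx", "pdf", "txt")
DOUBLE_EXT = re.compile(r"^(?P<stem>.+)\.(?P<inner>" + "|".join(DOC_EXTS) + r")\.exe$", re.IGNORECASE)


def normalise(path: str) -> str:
    """Drop the NT object-manager prefix and lower-case, so \\??\\c:\\x and C:\\x compare equal."""
    p = path[4:] if path.startswith("\\??\\") else path
    return p.lower()


def drive_root_sweeps(events: Sequence[Tuple[str, str, str]], min_roots: int = 3) -> Dict[str, List[str]]:
    """Processes that opened at least min_roots distinct volume roots (worm-style drive enumeration)."""
    roots: Dict[str, Set[str]] = defaultdict(set)
    for description, path, process in events:
        if not description.startswith("File opened"):
            continue
        m = DRIVE_ROOT.match(path)
        if m:
            roots[process].add(m.group(1).upper() + ":")
    return {proc: sorted(r) for proc, r in roots.items() if len(r) >= min_roots}


def doc_exe_drops(events: Sequence[Tuple[str, str, str]]) -> List[dict]:
    """Executables written with a document extension before .exe, paired with any same-stem sibling."""
    written: Dict[str, Tuple[str, str]] = {}  # normalised path -> (path as logged, writing process)
    for description, path, process in events:
        if description.startswith(("File created", "File opened for modification")):
            written.setdefault(normalise(path), (path, process))
    findings = []
    for npath, (path, process) in written.items():
        directory, _, name = npath.rpartition("\\")
        m = DOUBLE_EXT.match(name)
        if not m:
            continue
        prefix = directory + "\\" + m.group("stem") + "."
        # A same-stem, non-exe file next to the drop (PROTTPLV.nal beside PROTTPLV.DOC.exe) suggests
        # the original document was renamed out of the way and replaced by the executable.
        sibling: Optional[str] = next(
            (written[o][0] for o in written if o != npath and o.startswith(prefix) and not o.endswith(".exe")),
            None,
        )
        findings.append({
            "path": path,
            "process": process,
            "masqueraded_ext": m.group("inner").lower(),
            "renamed_sibling": sibling,
        })
    return findings


if __name__ == "__main__":
    for proc, roots in drive_root_sweeps(SAMPLE_FILE_EVENTS).items():
        print(f"drive sweep: {proc} opened {len(roots)} roots: {' '.join(roots)}")
    for f in doc_exe_drops(SAMPLE_FILE_EVENTS):
        print(f"double extension: {f['process']} wrote {f['path']} (sibling: {f['renamed_sibling']})")
```

On the constructed input only wwhzonumrk.exe crosses the three-root threshold; tsbjvote.exe touched two roots, so the threshold is what separates a worm-style sweep from a program that legitimately checks one or two drives. Both drops are reported, but only PROTTPLV.DOC.exe has a renamed sibling, which is the stronger signal of a replaced document.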
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | be8cc6cd32e6a241ea36bb7edf55a80c_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wwhzonumrk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rinwgzplajilori.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qssttprjyxlzf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tsbjvote.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tsbjvote.exe
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class (20 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | wwhzonumrk.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | be8cc6cd32e6a241ea36bb7edf55a80c_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F768B6FF1F21D1D172D0A68A7B9014" | be8cc6cd32e6a241ea36bb7edf55a80c_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings | be8cc6cd32e6a241ea36bb7edf55a80c_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | wwhzonumrk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | wwhzonumrk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32442D7F9C2182556A3376A577232CAC7CF564AD" | be8cc6cd32e6a241ea36bb7edf55a80c_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | wwhzonumrk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | wwhzonumrk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | wwhzonumrk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCEFABDF963F2E7830C3A4B819B39E4B08E02FE4361034CE1B8459B08A3" | be8cc6cd32e6a241ea36bb7edf55a80c_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193EC60914E1DBB2B8BD7F95ED9534CB" | be8cc6cd32e6a241ea36bb7edf55a80c_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | wwhzonumrk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | wwhzonumrk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | wwhzonumrk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB0B029479739E852C8BADD33EAD7B8" | be8cc6cd32e6a241ea36bb7edf55a80c_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F89FCFF4F5A826E903CD65C7E97BDE7E640583067346234D7E9" | be8cc6cd32e6a241ea36bb7edf55a80c_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | wwhzonumrk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | wwhzonumrk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | wwhzonumrk.exe
Re-associating .bat, .vbs, .wsf, .wsh, .wsc and .reg to the txtfile class means double-clicking a cleanup script or a .reg fix opens it in Notepad instead of running it.
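Every registry signature in this report (Explorer view settings, Security Center overrides, DisableRegistryTools, the Winlogon SFC values, the Run keys written by rinwgzplajilori.exe and the script extensions re-associated to txtfile) is a value-set event of the kind Sysmon Event ID 13 or comparable EDR telemetry records. The Python below is an added example written for this page, not code from the sandbox or from any vendor tooling. It canonicalises the hive spellings that appear on this page (\REGISTRY\MACHINE, \REGISTRY\USER\<SID>, HKLM/HKU, WOW6432Node, a trailing backslash or "(Default)" for a key's default value), decodes Sysmon's "DWORD (0x...)" rendering, and matches a rule set derived from the IoCs above against constructed Sysmon-shaped records that include two benign controls. The rule set, the heuristic in suspicious_autostart and the sample records are assumptions; the ATT&CK IDs are those of the technique names listed in the report's MITRE section.

```python
import re
from typing import Callable, List, Sequence, Tuple

# Constructed Sysmon-style registry events as (Image, TargetObject, Details) triples.
# Values mirror the report's IoCs; the explorer.exe and setup.exe records are benign controls.
SAMPLE_REGISTRY_EVENTS: List[Tuple[str, str, str]] = [
    (r"C:\Windows\SysWOW64\wwhzonumrk.exe", r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride", "DWORD (0x00000001)"),
    (r"C:\Windows\SysWOW64\wwhzonumrk.exe", r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify", "DWORD (0x00000001)"),
    (r"C:\Windows\SysWOW64\wwhzonumrk.exe", r"HKU\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt", "DWORD (0x00000001)"),
    (r"C:\Windows\SysWOW64\wwhzonumrk.exe", r"HKU\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools", "DWORD (0x00000001)"),
    (r"C:\Windows\SysWOW64\wwhzonumrk.exe", r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable", "DWORD (0xFFFFFF9D)"),
    (r"C:\Windows\SysWOW64\rinwgzplajilori.exe", r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vspirhbw", "wwhzonumrk.exe"),
    (r"C:\Windows\SysWOW64\wwhzonumrk.exe", r"HKLM\SOFTWARE\Classes\.reg\(Default)", "txtfile"),
    (r"C:\Windows\explorer.exe", r"HKU\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\TaskbarGlomLevel", "DWORD (0x00000001)"),
    (r"C:\Users\Admin\Downloads\setup.exe", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent", r"C:\Program Files\Vendor\agent.exe"),
]

SID = r"s-1-5-21-\d+-\d+-\d+-\d+(?:_classes)?"


def normalise_key(target: str) -> str:
    """Canonicalise hive spellings to hklm\\... / hku\\..., drop WOW6432Node and default-value markers."""
    k = target.lower()
    k = re.sub(r"^(?:\\registry\\machine|hkey_local_machine)\\", "hklm\\\\", k)
    k = re.sub(r"^(?:\\registry\\user|hkey_users|hku)\\" + SID + r"\\", "hku\\\\", k)
    k = re.sub(r"^(?:hkey_current_user|hkcu)\\", "hku\\\\", k)
    k = k.replace("\\software\\wow6432node\\", "\\software\\")
    k = re.sub(r"\\\(default\)$", "", k)   # Sysmon names a key's default value "(Default)"
    return k.rstrip("\\")                   # the report writes it as a trailing backslash


def parse_details(details: str) -> str:
    """Render Sysmon's 'DWORD (0x...)' as a decimal string; string data is returned unchanged."""
    m = re.match(r"^(?:DWORD|QWORD) \((0x[0-9a-fA-F]+)\)$", details)
    return str(int(m.group(1), 16)) if m else details


# Assumed heuristic: a Run entry that is a bare file name (resolved through the search path,
# as in this report) or that points into a user-writable or system directory. Tune per fleet.
SUSPICIOUS_DIRS = ("\\syswow64\\", "\\system32\\", "\\temp\\", "\\appdata\\", "\\programdata\\", "\\users\\public\\")


def suspicious_autostart(value: str) -> bool:
    v = value.strip().strip('"').lower()
    return "\\" not in v or any(d in v for d in SUSPICIOUS_DIRS)


# (pattern on the normalised key, predicate on the decoded value, label, ATT&CK technique)
RULES: List[Tuple["re.Pattern", Callable[[str], bool], str, str]] = [
    (re.compile(r"^hklm\\software\\microsoft\\security center\\(?:antivirusoverride|firewalloverride|antivirusdisablenotify|firewalldisablenotify|updatesdisablenotify|firstrundisabled)$"),
     lambda v: v == "1", "Security Center override / notification suppression", "T1562.001"),
    (re.compile(r"^hku\\software\\microsoft\\windows\\currentversion\\explorer\\advanced\\hidefileext$"),
     lambda v: v == "1", "Hide file extensions in Explorer", "T1564.001"),
    (re.compile(r"^hku\\software\\microsoft\\windows\\currentversion\\explorer\\advanced\\showsuperhidden$"),
     lambda v: v == "0", "Hide hidden/system files in Explorer", "T1564.001"),
    (re.compile(r"^hku\\software\\microsoft\\windows\\currentversion\\policies\\system\\disableregistrytools$"),
     lambda v: v == "1", "Disable regedit", "T1562.001"),
    (re.compile(r"^hklm\\software\\microsoft\\windows nt\\currentversion\\winlogon\\sfcdisable$"),
     lambda v: v != "0", "Winlogon SFCDisable set", "T1547.004"),
    (re.compile(r"^hklm\\software\\microsoft\\windows nt\\currentversion\\winlogon\\sfcscan$"),
     lambda v: v == "0", "Winlogon SFCScan cleared", "T1547.004"),
    (re.compile(r"^(?:hklm|hku)\\software\\microsoft\\windows\\currentversion\\run(?:\\[^\\]*)?$"),
     suspicious_autostart, "Run-key autostart", "T1547.001"),
    (re.compile(r"^hklm\\software\\classes\\\.(?:bat|cmd|vbs|vbe|js|jse|wsf|wsh|wsc|reg|ps1)$"),
     lambda v: v == "txtfile", "Script/.reg extension re-associated to txtfile", "T1112"),
]


def scan(events: Sequence[Tuple[str, str, str]]) -> List[dict]:
    """Return one finding per event whose normalised key and decoded value satisfy a rule."""
    findings = []
    for image, target, details in events:
        key, value = normalise_key(target), parse_details(details)
        for pattern, predicate, label, technique in RULES:
            if pattern.match(key) and predicate(value):
                findings.append({"image": image.rsplit("\\", 1)[-1], "key": key, "value": value,
                                 "label": label, "technique": technique})
                break
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_REGISTRY_EVENTS):
        print(f"{f['technique']} {f['image']}: {f['label']} ({f['key']} = {f['value']})")
```

The two controls show why the normalisation and the predicates matter: explorer.exe writing TaskbarGlomLevel under the same Explorer\Advanced key matches no rule, and a Run entry with a full path under Program Files is left alone while the bare "wwhzonumrk.exe" written by rinwgzplajilori.exe is flagged. SFCDisable comes out as the decimal 4294967197 the report shows, so the same rule works on Sysmon and sandbox output alike.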
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid | Process | hits
1708 | WINWORD.EXE | 2
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process | hits
3160 | be8cc6cd32e6a241ea36bb7edf55a80c_JaffaCakes118.exe | 16
640 | rinwgzplajilori.exe | 12
3096 | wwhzonumrk.exe | 10
2568 | tsbjvote.exe | 8
2684 | qssttprjyxlzf.exe | 12
2992 | tsbjvote.exe | 6
Suspicious use of FindShellTrayWindow (18 IoCs)
pid | Process | hits
3160 | be8cc6cd32e6a241ea36bb7edf55a80c_JaffaCakes118.exe | 3
640 | rinwgzplajilori.exe | 3
3096 | wwhzonumrk.exe | 3
2568 | tsbjvote.exe | 3
2684 | qssttprjyxlzf.exe | 3
2992 | tsbjvote.exe | 3
Suspicious use of SendNotifyMessage (18 IoCs)
pid | Process | hits
3160 | be8cc6cd32e6a241ea36bb7edf55a80c_JaffaCakes118.exe | 3
640 | rinwgzplajilori.exe | 3
3096 | wwhzonumrk.exe | 3
2568 | tsbjvote.exe | 3
2684 | qssttprjyxlzf.exe | 3
2992 | tsbjvote.exe | 3
Suspicious use of SetWindowsHookEx (7 IoCs)
pid | Process | hits
1708 | WINWORD.EXE | 7
Suspicious use of WriteProcessMemory (17 IoCs)
description | pid | Process | procid_target
PID 3160 wrote to memory of 3096 | 3160 | be8cc6cd32e6a241ea36bb7edf55a80c_JaffaCakes118.exe | 92 (3 times)
PID 3160 wrote to memory of 640 | 3160 | be8cc6cd32e6a241ea36bb7edf55a80c_JaffaCakes118.exe | 93 (3 times)
PID 3160 wrote to memory of 2568 | 3160 | be8cc6cd32e6a241ea36bb7edf55a80c_JaffaCakes118.exe | 94 (3 times)
PID 3160 wrote to memory of 2684 | 3160 | be8cc6cd32e6a241ea36bb7edf55a80c_JaffaCakes118.exe | 95 (3 times)
PID 3160 wrote to memory of 1708 | 3160 | be8cc6cd32e6a241ea36bb7edf55a80c_JaffaCakes118.exe | 97 (2 times)
PID 3096 wrote to memory of 2992 | 3096 | wwhzonumrk.exe | 99 (3 times)
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\be8cc6cd32e6a241ea36bb7edf55a80c_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\be8cc6cd32e6a241ea36bb7edf55a80c_JaffaCakes118.exe"
  PID: 3160
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  [depth 2] C:\Windows\SysWOW64\wwhzonumrk.exe
    Command line: wwhzonumrk.exe
    PID: 3096
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    [depth 3] C:\Windows\SysWOW64\tsbjvote.exe
      Command line: C:\Windows\system32\tsbjvote.exe
      PID: 2992
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  [depth 2] C:\Windows\SysWOW64\rinwgzplajilori.exe
    Command line: rinwgzplajilori.exe
    PID: 640
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  [depth 2] C:\Windows\SysWOW64\tsbjvote.exe
    Command line: tsbjvote.exe
    PID: 2568
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  [depth 2] C:\Windows\SysWOW64\qssttprjyxlzf.exe
    Command line: qssttprjyxlzf.exe
    PID: 2684
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  [depth 2] C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    PID: 1708
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx

[depth 1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4116,i,8293235976513689021,7261015831736501466,262144 --variations-seed-version --mojo-platform-channel-handle=4108 /prefetch:8
  PID: 2564
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (6)
Downloads

Filesize: 512KB
MD5: 627d5b9e7c18ae5940d50597443b46b2
SHA1: 1f1a144f8672320efc4fbc33e9eb2e1f569589eb
SHA256: df7bd3332458ca1ffc2b0d08568e83669737aebfe2e4b42e3cdcd40c161f8df4
SHA512: 3cba5dac2d233c222d0a4b6ed1641f85045a15b6a0725a19c374c68bb50bed443fa662f3c8f365536aeda24a18f96a3ae67a51bacb6a12570d24f230f38643ce

Filesize: 245KB
MD5: f883b260a8d67082ea895c14bf56dd56
SHA1: 7954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256: ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512: d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Filesize: 409B
MD5: d006fb67dc35e513bf73577d85b0fcb1
SHA1: ab9b72b6bb991caadee8953a41d1b00b56b8c838
SHA256: 1327c0c35834eb0665e1336f178ceb48018fd154a4def70f5c79d83ea704bac7
SHA512: de36f6089e6b3ab10e7fbe08e36f8ba5292f72414268c376ad714f34bc27a37884b972377b732e12ca8dd6030ee9b7980a2e3bd53beb8a74e571d0062d7e2dd0

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RUN56ZGOCVOG0PLY0Z0V.temp
Filesize: 3KB
MD5: 48ee85b2951296390eb517d1e280cbfe
SHA1: ede43c2c349f3f1885c5da70fa36d3b7eae02473
SHA256: 6ef425842422257672fea299e6d1c59f9831552483f870556bf60879fedbe3d6
SHA512: 5881c7cf723d70336964f20142072a56791d53157cad1feae94ccb440601f6551a272841c4ec82b76235f6222eb14c24c8081ae3d8b7db9b258505c67ee239b2

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 2KB
MD5: 8d5aa9cdf0d182ca6e85f366b8b2d249
SHA1: e0d18ab694e5be415b750690a7de02988a525999
SHA256: 2366394046db1ed6002cea5da333b519c05616ae0f9085591fae4b0893386ef6
SHA512: dda8f66dae9100520529777f4bf750390a44a7abe93b6e3c4f88fbeee1e8ad6d6123f07acaaa0652933473bb6560169061fade6866bf91b02265bbfbabc74fe3

Filesize: 512KB
MD5: fe80d03c2b5cac74d5a0b3b7f4b52271
SHA1: 83673f828b08b4ccb357bd0e051afd0c0d6f4652
SHA256: ae09b0d2050c4df0faca8c7259867a669e34df88a3da55eb24e3abad97cbf996
SHA512: 2a58ec20fc5a457440427a56026d6259296ca1df8f878a5a38da20fd438f00a5316105eee6dc3cf2978d72cae409cc16b0431f2ff53e40be96e92aa10a6105c5

Filesize: 512KB
MD5: ad4a32c470379c15af534bceb4988d0d
SHA1: ebaefc0ad954dbf08c83cd40675bd4d0e441bfdc
SHA256: 17a1dbb7ecc68a7874adf4dd11da3b070d5b9ca7728307673b3aefc79c6fa89c
SHA512: 646efedec5da3a39e8bd01cf0adef9b0af5c83fcfd10b486c7261c42c85af199096b93f4463597e7e9e0b453ef22615acef36dcb4c60e056a8cf0f66b5c83fd6

Filesize: 512KB
MD5: 2bc4d1c2a4b9fdf53ea7114b590f247d
SHA1: 8541eb9c902bdd39777788cd16001359636aa449
SHA256: cf7f6704f250fadef5627027a9b25b66f41847bd4bfbab1eb5028bf0ad0d4b9d
SHA512: a0605af76dfaa3b0a346d504615ce5274044e749b56fd5e3c97f47a4b1013355a26ed700bd16c3e4c238b672863fef2e9af7882cc6d6124a32670bfb880b3dfa

Filesize: 512KB
MD5: 08b2ea7e53971bbf49acc346527e225f
SHA1: 6f381d76e831a0819662530dc87cdcbd52e38408
SHA256: 49fbf7086832c527257bf4bbc398d807ea72d7077299bae455de4ebfc9b66cbb
SHA512: 06ef243a4e74829672a30d0c7caee2242fa5e11a8d231f496d7836fad858d9215ef8a79ac0a5f18d4f1e58109860eeee94d51341982a19160b4c1ef65777d447

Filesize: 512KB
MD5: 970b1d40b70134f00d88d8dbc6fd7061
SHA1: 5466c86fe8ca864e76be238ce041d4a8df967a51
SHA256: e8236a13bf9509a13e894736647ee2d7237a9862dea77f05158be6242306bf25
SHA512: c40a832a86e2c34d83785fd7e94cb559b8df031cafbce5ca348715c332fb6b881c02e060a8d5c16db560b5c180b74bc922037bb885fb38a8bc7a70d423889ded

Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Filesize: 512KB
MD5: b6e0e839506682ef0a2af7e94dc01c81
SHA1: 95adb94421f10e9ce21aed804be329d9dabfca18
SHA256: bc44d15f7a8b9b2e54cf14c3cf43804bbb47362210115c160caf56c5fd4c025c
SHA512: 7f01656e9cfce44cf87c2e90e835d19d02268a90ae5f6760172ef10b9d363beeea0b75b57c10f98ee2775bd9860d7cbc9a1bca62721dfc614b4b29aa8d512b4c

Filesize: 512KB
MD5: 8874e2ec2c5c998fdd1636cef2d7e05b
SHA1: 9a5e54a1dd0189710ca22710c8c697eae6c47c6b
SHA256: 95819657bdd0baf68a8f89f5f99ca7999eefbd6f475bbfd0d3138c01eec14e83
SHA512: dc3a6a743f74530659f090e6a5282a063daf18affb70cba94a1ddc06ffa5726763e1272da9e5a16f71cfa622a7eb22bb60998da35faf0840ba2d5ab2ba7dc531