Analysis
max time kernel: 150s
max time network: 20s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 25/08/2024, 13:35
Behavioral task: behavioral1
Sample: c0db96aabaac2dff796ebcab5e29c9e9_JaffaCakes118.exe
Resource: win7-20240729-en
General
Target: c0db96aabaac2dff796ebcab5e29c9e9_JaffaCakes118.exe
Size: 255KB
MD5: c0db96aabaac2dff796ebcab5e29c9e9
SHA1: 89e8a3a36cd167dfbf1ba66c3d613c85eb967f5b
SHA256: 8e707874e515833aa45dac24aaf1ddb66c5901384b2396f73217f711340b3859
SHA512: 2bdbf024b6a1305a3070f2b92711f936c4827a5f9dd560c4620e2c8d5fccf573b5e76ed0c3c08cb719a5aef59074ad1ad837f60ff6c8ceb4808d8a05c1bad516
SSDEEP: 3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJD:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIg
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | fjvgtzwhcu.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | fjvgtzwhcu.exe
Windows security bypass 5 IoCs (signature name as listed for fjvgtzwhcu.exe in the process tree below)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | fjvgtzwhcu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | fjvgtzwhcu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | fjvgtzwhcu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | fjvgtzwhcu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | fjvgtzwhcu.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | fjvgtzwhcu.exe
Executes dropped EXE 5 IoCs
pid | Process
2684 | fjvgtzwhcu.exe
2936 | toiyzqktqpenpeb.exe
2828 | ymucboza.exe
2780 | rfvysipiymotw.exe
2584 | ymucboza.exe
Loads dropped DLL 5 IoCs
pid | Process
3036 | c0db96aabaac2dff796ebcab5e29c9e9_JaffaCakes118.exe
3036 | c0db96aabaac2dff796ebcab5e29c9e9_JaffaCakes118.exe
3036 | c0db96aabaac2dff796ebcab5e29c9e9_JaffaCakes118.exe
3036 | c0db96aabaac2dff796ebcab5e29c9e9_JaffaCakes118.exe
2684 | fjvgtzwhcu.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
UPX-packed executables (yara rule upx) 64 IoCs (heading supplied from the rule name; the original lists each of the 64 memory-dump and dropped-file matches individually)
resource | yara_rule
behavioral1 memory dumps of PIDs 3036, 2684, 2936, 2828, 2780 and 2584, and six dropped files under behavioral1/files/ | upx
Windows security modification 6 IoCs (signature name as listed for fjvgtzwhcu.exe in the process tree below)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | fjvgtzwhcu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | fjvgtzwhcu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | fjvgtzwhcu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | fjvgtzwhcu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | fjvgtzwhcu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | fjvgtzwhcu.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vaceviav = "fjvgtzwhcu.exe" | toiyzqktqpenpeb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nemaidir = "toiyzqktqpenpeb.exe" | toiyzqktqpenpeb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "rfvysipiymotw.exe" | toiyzqktqpenpeb.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process (identical rows grouped; 64 entries in total)
File opened (read-only) | \??\b:, \??\e:, \??\g:, \??\h:, \??\i:, \??\j:, \??\k:, \??\l:, \??\m:, \??\n:, \??\o:, \??\p:, \??\q:, \??\r:, \??\s:, \??\t:, \??\u:, \??\v:, \??\w:, \??\y: (one entry each, 20 entries) | fjvgtzwhcu.exe
File opened (read-only) | \??\a:, \??\b:, \??\g:, \??\h:, \??\i:, \??\j:, \??\k:, \??\l:, \??\m:, \??\n:, \??\o:, \??\p:, \??\q:, \??\r:, \??\s:, \??\t:, \??\u:, \??\v:, \??\w:, \??\y:, \??\z: (two entries each) and \??\e:, \??\x: (one entry each; 44 entries) | ymucboza.exe
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | fjvgtzwhcu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | fjvgtzwhcu.exe
AutoIT Executable 58 IoCs
AutoIT scripts compiled to PE executables.
Drops file in System32 directory 9 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\fjvgtzwhcu.exe | c0db96aabaac2dff796ebcab5e29c9e9_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\fjvgtzwhcu.exe | c0db96aabaac2dff796ebcab5e29c9e9_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\toiyzqktqpenpeb.exe | c0db96aabaac2dff796ebcab5e29c9e9_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\ymucboza.exe | c0db96aabaac2dff796ebcab5e29c9e9_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\ymucboza.exe | c0db96aabaac2dff796ebcab5e29c9e9_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\rfvysipiymotw.exe | c0db96aabaac2dff796ebcab5e29c9e9_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | fjvgtzwhcu.exe
File created | C:\Windows\SysWOW64\toiyzqktqpenpeb.exe | c0db96aabaac2dff796ebcab5e29c9e9_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\rfvysipiymotw.exe | c0db96aabaac2dff796ebcab5e29c9e9_JaffaCakes118.exe
Drops file in Program Files directory 14 IoCs
description | ioc | Process
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | ymucboza.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | ymucboza.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | ymucboza.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | ymucboza.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | ymucboza.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | ymucboza.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | ymucboza.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | ymucboza.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | ymucboza.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | ymucboza.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | ymucboza.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | ymucboza.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | ymucboza.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | ymucboza.exe
Drops file in Windows directory 5 IoCs
description | ioc | Process
File opened for modification | C:\Windows\mydoc.rtf | c0db96aabaac2dff796ebcab5e29c9e9_JaffaCakes118.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
File opened for modification | C:\Windows\~$mydoc.rtf | WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c0db96aabaac2dff796ebcab5e29c9e9_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fjvgtzwhcu.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | toiyzqktqpenpeb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ymucboza.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rfvysipiymotw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ymucboza.exe
Office loads VBA resources, possible macro or embedded object present
Modifies registry class 19 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | c0db96aabaac2dff796ebcab5e29c9e9_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BC8FABBF964F290847A3A4086E93E95B38E038D4314034EE2CE429E08A8" | c0db96aabaac2dff796ebcab5e29c9e9_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184EC6741594DAC5B8CD7CE0ED9737CB" | c0db96aabaac2dff796ebcab5e29c9e9_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | fjvgtzwhcu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | fjvgtzwhcu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | fjvgtzwhcu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33452C0D9D5683586D4177A177212CD67DF665DC" | c0db96aabaac2dff796ebcab5e29c9e9_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | fjvgtzwhcu.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | fjvgtzwhcu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | fjvgtzwhcu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | fjvgtzwhcu.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | fjvgtzwhcu.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | fjvgtzwhcu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | fjvgtzwhcu.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | fjvgtzwhcu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EC2B15C4492399A53CCBADD339FD7BC" | c0db96aabaac2dff796ebcab5e29c9e9_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F88FFF84F2682189042D72E7E95BDE4E640594A67316243D6EA" | c0db96aabaac2dff796ebcab5e29c9e9_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F76BB4FE6721DDD109D0A78A789017" | c0db96aabaac2dff796ebcab5e29c9e9_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | fjvgtzwhcu.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
3064 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | entries (identical rows grouped; 64 entries in total)
3036 | c0db96aabaac2dff796ebcab5e29c9e9_JaffaCakes118.exe | 8
2936 | toiyzqktqpenpeb.exe | 17
2684 | fjvgtzwhcu.exe | 5
2828 | ymucboza.exe | 4
2780 | rfvysipiymotw.exe | 26
2584 | ymucboza.exe | 4
Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process | entries (identical rows grouped; 18 entries in total)
3036 | c0db96aabaac2dff796ebcab5e29c9e9_JaffaCakes118.exe | 3
2936 | toiyzqktqpenpeb.exe | 3
2684 | fjvgtzwhcu.exe | 3
2828 | ymucboza.exe | 3
2780 | rfvysipiymotw.exe | 3
2584 | ymucboza.exe | 3
Suspicious use of SendNotifyMessage 18 IoCs
pid | Process | entries (identical rows grouped; 18 entries in total)
3036 | c0db96aabaac2dff796ebcab5e29c9e9_JaffaCakes118.exe | 3
2936 | toiyzqktqpenpeb.exe | 3
2684 | fjvgtzwhcu.exe | 3
2828 | ymucboza.exe | 3
2780 | rfvysipiymotw.exe | 3
2584 | ymucboza.exe | 3
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
3064 | WINWORD.EXE
3064 | WINWORD.EXE
Suspicious use of WriteProcessMemory 28 IoCs
pid | Process | wrote to memory of (PID) | procid_target | entries (identical rows grouped; 28 entries in total)
3036 | c0db96aabaac2dff796ebcab5e29c9e9_JaffaCakes118.exe | 2684 | 30 | 4
3036 | c0db96aabaac2dff796ebcab5e29c9e9_JaffaCakes118.exe | 2936 | 31 | 4
3036 | c0db96aabaac2dff796ebcab5e29c9e9_JaffaCakes118.exe | 2828 | 32 | 4
3036 | c0db96aabaac2dff796ebcab5e29c9e9_JaffaCakes118.exe | 2780 | 33 | 4
2684 | fjvgtzwhcu.exe | 2584 | 34 | 4
3036 | c0db96aabaac2dff796ebcab5e29c9e9_JaffaCakes118.exe | 3064 | 35 | 4
3064 | WINWORD.EXE | 2580 | 37 | 4
Processes (indentation shows the parent/child tree; the level number is the depth shown in the original report)

C:\Users\Admin\AppData\Local\Temp\c0db96aabaac2dff796ebcab5e29c9e9_JaffaCakes118.exe (PID 3036, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c0db96aabaac2dff796ebcab5e29c9e9_JaffaCakes118.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\fjvgtzwhcu.exe (PID 2684, level 2)
    Command line: fjvgtzwhcu.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\ymucboza.exe (PID 2584, level 3)
      Command line: C:\Windows\system32\ymucboza.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\toiyzqktqpenpeb.exe (PID 2936, level 2)
    Command line: toiyzqktqpenpeb.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\ymucboza.exe (PID 2828, level 2)
    Command line: ymucboza.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\rfvysipiymotw.exe (PID 2780, level 2)
    Command line: rfvysipiymotw.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (PID 3064, level 2)
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\splwow64.exe (PID 2580, level 3)
      Command line: C:\Windows\splwow64.exe 12288
Network
MITRE ATT&CK Enterprise v15 (tactic, technique and sub-technique, with the number of matching signatures in parentheses)

Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (6)