Analysis
max time kernel: 150s
max time network: 128s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
submitted: 28/08/2024, 19:15
Static task: static1
Behavioral task: behavioral1
Sample: c77b62ee98ec26daf78fbf665aa91b15_JaffaCakes118.exe
Resource: win7-20240704-en

General
Target: c77b62ee98ec26daf78fbf665aa91b15_JaffaCakes118.exe
Size: 512KB
MD5: c77b62ee98ec26daf78fbf665aa91b15
SHA1: 9796f131b693171bdb2b7b872d252fcd93ea9b1a
SHA256: ddb113a5d9524d2181e902163301eb99f5dc5a362959f4a61284683983c884c1
SHA512: ad36d7ba262b04194fa5cd68fab29ac3ba16a5c4fa172573de5c31cc3f2b6f7d54f5b79255ce8948d10e6cf658836ef9301b0f4070c65013f291f72233288eed
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6i:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5R

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | qhpwvokhic.exe

Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | qhpwvokhic.exe

Windows security bypass 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | qhpwvokhic.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | qhpwvokhic.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | qhpwvokhic.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | qhpwvokhic.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | qhpwvokhic.exe

Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | qhpwvokhic.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | c77b62ee98ec26daf78fbf665aa91b15_JaffaCakes118.exe

Executes dropped EXE 5 IoCs
pid | Process
2180 | qhpwvokhic.exe
4492 | yolsrfwaagqfqwx.exe
824 | tqsqqagl.exe
448 | qurpqysbukxpp.exe
2304 | tqsqqagl.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | qhpwvokhic.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | qhpwvokhic.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | qhpwvokhic.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | qhpwvokhic.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | qhpwvokhic.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | qhpwvokhic.exe

Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ahtxczzz = "qhpwvokhic.exe" | yolsrfwaagqfqwx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wgivygwo = "yolsrfwaagqfqwx.exe" | yolsrfwaagqfqwx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "qurpqysbukxpp.exe" | yolsrfwaagqfqwx.exe

Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\j: | qhpwvokhic.exe
File opened (read-only) | \??\y: | tqsqqagl.exe
File opened (read-only) | \??\b: | tqsqqagl.exe
File opened (read-only) | \??\e: | qhpwvokhic.exe
File opened (read-only) | \??\i: | qhpwvokhic.exe
File opened (read-only) | \??\r: | tqsqqagl.exe
File opened (read-only) | \??\a: | qhpwvokhic.exe
File opened (read-only) | \??\b: | qhpwvokhic.exe
File opened (read-only) | \??\u: | tqsqqagl.exe
File opened (read-only) | \??\n: | qhpwvokhic.exe
File opened (read-only) | \??\o: | qhpwvokhic.exe
File opened (read-only) | \??\m: | tqsqqagl.exe
File opened (read-only) | \??\t: | qhpwvokhic.exe
File opened (read-only) | \??\h: | tqsqqagl.exe
File opened (read-only) | \??\m: | tqsqqagl.exe
File opened (read-only) | \??\l: | tqsqqagl.exe
File opened (read-only) | \??\o: | tqsqqagl.exe
File opened (read-only) | \??\v: | tqsqqagl.exe
File opened (read-only) | \??\k: | qhpwvokhic.exe
File opened (read-only) | \??\b: | tqsqqagl.exe
File opened (read-only) | \??\w: | tqsqqagl.exe
File opened (read-only) | \??\a: | tqsqqagl.exe
File opened (read-only) | \??\j: | tqsqqagl.exe
File opened (read-only) | \??\w: | qhpwvokhic.exe
File opened (read-only) | \??\s: | tqsqqagl.exe
File opened (read-only) | \??\a: | tqsqqagl.exe
File opened (read-only) | \??\p: | tqsqqagl.exe
File opened (read-only) | \??\w: | tqsqqagl.exe
File opened (read-only) | \??\x: | qhpwvokhic.exe
File opened (read-only) | \??\z: | qhpwvokhic.exe
File opened (read-only) | \??\u: | tqsqqagl.exe
File opened (read-only) | \??\v: | tqsqqagl.exe
File opened (read-only) | \??\m: | qhpwvokhic.exe
File opened (read-only) | \??\p: | qhpwvokhic.exe
File opened (read-only) | \??\l: | tqsqqagl.exe
File opened (read-only) | \??\x: | tqsqqagl.exe
File opened (read-only) | \??\n: | tqsqqagl.exe
File opened (read-only) | \??\t: | tqsqqagl.exe
File opened (read-only) | \??\g: | tqsqqagl.exe
File opened (read-only) | \??\k: | tqsqqagl.exe
File opened (read-only) | \??\s: | tqsqqagl.exe
File opened (read-only) | \??\t: | tqsqqagl.exe
File opened (read-only) | \??\g: | tqsqqagl.exe
File opened (read-only) | \??\j: | tqsqqagl.exe
File opened (read-only) | \??\e: | tqsqqagl.exe
File opened (read-only) | \??\i: | tqsqqagl.exe
File opened (read-only) | \??\z: | tqsqqagl.exe
File opened (read-only) | \??\h: | qhpwvokhic.exe
File opened (read-only) | \??\u: | qhpwvokhic.exe
File opened (read-only) | \??\h: | tqsqqagl.exe
File opened (read-only) | \??\r: | tqsqqagl.exe
File opened (read-only) | \??\n: | tqsqqagl.exe
File opened (read-only) | \??\s: | qhpwvokhic.exe
File opened (read-only) | \??\v: | qhpwvokhic.exe
File opened (read-only) | \??\o: | tqsqqagl.exe
File opened (read-only) | \??\x: | tqsqqagl.exe
File opened (read-only) | \??\z: | tqsqqagl.exe
File opened (read-only) | \??\p: | tqsqqagl.exe
File opened (read-only) | \??\g: | qhpwvokhic.exe
File opened (read-only) | \??\k: | tqsqqagl.exe
File opened (read-only) | \??\i: | tqsqqagl.exe
File opened (read-only) | \??\q: | tqsqqagl.exe
File opened (read-only) | \??\l: | qhpwvokhic.exe
File opened (read-only) | \??\q: | tqsqqagl.exe

Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | qhpwvokhic.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | qhpwvokhic.exe

AutoIT Executable 10 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/4908-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x0007000000023470-9.dat | autoit_exe
behavioral2/files/0x000700000002346f-22.dat | autoit_exe
behavioral2/files/0x0009000000023408-19.dat | autoit_exe
behavioral2/files/0x0007000000023471-31.dat | autoit_exe
behavioral2/files/0x000800000002344e-68.dat | autoit_exe
behavioral2/files/0x000700000002347d-74.dat | autoit_exe
behavioral2/files/0x000700000002347f-79.dat | autoit_exe
behavioral2/files/0x0007000000023485-104.dat | autoit_exe
behavioral2/files/0x0007000000023485-109.dat | autoit_exe

Drops file in System32 directory 12 IoCs
description | ioc | Process
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | tqsqqagl.exe
File created | C:\Windows\SysWOW64\yolsrfwaagqfqwx.exe | c77b62ee98ec26daf78fbf665aa91b15_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\tqsqqagl.exe | c77b62ee98ec26daf78fbf665aa91b15_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | qhpwvokhic.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | tqsqqagl.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | tqsqqagl.exe
File opened for modification | C:\Windows\SysWOW64\qurpqysbukxpp.exe | c77b62ee98ec26daf78fbf665aa91b15_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\qhpwvokhic.exe | c77b62ee98ec26daf78fbf665aa91b15_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\qhpwvokhic.exe | c77b62ee98ec26daf78fbf665aa91b15_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\yolsrfwaagqfqwx.exe | c77b62ee98ec26daf78fbf665aa91b15_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\tqsqqagl.exe | c77b62ee98ec26daf78fbf665aa91b15_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\qurpqysbukxpp.exe | c77b62ee98ec26daf78fbf665aa91b15_JaffaCakes118.exe

Drops file in Program Files directory 22 IoCs
description | ioc | Process
File created | \??\c:\Program Files\MoveCompress.doc.exe | tqsqqagl.exe
File opened for modification | C:\Program Files\MoveCompress.doc.exe | tqsqqagl.exe
File opened for modification | \??\c:\Program Files\MoveCompress.doc.exe | tqsqqagl.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | tqsqqagl.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | tqsqqagl.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | tqsqqagl.exe
File opened for modification | C:\Program Files\MoveCompress.nal | tqsqqagl.exe
File opened for modification | C:\Program Files\MoveCompress.nal | tqsqqagl.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | tqsqqagl.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | tqsqqagl.exe
File opened for modification | C:\Program Files\MoveCompress.doc.exe | tqsqqagl.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | tqsqqagl.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | tqsqqagl.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | tqsqqagl.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | tqsqqagl.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | tqsqqagl.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | tqsqqagl.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | tqsqqagl.exe
File opened for modification | \??\c:\Program Files\MoveCompress.doc.exe | tqsqqagl.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | tqsqqagl.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | tqsqqagl.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | tqsqqagl.exe

Drops file in Windows directory 19 IoCs
description | ioc | Process
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | tqsqqagl.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | tqsqqagl.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | tqsqqagl.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | tqsqqagl.exe
File opened for modification | C:\Windows\mydoc.rtf | c77b62ee98ec26daf78fbf665aa91b15_JaffaCakes118.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | tqsqqagl.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | tqsqqagl.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | tqsqqagl.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | tqsqqagl.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | tqsqqagl.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | tqsqqagl.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | tqsqqagl.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | tqsqqagl.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | tqsqqagl.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | tqsqqagl.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | tqsqqagl.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | tqsqqagl.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c77b62ee98ec26daf78fbf665aa91b15_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qhpwvokhic.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | yolsrfwaagqfqwx.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tqsqqagl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qurpqysbukxpp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tqsqqagl.exe

Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE

Modifies registry class 20 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | qhpwvokhic.exe
Key created | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings | c77b62ee98ec26daf78fbf665aa91b15_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | qhpwvokhic.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | qhpwvokhic.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | qhpwvokhic.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | c77b62ee98ec26daf78fbf665aa91b15_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32422C0B9D5082586D4376A670562CD67D8764DA" | c77b62ee98ec26daf78fbf665aa91b15_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB0B02B449438E352CFBAD33292D7CA" | c77b62ee98ec26daf78fbf665aa91b15_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F89FC824F5D826A9040D62E7E96BDEFE6375935664F623ED6EB" | c77b62ee98ec26daf78fbf665aa91b15_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | qhpwvokhic.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | qhpwvokhic.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | qhpwvokhic.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | qhpwvokhic.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BBCFABBF961F2E3840B3B47819C3990B08E02884269033FE2CF45E709A2" | c77b62ee98ec26daf78fbf665aa91b15_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F06BC4FF1B22D0D273D1A48B089060" | c77b62ee98ec26daf78fbf665aa91b15_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | qhpwvokhic.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | qhpwvokhic.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | qhpwvokhic.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193EC60F1590DBC4B9CD7CE3ECE034C6" | c77b62ee98ec26daf78fbf665aa91b15_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | qhpwvokhic.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
2600 | WINWORD.EXE
2600 | WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
4908 | c77b62ee98ec26daf78fbf665aa91b15_JaffaCakes118.exe
4908 | c77b62ee98ec26daf78fbf665aa91b15_JaffaCakes118.exe
4908 | c77b62ee98ec26daf78fbf665aa91b15_JaffaCakes118.exe
4908 | c77b62ee98ec26daf78fbf665aa91b15_JaffaCakes118.exe
4908 | c77b62ee98ec26daf78fbf665aa91b15_JaffaCakes118.exe
4908 | c77b62ee98ec26daf78fbf665aa91b15_JaffaCakes118.exe
4908 | c77b62ee98ec26daf78fbf665aa91b15_JaffaCakes118.exe
4908 | c77b62ee98ec26daf78fbf665aa91b15_JaffaCakes118.exe
4908 | c77b62ee98ec26daf78fbf665aa91b15_JaffaCakes118.exe
4908 | c77b62ee98ec26daf78fbf665aa91b15_JaffaCakes118.exe
4908 | c77b62ee98ec26daf78fbf665aa91b15_JaffaCakes118.exe
4908 | c77b62ee98ec26daf78fbf665aa91b15_JaffaCakes118.exe
4908 | c77b62ee98ec26daf78fbf665aa91b15_JaffaCakes118.exe
4908 | c77b62ee98ec26daf78fbf665aa91b15_JaffaCakes118.exe
4908 | c77b62ee98ec26daf78fbf665aa91b15_JaffaCakes118.exe
4908 | c77b62ee98ec26daf78fbf665aa91b15_JaffaCakes118.exe
2180 | qhpwvokhic.exe
2180 | qhpwvokhic.exe
2180 | qhpwvokhic.exe
2180 | qhpwvokhic.exe
2180 | qhpwvokhic.exe
2180 | qhpwvokhic.exe
2180 | qhpwvokhic.exe
2180 | qhpwvokhic.exe
2180 | qhpwvokhic.exe
2180 | qhpwvokhic.exe
448 | qurpqysbukxpp.exe
448 | qurpqysbukxpp.exe
448 | qurpqysbukxpp.exe
448 | qurpqysbukxpp.exe
448 | qurpqysbukxpp.exe
448 | qurpqysbukxpp.exe
448 | qurpqysbukxpp.exe
448 | qurpqysbukxpp.exe
448 | qurpqysbukxpp.exe
448 | qurpqysbukxpp.exe
448 | qurpqysbukxpp.exe
448 | qurpqysbukxpp.exe
824 | tqsqqagl.exe
824 | tqsqqagl.exe
824 | tqsqqagl.exe
824 | tqsqqagl.exe
824 | tqsqqagl.exe
824 | tqsqqagl.exe
824 | tqsqqagl.exe
824 | tqsqqagl.exe
4492 | yolsrfwaagqfqwx.exe
4492 | yolsrfwaagqfqwx.exe
4492 | yolsrfwaagqfqwx.exe
4492 | yolsrfwaagqfqwx.exe
4492 | yolsrfwaagqfqwx.exe
4492 | yolsrfwaagqfqwx.exe
4492 | yolsrfwaagqfqwx.exe
4492 | yolsrfwaagqfqwx.exe
4492 | yolsrfwaagqfqwx.exe
4492 | yolsrfwaagqfqwx.exe
2304 | tqsqqagl.exe
2304 | tqsqqagl.exe
2304 | tqsqqagl.exe
2304 | tqsqqagl.exe
2304 | tqsqqagl.exe
2304 | tqsqqagl.exe
2304 | tqsqqagl.exe
2304 | tqsqqagl.exe

Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process
4908 | c77b62ee98ec26daf78fbf665aa91b15_JaffaCakes118.exe
4908 | c77b62ee98ec26daf78fbf665aa91b15_JaffaCakes118.exe
4908 | c77b62ee98ec26daf78fbf665aa91b15_JaffaCakes118.exe
2180 | qhpwvokhic.exe
2180 | qhpwvokhic.exe
2180 | qhpwvokhic.exe
448 | qurpqysbukxpp.exe
4492 | yolsrfwaagqfqwx.exe
824 | tqsqqagl.exe
448 | qurpqysbukxpp.exe
4492 | yolsrfwaagqfqwx.exe
824 | tqsqqagl.exe
448 | qurpqysbukxpp.exe
4492 | yolsrfwaagqfqwx.exe
824 | tqsqqagl.exe
2304 | tqsqqagl.exe
2304 | tqsqqagl.exe
2304 | tqsqqagl.exe

Suspicious use of SendNotifyMessage 18 IoCs
pid | Process
4908 | c77b62ee98ec26daf78fbf665aa91b15_JaffaCakes118.exe
4908 | c77b62ee98ec26daf78fbf665aa91b15_JaffaCakes118.exe
4908 | c77b62ee98ec26daf78fbf665aa91b15_JaffaCakes118.exe
2180 | qhpwvokhic.exe
2180 | qhpwvokhic.exe
2180 | qhpwvokhic.exe
448 | qurpqysbukxpp.exe
4492 | yolsrfwaagqfqwx.exe
824 | tqsqqagl.exe
448 | qurpqysbukxpp.exe
4492 | yolsrfwaagqfqwx.exe
824 | tqsqqagl.exe
448 | qurpqysbukxpp.exe
4492 | yolsrfwaagqfqwx.exe
824 | tqsqqagl.exe
2304 | tqsqqagl.exe
2304 | tqsqqagl.exe
2304 | tqsqqagl.exe

Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process
2600 | WINWORD.EXE
2600 | WINWORD.EXE
2600 | WINWORD.EXE
2600 | WINWORD.EXE
2600 | WINWORD.EXE
2600 | WINWORD.EXE
2600 | WINWORD.EXE

Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 4908 wrote to memory of 2180 | 4908 | c77b62ee98ec26daf78fbf665aa91b15_JaffaCakes118.exe | 84
PID 4908 wrote to memory of 2180 | 4908 | c77b62ee98ec26daf78fbf665aa91b15_JaffaCakes118.exe | 84
PID 4908 wrote to memory of 2180 | 4908 | c77b62ee98ec26daf78fbf665aa91b15_JaffaCakes118.exe | 84
PID 4908 wrote to memory of 4492 | 4908 | c77b62ee98ec26daf78fbf665aa91b15_JaffaCakes118.exe | 85
PID 4908 wrote to memory of 4492 | 4908 | c77b62ee98ec26daf78fbf665aa91b15_JaffaCakes118.exe | 85
PID 4908 wrote to memory of 4492 | 4908 | c77b62ee98ec26daf78fbf665aa91b15_JaffaCakes118.exe | 85
PID 4908 wrote to memory of 824 | 4908 | c77b62ee98ec26daf78fbf665aa91b15_JaffaCakes118.exe | 86
PID 4908 wrote to memory of 824 | 4908 | c77b62ee98ec26daf78fbf665aa91b15_JaffaCakes118.exe | 86
PID 4908 wrote to memory of 824 | 4908 | c77b62ee98ec26daf78fbf665aa91b15_JaffaCakes118.exe | 86
PID 4908 wrote to memory of 448 | 4908 | c77b62ee98ec26daf78fbf665aa91b15_JaffaCakes118.exe | 87
PID 4908 wrote to memory of 448 | 4908 | c77b62ee98ec26daf78fbf665aa91b15_JaffaCakes118.exe | 87
PID 4908 wrote to memory of 448 | 4908 | c77b62ee98ec26daf78fbf665aa91b15_JaffaCakes118.exe | 87
PID 2180 wrote to memory of 2304 | 2180 | qhpwvokhic.exe | 88
PID 2180 wrote to memory of 2304 | 2180 | qhpwvokhic.exe | 88
PID 2180 wrote to memory of 2304 | 2180 | qhpwvokhic.exe | 88
PID 4908 wrote to memory of 2600 | 4908 | c77b62ee98ec26daf78fbf665aa91b15_JaffaCakes118.exe | 89
PID 4908 wrote to memory of 2600 | 4908 | c77b62ee98ec26daf78fbf665aa91b15_JaffaCakes118.exe | 89

Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\c77b62ee98ec26daf78fbf665aa91b15_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c77b62ee98ec26daf78fbf665aa91b15_JaffaCakes118.exe"
  PID: 4908
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\SysWOW64\qhpwvokhic.exe
    Command line: qhpwvokhic.exe
    PID: 2180
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\SysWOW64\tqsqqagl.exe
      Command line: C:\Windows\system32\tqsqqagl.exe
      PID: 2304
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  Level 2: C:\Windows\SysWOW64\yolsrfwaagqfqwx.exe
    Command line: yolsrfwaagqfqwx.exe
    PID: 4492
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  Level 2: C:\Windows\SysWOW64\tqsqqagl.exe
    Command line: tqsqqagl.exe
    PID: 824
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  Level 2: C:\Windows\SysWOW64\qurpqysbukxpp.exe
    Command line: qurpqysbukxpp.exe
    PID: 448
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  Level 2: C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    PID: 2600
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx

Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (6)

Downloads