Analysis
- max time kernel: 149s
- max time network: 130s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29/08/2024, 08:32
- Static task: static1
- Behavioral task: behavioral1
- Sample: c87cdf9a840433548111d5a9512f39e6_JaffaCakes118.exe
- Resource: win7-20240704-en

General
- Target: c87cdf9a840433548111d5a9512f39e6_JaffaCakes118.exe
- Size: 512KB
- MD5: c87cdf9a840433548111d5a9512f39e6
- SHA1: 34a2a891a166d5595b3c3a374b1d88ee279bb741
- SHA256: 8f59535ab29e2faf7af6dc164a22404da6ac68acdb66353ce6871f12c1ddf867
- SHA512: cb2d0fa33a7209b3c5365d9c0b0b21f0d2bfd6c1a2beeddbef749c01d9ff47f7e786c16b033628bbf423e50918e6b2fe1fc2c5b4c433b67d78df8e23d58bcc45
- SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6R:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5g
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
- Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (pexgoavpyi.exe)
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
- Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (pexgoavpyi.exe)
Windows security bypass (5 IoCs)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (pexgoavpyi.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (pexgoavpyi.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (pexgoavpyi.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (pexgoavpyi.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (pexgoavpyi.exe)
Disables RegEdit via registry modification (1 IoC)
- Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (pexgoavpyi.exe)
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
- Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation (c87cdf9a840433548111d5a9512f39e6_JaffaCakes118.exe)
Executes dropped EXE (5 IoCs)
- PID 1484: pexgoavpyi.exe
- PID 2816: rgkbxemtsfdgzur.exe
- PID 3524: aykcfxkp.exe
- PID 1172: tmdynoacrnynb.exe
- PID 3980: aykcfxkp.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification (6 IoCs)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" (pexgoavpyi.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (pexgoavpyi.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (pexgoavpyi.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (pexgoavpyi.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (pexgoavpyi.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (pexgoavpyi.exe)
Adds Run key to start application (2 TTPs, 3 IoCs)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ahqmscpd = "rgkbxemtsfdgzur.exe" (rgkbxemtsfdgzur.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "tmdynoacrnynb.exe" (rgkbxemtsfdgzur.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\skufbrxp = "pexgoavpyi.exe" (rgkbxemtsfdgzur.exe)
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only) by pexgoavpyi.exe (22 events): \??\a:, \??\b:, \??\e:, \??\g:, \??\h:, \??\i:, \??\j:, \??\k:, \??\l:, \??\m:, \??\n:, \??\o:, \??\p:, \??\q:, \??\r:, \??\s:, \??\t:, \??\u:, \??\v:, \??\w:, \??\y:, \??\z:
- File opened (read-only) by aykcfxkp.exe (42 events): \??\e:, \??\h:, \??\m:, \??\q: once each; \??\a:, \??\b:, \??\g:, \??\i:, \??\j:, \??\k:, \??\l:, \??\n:, \??\o:, \??\p:, \??\r:, \??\s:, \??\t:, \??\u:, \??\v:, \??\w:, \??\x:, \??\y:, \??\z: twice each
Modifies WinLogon (2 TTPs, 2 IoCs)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" (pexgoavpyi.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" (pexgoavpyi.exe)
AutoIT Executable (9 IoCs)
AutoIT scripts compiled to PE executables.
- behavioral2/memory/3804-0-0x0000000000400000-0x0000000000496000-memory.dmp (yara rule: autoit_exe)
- behavioral2/files/0x00080000000234a8-5.dat (yara rule: autoit_exe)
- behavioral2/files/0x00080000000234a5-19.dat (yara rule: autoit_exe)
- behavioral2/files/0x00070000000234ad-29.dat (yara rule: autoit_exe)
- behavioral2/files/0x00070000000234ac-28.dat (yara rule: autoit_exe)
- behavioral2/files/0x0008000000023480-66.dat (yara rule: autoit_exe)
- behavioral2/files/0x00070000000234ba-74.dat (yara rule: autoit_exe)
- behavioral2/files/0x000e0000000234be-105.dat (yara rule: autoit_exe)
- behavioral2/files/0x000e0000000234be-107.dat (yara rule: autoit_exe)
Drops file in System32 directory (13 IoCs)
- File opened for modification C:\Windows\SysWOW64\aykcfxkp.exe (c87cdf9a840433548111d5a9512f39e6_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\tmdynoacrnynb.exe (c87cdf9a840433548111d5a9512f39e6_JaffaCakes118.exe)
- File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (aykcfxkp.exe)
- File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (aykcfxkp.exe)
- File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (aykcfxkp.exe)
- File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (aykcfxkp.exe)
- File opened for modification C:\Windows\SysWOW64\pexgoavpyi.exe (c87cdf9a840433548111d5a9512f39e6_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\rgkbxemtsfdgzur.exe (c87cdf9a840433548111d5a9512f39e6_JaffaCakes118.exe)
- File created C:\Windows\SysWOW64\tmdynoacrnynb.exe (c87cdf9a840433548111d5a9512f39e6_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\msvbvm60.dll (pexgoavpyi.exe)
- File created C:\Windows\SysWOW64\pexgoavpyi.exe (c87cdf9a840433548111d5a9512f39e6_JaffaCakes118.exe)
- File created C:\Windows\SysWOW64\rgkbxemtsfdgzur.exe (c87cdf9a840433548111d5a9512f39e6_JaffaCakes118.exe)
- File created C:\Windows\SysWOW64\aykcfxkp.exe (c87cdf9a840433548111d5a9512f39e6_JaffaCakes118.exe)
Drops file in Program Files directory (15 IoCs)
All events by aykcfxkp.exe:
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal
- File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal
- File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
Drops file in Windows directory (19 IoCs)
- File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (aykcfxkp.exe)
- File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (aykcfxkp.exe)
- File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (aykcfxkp.exe)
- File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (aykcfxkp.exe)
- File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (aykcfxkp.exe)
- File opened for modification C:\Windows\mydoc.rtf (WINWORD.EXE)
- File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (aykcfxkp.exe)
- File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (aykcfxkp.exe)
- File opened for modification C:\Windows\mydoc.rtf (c87cdf9a840433548111d5a9512f39e6_JaffaCakes118.exe)
- File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (aykcfxkp.exe)
- File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (aykcfxkp.exe)
- File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (aykcfxkp.exe)
- File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (aykcfxkp.exe)
- File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (aykcfxkp.exe)
- File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (aykcfxkp.exe)
- File created C:\Windows\~$mydoc.rtf (WINWORD.EXE)
- File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (aykcfxkp.exe)
- File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (aykcfxkp.exe)
- File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (aykcfxkp.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (pexgoavpyi.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (rgkbxemtsfdgzur.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (tmdynoacrnynb.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (aykcfxkp.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (aykcfxkp.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (c87cdf9a840433548111d5a9512f39e6_JaffaCakes118.exe)
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)
Enumerates system info in registry (2 TTPs, 3 IoCs)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
Modifies registry class (20 IoCs)
- Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings (c87cdf9a840433548111d5a9512f39e6_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" (pexgoavpyi.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs (pexgoavpyi.exe)
- Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes (c87cdf9a840433548111d5a9512f39e6_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCEFACAF966F1E084783B4486963E95B38C028B4313033EE2C4459E09A8" (c87cdf9a840433548111d5a9512f39e6_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FF5FF8A485F82189136D7287D94BDEEE6305932664E6330D7ED" (c87cdf9a840433548111d5a9512f39e6_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" (pexgoavpyi.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh (pexgoavpyi.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf (pexgoavpyi.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" (pexgoavpyi.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" (pexgoavpyi.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32432C7D9D2183586A3376D177202DDE7C8764AB" (c87cdf9a840433548111d5a9512f39e6_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FCAB05847E5399A53C8B9A1329ED4BF" (c87cdf9a840433548111d5a9512f39e6_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1838C67914E3DAB6B9BE7CE7EC9E34CD" (c87cdf9a840433548111d5a9512f39e6_JaffaCakes118.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat (pexgoavpyi.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc (pexgoavpyi.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg (pexgoavpyi.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F26BC5FF1821DED272D1D38B0E906A" (c87cdf9a840433548111d5a9512f39e6_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" (pexgoavpyi.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" (pexgoavpyi.exe)
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
- PID 4992: WINWORD.EXE (2 events)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 3804: c87cdf9a840433548111d5a9512f39e6_JaffaCakes118.exe (16 events)
- PID 1484: pexgoavpyi.exe (10 events)
- PID 2816: rgkbxemtsfdgzur.exe (12 events in total, interleaved with the processes below)
- PID 1172: tmdynoacrnynb.exe (12 events)
- PID 3524: aykcfxkp.exe (8 events)
- PID 3980: aykcfxkp.exe (6 events)
Suspicious use of FindShellTrayWindow (18 IoCs)
- PID 3804: c87cdf9a840433548111d5a9512f39e6_JaffaCakes118.exe (3 events)
- PID 1484: pexgoavpyi.exe (3 events)
- PID 2816: rgkbxemtsfdgzur.exe (3 events)
- PID 1172: tmdynoacrnynb.exe (3 events)
- PID 3524: aykcfxkp.exe (3 events)
- PID 3980: aykcfxkp.exe (3 events)
Suspicious use of SendNotifyMessage (18 IoCs)
- PID 3804: c87cdf9a840433548111d5a9512f39e6_JaffaCakes118.exe (3 events)
- PID 1484: pexgoavpyi.exe (3 events)
- PID 2816: rgkbxemtsfdgzur.exe (3 events)
- PID 1172: tmdynoacrnynb.exe (3 events)
- PID 3524: aykcfxkp.exe (3 events)
- PID 3980: aykcfxkp.exe (3 events)
Suspicious use of SetWindowsHookEx (7 IoCs)
- PID 4992: WINWORD.EXE (7 events)
Suspicious use of WriteProcessMemory (17 IoCs)
- PID 3804 (c87cdf9a840433548111d5a9512f39e6_JaffaCakes118.exe) wrote to memory of 1484, procid_target 85 (3 events)
- PID 3804 (c87cdf9a840433548111d5a9512f39e6_JaffaCakes118.exe) wrote to memory of 2816, procid_target 86 (3 events)
- PID 3804 (c87cdf9a840433548111d5a9512f39e6_JaffaCakes118.exe) wrote to memory of 3524, procid_target 87 (3 events)
- PID 3804 (c87cdf9a840433548111d5a9512f39e6_JaffaCakes118.exe) wrote to memory of 1172, procid_target 88 (3 events)
- PID 3804 (c87cdf9a840433548111d5a9512f39e6_JaffaCakes118.exe) wrote to memory of 4992, procid_target 89 (2 events)
- PID 1484 (pexgoavpyi.exe) wrote to memory of 3980, procid_target 91 (3 events)
Processes

C:\Users\Admin\AppData\Local\Temp\c87cdf9a840433548111d5a9512f39e6_JaffaCakes118.exe (PID 3804)
Command line: "C:\Users\Admin\AppData\Local\Temp\c87cdf9a840433548111d5a9512f39e6_JaffaCakes118.exe"
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\pexgoavpyi.exe (PID 1484, child of PID 3804)
  Command line: pexgoavpyi.exe
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\aykcfxkp.exe (PID 3980, child of PID 1484)
    Command line: C:\Windows\system32\aykcfxkp.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\rgkbxemtsfdgzur.exe (PID 2816, child of PID 3804)
  Command line: rgkbxemtsfdgzur.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\aykcfxkp.exe (PID 3524, child of PID 3804)
  Command line: aykcfxkp.exe
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\tmdynoacrnynb.exe (PID 1172, child of PID 3804)
  Command line: tmdynoacrnynb.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 4992, child of PID 3804)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
  - Drops file in Windows directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads