Analysis
max time kernel: 150s
max time network: 127s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 29-08-2024 17:45
Static task: static1
Behavioral task: behavioral1
Sample: c94ea2f6a48225695425418fe79733b8_JaffaCakes118.exe
Resource: win7-20240704-en
General
Target: c94ea2f6a48225695425418fe79733b8_JaffaCakes118.exe
Size: 512KB
MD5: c94ea2f6a48225695425418fe79733b8
SHA1: 3432e0772fc8987de30c8ba050cddd0e3d4be53e
SHA256: 12f22440fe96d2b39af9e0516a6e0c3db809b30dc924eb69a0d50d3944831d35
SHA512: 42ae7e83ad0fe859cd6deb8420ad555aa2b6cd86aa39f15dbdece023ea36a52613a466f632b4ae03e8ac24981aab1fbe6af0ddf5c560677da4d00d1358b92982
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj64:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5j
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | gjfxprorus.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | gjfxprorus.exe
Windows security bypass (5 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | gjfxprorus.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | gjfxprorus.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | gjfxprorus.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | gjfxprorus.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | gjfxprorus.exe
Disables RegEdit via registry modification (1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | gjfxprorus.exe
Executes dropped EXE (5 IoCs)
pid | Process
2044 | gjfxprorus.exe
2156 | bsdixxuyydshblb.exe
2768 | iezoccyo.exe
2684 | ongfplnsdniaj.exe
2664 | iezoccyo.exe
Loads dropped DLL (5 IoCs)
pid | Process
2476 | c94ea2f6a48225695425418fe79733b8_JaffaCakes118.exe (4 events)
2044 | gjfxprorus.exe (1 event)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | gjfxprorus.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | gjfxprorus.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | gjfxprorus.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | gjfxprorus.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | gjfxprorus.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | gjfxprorus.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\jjlncgfd = "gjfxprorus.exe" | bsdixxuyydshblb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zaryioem = "bsdixxuyydshblb.exe" | bsdixxuyydshblb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "ongfplnsdniaj.exe" | bsdixxuyydshblb.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
All 64 events are "File opened (read-only)" on a drive root; they are collapsed below per process, with the number of opens per drive letter.
File opened (read-only) | \??\a: \??\b: \??\e: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\o: \??\p: \??\q: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z: (one open each, 22 events) | gjfxprorus.exe
File opened (read-only) | \??\a: x2, \??\b: x2, \??\e: x2, \??\g: x2, \??\h: x2, \??\i: x2, \??\j: x1, \??\k: x2, \??\l: x2, \??\m: x2, \??\n: x2, \??\o: x1, \??\p: x1, \??\q: x1, \??\r: x2, \??\s: x2, \??\t: x2, \??\u: x2, \??\v: x2, \??\w: x2, \??\x: x2, \??\y: x2, \??\z: x2 (42 events across both iezoccyo.exe instances) | iezoccyo.exe
Modifies WinLogon (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | gjfxprorus.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | gjfxprorus.exe
AutoIT Executable (7 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/memory/2476-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral1/files/0x0004000000017801-5.dat | autoit_exe
behavioral1/files/0x0008000000016d74-17.dat | autoit_exe
behavioral1/files/0x00050000000186b7-28.dat | autoit_exe
behavioral1/files/0x00050000000186bb-37.dat | autoit_exe
behavioral1/files/0x000900000001722b-62.dat | autoit_exe
behavioral1/files/0x0008000000018b3e-68.dat | autoit_exe
Drops file in System32 directory (9 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\ongfplnsdniaj.exe | c94ea2f6a48225695425418fe79733b8_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\bsdixxuyydshblb.exe | c94ea2f6a48225695425418fe79733b8_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\iezoccyo.exe | c94ea2f6a48225695425418fe79733b8_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\iezoccyo.exe | c94ea2f6a48225695425418fe79733b8_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\ongfplnsdniaj.exe | c94ea2f6a48225695425418fe79733b8_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | gjfxprorus.exe
File created | C:\Windows\SysWOW64\gjfxprorus.exe | c94ea2f6a48225695425418fe79733b8_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\gjfxprorus.exe | c94ea2f6a48225695425418fe79733b8_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\bsdixxuyydshblb.exe | c94ea2f6a48225695425418fe79733b8_JaffaCakes118.exe
Drops file in Program Files directory (14 IoCs)
description | ioc | Process
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | iezoccyo.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | iezoccyo.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | iezoccyo.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | iezoccyo.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | iezoccyo.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | iezoccyo.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | iezoccyo.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | iezoccyo.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | iezoccyo.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | iezoccyo.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | iezoccyo.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | iezoccyo.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | iezoccyo.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | iezoccyo.exe
Drops file in Windows directory (5 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\mydoc.rtf | c94ea2f6a48225695425418fe79733b8_JaffaCakes118.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
File opened for modification | C:\Windows\~$mydoc.rtf | WINWORD.EXE
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ongfplnsdniaj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | iezoccyo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c94ea2f6a48225695425418fe79733b8_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | gjfxprorus.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bsdixxuyydshblb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | iezoccyo.exe
Office loads VBA resources, possible macro or embedded object present
Modifies registry class (19 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | gjfxprorus.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFEFF89482785689047D72B7DE2BCEEE1365932674E633FD79E" | c94ea2f6a48225695425418fe79733b8_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "194AC60914E0DBB2B8CD7C90EDE234BD" | c94ea2f6a48225695425418fe79733b8_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | gjfxprorus.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACEF9CEF910F19084783A32819E3E98B3FD02F042120348E1CC42EC08A8" | c94ea2f6a48225695425418fe79733b8_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC2B12F44E439ED53CDBAD1339CD7C9" | c94ea2f6a48225695425418fe79733b8_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | gjfxprorus.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | gjfxprorus.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | c94ea2f6a48225695425418fe79733b8_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | gjfxprorus.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | gjfxprorus.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | gjfxprorus.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | gjfxprorus.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | gjfxprorus.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | gjfxprorus.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | gjfxprorus.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33442C0D9C5682576D4577D270522DDC7CF465DA" | c94ea2f6a48225695425418fe79733b8_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7806BC6FE6821ADD273D0A98A7F9111" | c94ea2f6a48225695425418fe79733b8_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | gjfxprorus.exe
Suspicious behavior: AddClipboardFormatListener (1 IoC)
pid | Process
2536 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process (events per process, collapsed from the 64 listed)
2476 | c94ea2f6a48225695425418fe79733b8_JaffaCakes118.exe (8 events)
2044 | gjfxprorus.exe (5 events)
2768 | iezoccyo.exe (4 events)
2156 | bsdixxuyydshblb.exe (17 events)
2684 | ongfplnsdniaj.exe (26 events)
2664 | iezoccyo.exe (4 events)
Suspicious use of FindShellTrayWindow (18 IoCs)
pid | Process (events per process, collapsed from the 18 listed)
2476 | c94ea2f6a48225695425418fe79733b8_JaffaCakes118.exe (3 events)
2044 | gjfxprorus.exe (3 events)
2768 | iezoccyo.exe (3 events)
2156 | bsdixxuyydshblb.exe (3 events)
2684 | ongfplnsdniaj.exe (3 events)
2664 | iezoccyo.exe (3 events)
Suspicious use of SendNotifyMessage (18 IoCs)
pid | Process (events per process, collapsed from the 18 listed)
2476 | c94ea2f6a48225695425418fe79733b8_JaffaCakes118.exe (3 events)
2044 | gjfxprorus.exe (3 events)
2768 | iezoccyo.exe (3 events)
2156 | bsdixxuyydshblb.exe (3 events)
2684 | ongfplnsdniaj.exe (3 events)
2664 | iezoccyo.exe (3 events)
Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
2536 | WINWORD.EXE (2 events)
Suspicious use of WriteProcessMemory (28 IoCs)
description | pid | Process | procid_target
Each write below was recorded 4 times in the report; the 7 distinct parent/child pairs are listed once.
PID 2476 wrote to memory of 2044 | 2476 | c94ea2f6a48225695425418fe79733b8_JaffaCakes118.exe | 31 (x4)
PID 2476 wrote to memory of 2156 | 2476 | c94ea2f6a48225695425418fe79733b8_JaffaCakes118.exe | 32 (x4)
PID 2476 wrote to memory of 2768 | 2476 | c94ea2f6a48225695425418fe79733b8_JaffaCakes118.exe | 33 (x4)
PID 2476 wrote to memory of 2684 | 2476 | c94ea2f6a48225695425418fe79733b8_JaffaCakes118.exe | 34 (x4)
PID 2044 wrote to memory of 2664 | 2044 | gjfxprorus.exe | 35 (x4)
PID 2476 wrote to memory of 2536 | 2476 | c94ea2f6a48225695425418fe79733b8_JaffaCakes118.exe | 36 (x4)
PID 2536 wrote to memory of 2320 | 2536 | WINWORD.EXE | 38 (x4)
Processes
(indentation shows the process tree; the number in brackets is the depth shown in the report)

[1] C:\Users\Admin\AppData\Local\Temp\c94ea2f6a48225695425418fe79733b8_JaffaCakes118.exe (PID 2476)
    Command line: "C:\Users\Admin\AppData\Local\Temp\c94ea2f6a48225695425418fe79733b8_JaffaCakes118.exe"
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\gjfxprorus.exe (PID 2044)
        Command line: gjfxprorus.exe
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - Windows security bypass
        - Disables RegEdit via registry modification
        - Executes dropped EXE
        - Loads dropped DLL
        - Windows security modification
        - Enumerates connected drives
        - Modifies WinLogon
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\iezoccyo.exe (PID 2664)
            Command line: C:\Windows\system32\iezoccyo.exe
            - Executes dropped EXE
            - Enumerates connected drives
            - Drops file in Program Files directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage

    [2] C:\Windows\SysWOW64\bsdixxuyydshblb.exe (PID 2156)
        Command line: bsdixxuyydshblb.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage

    [2] C:\Windows\SysWOW64\iezoccyo.exe (PID 2768)
        Command line: iezoccyo.exe
        - Executes dropped EXE
        - Enumerates connected drives
        - Drops file in Program Files directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage

    [2] C:\Windows\SysWOW64\ongfplnsdniaj.exe (PID 2684)
        Command line: ongfplnsdniaj.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage

    [2] C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (PID 2536)
        Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\splwow64.exe (PID 2320)
            Command line: C:\Windows\splwow64.exe 12288
Network
MITRE ATT&CK Enterprise v15
(number in parentheses is the count of matching signatures)

Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)

Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)

Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (6)
Downloads

Filesize: 512KB
MD5: 342e1fe84d351bfabbf3fdc1e30c9728
SHA1: c228d7b885ce3be2107c216e5851cea16bcb6e69
SHA256: 98bc923d54d9cb938a59198c749d3a5a18ae0947e0dd724f57be2d01f7443031
SHA512: 46344ddf333da3d812a654b236dd6c6d73e9dd8212cfcea1e2d7491df66d2c7c601c74023f3a0fb9575fcc24028dd75d17af130869cf5efeb0216826134e1623

Filesize: 19KB
MD5: c61bcca2d1dbc192b0ec7e2afef93e7d
SHA1: c21263b2fc0823ae64c6b6857ca16a19ba4c4e18
SHA256: 1f9512eefbd9212d6cb4ffd086e7cf9e90a97a658f9f21221929de6890c00c7c
SHA512: f10e3a3b45a70c474a7fdf98ea2b6b25d92a0ade14d82d1c31126feab3a94dccc74cad34b03c5b410bff3d4ebc6c71864c21faee1d1815c321f2d1010014e592

Filesize: 512KB
MD5: 7a7e4fa246503fd635019ef99b903eba
SHA1: c1d988d7c24046c481bd25cfc3576ec25f04877c
SHA256: ef2a13d079a24c4e19fa7c912c1b6d116171bc6e74146b6cfe26a04e1486a6fd
SHA512: 60df52255e459fda64316af9ecdf49cd8a124129944edfd8291958d457a7cbc56baa9c83592e528f83022b9f50ca1f5e73dbed4cad204b54a264bf73c0a36096

Filesize: 512KB
MD5: fb1bb38c76f7cdf18cfbb9752e964741
SHA1: 1081ffacc512d30dbc9b0834e4e5fc2add4d2808
SHA256: 26bc61895a54c81bdfa84c5f87874ac86da2980417d1652cd114ea77944f8fea
SHA512: fb366a6ee24ee4b469b8652f21bf3fdb3a03a2ad7609e839780c683a8cb92a64349dd6be05a37a5b684958b371b1fa924d93c7f0fb87d1fa16c3985651d2ae99

Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Filesize: 512KB
MD5: fdedfd8486a5cd7d60a449971e510a94
SHA1: eae25d0fabe95cf24568304f511dd1e1c89f81c0
SHA256: 12c4bdc34cf73aa4e79a727365f108883e68088b5e407c47baf48eac72e603c7
SHA512: 555d930e75b600861fab89ddc0eaa81db876eb126693c08ad4a1d3db432d1521b82de54963d9ebb2a87a54e530f8ec65ae211a8153a50a55425e0e35381a180c

Filesize: 512KB
MD5: ea30bda81add8ab8ff502322dc2d50ab
SHA1: dbdffb10cd839ff2cab4e6d322f9ec71610aec01
SHA256: 304bb7a0fd043b0d45f79ba8dd685db5b8fe4199ccfd9aa28bad9b0c3313e619
SHA512: 5dae41ab0a2e1c342885722892ceecdb173645e37b381c94baeb6d09fabf59966f34682e5f135a1f8fd7909650d0bb6a2b148e355e406845ddc8f5dbc6548fe9

Filesize: 512KB
MD5: 4ed1ca35ca23168e4bd9c7973642cc30
SHA1: da52176a91b9b3963849efa17a2e538862f376c6
SHA256: d676524eff2d447dded6c75db06dfdca76f348be940f95ed419d37d50c6c41e1
SHA512: aff8392a222bb91bc2c8ae7d50f92da399b76d3c880a154e490779a4468c103705b23dc1f45a376b63093ce97817a7d26cd368b3fa802424889e9f6397fc7011