Analysis
max time kernel: 149s
max time network: 123s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 01-09-2024 00:39
Static task: static1
Behavioral task: behavioral1
Sample: cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe
Resource: win7-20240704-en
General
Target: cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe
Size: 512KB
MD5: cde469d78e0fb53505b664f337ef3da1
SHA1: 55d26c8e6211812d4b09a44aacb09e19b9d47ff0
SHA256: f78717d667afdba2592ad2c25e71018ddf900e35d2a40f556e9118a85937770c
SHA512: 188e8878de474fb39a816e90995a7f0af6ec3bb026937a572d3d6be2eaf4784870d995b36b16e68a07a9c9ee0d54678c6b8497eea8a2ea1ceebcff74d3480250
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6M:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm55
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
- Set value (int) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (yzbppvwbfy.exe)
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
- Set value (int) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (yzbppvwbfy.exe)
Windows security bypass
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (yzbppvwbfy.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (yzbppvwbfy.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (yzbppvwbfy.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (yzbppvwbfy.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (yzbppvwbfy.exe)
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 1 IoC)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Active Setup\Installed Components (explorer.exe)
Disables RegEdit via registry modification (1 IoC)
- Set value (int) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (yzbppvwbfy.exe)
Executes dropped EXE (5 IoCs)
- PID 2312: yzbppvwbfy.exe
- PID 808: uykpqallraweizr.exe
- PID 2728: eacanpdp.exe
- PID 2804: uthyauxuqlawf.exe
- PID 2904: eacanpdp.exe
Loads dropped DLL (5 IoCs)
- PID 1648: cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe
- PID 1648: cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe
- PID 1648: cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe
- PID 1648: cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe
- PID 2312: yzbppvwbfy.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (yzbppvwbfy.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (yzbppvwbfy.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (yzbppvwbfy.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" (yzbppvwbfy.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (yzbppvwbfy.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (yzbppvwbfy.exe)
Adds Run key to start application (2 TTPs, 3 IoCs)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qnjpmxnl = "yzbppvwbfy.exe" (uykpqallraweizr.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vfvimggk = "uykpqallraweizr.exe" (uykpqallraweizr.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "uthyauxuqlawf.exe" (uykpqallraweizr.exe)
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only) \??\y: (eacanpdp.exe)
- File opened (read-only) \??\p: (yzbppvwbfy.exe)
- File opened (read-only) \??\v: (yzbppvwbfy.exe)
- File opened (read-only) \??\m: (eacanpdp.exe)
- File opened (read-only) \??\s: (eacanpdp.exe)
- File opened (read-only) \??\e: (eacanpdp.exe)
- File opened (read-only) \??\k: (eacanpdp.exe)
- File opened (read-only) \??\t: (eacanpdp.exe)
- File opened (read-only) \??\w: (eacanpdp.exe)
- File opened (read-only) \??\x: (yzbppvwbfy.exe)
- File opened (read-only) \??\q: (yzbppvwbfy.exe)
- File opened (read-only) \??\u: (yzbppvwbfy.exe)
- File opened (read-only) \??\i: (eacanpdp.exe)
- File opened (read-only) \??\n: (eacanpdp.exe)
- File opened (read-only) \??\z: (eacanpdp.exe)
- File opened (read-only) \??\r: (eacanpdp.exe)
- File opened (read-only) \??\u: (eacanpdp.exe)
- File opened (read-only) \??\o: (eacanpdp.exe)
- File opened (read-only) \??\l: (eacanpdp.exe)
- File opened (read-only) \??\k: (yzbppvwbfy.exe)
- File opened (read-only) \??\z: (yzbppvwbfy.exe)
- File opened (read-only) \??\t: (eacanpdp.exe)
- File opened (read-only) \??\g: (eacanpdp.exe)
- File opened (read-only) \??\k: (eacanpdp.exe)
- File opened (read-only) \??\w: (eacanpdp.exe)
- File opened (read-only) \??\e: (eacanpdp.exe)
- File opened (read-only) \??\l: (eacanpdp.exe)
- File opened (read-only) \??\b: (eacanpdp.exe)
- File opened (read-only) \??\j: (yzbppvwbfy.exe)
- File opened (read-only) \??\m: (yzbppvwbfy.exe)
- File opened (read-only) \??\i: (eacanpdp.exe)
- File opened (read-only) \??\r: (yzbppvwbfy.exe)
- File opened (read-only) \??\g: (eacanpdp.exe)
- File opened (read-only) \??\b: (yzbppvwbfy.exe)
- File opened (read-only) \??\q: (eacanpdp.exe)
- File opened (read-only) \??\i: (yzbppvwbfy.exe)
- File opened (read-only) \??\l: (yzbppvwbfy.exe)
- File opened (read-only) \??\a: (eacanpdp.exe)
- File opened (read-only) \??\p: (eacanpdp.exe)
- File opened (read-only) \??\y: (eacanpdp.exe)
- File opened (read-only) \??\o: (eacanpdp.exe)
- File opened (read-only) \??\u: (eacanpdp.exe)
- File opened (read-only) \??\h: (eacanpdp.exe)
- File opened (read-only) \??\v: (eacanpdp.exe)
- File opened (read-only) \??\g: (yzbppvwbfy.exe)
- File opened (read-only) \??\t: (yzbppvwbfy.exe)
- File opened (read-only) \??\q: (eacanpdp.exe)
- File opened (read-only) \??\a: (eacanpdp.exe)
- File opened (read-only) \??\x: (eacanpdp.exe)
- File opened (read-only) \??\e: (yzbppvwbfy.exe)
- File opened (read-only) \??\y: (yzbppvwbfy.exe)
- File opened (read-only) \??\b: (eacanpdp.exe)
- File opened (read-only) \??\h: (eacanpdp.exe)
- File opened (read-only) \??\m: (eacanpdp.exe)
- File opened (read-only) \??\o: (yzbppvwbfy.exe)
- File opened (read-only) \??\s: (yzbppvwbfy.exe)
- File opened (read-only) \??\v: (eacanpdp.exe)
- File opened (read-only) \??\z: (eacanpdp.exe)
- File opened (read-only) \??\j: (eacanpdp.exe)
- File opened (read-only) \??\r: (eacanpdp.exe)
- File opened (read-only) \??\x: (eacanpdp.exe)
- File opened (read-only) \??\s: (eacanpdp.exe)
- File opened (read-only) \??\a: (yzbppvwbfy.exe)
- File opened (read-only) \??\h: (yzbppvwbfy.exe)
Modifies WinLogon (2 TTPs, 2 IoCs)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" (yzbppvwbfy.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" (yzbppvwbfy.exe)
AutoIT Executable (9 IoCs)
AutoIT scripts compiled to PE executables.
- behavioral1/memory/1648-0-0x0000000000400000-0x0000000000496000-memory.dmp (yara rule: autoit_exe)
- behavioral1/files/0x0008000000016fb3-5.dat (yara rule: autoit_exe)
- behavioral1/files/0x0007000000012119-17.dat (yara rule: autoit_exe)
- behavioral1/files/0x00080000000173c8-27.dat (yara rule: autoit_exe)
- behavioral1/files/0x00070000000174a8-33.dat (yara rule: autoit_exe)
- behavioral1/files/0x0008000000016dcb-66.dat (yara rule: autoit_exe)
- behavioral1/files/0x00070000000174f5-71.dat (yara rule: autoit_exe)
- behavioral1/files/0x000900000001756a-77.dat (yara rule: autoit_exe)
- behavioral1/files/0x00080000000175ed-83.dat (yara rule: autoit_exe)
Drops file in System32 directory (9 IoCs)
- File opened for modification C:\Windows\SysWOW64\uykpqallraweizr.exe (cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe)
- File created C:\Windows\SysWOW64\eacanpdp.exe (cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\eacanpdp.exe (cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\uthyauxuqlawf.exe (cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\msvbvm60.dll (yzbppvwbfy.exe)
- File created C:\Windows\SysWOW64\yzbppvwbfy.exe (cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe)
- File created C:\Windows\SysWOW64\uykpqallraweizr.exe (cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\yzbppvwbfy.exe (cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe)
- File created C:\Windows\SysWOW64\uthyauxuqlawf.exe (cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe)
Drops file in Program Files directory (14 IoCs)
- File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe (eacanpdp.exe)
- File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe (eacanpdp.exe)
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe (eacanpdp.exe)
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal (eacanpdp.exe)
- File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe (eacanpdp.exe)
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe (eacanpdp.exe)
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal (eacanpdp.exe)
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe (eacanpdp.exe)
- File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe (eacanpdp.exe)
- File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe (eacanpdp.exe)
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe (eacanpdp.exe)
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal (eacanpdp.exe)
- File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe (eacanpdp.exe)
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal (eacanpdp.exe)
Drops file in Windows directory (4 IoCs)
- File opened for modification C:\Windows\mydoc.rtf (cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe)
- File opened for modification C:\Windows\mydoc.rtf (WINWORD.EXE)
- File created C:\Windows\~$mydoc.rtf (WINWORD.EXE)
- File opened for modification C:\Windows\Debug\WIA\wiatrace.log (WINWORD.EXE)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (yzbppvwbfy.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (eacanpdp.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (uykpqallraweizr.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (uthyauxuqlawf.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (eacanpdp.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (WINWORD.EXE)
Office loads VBA resources, possible macro or embedded object present
Modifies registry class (24 IoCs)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg (yzbppvwbfy.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" (yzbppvwbfy.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32352D0D9C5282246D4577D677212CDC7DF165AB" (cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FF4FC83482882189140D65B7E9DBC93E633594B67466242D7E9" (cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193DC60C14E4DAB2B8C97CE3EDE034BB" (cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat (yzbppvwbfy.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc (yzbppvwbfy.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" (yzbppvwbfy.exe)
- Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_Classes\Local Settings (explorer.exe)
- Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes (cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" (yzbppvwbfy.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" (yzbppvwbfy.exe)
- Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell (explorer.exe)
- Set value (data) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots (explorer.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCFF9BDF966F299840E3B40869739E4B38D028A4216033CE1BE45EA09A8" (cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB7B12B479439E353BFB9D232EAD4BF" (cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf (yzbppvwbfy.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs (yzbppvwbfy.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F06BC2FE6E22D8D27DD1A68A0C9166" (cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh (yzbppvwbfy.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" (yzbppvwbfy.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" (yzbppvwbfy.exe)
- Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU (explorer.exe)
- Set value (data) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff (explorer.exe)
Suspicious behavior: AddClipboardFormatListener (1 IoC)
- PID 2916: WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1648 cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe 1648 cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe 1648 cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe 1648 cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe 1648 cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe 1648 cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe 1648 cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe 1648 cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe 2312 yzbppvwbfy.exe 2312 yzbppvwbfy.exe 2312 yzbppvwbfy.exe 2312 yzbppvwbfy.exe 2312 yzbppvwbfy.exe 2728 eacanpdp.exe 2728 eacanpdp.exe 2728 eacanpdp.exe 2728 eacanpdp.exe 808 uykpqallraweizr.exe 808 uykpqallraweizr.exe 808 uykpqallraweizr.exe 808 uykpqallraweizr.exe 808 uykpqallraweizr.exe 2804 uthyauxuqlawf.exe 2804 uthyauxuqlawf.exe 2804 uthyauxuqlawf.exe 2804 uthyauxuqlawf.exe 2804 uthyauxuqlawf.exe 2804 uthyauxuqlawf.exe 2904 eacanpdp.exe 2904 eacanpdp.exe 2904 eacanpdp.exe 2904 eacanpdp.exe 808 uykpqallraweizr.exe 2804 uthyauxuqlawf.exe 2804 uthyauxuqlawf.exe 808 uykpqallraweizr.exe 808 uykpqallraweizr.exe 2804 uthyauxuqlawf.exe 2804 uthyauxuqlawf.exe 808 uykpqallraweizr.exe 2804 uthyauxuqlawf.exe 2804 uthyauxuqlawf.exe 808 uykpqallraweizr.exe 2804 uthyauxuqlawf.exe 2804 uthyauxuqlawf.exe 808 uykpqallraweizr.exe 2804 uthyauxuqlawf.exe 2804 uthyauxuqlawf.exe 808 uykpqallraweizr.exe 2804 uthyauxuqlawf.exe 2804 uthyauxuqlawf.exe 808 uykpqallraweizr.exe 2804 uthyauxuqlawf.exe 2804 uthyauxuqlawf.exe 808 uykpqallraweizr.exe 2804 uthyauxuqlawf.exe 2804 uthyauxuqlawf.exe 808 uykpqallraweizr.exe 2804 uthyauxuqlawf.exe 2804 uthyauxuqlawf.exe 808 uykpqallraweizr.exe 2804 uthyauxuqlawf.exe 2804 uthyauxuqlawf.exe 808 uykpqallraweizr.exe -
Suspicious use of AdjustPrivilegeToken 12 IoCs
description pid Process Token: SeShutdownPrivilege 1540 explorer.exe Token: SeShutdownPrivilege 1540 explorer.exe Token: SeShutdownPrivilege 1540 explorer.exe Token: SeShutdownPrivilege 1540 explorer.exe Token: SeShutdownPrivilege 1540 explorer.exe Token: SeShutdownPrivilege 1540 explorer.exe Token: SeShutdownPrivilege 1540 explorer.exe Token: SeShutdownPrivilege 1540 explorer.exe Token: SeShutdownPrivilege 1540 explorer.exe Token: SeShutdownPrivilege 1540 explorer.exe Token: SeShutdownPrivilege 1540 explorer.exe Token: SeShutdownPrivilege 1540 explorer.exe -
Suspicious use of FindShellTrayWindow 47 IoCs
pid Process 1648 cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe 1648 cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe 1648 cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe 2312 yzbppvwbfy.exe 2312 yzbppvwbfy.exe 2312 yzbppvwbfy.exe 2728 eacanpdp.exe 2728 eacanpdp.exe 2728 eacanpdp.exe 808 uykpqallraweizr.exe 808 uykpqallraweizr.exe 808 uykpqallraweizr.exe 2804 uthyauxuqlawf.exe 2804 uthyauxuqlawf.exe 2804 uthyauxuqlawf.exe 2904 eacanpdp.exe 2904 eacanpdp.exe 2904 eacanpdp.exe 1540 explorer.exe 1540 explorer.exe 1540 explorer.exe 1540 explorer.exe 1540 explorer.exe 1540 explorer.exe 1540 explorer.exe 1540 explorer.exe 1540 explorer.exe 1540 explorer.exe 1540 explorer.exe 1540 explorer.exe 1540 explorer.exe 1540 explorer.exe 1540 explorer.exe 1540 explorer.exe 1540 explorer.exe 1540 explorer.exe 1540 explorer.exe 1540 explorer.exe 1540 explorer.exe 1540 explorer.exe 1540 explorer.exe 1540 explorer.exe 1540 explorer.exe 1540 explorer.exe 1540 explorer.exe 1540 explorer.exe 1540 explorer.exe -
Suspicious use of SendNotifyMessage 37 IoCs
pid Process 1648 cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe 1648 cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe 1648 cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe 2312 yzbppvwbfy.exe 2312 yzbppvwbfy.exe 2312 yzbppvwbfy.exe 2728 eacanpdp.exe 2728 eacanpdp.exe 2728 eacanpdp.exe 808 uykpqallraweizr.exe 808 uykpqallraweizr.exe 808 uykpqallraweizr.exe 2804 uthyauxuqlawf.exe 2804 uthyauxuqlawf.exe 2804 uthyauxuqlawf.exe 2904 eacanpdp.exe 2904 eacanpdp.exe 2904 eacanpdp.exe 1540 explorer.exe 1540 explorer.exe 1540 explorer.exe 1540 explorer.exe 1540 explorer.exe 1540 explorer.exe 1540 explorer.exe 1540 explorer.exe 1540 explorer.exe 1540 explorer.exe 1540 explorer.exe 1540 explorer.exe 1540 explorer.exe 1540 explorer.exe 1540 explorer.exe 1540 explorer.exe 1540 explorer.exe 1540 explorer.exe 1540 explorer.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2916 WINWORD.EXE 2916 WINWORD.EXE -
Suspicious use of WriteProcessMemory (28 IoCs)
Each entry: description, source PID and process, target process id.
- PID 1648 wrote to memory of 2312 (1648 cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe, target 31)
- PID 1648 wrote to memory of 2312 (1648 cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe, target 31)
- PID 1648 wrote to memory of 2312 (1648 cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe, target 31)
- PID 1648 wrote to memory of 2312 (1648 cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe, target 31)
- PID 1648 wrote to memory of 808 (1648 cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe, target 32)
- PID 1648 wrote to memory of 808 (1648 cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe, target 32)
- PID 1648 wrote to memory of 808 (1648 cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe, target 32)
- PID 1648 wrote to memory of 808 (1648 cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe, target 32)
- PID 1648 wrote to memory of 2728 (1648 cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe, target 33)
- PID 1648 wrote to memory of 2728 (1648 cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe, target 33)
- PID 1648 wrote to memory of 2728 (1648 cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe, target 33)
- PID 1648 wrote to memory of 2728 (1648 cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe, target 33)
- PID 1648 wrote to memory of 2804 (1648 cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe, target 34)
- PID 1648 wrote to memory of 2804 (1648 cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe, target 34)
- PID 1648 wrote to memory of 2804 (1648 cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe, target 34)
- PID 1648 wrote to memory of 2804 (1648 cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe, target 34)
- PID 2312 wrote to memory of 2904 (2312 yzbppvwbfy.exe, target 35)
- PID 2312 wrote to memory of 2904 (2312 yzbppvwbfy.exe, target 35)
- PID 2312 wrote to memory of 2904 (2312 yzbppvwbfy.exe, target 35)
- PID 2312 wrote to memory of 2904 (2312 yzbppvwbfy.exe, target 35)
- PID 1648 wrote to memory of 2916 (1648 cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe, target 36)
- PID 1648 wrote to memory of 2916 (1648 cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe, target 36)
- PID 1648 wrote to memory of 2916 (1648 cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe, target 36)
- PID 1648 wrote to memory of 2916 (1648 cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe, target 36)
- PID 2916 wrote to memory of 2396 (2916 WINWORD.EXE, target 39)
- PID 2916 wrote to memory of 2396 (2916 WINWORD.EXE, target 39)
- PID 2916 wrote to memory of 2396 (2916 WINWORD.EXE, target 39)
- PID 2916 wrote to memory of 2396 (2916 WINWORD.EXE, target 39)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Process tree depth is given in brackets.
[1] C:\Users\Admin\AppData\Local\Temp\cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe"
    PID: 1648
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\yzbppvwbfy.exe
        Command line: yzbppvwbfy.exe
        PID: 2312
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - Windows security bypass
        - Disables RegEdit via registry modification
        - Executes dropped EXE
        - Loads dropped DLL
        - Windows security modification
        - Enumerates connected drives
        - Modifies WinLogon
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\eacanpdp.exe
            Command line: C:\Windows\system32\eacanpdp.exe
            PID: 2904
            - Executes dropped EXE
            - Enumerates connected drives
            - Drops file in Program Files directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
    [2] C:\Windows\SysWOW64\uykpqallraweizr.exe
        Command line: uykpqallraweizr.exe
        PID: 808
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
    [2] C:\Windows\SysWOW64\eacanpdp.exe
        Command line: eacanpdp.exe
        PID: 2728
        - Executes dropped EXE
        - Enumerates connected drives
        - Drops file in Program Files directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
    [2] C:\Windows\SysWOW64\uthyauxuqlawf.exe
        Command line: uthyauxuqlawf.exe
        PID: 2804
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
    [2] C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
        Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
        PID: 2916
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\splwow64.exe
            Command line: C:\Windows\splwow64.exe 12288
            PID: 2396
[1] C:\Windows\explorer.exe
    Command line: explorer.exe
    PID: 1540
    - Boot or Logon Autostart Execution: Active Setup
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (7)
Downloads