Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/09/2024, 00:39
Static task: static1
Behavioral task: behavioral1
Sample: cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe
Resource: win7-20240704-en
General
Target: cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe
Size: 512KB
MD5: cde469d78e0fb53505b664f337ef3da1
SHA1: 55d26c8e6211812d4b09a44aacb09e19b9d47ff0
SHA256: f78717d667afdba2592ad2c25e71018ddf900e35d2a40f556e9118a85937770c
SHA512: 188e8878de474fb39a816e90995a7f0af6ec3bb026937a572d3d6be2eaf4784870d995b36b16e68a07a9c9ee0d54678c6b8497eea8a2ea1ceebcff74d3480250
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6M:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm55
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | yzbppvwbfy.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | yzbppvwbfy.exe
Windows security bypass 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | yzbppvwbfy.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | yzbppvwbfy.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | yzbppvwbfy.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | yzbppvwbfy.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | yzbppvwbfy.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | yzbppvwbfy.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation | cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe
Executes dropped EXE 5 IoCs
pid | Process
3380 | yzbppvwbfy.exe
3472 | uykpqallraweizr.exe
264 | eacanpdp.exe
1316 | uthyauxuqlawf.exe
1052 | eacanpdp.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | yzbppvwbfy.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | yzbppvwbfy.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | yzbppvwbfy.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | yzbppvwbfy.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | yzbppvwbfy.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | yzbppvwbfy.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vfvimggk = "uykpqallraweizr.exe" | uykpqallraweizr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "uthyauxuqlawf.exe" | uykpqallraweizr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qnjpmxnl = "yzbppvwbfy.exe" | uykpqallraweizr.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\a: | eacanpdp.exe
File opened (read-only) | \??\y: | eacanpdp.exe
File opened (read-only) | \??\h: | eacanpdp.exe
File opened (read-only) | \??\k: | yzbppvwbfy.exe
File opened (read-only) | \??\h: | eacanpdp.exe
File opened (read-only) | \??\p: | eacanpdp.exe
File opened (read-only) | \??\g: | eacanpdp.exe
File opened (read-only) | \??\a: | yzbppvwbfy.exe
File opened (read-only) | \??\q: | yzbppvwbfy.exe
File opened (read-only) | \??\u: | yzbppvwbfy.exe
File opened (read-only) | \??\k: | eacanpdp.exe
File opened (read-only) | \??\j: | yzbppvwbfy.exe
File opened (read-only) | \??\j: | eacanpdp.exe
File opened (read-only) | \??\w: | eacanpdp.exe
File opened (read-only) | \??\g: | yzbppvwbfy.exe
File opened (read-only) | \??\h: | yzbppvwbfy.exe
File opened (read-only) | \??\n: | yzbppvwbfy.exe
File opened (read-only) | \??\z: | yzbppvwbfy.exe
File opened (read-only) | \??\o: | yzbppvwbfy.exe
File opened (read-only) | \??\b: | eacanpdp.exe
File opened (read-only) | \??\l: | eacanpdp.exe
File opened (read-only) | \??\s: | yzbppvwbfy.exe
File opened (read-only) | \??\e: | eacanpdp.exe
File opened (read-only) | \??\u: | eacanpdp.exe
File opened (read-only) | \??\k: | eacanpdp.exe
File opened (read-only) | \??\l: | yzbppvwbfy.exe
File opened (read-only) | \??\q: | eacanpdp.exe
File opened (read-only) | \??\r: | eacanpdp.exe
File opened (read-only) | \??\t: | eacanpdp.exe
File opened (read-only) | \??\x: | eacanpdp.exe
File opened (read-only) | \??\m: | eacanpdp.exe
File opened (read-only) | \??\n: | eacanpdp.exe
File opened (read-only) | \??\r: | eacanpdp.exe
File opened (read-only) | \??\n: | eacanpdp.exe
File opened (read-only) | \??\i: | eacanpdp.exe
File opened (read-only) | \??\a: | eacanpdp.exe
File opened (read-only) | \??\o: | eacanpdp.exe
File opened (read-only) | \??\s: | eacanpdp.exe
File opened (read-only) | \??\t: | eacanpdp.exe
File opened (read-only) | \??\t: | yzbppvwbfy.exe
File opened (read-only) | \??\v: | yzbppvwbfy.exe
File opened (read-only) | \??\l: | eacanpdp.exe
File opened (read-only) | \??\m: | yzbppvwbfy.exe
File opened (read-only) | \??\p: | yzbppvwbfy.exe
File opened (read-only) | \??\m: | eacanpdp.exe
File opened (read-only) | \??\e: | eacanpdp.exe
File opened (read-only) | \??\i: | eacanpdp.exe
File opened (read-only) | \??\p: | eacanpdp.exe
File opened (read-only) | \??\i: | yzbppvwbfy.exe
File opened (read-only) | \??\r: | yzbppvwbfy.exe
File opened (read-only) | \??\x: | yzbppvwbfy.exe
File opened (read-only) | \??\q: | eacanpdp.exe
File opened (read-only) | \??\v: | eacanpdp.exe
File opened (read-only) | \??\e: | yzbppvwbfy.exe
File opened (read-only) | \??\v: | eacanpdp.exe
File opened (read-only) | \??\z: | eacanpdp.exe
File opened (read-only) | \??\j: | eacanpdp.exe
File opened (read-only) | \??\x: | eacanpdp.exe
File opened (read-only) | \??\y: | yzbppvwbfy.exe
File opened (read-only) | \??\z: | eacanpdp.exe
File opened (read-only) | \??\b: | yzbppvwbfy.exe
File opened (read-only) | \??\o: | eacanpdp.exe
File opened (read-only) | \??\s: | eacanpdp.exe
File opened (read-only) | \??\b: | eacanpdp.exe
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | yzbppvwbfy.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | yzbppvwbfy.exe
AutoIT Executable 9 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/4620-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x00080000000234e3-5.dat | autoit_exe
behavioral2/files/0x00090000000234ce-18.dat | autoit_exe
behavioral2/files/0x00070000000234e7-24.dat | autoit_exe
behavioral2/files/0x00070000000234e8-32.dat | autoit_exe
behavioral2/files/0x00070000000234f5-66.dat | autoit_exe
behavioral2/files/0x0007000000023509-98.dat | autoit_exe
behavioral2/files/0x0007000000023509-104.dat | autoit_exe
behavioral2/files/0x0007000000023509-154.dat | autoit_exe
Drops file in System32 directory 13 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\yzbppvwbfy.exe | cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\uykpqallraweizr.exe | cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\uthyauxuqlawf.exe | cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | eacanpdp.exe
File created | C:\Windows\SysWOW64\uthyauxuqlawf.exe | cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | yzbppvwbfy.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | eacanpdp.exe
File created | C:\Windows\SysWOW64\yzbppvwbfy.exe | cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\eacanpdp.exe | cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\eacanpdp.exe | cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\uykpqallraweizr.exe | cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | eacanpdp.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | eacanpdp.exe
Drops file in Program Files directory 15 IoCs
description | ioc | Process
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | eacanpdp.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | eacanpdp.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | eacanpdp.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | eacanpdp.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | eacanpdp.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | eacanpdp.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | eacanpdp.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | eacanpdp.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | eacanpdp.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | eacanpdp.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | eacanpdp.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | eacanpdp.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | eacanpdp.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | eacanpdp.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | eacanpdp.exe
Drops file in Windows directory 19 IoCs
description | ioc | Process
File opened for modification | C:\Windows\mydoc.rtf | cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | eacanpdp.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | eacanpdp.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | eacanpdp.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | eacanpdp.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | eacanpdp.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | eacanpdp.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | eacanpdp.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | eacanpdp.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | eacanpdp.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | eacanpdp.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | eacanpdp.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | eacanpdp.exe
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | eacanpdp.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | eacanpdp.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | eacanpdp.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | eacanpdp.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | uthyauxuqlawf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | eacanpdp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | yzbppvwbfy.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | eacanpdp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | uykpqallraweizr.exe
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class 20 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | yzbppvwbfy.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | yzbppvwbfy.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | yzbppvwbfy.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB7B12B479439E353BFB9D232EAD4BF" | cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193DC60C14E4DAB2B8C97CE3EDE034BB" | cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | yzbppvwbfy.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | yzbppvwbfy.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | yzbppvwbfy.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | yzbppvwbfy.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | yzbppvwbfy.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32352D0D9C5282246D4577D677212CDC7DF165AB" | cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCFF9BDF966F299840E3B40869739E4B38D028A4216033CE1BE45EA09A8" | cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F06BC2FE6E22D8D27DD1A68A0C9166" | cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | yzbppvwbfy.exe
Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings | cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FF4FC83482882189140D65B7E9DBC93E633594B67466242D7E9" | cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | yzbppvwbfy.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | yzbppvwbfy.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | yzbppvwbfy.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
2688 | WINWORD.EXE
2688 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
4620 | cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe
4620 | cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe
4620 | cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe
4620 | cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe
4620 | cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe
4620 | cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe
4620 | cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe
4620 | cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe
4620 | cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe
4620 | cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe
4620 | cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe
4620 | cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe
4620 | cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe
4620 | cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe
4620 | cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe
4620 | cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe
3380 | yzbppvwbfy.exe
3380 | yzbppvwbfy.exe
3380 | yzbppvwbfy.exe
3380 | yzbppvwbfy.exe
3380 | yzbppvwbfy.exe
3380 | yzbppvwbfy.exe
3380 | yzbppvwbfy.exe
3380 | yzbppvwbfy.exe
3380 | yzbppvwbfy.exe
3380 | yzbppvwbfy.exe
264 | eacanpdp.exe
264 | eacanpdp.exe
264 | eacanpdp.exe
264 | eacanpdp.exe
264 | eacanpdp.exe
264 | eacanpdp.exe
264 | eacanpdp.exe
264 | eacanpdp.exe
3472 | uykpqallraweizr.exe
3472 | uykpqallraweizr.exe
3472 | uykpqallraweizr.exe
3472 | uykpqallraweizr.exe
3472 | uykpqallraweizr.exe
3472 | uykpqallraweizr.exe
3472 | uykpqallraweizr.exe
3472 | uykpqallraweizr.exe
3472 | uykpqallraweizr.exe
3472 | uykpqallraweizr.exe
1316 | uthyauxuqlawf.exe
1316 | uthyauxuqlawf.exe
1316 | uthyauxuqlawf.exe
1316 | uthyauxuqlawf.exe
1316 | uthyauxuqlawf.exe
1316 | uthyauxuqlawf.exe
1316 | uthyauxuqlawf.exe
1316 | uthyauxuqlawf.exe
1316 | uthyauxuqlawf.exe
1316 | uthyauxuqlawf.exe
1316 | uthyauxuqlawf.exe
1316 | uthyauxuqlawf.exe
1052 | eacanpdp.exe
1052 | eacanpdp.exe
1052 | eacanpdp.exe
1052 | eacanpdp.exe
1052 | eacanpdp.exe
1052 | eacanpdp.exe
1052 | eacanpdp.exe
1052 | eacanpdp.exe
Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process
4620 | cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe
4620 | cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe
4620 | cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe
3380 | yzbppvwbfy.exe
3380 | yzbppvwbfy.exe
3380 | yzbppvwbfy.exe
3472 | uykpqallraweizr.exe
264 | eacanpdp.exe
3472 | uykpqallraweizr.exe
264 | eacanpdp.exe
264 | eacanpdp.exe
3472 | uykpqallraweizr.exe
1316 | uthyauxuqlawf.exe
1316 | uthyauxuqlawf.exe
1316 | uthyauxuqlawf.exe
1052 | eacanpdp.exe
1052 | eacanpdp.exe
1052 | eacanpdp.exe
Suspicious use of SendNotifyMessage 18 IoCs
pid | Process
4620 | cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe
4620 | cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe
4620 | cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe
3380 | yzbppvwbfy.exe
3380 | yzbppvwbfy.exe
3380 | yzbppvwbfy.exe
3472 | uykpqallraweizr.exe
264 | eacanpdp.exe
3472 | uykpqallraweizr.exe
264 | eacanpdp.exe
264 | eacanpdp.exe
3472 | uykpqallraweizr.exe
1316 | uthyauxuqlawf.exe
1316 | uthyauxuqlawf.exe
1316 | uthyauxuqlawf.exe
1052 | eacanpdp.exe
1052 | eacanpdp.exe
1052 | eacanpdp.exe
Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process
2688 | WINWORD.EXE
2688 | WINWORD.EXE
2688 | WINWORD.EXE
2688 | WINWORD.EXE
2688 | WINWORD.EXE
2688 | WINWORD.EXE
2688 | WINWORD.EXE
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 4620 wrote to memory of 3380 | 4620 | cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe | 85
PID 4620 wrote to memory of 3380 | 4620 | cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe | 85
PID 4620 wrote to memory of 3380 | 4620 | cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe | 85
PID 4620 wrote to memory of 3472 | 4620 | cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe | 86
PID 4620 wrote to memory of 3472 | 4620 | cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe | 86
PID 4620 wrote to memory of 3472 | 4620 | cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe | 86
PID 4620 wrote to memory of 264 | 4620 | cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe | 87
PID 4620 wrote to memory of 264 | 4620 | cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe | 87
PID 4620 wrote to memory of 264 | 4620 | cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe | 87
PID 4620 wrote to memory of 1316 | 4620 | cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe | 88
PID 4620 wrote to memory of 1316 | 4620 | cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe | 88
PID 4620 wrote to memory of 1316 | 4620 | cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe | 88
PID 4620 wrote to memory of 2688 | 4620 | cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe | 89
PID 4620 wrote to memory of 2688 | 4620 | cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe | 89
PID 3380 wrote to memory of 1052 | 3380 | yzbppvwbfy.exe | 91
PID 3380 wrote to memory of 1052 | 3380 | yzbppvwbfy.exe | 91
PID 3380 wrote to memory of 1052 | 3380 | yzbppvwbfy.exe | 91
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\cde469d78e0fb53505b664f337ef3da1_JaffaCakes118.exe"
  PID: 4620
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  [depth 2] C:\Windows\SysWOW64\yzbppvwbfy.exe
    Command line: yzbppvwbfy.exe
    PID: 3380
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    [depth 3] C:\Windows\SysWOW64\eacanpdp.exe
      Command line: C:\Windows\system32\eacanpdp.exe
      PID: 1052
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  [depth 2] C:\Windows\SysWOW64\uykpqallraweizr.exe
    Command line: uykpqallraweizr.exe
    PID: 3472
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  [depth 2] C:\Windows\SysWOW64\eacanpdp.exe
    Command line: eacanpdp.exe
    PID: 264
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  [depth 2] C:\Windows\SysWOW64\uthyauxuqlawf.exe
    Command line: uthyauxuqlawf.exe
    PID: 1316
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  [depth 2] C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    PID: 2688
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads
Filesize: 512KB
MD5: 3099cb2a85c12904da45b1863b568272
SHA1: db32528b1c2b83530c50d7dd0ba9e231f62d56c2
SHA256: 77a5057f0cac740d264a7a07d6bb68e3eb8f287e9339f7edcbfcf52ddbb9b336
SHA512: 28829e542693b2131aca41430cb2268c602e287e1a343d4207bc3db19324e9f88213cbd204627662b37508125be05a1c2aa0423e77fcec88f0b16d3232efedb3
-
Filesize: 262KB
MD5: 51d32ee5bc7ab811041f799652d26e04
SHA1: 412193006aa3ef19e0a57e16acf86b830993024a
SHA256: 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA512: 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810
-
Filesize: 337B
MD5: e3a8122df01b6286084467da799536cb
SHA1: 13f1cd83ce52247ba0e7a09796e6209c8aa1d4d6
SHA256: 968f008ab974338c26ae030707d72fad8b5ec0f867551152bd9e59d11a91230b
SHA512: 5945933be3729c19cf5688b01dc13ccad0bf6c8966e60089909c044e953dc471e5f0fe52d04ffc79ba6e5bb5e8d415b4df274b1ea801bcab984ab7f5af148c3d
-
Filesize: 16B
MD5: d29962abc88624befc0135579ae485ec
SHA1: e40a6458296ec6a2427bcb280572d023a9862b31
SHA256: a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866
SHA512: 4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 1KB
MD5: 153aad456c010ef74f0c58578b62b74d
SHA1: c5a5b356f61f56b1dffc98ec171ec9099f455ef5
SHA256: 3f082879c2bcdefea8c457942a13e71de6859aebe465709b28489f8aad385756
SHA512: 158064f86c95b1fa468922052c1892e28936b026c34fbd6ab3421bc8e49bc5ec935358261de53fafa0dc31030e9c58340069e975417261beb20fe19ac65d5888
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 1KB
MD5: 49a7c0f2a0b1bffcb25111ec3005b675
SHA1: 99a5f3136319f3aff0da52c084c1189240733f87
SHA256: 38bcc01d7e6c6fcdd0a92aaa355f3dc6f808609b9cac6c5520613c8d505f1f0a
SHA512: 360927ee86d67b3dc6b97121fe01fcefbafb04be9360d90380cc339348d476bb371aefb069bcf6bf178ecf544e18c0a2d50c944fc747d5ca95b17e0f1b1507b6
-
Filesize: 512KB
MD5: b3179b725d220ea3616383268fc69fd4
SHA1: 8e804e8fa2c874e848c1e94b3d6d8774758083c7
SHA256: 2c1c97f46845f5066e5691cf2cef977344dd23d3283d8a2f3aa0b59f65c7bc1d
SHA512: 0e8350333f61d224c9d0fc29786c7eaaeff2165bfc0f0c63800598b205abcab288c8efe19cddbdbd51b7a3943aeb2e991fcfc14ae4ac75c877c2fc133dee0d6a
-
Filesize: 512KB
MD5: e0f2ee3e7c34814745ab1c6009aa0a32
SHA1: 82496cdeaa0864acdaaf02c2cef4bd3d469b554c
SHA256: b7444599b0990736ab39c627bdc5622f1656bf80fe9bf35c115dee836ec63624
SHA512: f80587037c0a8c4d8da2993e2d1275e1c57c5b79c6209a7e48ab4dab229068f5b9dce69ba34a4abf4f09590a7460b39f9c147e4142d011a6fb067eb2698b0624
-
Filesize: 512KB
MD5: 33dc18be7fe743c29201a2f1f7676f46
SHA1: 29b4d5f1fc78f311bdc11412760bb8713669424f
SHA256: 5b2cc96c7f74983b57a72d82fd647123b10e1402f0c7b5a25b2abf7503590983
SHA512: 3ca719887ce381dbf37ad2c9edfdbf877245afe34d58d14a7d4baa9b6289fcff484f24ff72655ad849644af4fcaf01ab41727daeaf3c8fe14a87bdbe566fb341
-
Filesize: 512KB
MD5: 3529e70a95ac71f124f4c4d92266a89f
SHA1: c597af5366c0d652ed799cd24350b3b963e2dd70
SHA256: 1cb9de4880009035635a0c20ad08d481adc8bc68eef20923ee8acdb31d1ce336
SHA512: f17f74e5e4c565b9766d7d65edbb816f0d5a5593cc0ffd4634032ca615e8ebab156fa772f7919b018a99f083009b4e2932aaacc17f6c11d38731ea3397791f97
-
Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
Filesize: 512KB
MD5: 131329131156a412ec2c9bf87e05534e
SHA1: 489662c2875dcab4e128647d58b4e68fe8f5e8d0
SHA256: 0af410353ba5cfa1a9cf093eb89f01c897eed7f53c085c24a6e998bd45c44e1f
SHA512: 6bfda65b50560c1741f88ddc3799a1eb65d0ae0e07191db757de938970ad43c7ec6187c630339c5cd31cfccf7afb3a430b3426062388356525c4ffcd7746b3b2
-
Filesize: 512KB
MD5: cd8631ee17d4f97b6edc2ced2ba12710
SHA1: 57aedade5555f386e0b1b644eef176cfa2198ae0
SHA256: 5d5114b29907135151b9d35bdbe5410e59f90dc557823aff92ae141a72233b9f
SHA512: 8766f99eea52a5b66eec628fef16b351efe63d5a668d965929732e83b26ca83ae0ce4b4f666a019355ba2818d20861503fb6f3b21094fca240b3f774f57df19f
-
Filesize: 512KB
MD5: ca67e7596b3e07c91646a43e829fa64f
SHA1: 687251b7a099ad22626c77bb1b29f39443b4afe8
SHA256: 382fbf285f90fd8bae81933dc070437f22380cc2ddbfe68a38899852ee706445
SHA512: 739f4d5fcec5154d76755e4632252ab9232d9f5d3a804b9ddc06c4c740780e36ca69baf474077de029e323e8e7bbb41618544011a5d2caf4b36388dd6a5cf0b8