Analysis
- max time kernel: 149s
- max time network: 136s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-09-2024 01:46
Static task: static1
Behavioral task: behavioral1
Sample: cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
Resource: win7-20240704-en
General
- Target: cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
- Size: 512KB
- MD5: cdfaabe544a4b3a1fe3574561932bc46
- SHA1: 498fd62df89689b03593876b19b1bd317ce375c6
- SHA256: d7231c9941f8b195f8e380c7f44b5bd114e46ba5afaf67b3b01a3d4ac7f40291
- SHA512: 42f4bcb4db36167256991c1859ead01eec56784bbf3ccf0ae8d109ff3f6d2774970c4376c3146228d819fe9ea3aa339647ae0719dbe8e60b6a7b6e0f4ae652f5
- SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6t:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5M
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | rxahzcystx.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | rxahzcystx.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | rxahzcystx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | rxahzcystx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | rxahzcystx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | rxahzcystx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | rxahzcystx.exe
Disables RegEdit via registry modification (1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | rxahzcystx.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
Executes dropped EXE (5 IoCs)
pid | Process
3516 | rxahzcystx.exe
1788 | ghtvvikwwqkmezo.exe
2548 | cmrncpov.exe
4032 | arnaefqcdxkpa.exe
2244 | cmrncpov.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | rxahzcystx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | rxahzcystx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | rxahzcystx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | rxahzcystx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | rxahzcystx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | rxahzcystx.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vmyfpjvx = "rxahzcystx.exe" | ghtvvikwwqkmezo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\zguohwuj = "ghtvvikwwqkmezo.exe" | ghtvvikwwqkmezo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "arnaefqcdxkpa.exe" | ghtvvikwwqkmezo.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\y: | rxahzcystx.exe
File opened (read-only) | \??\t: | cmrncpov.exe
File opened (read-only) | \??\j: | cmrncpov.exe
File opened (read-only) | \??\k: | cmrncpov.exe
File opened (read-only) | \??\n: | rxahzcystx.exe
File opened (read-only) | \??\r: | rxahzcystx.exe
File opened (read-only) | \??\p: | cmrncpov.exe
File opened (read-only) | \??\r: | cmrncpov.exe
File opened (read-only) | \??\i: | cmrncpov.exe
File opened (read-only) | \??\m: | cmrncpov.exe
File opened (read-only) | \??\i: | rxahzcystx.exe
File opened (read-only) | \??\m: | cmrncpov.exe
File opened (read-only) | \??\b: | cmrncpov.exe
File opened (read-only) | \??\l: | cmrncpov.exe
File opened (read-only) | \??\o: | cmrncpov.exe
File opened (read-only) | \??\u: | rxahzcystx.exe
File opened (read-only) | \??\e: | cmrncpov.exe
File opened (read-only) | \??\i: | cmrncpov.exe
File opened (read-only) | \??\s: | rxahzcystx.exe
File opened (read-only) | \??\r: | cmrncpov.exe
File opened (read-only) | \??\q: | rxahzcystx.exe
File opened (read-only) | \??\n: | cmrncpov.exe
File opened (read-only) | \??\q: | cmrncpov.exe
File opened (read-only) | \??\e: | rxahzcystx.exe
File opened (read-only) | \??\v: | rxahzcystx.exe
File opened (read-only) | \??\a: | cmrncpov.exe
File opened (read-only) | \??\g: | cmrncpov.exe
File opened (read-only) | \??\s: | cmrncpov.exe
File opened (read-only) | \??\y: | cmrncpov.exe
File opened (read-only) | \??\m: | rxahzcystx.exe
File opened (read-only) | \??\l: | rxahzcystx.exe
File opened (read-only) | \??\j: | cmrncpov.exe
File opened (read-only) | \??\w: | cmrncpov.exe
File opened (read-only) | \??\h: | rxahzcystx.exe
File opened (read-only) | \??\o: | cmrncpov.exe
File opened (read-only) | \??\x: | cmrncpov.exe
File opened (read-only) | \??\p: | rxahzcystx.exe
File opened (read-only) | \??\s: | cmrncpov.exe
File opened (read-only) | \??\e: | cmrncpov.exe
File opened (read-only) | \??\v: | cmrncpov.exe
File opened (read-only) | \??\z: | cmrncpov.exe
File opened (read-only) | \??\k: | rxahzcystx.exe
File opened (read-only) | \??\w: | rxahzcystx.exe
File opened (read-only) | \??\x: | rxahzcystx.exe
File opened (read-only) | \??\h: | cmrncpov.exe
File opened (read-only) | \??\x: | cmrncpov.exe
File opened (read-only) | \??\b: | rxahzcystx.exe
File opened (read-only) | \??\g: | cmrncpov.exe
File opened (read-only) | \??\y: | cmrncpov.exe
File opened (read-only) | \??\t: | rxahzcystx.exe
File opened (read-only) | \??\n: | cmrncpov.exe
File opened (read-only) | \??\v: | cmrncpov.exe
File opened (read-only) | \??\b: | cmrncpov.exe
File opened (read-only) | \??\z: | rxahzcystx.exe
File opened (read-only) | \??\l: | cmrncpov.exe
File opened (read-only) | \??\w: | cmrncpov.exe
File opened (read-only) | \??\z: | cmrncpov.exe
File opened (read-only) | \??\p: | cmrncpov.exe
File opened (read-only) | \??\j: | rxahzcystx.exe
File opened (read-only) | \??\q: | cmrncpov.exe
File opened (read-only) | \??\u: | cmrncpov.exe
File opened (read-only) | \??\u: | cmrncpov.exe
File opened (read-only) | \??\a: | rxahzcystx.exe
File opened (read-only) | \??\o: | rxahzcystx.exe
Modifies WinLogon (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | rxahzcystx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | rxahzcystx.exe
AutoIT Executable (11 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/1808-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x000700000002345a-6.dat | autoit_exe
behavioral2/files/0x0008000000023456-18.dat | autoit_exe
behavioral2/files/0x000700000002345b-26.dat | autoit_exe
behavioral2/files/0x000700000002345c-32.dat | autoit_exe
behavioral2/files/0x0008000000023434-65.dat | autoit_exe
behavioral2/files/0x0003000000022921-71.dat | autoit_exe
behavioral2/files/0x000700000002346f-79.dat | autoit_exe
behavioral2/files/0x0007000000023470-84.dat | autoit_exe
behavioral2/files/0x000700000002347e-106.dat | autoit_exe
behavioral2/files/0x000700000002347e-210.dat | autoit_exe
Drops file in System32 directory (12 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\cmrncpov.exe | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | cmrncpov.exe
File created | C:\Windows\SysWOW64\rxahzcystx.exe | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\rxahzcystx.exe | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\ghtvvikwwqkmezo.exe | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\ghtvvikwwqkmezo.exe | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | cmrncpov.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | cmrncpov.exe
File created | C:\Windows\SysWOW64\cmrncpov.exe | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\arnaefqcdxkpa.exe | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\arnaefqcdxkpa.exe | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | rxahzcystx.exe
Drops file in Program Files directory (14 IoCs)
description | ioc | Process
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | cmrncpov.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | cmrncpov.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | cmrncpov.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | cmrncpov.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | cmrncpov.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | cmrncpov.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | cmrncpov.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | cmrncpov.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | cmrncpov.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | cmrncpov.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | cmrncpov.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | cmrncpov.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | cmrncpov.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | cmrncpov.exe
Drops file in Windows directory (19 IoCs)
description | ioc | Process
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | cmrncpov.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | cmrncpov.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | cmrncpov.exe
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | cmrncpov.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | cmrncpov.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | cmrncpov.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | cmrncpov.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | cmrncpov.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | cmrncpov.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | cmrncpov.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | cmrncpov.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | cmrncpov.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | cmrncpov.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | cmrncpov.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | cmrncpov.exe
File opened for modification | C:\Windows\mydoc.rtf | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | cmrncpov.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rxahzcystx.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ghtvvikwwqkmezo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmrncpov.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | arnaefqcdxkpa.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmrncpov.exe
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class (20 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | rxahzcystx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | rxahzcystx.exe
Key created | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AC9FABCFE10F2E4840F3B3186E93E96B388038A4363034FE1CB45EA08A5" | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | rxahzcystx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | rxahzcystx.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | rxahzcystx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | rxahzcystx.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F76BB8FF6D21DED10BD0A48B7F9062" | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "194AC60F14E7DAB4B8CC7FE3ECE234BC" | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | rxahzcystx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E89FCFC482E8569913DD7217E94BDEEE13658306735623ED7EC" | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB1B15C449739EC53CDB9D2329AD4B9" | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | rxahzcystx.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | rxahzcystx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | rxahzcystx.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | rxahzcystx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | rxahzcystx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32412D0B9C5783576D3676D3772F2DDD7CF365A8" | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid | Process
1096 | WINWORD.EXE
1096 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
1808 | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
1808 | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
1808 | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
1808 | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
1808 | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
1808 | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
1808 | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
1808 | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
1808 | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
1808 | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
1808 | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
1808 | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
1808 | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
1808 | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
1808 | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
1808 | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
3516 | rxahzcystx.exe
3516 | rxahzcystx.exe
3516 | rxahzcystx.exe
3516 | rxahzcystx.exe
3516 | rxahzcystx.exe
3516 | rxahzcystx.exe
3516 | rxahzcystx.exe
3516 | rxahzcystx.exe
3516 | rxahzcystx.exe
3516 | rxahzcystx.exe
1788 | ghtvvikwwqkmezo.exe
1788 | ghtvvikwwqkmezo.exe
1788 | ghtvvikwwqkmezo.exe
1788 | ghtvvikwwqkmezo.exe
1788 | ghtvvikwwqkmezo.exe
1788 | ghtvvikwwqkmezo.exe
1788 | ghtvvikwwqkmezo.exe
1788 | ghtvvikwwqkmezo.exe
1788 | ghtvvikwwqkmezo.exe
1788 | ghtvvikwwqkmezo.exe
4032 | arnaefqcdxkpa.exe
4032 | arnaefqcdxkpa.exe
4032 | arnaefqcdxkpa.exe
4032 | arnaefqcdxkpa.exe
4032 | arnaefqcdxkpa.exe
4032 | arnaefqcdxkpa.exe
4032 | arnaefqcdxkpa.exe
4032 | arnaefqcdxkpa.exe
4032 | arnaefqcdxkpa.exe
4032 | arnaefqcdxkpa.exe
4032 | arnaefqcdxkpa.exe
4032 | arnaefqcdxkpa.exe
2548 | cmrncpov.exe
2548 | cmrncpov.exe
2548 | cmrncpov.exe
2548 | cmrncpov.exe
2548 | cmrncpov.exe
2548 | cmrncpov.exe
2548 | cmrncpov.exe
2548 | cmrncpov.exe
1788 | ghtvvikwwqkmezo.exe
1788 | ghtvvikwwqkmezo.exe
2244 | cmrncpov.exe
2244 | cmrncpov.exe
2244 | cmrncpov.exe
2244 | cmrncpov.exe
2244 | cmrncpov.exe
2244 | cmrncpov.exe
Suspicious use of FindShellTrayWindow (18 IoCs)
pid | Process
1808 | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
1808 | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
1808 | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
3516 | rxahzcystx.exe
3516 | rxahzcystx.exe
3516 | rxahzcystx.exe
1788 | ghtvvikwwqkmezo.exe
1788 | ghtvvikwwqkmezo.exe
1788 | ghtvvikwwqkmezo.exe
2548 | cmrncpov.exe
2548 | cmrncpov.exe
2548 | cmrncpov.exe
4032 | arnaefqcdxkpa.exe
4032 | arnaefqcdxkpa.exe
4032 | arnaefqcdxkpa.exe
2244 | cmrncpov.exe
2244 | cmrncpov.exe
2244 | cmrncpov.exe
Suspicious use of SendNotifyMessage (18 IoCs)
pid | Process
1808 | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
1808 | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
1808 | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
3516 | rxahzcystx.exe
3516 | rxahzcystx.exe
3516 | rxahzcystx.exe
1788 | ghtvvikwwqkmezo.exe
1788 | ghtvvikwwqkmezo.exe
1788 | ghtvvikwwqkmezo.exe
2548 | cmrncpov.exe
2548 | cmrncpov.exe
2548 | cmrncpov.exe
4032 | arnaefqcdxkpa.exe
4032 | arnaefqcdxkpa.exe
4032 | arnaefqcdxkpa.exe
2244 | cmrncpov.exe
2244 | cmrncpov.exe
2244 | cmrncpov.exe
Suspicious use of SetWindowsHookEx (7 IoCs)
pid | Process
1096 | WINWORD.EXE
1096 | WINWORD.EXE
1096 | WINWORD.EXE
1096 | WINWORD.EXE
1096 | WINWORD.EXE
1096 | WINWORD.EXE
1096 | WINWORD.EXE
Suspicious use of WriteProcessMemory (17 IoCs)
description | pid | Process | procid_target
PID 1808 wrote to memory of 3516 | 1808 | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe | 84
PID 1808 wrote to memory of 3516 | 1808 | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe | 84
PID 1808 wrote to memory of 3516 | 1808 | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe | 84
PID 1808 wrote to memory of 1788 | 1808 | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe | 85
PID 1808 wrote to memory of 1788 | 1808 | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe | 85
PID 1808 wrote to memory of 1788 | 1808 | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe | 85
PID 1808 wrote to memory of 2548 | 1808 | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe | 86
PID 1808 wrote to memory of 2548 | 1808 | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe | 86
PID 1808 wrote to memory of 2548 | 1808 | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe | 86
PID 1808 wrote to memory of 4032 | 1808 | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe | 87
PID 1808 wrote to memory of 4032 | 1808 | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe | 87
PID 1808 wrote to memory of 4032 | 1808 | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe | 87
PID 3516 wrote to memory of 2244 | 3516 | rxahzcystx.exe | 88
PID 3516 wrote to memory of 2244 | 3516 | rxahzcystx.exe | 88
PID 3516 wrote to memory of 2244 | 3516 | rxahzcystx.exe | 88
PID 1808 wrote to memory of 1096 | 1808 | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe | 89
PID 1808 wrote to memory of 1096 | 1808 | cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe | 89
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe"
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 1808

  Level 2: C:\Windows\SysWOW64\rxahzcystx.exe
  Command line: rxahzcystx.exe
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 3516

    Level 3: C:\Windows\SysWOW64\cmrncpov.exe
    Command line: C:\Windows\system32\cmrncpov.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 2244

  Level 2: C:\Windows\SysWOW64\ghtvvikwwqkmezo.exe
  Command line: ghtvvikwwqkmezo.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 1788

  Level 2: C:\Windows\SysWOW64\cmrncpov.exe
  Command line: cmrncpov.exe
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 2548

  Level 2: C:\Windows\SysWOW64\arnaefqcdxkpa.exe
  Command line: arnaefqcdxkpa.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 4032

  Level 2: C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
  - Drops file in Windows directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID: 1096
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads