Analysis

max time kernel: 150s
max time network: 127s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/09/2024, 22:20

Static task: static1
Behavioral task: behavioral1
Sample: d0901274aa7c321903124f1ad9096c69_JaffaCakes118.exe
Resource: win7-20240729-en

General

Target: d0901274aa7c321903124f1ad9096c69_JaffaCakes118.exe
Size: 512KB
MD5: d0901274aa7c321903124f1ad9096c69
SHA1: a54ef8d4ac46693775d0c4eb8dc79bef055d22be
SHA256: 2d96443c35b8d0c00d70e6bc92bcd3d23ef4bfed55397b8957d0e126517da59b
SHA512: 6c744c9e1c852bdc72029eeb78cb3ee931a646b487ca657c36e88f3c2efd0686809174be8c42906516e08fd45b012578ece6e8b2d2ff87e70ce906305b06b5ab
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6L:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5G
Malware Config

Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
With HideFileExt set, Explorer hides the final extension of known file types, so the files this run drops as MsoIrmProtector.doc.exe, PROTTPLV.DOC.exe and PROTTPLN.DOC.exe (see the "Drops file" sections below) are displayed to the user as .doc files.
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | tzgprkmzcw.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | tzgprkmzcw.exe

Windows security bypass (5 IoCs)
These are the legacy Security Center notification and override values, written under WOW6432Node because tzgprkmzcw.exe is a 32-bit process. They suppress the "no antivirus / firewall / updates" status notifications and override the reported protection state; they do not switch Defender or the firewall off by themselves.
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | tzgprkmzcw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | tzgprkmzcw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | tzgprkmzcw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | tzgprkmzcw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | tzgprkmzcw.exe
Disables RegEdit via registry modification (1 IoC)
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | tzgprkmzcw.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | d0901274aa7c321903124f1ad9096c69_JaffaCakes118.exe
Executes dropped EXE (5 IoCs)
pid | process
3924 | tzgprkmzcw.exe
408 | jsumvruwkvxybas.exe
4912 | yemuiltw.exe
1528 | kgbualpffaclp.exe
4216 | yemuiltw.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification (6 IoCs)
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | tzgprkmzcw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | tzgprkmzcw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | tzgprkmzcw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | tzgprkmzcw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | tzgprkmzcw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | tzgprkmzcw.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
All three values are written by jsumvruwkvxybas.exe and contain bare file names with no path; the second value has an empty value name.
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\hvysfyre = "jsumvruwkvxybas.exe" | jsumvruwkvxybas.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "kgbualpffaclp.exe" | jsumvruwkvxybas.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ljphwffs = "tzgprkmzcw.exe" | jsumvruwkvxybas.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive. The 64 entries shown are grouped by process below.
description | ioc | process
File opened (read-only) | \??\a: \??\b: \??\e: \??\g: \??\h: \??\i: \??\j: \??\k: \??\n: \??\o: \??\p: \??\q: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: (20 entries, one per letter) | tzgprkmzcw.exe
File opened (read-only) | \??\b: \??\e: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\o: \??\p: \??\q: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z: (44 entries, each letter twice) | yemuiltw.exe
Modifies WinLogon (2 TTPs, 2 IoCs)
SFCDisable = 4294967197 is 0xFFFFFF9D, the value that switched off Windows File Protection on Windows 2000/XP. Windows Resource Protection on later versions does not honour it, so on this Windows 10 target the write is a fingerprint of legacy tooling rather than an effective bypass. The ATT&CK table below maps these Winlogon writes to Winlogon Helper DLL, although the values touched are SFC switches rather than Shell or Userinit entries.
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | tzgprkmzcw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | tzgprkmzcw.exe
AutoIT Executable (11 IoCs)
AutoIT scripts compiled to PE executables. The rule matches the memory image of the original sample (PID 628) and ten dropped files.
resource | yara_rule
behavioral2/memory/628-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x0007000000023435-5.dat | autoit_exe
behavioral2/files/0x0008000000023431-18.dat | autoit_exe
behavioral2/files/0x0007000000023437-31.dat | autoit_exe
behavioral2/files/0x0007000000023436-26.dat | autoit_exe
behavioral2/files/0x000800000002341e-66.dat | autoit_exe
behavioral2/files/0x0007000000023443-69.dat | autoit_exe
behavioral2/files/0x0008000000023448-81.dat | autoit_exe
behavioral2/files/0x0007000000023449-87.dat | autoit_exe
behavioral2/files/0x0007000000023451-102.dat | autoit_exe
behavioral2/files/0x0007000000023451-107.dat | autoit_exe
Drops file in System32 directory (12 IoCs)
description | ioc | process
File created | C:\Windows\SysWOW64\tzgprkmzcw.exe | d0901274aa7c321903124f1ad9096c69_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\jsumvruwkvxybas.exe | d0901274aa7c321903124f1ad9096c69_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\jsumvruwkvxybas.exe | d0901274aa7c321903124f1ad9096c69_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\yemuiltw.exe | d0901274aa7c321903124f1ad9096c69_JaffaCakes118.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | yemuiltw.exe
File opened for modification | C:\Windows\SysWOW64\tzgprkmzcw.exe | d0901274aa7c321903124f1ad9096c69_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\yemuiltw.exe | d0901274aa7c321903124f1ad9096c69_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\kgbualpffaclp.exe | d0901274aa7c321903124f1ad9096c69_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\kgbualpffaclp.exe | d0901274aa7c321903124f1ad9096c69_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | tzgprkmzcw.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | yemuiltw.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | yemuiltw.exe
Drops file in Program Files directory (15 IoCs)
description | ioc | process
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | yemuiltw.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | yemuiltw.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | yemuiltw.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | yemuiltw.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | yemuiltw.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | yemuiltw.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | yemuiltw.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | yemuiltw.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | yemuiltw.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | yemuiltw.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | yemuiltw.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | yemuiltw.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | yemuiltw.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | yemuiltw.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | yemuiltw.exe
Drops file in Windows directory (19 IoCs)
description | ioc | process
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | yemuiltw.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | yemuiltw.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | yemuiltw.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | yemuiltw.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | yemuiltw.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | yemuiltw.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | yemuiltw.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | yemuiltw.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | yemuiltw.exe
File opened for modification | C:\Windows\mydoc.rtf | d0901274aa7c321903124f1ad9096c69_JaffaCakes118.exe
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | yemuiltw.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | yemuiltw.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | yemuiltw.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | yemuiltw.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | yemuiltw.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | yemuiltw.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | yemuiltw.exe
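Two things in the three "Drops file" sections above deserve an automatic check: executables named like documents (MsoIrmProtector.doc.exe, PROTTPLV.DOC.exe, PROTTPLN.DOC.exe), which Explorer shows without the trailing .exe once HideFileExt is set, and writes into System32/SysWOW64/WinSxS/Program Files by processes that are not installers. The Python below is an added example, not code from the sandbox or from this report: it parses "File created" / "File opened for modification" rows in the report's own run-together format and applies both heuristics. The sample rows are copied from this page; the list of document extensions and the protected directory prefixes are my own choices, not something the report defines.

```python
"""Added example (not part of the sandbox report or its tooling).

Triage the 'File created' / 'File opened for modification' rows from a
flattened sandbox report for two patterns:
  1. document-name masquerades such as MsoIrmProtector.doc.exe, which Explorer
     renders as 'MsoIrmProtector.doc' once HideFileExt = 1;
  2. writes into System32 / SysWOW64 / WinSxS / Program Files.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Document-like extensions and executable extensions used for the double-extension
# heuristic; this list is an assumption of the example, not taken from the report.
DOC_EXTS = ('doc', 'docx', 'rtf', 'xls', 'xlsx', 'ppt', 'pptx', 'pdf', 'txt')
DOUBLE_EXT_RE = re.compile(r'\.(' + '|'.join(DOC_EXTS) + r')\.(exe|scr|com|pif)$', re.IGNORECASE)

# Directories a non-installer process has no business writing into (assumption).
PROTECTED_PREFIXES = (
    'c:\\windows\\system32\\', 'c:\\windows\\syswow64\\', 'c:\\windows\\winsxs\\',
    'c:\\program files\\', 'c:\\program files (x86)\\',
)

# One report row: 'File <op> <path with spaces> <process>'. The process name is the
# last whitespace-free token, so a greedy path group followed by \S+$ splits it off.
ROW_RE = re.compile(r'File (?P<op>created|opened for modification) (?P<path>.+) (?P<process>\S+)$')


@dataclass(frozen=True)
class Finding:
    kind: str      # 'double-extension' or 'system-dir-write'
    op: str
    path: str
    process: str


def parse_rows(text):
    """Split run-together report text at each 'File ...' record and parse it."""
    rows = []
    for chunk in re.split(r'(?=File (?:created|opened for modification) )', text):
        m = ROW_RE.match(chunk.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def normalize(path):
    """Drop the NT '\\??\\' device prefix the sandbox sometimes prints, lower-case the rest."""
    if path.startswith('\\??\\'):
        path = path[4:]
    return path.lower()


def displayed_name(path):
    """Name Explorer shows with HideFileExt = 1: only the final extension is hidden."""
    name = path.replace('/', '\\').rsplit('\\', 1)[-1]
    return name.rsplit('.', 1)[0] if '.' in name else name


def analyze(rows):
    findings = []
    for r in rows:
        p = normalize(r['path'])
        if DOUBLE_EXT_RE.search(p):
            findings.append(Finding('double-extension', r['op'], r['path'], r['process']))
        if p.startswith(PROTECTED_PREFIXES):
            findings.append(Finding('system-dir-write', r['op'], r['path'], r['process']))
    return findings


def count_by_kind(findings):
    return dict(Counter(f.kind for f in findings))


def count_by_process(findings):
    return dict(Counter(f.process for f in findings))


# Rows copied from this report (the last two are Word's own activity and are
# expected not to fire).
SAMPLE_ROWS = ' '.join([
    r'File created C:\Windows\SysWOW64\tzgprkmzcw.exe d0901274aa7c321903124f1ad9096c69_JaffaCakes118.exe',
    r'File opened for modification C:\Windows\SysWOW64\msvbvm60.dll tzgprkmzcw.exe',
    r'File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe yemuiltw.exe',
    r'File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe yemuiltw.exe',
    r'File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal yemuiltw.exe',
    r'File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe yemuiltw.exe',
    r'File created C:\Windows\~$mydoc.rtf WINWORD.EXE',
    r'File opened for modification C:\Windows\mydoc.rtf d0901274aa7c321903124f1ad9096c69_JaffaCakes118.exe',
])

if __name__ == '__main__':
    results = analyze(parse_rows(SAMPLE_ROWS))
    for f in results:
        shown = f' (shown as "{displayed_name(f.path)}")' if f.kind == 'double-extension' else ''
        print(f'{f.kind:<17} {f.process:<52} {f.path}{shown}')
    print(count_by_kind(results), count_by_process(results))
```

On the rows above the double-extension check fires on every MsoIrmProtector.doc.exe and PROTTPLV.DOC.exe record while the Word lock file and the decoy document pass clean; the system-directory check also catches the modification of msvbvm60.dll, which is a legitimate runtime being overwritten rather than a new drop.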
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d0901274aa7c321903124f1ad9096c69_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tzgprkmzcw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | jsumvruwkvxybas.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | yemuiltw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | kgbualpffaclp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | yemuiltw.exe
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments. Here all three reads come from WINWORD.EXE, i.e. Word's own start-up, not from the sample or the files it dropped.
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
As with the processor reads, these BIOS queries are attributed to WINWORD.EXE only.
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class (20 IoCs)
tzgprkmzcw.exe points the .bat, .reg, .vbs, .wsc, .wsf and .wsh file types at the txtfile handler (Notepad on a stock install), so double-clicking a batch file, a .reg fix or a script opens it as text instead of executing it; combined with DisableRegistryTools above, this blocks the usual manual clean-up routes. The original sample stores hex-encoded strings under CLV.Classes (Com1 to Com4, StartCom1 and StartCom2); the report does not say what they encode.
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | tzgprkmzcw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EC2B12F47E3389853BEBAA533EAD4BE" | d0901274aa7c321903124f1ad9096c69_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | tzgprkmzcw.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | tzgprkmzcw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | tzgprkmzcw.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | tzgprkmzcw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | tzgprkmzcw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | tzgprkmzcw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7FD6BC6FF1F21D0D10ED0A88A7F9010" | d0901274aa7c321903124f1ad9096c69_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1848C70C1490DBC3B8B97F92ECE734CC" | d0901274aa7c321903124f1ad9096c69_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | tzgprkmzcw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | tzgprkmzcw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32472D0D9C5582246D3E76A270542DAD7DF665DE" | d0901274aa7c321903124f1ad9096c69_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFAFFFB485D826D9140D72B7E95BD92E134594667446332D6EB" | d0901274aa7c321903124f1ad9096c69_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | tzgprkmzcw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | tzgprkmzcw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | tzgprkmzcw.exe
Key created | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings | d0901274aa7c321903124f1ad9096c69_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | d0901274aa7c321903124f1ad9096c69_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABFF9CEFE13F194840F3A43819E3E96B0FB038B4260024BE1CC429A09A9" | d0901274aa7c321903124f1ad9096c69_JaffaCakes118.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid | process | count
1700 | WINWORD.EXE | 2

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | process | count
628 | d0901274aa7c321903124f1ad9096c69_JaffaCakes118.exe | 16
3924 | tzgprkmzcw.exe | 10
408 | jsumvruwkvxybas.exe | 12
4912 | yemuiltw.exe | 8
1528 | kgbualpffaclp.exe | 12
4216 | yemuiltw.exe | 6

Suspicious use of FindShellTrayWindow (18 IoCs)
pid | process | count
628 | d0901274aa7c321903124f1ad9096c69_JaffaCakes118.exe | 3
3924 | tzgprkmzcw.exe | 3
408 | jsumvruwkvxybas.exe | 3
4912 | yemuiltw.exe | 3
1528 | kgbualpffaclp.exe | 3
4216 | yemuiltw.exe | 3

Suspicious use of SendNotifyMessage (18 IoCs)
pid | process | count
628 | d0901274aa7c321903124f1ad9096c69_JaffaCakes118.exe | 3
3924 | tzgprkmzcw.exe | 3
408 | jsumvruwkvxybas.exe | 3
4912 | yemuiltw.exe | 3
1528 | kgbualpffaclp.exe | 3
4216 | yemuiltw.exe | 3

Suspicious use of SetWindowsHookEx (7 IoCs)
pid | process | count
1700 | WINWORD.EXE | 7
Suspicious use of WriteProcessMemory (17 IoCs)
Every write targets a child the writer has just launched (compare the process tree below). CreateProcess itself writes the new process's parameters into the child, so these records are consistent with ordinary process creation and do not, on their own, show injection into an unrelated process.
pid | process | target pid | target process | procid_target | count
628 | d0901274aa7c321903124f1ad9096c69_JaffaCakes118.exe | 3924 | tzgprkmzcw.exe | 85 | 3
628 | d0901274aa7c321903124f1ad9096c69_JaffaCakes118.exe | 408 | jsumvruwkvxybas.exe | 86 | 3
628 | d0901274aa7c321903124f1ad9096c69_JaffaCakes118.exe | 4912 | yemuiltw.exe | 87 | 3
628 | d0901274aa7c321903124f1ad9096c69_JaffaCakes118.exe | 1528 | kgbualpffaclp.exe | 88 | 3
628 | d0901274aa7c321903124f1ad9096c69_JaffaCakes118.exe | 1700 | WINWORD.EXE | 89 | 2
3924 | tzgprkmzcw.exe | 4216 | yemuiltw.exe | 91 | 3
Processes

C:\Users\Admin\AppData\Local\Temp\d0901274aa7c321903124f1ad9096c69_JaffaCakes118.exe (PID 628)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d0901274aa7c321903124f1ad9096c69_JaffaCakes118.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\tzgprkmzcw.exe (PID 3924)
    Command line: tzgprkmzcw.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\yemuiltw.exe (PID 4216)
      Command line: C:\Windows\system32\yemuiltw.exe (the 32-bit parent's system32 path is redirected to SysWOW64 by WOW64 file-system redirection)
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\jsumvruwkvxybas.exe (PID 408)
    Command line: jsumvruwkvxybas.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\yemuiltw.exe (PID 4912)
    Command line: yemuiltw.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\kgbualpffaclp.exe (PID 1528)
    Command line: kgbualpffaclp.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 1700)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    Word is launched by the sample on C:\Windows\mydoc.rtf, a file the sample itself opened for modification (see "Drops file in Windows directory"); the signatures below are Word's behaviour while opening that document.
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (T1547): 2
    Registry Run Keys / Startup Folder (T1547.001): 1
    Winlogon Helper DLL (T1547.004): 1
Privilege Escalation
  Boot or Logon Autostart Execution (T1547): 2
    Registry Run Keys / Startup Folder (T1547.001): 1
    Winlogon Helper DLL (T1547.004): 1
Defense Evasion
  Hide Artifacts (T1564): 2
    Hidden Files and Directories (T1564.001): 2
  Impair Defenses (T1562): 2
    Disable or Modify Tools (T1562.001): 2
  Modify Registry (T1112): 6
Downloads

Filesize: 512KB
MD5: 0cf5f3a39e3855520b56f1f0ea55c6cf
SHA1: 6aeb87362b1d39a82d5b2102040057051243bec1
SHA256: 0953c560dc28757e03b838bf306cc10d69fd1baae989e9c6e5b77883be7c4807
SHA512: 1fb8026e65ecdf290912d8c302efa0dab13173411e39c98d401ad10a0e9c1f6cddd9c1ea828ed86d0bfa9a5a253ed149b0bd75da3d35106c9a31e7e574bf5097

Filesize: 512KB
MD5: 22986bedb379aa308be39f53bd8be729
SHA1: c156ce5a10406010c3f060fc368a54d784a78dfd
SHA256: c87cfb5f8b8f4299df4ee62bba64e6a8badee0f36d9a66a7ed7ee79267f60f04
SHA512: 75efba791d4f9092c10c0d8d12253860aad4aeb37f16bf0efb6cfcca2767fe79d5a5d19a72fafc7372b345d6d8e2477b500b97ad6be2a4a2ab04e8ff522a8eee

Filesize: 262KB
MD5: 51d32ee5bc7ab811041f799652d26e04
SHA1: 412193006aa3ef19e0a57e16acf86b830993024a
SHA256: 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA512: 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Filesize: 267B
MD5: ad2e5030bad7c50cf0de7044cfcb9be4
SHA1: 4d669d7e4283ad94a8945be69a6290a6691428c9
SHA256: 660d045ceed32a9453cb10e2e91bbabfb70b087502b3f28ca33c0355d9c2f03d
SHA512: 8eb12f787755fa29f834d8a254582eb5af1a0072639b06634271ac84bde6aae4da59e2ce5800029081266b5287e30153497b6217ae663a6428103a47268ab393

Filesize: 16B
MD5: d29962abc88624befc0135579ae485ec
SHA1: e40a6458296ec6a2427bcb280572d023a9862b31
SHA256: a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866
SHA512: 4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

Path: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 1KB
MD5: 1403b956aa992e70f5b46cc02c90bdc8
SHA1: 3bc7cbb7526f59e58d0ae06621856af8ca0e3b1b
SHA256: 8492a614a8743708b346780230b8b3d41481a89e39c31f853c4c92438ef9830f
SHA512: 2f013b81dc0ff2c40d5d213b4065f67c13e0bca99f9d7703caf5a287e58d6913f2bb0078f3a8556caede96d6f1b81dd04b6eb5e1321487b3276e8191a70496dc

Path: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 674B
MD5: a07fcd08aa48eb4ef62984ca71b9c5d1
SHA1: 513fe199c595a353a5c94e7de0d532ba9deb5942
SHA256: b53a13a2fb8dc034d5b78c47ed53dbd86108f8db32ce9d60bbe68a2476ad26f8
SHA512: 93032b3362c7362d2f3f90a0b3c2cb9d93e87b617e2b500f43ec0f30b1476d0ae6e4fac3d1c3e4ff1bc80b76389eac4cc0daee003c9054fa2ce8aa77a2831af4

Filesize: 512KB
MD5: dc05daef3b6b70eb721808ae97ef1ed1
SHA1: 6c1741f12aad80a4967db2cc7e6e0abbbed637a0
SHA256: 25bc559b27e0c15d1ce0ca9448aa763ce616deb5c5825b176df03ab7bccad597
SHA512: 78a17d98b1dc377fee474e21099f6cfc21c2845c01ae970647fe47ba3557c560796bfda112180934d75f7a9a6f6a2a8a60ac9c0fb206e20f032a28df4841b202

Filesize: 512KB
MD5: 5614f29651dc42eb9c6ae5c7b3f6d2de
SHA1: 285517daed8ab8b542f80d4f46adbf9a4dae2152
SHA256: f39d22154d8a2fec0300a9cb2e8e7c3ec576cd896ba5a49fd2179be70c46a682
SHA512: 0400b2a79a7905dac6df0bd7119e9970a95d0897ff7bc6340a1bcec610b22a2a3c70756e23fc5db96ea3f4695378c27ce6d8e3deecc7180de2b719c13385588c

Filesize: 512KB
MD5: 8552a399eb8762032b167b98de5cb23d
SHA1: 9e431934628759e21bf24228225d33c3d0f7fc53
SHA256: 219c284d1a2184ad98e963fa65fb8d88b2e09ce712800948d2cc39d3f216a8c2
SHA512: 432bceaa045724621028c4cc1c7c52099d41c09f0dd02000d86123debaeb6fddb2aaa5f2b3c84aa174ab09901c007386a369acfd164b8b7ea2121cb3d0e90621

Filesize: 512KB
MD5: df593830d5550d773da2f1b4c3d60726
SHA1: 93d6f716e8ed1b9464e2ce4dca592ed2d7fe25bb
SHA256: f6796aeb227e4b90d17ed45acf35b447ea299152b363f357fc32edeec0b5d19b
SHA512: 3d310ea50c083d4218b7211b611d88e0d6a18937ccdc4d3212cc24375703230837fae7bb9ac6397e4944530828e766c8879eb6ef4490501b9a2a71f5f1d72dbb

Filesize: 512KB
MD5: d2b7c7074f09bd6e0cd4b855ea072e29
SHA1: 2ef79de5cc9705da44c94e90e647e8905d85ccf8
SHA256: faaa2b623a255009b36359e67de228af84ad6a60c75817168a3422f0f4b7c84b
SHA512: 5b725e073dd4289f2d14288b3cb7046364b084229407b297a4229077d258b7e9e124c818120e4cb393756cfd407ec282e95b1f2ec1f593b3ca2a740e05605727

Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Filesize: 512KB
MD5: df6b393835c0219f82a9b817e9ca4f7f
SHA1: 6e6d06af68492bf6084d46e2f7168ab553b76abb
SHA256: 579603baa6e902eb74b5ead8e213d406a203764533499bd2e5bd341b32331f33
SHA512: c4fde809c5dc9ff9d4dc5208adb8c29b49c9538d429dc1b37abcd2ffb3b279361a1a543ee4f0a1f5e582bb644bedc5a214102f216a6fc86d2e4c3081e8b443fd

Filesize: 512KB
MD5: 8ccae2ea720e9140065a67d36fe6ae43
SHA1: fad4b994ebeb92aecc702a1195bf49a3609509e1
SHA256: cb6dff866fd119c8d740601ba5a89e73d5e2cb1ef757ed20dd8eb184d4360979
SHA512: 1235a7bfeea8358298b86b2535e0690e3746a6a21dcf4874ace520fba5ac1085e16379c6b95a72345e72b60cd16c8782061025cc069d638467fd9012c88af65e

Filesize: 512KB
MD5: ee6f3dbceb478855d1b016dc87cd9e83
SHA1: e28769b259ac658a16b3bf0682bafa98ef5677db
SHA256: 834e627435baaef2bd0a19573382eb0c7f3e8c08181164b0ed72849eb46020e0
SHA512: 8c37d1b97bd27f9e16022391c09de480e44a0cece2532c588e6fe0a48239d5c9f00a8bc85370ce08e5669798752e76a609374cdfa0fd784680c7ddc3c8671a1d