Analysis
max time kernel: 149s
max time network: 139s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/09/2024, 13:54
Static task: static1
Behavioral task: behavioral1
Sample: d67328a18465324ce700ae567bfccc11_JaffaCakes118.exe
Resource: win7-20240903-en

General
Target: d67328a18465324ce700ae567bfccc11_JaffaCakes118.exe
Size: 512KB
MD5: d67328a18465324ce700ae567bfccc11
SHA1: 4d7a37475a7ba39543e1bc6bffcdbde1bec4c01a
SHA256: 99d93a1815bbd6d58b4792df62a22dba2552205830519ff42ff4a3c01d0712d4
SHA512: 8a344c8556d02bc99eec6ce82467736c69a8f4a421ad69310ea384592783b0bedc90f77d31fb094968e6feabfbb6ab8f466023447e5c3028c46289e45a044afc
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6T:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5O
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | eettdvptib.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | eettdvptib.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | eettdvptib.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | eettdvptib.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | eettdvptib.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | eettdvptib.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | eettdvptib.exe
Disables RegEdit via registry modification (1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | eettdvptib.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | d67328a18465324ce700ae567bfccc11_JaffaCakes118.exe
Executes dropped EXE (5 IoCs)
pid | Process
1472 | eettdvptib.exe
4420 | pgiossqjtkoxqzm.exe
2136 | bypzlqva.exe
3884 | ezwwkvwzccjpa.exe
636 | bypzlqva.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | eettdvptib.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | eettdvptib.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | eettdvptib.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | eettdvptib.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | eettdvptib.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | eettdvptib.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wiwwqmna = "eettdvptib.exe" | pgiossqjtkoxqzm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vkrlnsxo = "pgiossqjtkoxqzm.exe" | pgiossqjtkoxqzm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "ezwwkvwzccjpa.exe" | pgiossqjtkoxqzm.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\h: | eettdvptib.exe
File opened (read-only) | \??\z: | eettdvptib.exe
File opened (read-only) | \??\h: | bypzlqva.exe
File opened (read-only) | \??\a: | bypzlqva.exe
File opened (read-only) | \??\r: | bypzlqva.exe
File opened (read-only) | \??\i: | eettdvptib.exe
File opened (read-only) | \??\t: | eettdvptib.exe
File opened (read-only) | \??\w: | eettdvptib.exe
File opened (read-only) | \??\j: | bypzlqva.exe
File opened (read-only) | \??\v: | bypzlqva.exe
File opened (read-only) | \??\o: | bypzlqva.exe
File opened (read-only) | \??\y: | bypzlqva.exe
File opened (read-only) | \??\l: | eettdvptib.exe
File opened (read-only) | \??\v: | eettdvptib.exe
File opened (read-only) | \??\e: | bypzlqva.exe
File opened (read-only) | \??\k: | bypzlqva.exe
File opened (read-only) | \??\p: | bypzlqva.exe
File opened (read-only) | \??\n: | bypzlqva.exe
File opened (read-only) | \??\t: | bypzlqva.exe
File opened (read-only) | \??\y: | bypzlqva.exe
File opened (read-only) | \??\w: | bypzlqva.exe
File opened (read-only) | \??\b: | bypzlqva.exe
File opened (read-only) | \??\n: | bypzlqva.exe
File opened (read-only) | \??\q: | bypzlqva.exe
File opened (read-only) | \??\a: | eettdvptib.exe
File opened (read-only) | \??\e: | eettdvptib.exe
File opened (read-only) | \??\p: | eettdvptib.exe
File opened (read-only) | \??\b: | bypzlqva.exe
File opened (read-only) | \??\l: | bypzlqva.exe
File opened (read-only) | \??\j: | eettdvptib.exe
File opened (read-only) | \??\h: | bypzlqva.exe
File opened (read-only) | \??\a: | bypzlqva.exe
File opened (read-only) | \??\j: | bypzlqva.exe
File opened (read-only) | \??\v: | bypzlqva.exe
File opened (read-only) | \??\z: | bypzlqva.exe
File opened (read-only) | \??\m: | eettdvptib.exe
File opened (read-only) | \??\s: | eettdvptib.exe
File opened (read-only) | \??\g: | bypzlqva.exe
File opened (read-only) | \??\q: | bypzlqva.exe
File opened (read-only) | \??\k: | bypzlqva.exe
File opened (read-only) | \??\g: | eettdvptib.exe
File opened (read-only) | \??\l: | bypzlqva.exe
File opened (read-only) | \??\r: | bypzlqva.exe
File opened (read-only) | \??\e: | bypzlqva.exe
File opened (read-only) | \??\u: | bypzlqva.exe
File opened (read-only) | \??\m: | bypzlqva.exe
File opened (read-only) | \??\p: | bypzlqva.exe
File opened (read-only) | \??\x: | bypzlqva.exe
File opened (read-only) | \??\n: | eettdvptib.exe
File opened (read-only) | \??\o: | eettdvptib.exe
File opened (read-only) | \??\s: | bypzlqva.exe
File opened (read-only) | \??\i: | bypzlqva.exe
File opened (read-only) | \??\t: | bypzlqva.exe
File opened (read-only) | \??\w: | bypzlqva.exe
File opened (read-only) | \??\q: | eettdvptib.exe
File opened (read-only) | \??\x: | eettdvptib.exe
File opened (read-only) | \??\o: | bypzlqva.exe
File opened (read-only) | \??\s: | bypzlqva.exe
File opened (read-only) | \??\k: | eettdvptib.exe
File opened (read-only) | \??\r: | eettdvptib.exe
File opened (read-only) | \??\u: | bypzlqva.exe
File opened (read-only) | \??\z: | bypzlqva.exe
File opened (read-only) | \??\g: | bypzlqva.exe
File opened (read-only) | \??\u: | eettdvptib.exe
Modifies WinLogon (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | eettdvptib.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | eettdvptib.exe
AutoIT Executable (9 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/2728-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x00070000000234b4-9.dat | autoit_exe
behavioral2/files/0x00080000000234af-18.dat | autoit_exe
behavioral2/files/0x00070000000234b3-20.dat | autoit_exe
behavioral2/files/0x00070000000234b5-31.dat | autoit_exe
behavioral2/files/0x00070000000234be-57.dat | autoit_exe
behavioral2/files/0x00070000000234bf-63.dat | autoit_exe
behavioral2/files/0x000b0000000233e6-101.dat | autoit_exe
behavioral2/files/0x000b0000000233e6-109.dat | autoit_exe
Drops file in System32 directory (13 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\eettdvptib.exe | d67328a18465324ce700ae567bfccc11_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | eettdvptib.exe
File opened for modification | C:\Windows\SysWOW64\ezwwkvwzccjpa.exe | d67328a18465324ce700ae567bfccc11_JaffaCakes118.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | bypzlqva.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | bypzlqva.exe
File opened for modification | C:\Windows\SysWOW64\pgiossqjtkoxqzm.exe | d67328a18465324ce700ae567bfccc11_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\ezwwkvwzccjpa.exe | d67328a18465324ce700ae567bfccc11_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\bypzlqva.exe | d67328a18465324ce700ae567bfccc11_JaffaCakes118.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | bypzlqva.exe
File created | C:\Windows\SysWOW64\bypzlqva.exe | d67328a18465324ce700ae567bfccc11_JaffaCakes118.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | bypzlqva.exe
File opened for modification | C:\Windows\SysWOW64\eettdvptib.exe | d67328a18465324ce700ae567bfccc11_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\pgiossqjtkoxqzm.exe | d67328a18465324ce700ae567bfccc11_JaffaCakes118.exe
Drops file in Program Files directory (14 IoCs)
description | ioc | Process
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | bypzlqva.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | bypzlqva.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | bypzlqva.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | bypzlqva.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | bypzlqva.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | bypzlqva.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | bypzlqva.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | bypzlqva.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | bypzlqva.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | bypzlqva.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | bypzlqva.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | bypzlqva.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | bypzlqva.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | bypzlqva.exe
Drops file in Windows directory (19 IoCs)
description | ioc | Process
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | bypzlqva.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | bypzlqva.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | bypzlqva.exe
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | bypzlqva.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | bypzlqva.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | bypzlqva.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | bypzlqva.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | bypzlqva.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | bypzlqva.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | bypzlqva.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | bypzlqva.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | bypzlqva.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | bypzlqva.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | bypzlqva.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | bypzlqva.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | bypzlqva.exe
File opened for modification | C:\Windows\mydoc.rtf | d67328a18465324ce700ae567bfccc11_JaffaCakes118.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d67328a18465324ce700ae567bfccc11_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pgiossqjtkoxqzm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | eettdvptib.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bypzlqva.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ezwwkvwzccjpa.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bypzlqva.exe
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class (20 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | eettdvptib.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | eettdvptib.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | eettdvptib.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | d67328a18465324ce700ae567bfccc11_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33462C7D9D2D82206A4177D677262DDA7D8764DB" | d67328a18465324ce700ae567bfccc11_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BB5FACAF964F19684083A42819A39E2B38B02FF43670248E2CF45EA08A7" | d67328a18465324ce700ae567bfccc11_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF4FC8D4F27826F9133D6217E92BCE7E13159446736623ED7EC" | d67328a18465324ce700ae567bfccc11_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | eettdvptib.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | eettdvptib.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | eettdvptib.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB2B05844EE38E853B9B9D33393D7BC" | d67328a18465324ce700ae567bfccc11_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F66BC3FF1A22DFD108D0A38A0C916B" | d67328a18465324ce700ae567bfccc11_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | eettdvptib.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | eettdvptib.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193DC67A14E0DAB7B8CA7FE7EC9634C6" | d67328a18465324ce700ae567bfccc11_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | eettdvptib.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | eettdvptib.exe
Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings | d67328a18465324ce700ae567bfccc11_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | eettdvptib.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | eettdvptib.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid | Process | occurrences
4396 | WINWORD.EXE | 2
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process | occurrences
2728 | d67328a18465324ce700ae567bfccc11_JaffaCakes118.exe | 16
4420 | pgiossqjtkoxqzm.exe | 10
1472 | eettdvptib.exe | 10
2136 | bypzlqva.exe | 8
3884 | ezwwkvwzccjpa.exe | 12
4420 | pgiossqjtkoxqzm.exe | 2
636 | bypzlqva.exe | 6
Suspicious use of FindShellTrayWindow (18 IoCs)
pid | Process | occurrences
2728 | d67328a18465324ce700ae567bfccc11_JaffaCakes118.exe | 3
4420 | pgiossqjtkoxqzm.exe | 3
1472 | eettdvptib.exe | 3
2136 | bypzlqva.exe | 3
3884 | ezwwkvwzccjpa.exe | 3
636 | bypzlqva.exe | 3
Suspicious use of SendNotifyMessage (18 IoCs)
pid | Process | occurrences
2728 | d67328a18465324ce700ae567bfccc11_JaffaCakes118.exe | 3
4420 | pgiossqjtkoxqzm.exe | 3
1472 | eettdvptib.exe | 3
2136 | bypzlqva.exe | 3
3884 | ezwwkvwzccjpa.exe | 3
636 | bypzlqva.exe | 3
Suspicious use of SetWindowsHookEx (7 IoCs)
pid | Process | occurrences
4396 | WINWORD.EXE | 7
Suspicious use of WriteProcessMemory (17 IoCs)
description | pid | Process | procid_target | occurrences
PID 2728 wrote to memory of 1472 | 2728 | d67328a18465324ce700ae567bfccc11_JaffaCakes118.exe | 87 | 3
PID 2728 wrote to memory of 4420 | 2728 | d67328a18465324ce700ae567bfccc11_JaffaCakes118.exe | 88 | 3
PID 2728 wrote to memory of 2136 | 2728 | d67328a18465324ce700ae567bfccc11_JaffaCakes118.exe | 89 | 3
PID 2728 wrote to memory of 3884 | 2728 | d67328a18465324ce700ae567bfccc11_JaffaCakes118.exe | 90 | 3
PID 2728 wrote to memory of 4396 | 2728 | d67328a18465324ce700ae567bfccc11_JaffaCakes118.exe | 91 | 2
PID 1472 wrote to memory of 636 | 1472 | eettdvptib.exe | 93 | 3
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\d67328a18465324ce700ae567bfccc11_JaffaCakes118.exe (PID 2728)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d67328a18465324ce700ae567bfccc11_JaffaCakes118.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  Depth 2: C:\Windows\SysWOW64\eettdvptib.exe (PID 1472)
    Command line: eettdvptib.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    Depth 3: C:\Windows\SysWOW64\bypzlqva.exe (PID 636)
      Command line: C:\Windows\system32\bypzlqva.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  Depth 2: C:\Windows\SysWOW64\pgiossqjtkoxqzm.exe (PID 4420)
    Command line: pgiossqjtkoxqzm.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  Depth 2: C:\Windows\SysWOW64\bypzlqva.exe (PID 2136)
    Command line: bypzlqva.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  Depth 2: C:\Windows\SysWOW64\ezwwkvwzccjpa.exe (PID 3884)
    Command line: ezwwkvwzccjpa.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  Depth 2: C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 4396)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads

Filesize: 512KB
MD5: 579dad2aedda9fcd82ce741eee5d6826
SHA1: b3bc0f9ab0964d4f5a2e092ec5e88494d87c20e0
SHA256: 519814166116675d2b4b5371192e869f366838fa3390eb76cde4b31a6bc45d43
SHA512: b4598e685fb790f288724e1d3393fa5acac1c914b60296a70d47b523f7e1585ae86d5f98b77577802d526e0f03aa70cb1dee516b79dde92be9bb883e2c1e344b

Filesize: 512KB
MD5: 953788846e96876295ba48a59b20f267
SHA1: 1a305230732828da5e5da6b6ab7235776481c3a4
SHA256: 24e39ae06c7b7814838d5c4cc4685de0e87c7722a4130587211d41268dc31ded
SHA512: a025f7d78123b0de69c18c060139b00d7a5639d54219f441dc13cee5952cea8f713df0ee24c0591c55d3ee1f87ed5562573887fca0cd6d1115bd58b4e28325f0

Filesize: 418B
MD5: b09d1af036a9f328c455e068f23fc057
SHA1: b3c74362744e02a3cd217932e4a034d80c930c77
SHA256: e70800ff8cd2aab62314a04490ad95391f6da952920e5aa6f5af0a2e90101999
SHA512: a8058ff281901ea3f81cf5758a81427c837372cac234375f937f40eeafc9dc0d7468dd5b35f4d84fab11c146ec1534d236be48689e80d68d2163df2f56417ac2

Filesize: 16B
MD5: d29962abc88624befc0135579ae485ec
SHA1: e40a6458296ec6a2427bcb280572d023a9862b31
SHA256: a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866
SHA512: 4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 2KB
MD5: f50ef6e4c65787bbaf16c2f75a37ff36
SHA1: 74db41027ff8effafc5cc90bdf1b13c4670b0933
SHA256: 310f4e3e73af20aa5f56f844b3c55af3484286591d9ea18c4b4593a5dcea36e6
SHA512: 9c2d41e43d709cc7c86c3b968c2fc10636ff4e8f490d52174a675cc318106caa17b2cc3962d7780b122ea1041d9a8217c4e6c6ac16aa6da8b8a88ecaaf9ff905

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 1KB
MD5: c158c859b1c9ed7167bd21649d486331
SHA1: 7003e12814091088a954d38592fc6b13a16cedc1
SHA256: 59e3d3101b8912ff7f3f2121970b65108565c89e2bba37429c0f1dcea03e2f57
SHA512: 9187e834f083bd37510dfcd98d03c675a89032aeb22ed54e4cc7b90b239465aa7ce5c15779c187a227bb7368af76c0de255db4a82242c86a65cd5db4d193791c

Filesize: 512KB
MD5: 5a06b7b2786a6a05fd60ba14ac996277
SHA1: ef4021e9c3324bea519fab0270f55677bc979671
SHA256: ef100f5636f7fef83069cb3bead55f96aec775d6045e44f33b553fec4f9725e1
SHA512: aa62d057a73648fefcf68bf1dc7687605b89fa28928c152a0bff2591c0a8ef9d579ed2e519471d5ca864edf4e1b2a3eda25cfbf4b65a3bd39de75c799d4dddd7

Filesize: 512KB
MD5: ddd6ecaba0efb6a6d75d2d553bdff741
SHA1: c3a100327f16300f038399d407bc52e12d8f4254
SHA256: 50286780c9e7e487a5073722414ce56cb4cf6d8c12f5779ccd4faf26032120c0
SHA512: 596e6d9475c196b86095401442f5b09b5801c8526dbb19e4220a295440b87f6b75b5d68cc29285a8da2d48500fd02d0f0d38a631b7feb8ced4d8dc44b40ac8ab

Filesize: 512KB
MD5: 168a45bb062ed13a078f2eb0f6777706
SHA1: ffb3e3b9632f2f2207b01118e57b6091f9ff7fbe
SHA256: 9d04cb403417d10ee5f590c0cf51157e48bc57600ae9b59b54b4989ba8a586c7
SHA512: ab2d4126e04d161d59be30976b242857a77fd39c7a5ace65d2c8a56fc7cee78426e787892024bf638eed6e15fbbd4d811ae9d935abb5e685d9d8d158b26a86a1

Filesize: 512KB
MD5: ad0b796001427a21dd09face1b5531c8
SHA1: 91501bdbe32125a1722b5e050578185de8cb4064
SHA256: 65de61e692b203528e0c0b6b08add465aa762d608748e0e771def3517fd9c36c
SHA512: 6fc6a7fb98153c25c831b17312776335a4f34d008468ad7b298750497a43953ae1794bf2fb1394d8d8d3941db46a19d2854bb091a6846c1d3846b3d2f0b2c07e

Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Filesize: 512KB
MD5: 1b36e3561a7308ce409792b1d248b0bb
SHA1: 1d779b28d728bc9a0f4ca144a0c259df1f8860f8
SHA256: 100884f67b4cb6c0d6d52361e14a59071076e508547ecdfe8318e866f2a97821
SHA512: 3071805beac38bafbf1d4a1f71aa78475f19a155d8671755c06b07823d3244b873a80a22a3aba6f49efc90bad6b892eb317f9e1e72e68a92f418a14dbc78273b

Filesize: 512KB
MD5: cb753158e300d4cb817cd26699e27bfe
SHA1: 86fd473d9113ed20ff5b468e40fa43dc98a78ae7
SHA256: a5570ddd8513a6a38ae32a9347618d0224f5d64399d56c090c62365a34009c79
SHA512: 8e8ada76b5bfb7cb5a5b6bef774dba5285197d0a9b2c178a333d39b50c7a6268e444e8d545a1c6a727a0c586e34c07095375f3f091fe1a54d78555d2e5d1e538