Analysis

max time kernel: 149s
max time network: 140s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-09-2024 15:59

Static task: static1
Behavioral task: behavioral1
Sample: dc9063b98ddc0372cc6aabe10d00c379_JaffaCakes118.exe
Resource: win7-20240903-en

General

Target: dc9063b98ddc0372cc6aabe10d00c379_JaffaCakes118.exe
Size: 512KB
MD5: dc9063b98ddc0372cc6aabe10d00c379
SHA1: 10bc51c8e9c32f6e07d45676c873961e3acb9495
SHA256: 569b9bc09c033c0233bab251d651cd8ebfc6b294c6250862e6afa9dd57a9d7d4
SHA512: 4b506c2607505fa2572a90b2888e2992cdfaed52e1edeea7eba743033432cf05b78fd035114d97e9518df2de28ebf84e321db51229934b7e770f56db6c7a05d4
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6Y:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5/
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" ypzwhlejop.exe

Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" ypzwhlejop.exe

Windows security bypass 5 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" ypzwhlejop.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" ypzwhlejop.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" ypzwhlejop.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" ypzwhlejop.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" ypzwhlejop.exe

Disables RegEdit via registry modification 1 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" ypzwhlejop.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation dc9063b98ddc0372cc6aabe10d00c379_JaffaCakes118.exe

Executes dropped EXE 5 IoCs
pid Process
2784 ypzwhlejop.exe
4204 qnnkiazckypnmwe.exe
3844 ddeprebf.exe
4612 jfuyutgcovthg.exe
3348 ddeprebf.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and similar secrets.

Windows security modification 6 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" ypzwhlejop.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" ypzwhlejop.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" ypzwhlejop.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" ypzwhlejop.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" ypzwhlejop.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" ypzwhlejop.exe

Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\knbnpsqu = "ypzwhlejop.exe" qnnkiazckypnmwe.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yycsldek = "qnnkiazckypnmwe.exe" qnnkiazckypnmwe.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "jfuyutgcovthg.exe" qnnkiazckypnmwe.exe
(The third entry is written to the Run key's default value, which Explorer still honours as a startup entry; a cleanup that only looks at named values misses it.)

Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
All 64 rows are "File opened (read-only)" on a drive root, covering every letter except c:, d: and f: (a: b: e: g: h: i: j: k: l: m: n: o: p: q: r: s: t: u: v: w: x: y: z:):
ypzwhlejop.exe: 23 opens, one per letter
ddeprebf.exe: 41 opens over the same letters, most of them twice (two ddeprebf.exe instances ran, PIDs 3844 and 3348)

Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" ypzwhlejop.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" ypzwhlejop.exe
4294967197 is 0xFFFFFF9D (-99 as a signed DWORD), the legacy SFCDisable value used to switch off Windows File Protection on Windows 2000/XP. Modern Windows ignores it, so on this Windows 10 image the write has no effect; it is still a useful signature of old-WFP-era tampering code.
AutoIT Executable 10 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule
behavioral2/memory/2604-0-0x0000000000400000-0x0000000000496000-memory.dmp autoit_exe
behavioral2/files/0x000700000002361c-5.dat autoit_exe
behavioral2/files/0x0008000000023618-18.dat autoit_exe
behavioral2/files/0x000700000002361d-27.dat autoit_exe
behavioral2/files/0x000700000002361e-31.dat autoit_exe
behavioral2/files/0x00060000000226c6-57.dat autoit_exe
behavioral2/files/0x00030000000226ca-62.dat autoit_exe
behavioral2/files/0x0006000000016911-86.dat autoit_exe
behavioral2/files/0x000a0000000234dc-105.dat autoit_exe
behavioral2/files/0x000a0000000234dc-326.dat autoit_exe

Drops file in System32 directory 13 IoCs
description ioc Process
File created C:\Windows\SysWOW64\ypzwhlejop.exe dc9063b98ddc0372cc6aabe10d00c379_JaffaCakes118.exe
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe ddeprebf.exe
File created C:\Windows\SysWOW64\jfuyutgcovthg.exe dc9063b98ddc0372cc6aabe10d00c379_JaffaCakes118.exe
File created C:\Windows\SysWOW64\qnnkiazckypnmwe.exe dc9063b98ddc0372cc6aabe10d00c379_JaffaCakes118.exe
File opened for modification C:\Windows\SysWOW64\qnnkiazckypnmwe.exe dc9063b98ddc0372cc6aabe10d00c379_JaffaCakes118.exe
File opened for modification C:\Windows\SysWOW64\ddeprebf.exe dc9063b98ddc0372cc6aabe10d00c379_JaffaCakes118.exe
File opened for modification C:\Windows\SysWOW64\ypzwhlejop.exe dc9063b98ddc0372cc6aabe10d00c379_JaffaCakes118.exe
File opened for modification C:\Windows\SysWOW64\jfuyutgcovthg.exe dc9063b98ddc0372cc6aabe10d00c379_JaffaCakes118.exe
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe ddeprebf.exe
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe ddeprebf.exe
File created C:\Windows\SysWOW64\ddeprebf.exe dc9063b98ddc0372cc6aabe10d00c379_JaffaCakes118.exe
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll ypzwhlejop.exe
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe ddeprebf.exe

Drops file in Program Files directory 14 IoCs
description ioc Process
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal ddeprebf.exe
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe ddeprebf.exe
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe ddeprebf.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe ddeprebf.exe
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe ddeprebf.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe ddeprebf.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe ddeprebf.exe
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe ddeprebf.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal ddeprebf.exe
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe ddeprebf.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal ddeprebf.exe
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe ddeprebf.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe ddeprebf.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal ddeprebf.exe

Drops file in Windows directory 19 IoCs
description ioc Process
File created C:\Windows\~$mydoc.rtf WINWORD.EXE
File opened for modification C:\Windows\mydoc.rtf dc9063b98ddc0372cc6aabe10d00c379_JaffaCakes118.exe
File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE
The remaining 16 rows are all ddeprebf.exe writing MsoIrmProtector.doc.exe into the four WinSxS component directories below, each directory seeing "File created" twice and "File opened for modification" twice:
\??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe
\??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe
\??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe
\??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe
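The three "Drops file" tables above repeat a handful of paths many times and mix two things worth separating: executables written under C:\Windows and C:\Program Files (which requires an elevated token), and document names given an executable tail (MsoIrmProtector.doc.exe, PROTTPLN.DOC.exe) created beside a .nal file with the same stem. The script below is an added example and is not part of the report or of the sample; it assumes the row layout exactly as extracted on this page, and it treats the ".DOC.exe beside .nal" pairing as a heuristic of this example, not something the report itself asserts. The sample rows are copied from the tables above.

```python
"""Triage 'File created' / 'File opened for modification' rows from a sandbox report."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Row layout as it appears on this page: "<op> <path> <process>"; the path may contain spaces,
# the process name may not, so the path is matched lazily and the last token is the process.
FILE_ROW_RE = re.compile(
    r'^(?P<op>File created|File opened for modification|File opened \(read-only\)) '
    r'(?P<path>.+?) (?P<proc>\S+)$')
DOC_EXTS = {".doc", ".docx", ".rtf", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt"}
PROTECTED = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def normalise(path: str) -> str:
    """Strip the NT '\\??\\' prefix and lower-case so the same file compares equal."""
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.lower()


def parse_file_rows(lines):
    events = set()  # rows repeat in the report; keep one (op, path, process) triple each
    for line in lines:
        m = FILE_ROW_RE.match(line.strip())
        if m:
            events.add((m.group("op"), normalise(m.group("path")), m.group("proc")))
    return events


def analyse_drops(lines):
    events = parse_file_rows(lines)
    report = {"double_extension": set(), "document_swap": set(),
              "protected_dir_writes": defaultdict(set)}
    exts_by_stem = defaultdict(set)
    for op, path, proc in events:
        p = PureWindowsPath(path)
        sfx = p.suffixes                      # 'x.doc.exe' -> ['.doc', '.exe']
        if len(sfx) >= 2 and sfx[-1] == ".exe" and sfx[-2] in DOC_EXTS:
            report["double_extension"].add(path)   # document name wearing an executable tail
        if path.startswith(PROTECTED):
            report["protected_dir_writes"][proc].add(path)
        stem = str(p.parent / p.name.split(".")[0])
        exts_by_stem[stem].add("".join(sfx))
    # Heuristic (this example's, not the report's): <stem>.<doc>.exe created next to <stem>.nal
    # looks like the original document renamed out of the way and replaced by an executable.
    for stem, exts in exts_by_stem.items():
        if ".nal" in exts and any(e.endswith(".exe") and e.count(".") > 1 for e in exts):
            report["document_swap"].add(stem)
    return report


SAMPLE_ROWS = [  # copied from the "Drops file" tables of this report
    r'File created C:\Windows\SysWOW64\ypzwhlejop.exe dc9063b98ddc0372cc6aabe10d00c379_JaffaCakes118.exe',
    r'File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe ddeprebf.exe',
    r'File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe ddeprebf.exe',
    r'File opened for modification C:\Windows\SysWOW64\msvbvm60.dll ypzwhlejop.exe',
    r'File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal ddeprebf.exe',
    r'File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe ddeprebf.exe',
    r'File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe ddeprebf.exe',
    r'File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal ddeprebf.exe',
    r'File created C:\Windows\~$mydoc.rtf WINWORD.EXE',
    r'File opened for modification C:\Windows\mydoc.rtf dc9063b98ddc0372cc6aabe10d00c379_JaffaCakes118.exe',
    r'File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe ddeprebf.exe',
]

if __name__ == "__main__":
    r = analyse_drops(SAMPLE_ROWS)
    print("double extensions:", *sorted(r["double_extension"]), sep="\n  ")
    print("document swaps:", *sorted(r["document_swap"]), sep="\n  ")
    for proc, paths in sorted(r["protected_dir_writes"].items()):
        print(f"{proc}: {len(paths)} distinct writes under protected directories")
```

The dedupe on (op, path, process) is what turns 46 table rows into a short list; the per-process count under protected directories is a quick way to see that ddeprebf.exe, not the original sample, does the Office and WinSxS tampering.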
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddeprebf.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dc9063b98ddc0372cc6aabe10d00c379_JaffaCakes118.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ypzwhlejop.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language qnnkiazckypnmwe.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddeprebf.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jfuyutgcovthg.exe

Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE
(All six rows in these two signatures come from WINWORD.EXE, which the sample launched to open C:\Windows\mydoc.rtf; Word reads these keys itself, so they are not evidence of sandbox checks by the malware.)

Modifies registry class 20 IoCs
description ioc Process
Script file associations remapped to the plain-text handler by ypzwhlejop.exe (double-clicking a .bat/.vbs/.reg/.wsc/.wsf/.wsh file then opens it in Notepad instead of running it, which also blocks script-based cleanup):
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat ypzwhlejop.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" ypzwhlejop.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs ypzwhlejop.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" ypzwhlejop.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg ypzwhlejop.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" ypzwhlejop.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc ypzwhlejop.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" ypzwhlejop.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf ypzwhlejop.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" ypzwhlejop.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh ypzwhlejop.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" ypzwhlejop.exe
Values written by the original sample under a CLV.Classes key of its own (opaque hex strings; the report does not decode them):
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes dc9063b98ddc0372cc6aabe10d00c379_JaffaCakes118.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32352D789D2382586A3476DC70232CAD7D8165D9" dc9063b98ddc0372cc6aabe10d00c379_JaffaCakes118.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BB4FABAF963F19283793B4081EA3992B0FB03FD4268034EE1BA45E708D6" dc9063b98ddc0372cc6aabe10d00c379_JaffaCakes118.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB0B12E479238E252CCBAD732E8D7B9" dc9063b98ddc0372cc6aabe10d00c379_JaffaCakes118.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFBFFF84F5C8218903DD6587D92BDEEE13D584166436336D7EA" dc9063b98ddc0372cc6aabe10d00c379_JaffaCakes118.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7836BC2FE6621ADD10BD1D48B789016" dc9063b98ddc0372cc6aabe10d00c379_JaffaCakes118.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1949C77815E1DBC3B8C87CE0EDE234BB" dc9063b98ddc0372cc6aabe10d00c379_JaffaCakes118.exe
Key created \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings dc9063b98ddc0372cc6aabe10d00c379_JaffaCakes118.exe
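The registry signatures above (Explorer visibility, Security Center, DisableRegistryTools, Run keys, Winlogon SFC values, and the script-extension remap in "Modifies registry class") are all variations of one thing: a "Set value" row whose key, value name and data together identify a behaviour. The script below is an added example and is not part of the report or of the sample. It parses rows in the layout extracted on this page, folds the \REGISTRY\MACHINE and \REGISTRY\USER\<SID> paths onto HKLM/HKCU (treating the single SID in the report as the logged-on user, and stripping WOW6432Node so 32-bit and native writes match the same rule), and maps each hit to an ATT&CK technique id. The technique ids are this example's own mapping and differ slightly from the report's (the SFC values are filed under Impair Defenses here rather than Winlogon Helper DLL). The sample rows are copied from the tables above.

```python
"""Normalise the registry IoC rows of a sandbox report and map them to behaviours."""
import re
from dataclasses import dataclass
from typing import Optional

# Row layout as it appears on this page; the key path may contain spaces, the process may not.
ROW_RE = re.compile(
    r'^(?P<op>Set value \((?:int|str)\)|Key created|Key opened|Key value queried) '
    r'(?P<path>\\REGISTRY\\.*?)(?: = "(?P<data>[^"]*)")? (?P<proc>\S+)$')
SCRIPT_EXTS = {".bat", ".vbs", ".reg", ".wsc", ".wsf", ".wsh"}
SECURITY_CENTER = {"antivirusdisablenotify", "firewalldisablenotify", "updatesdisablenotify",
                   "antivirusoverride", "firewalloverride", "firstrundisabled"}


@dataclass
class RegEvent:
    op: str
    hive: str               # "HKLM" or "HKCU"
    key: str                # key path, WOW6432Node folded away, lower-cased
    value: Optional[str]    # value name for Set value rows ("" = the key's default value), else None
    data: Optional[str]
    process: str


def parse_row(line: str) -> Optional[RegEvent]:
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    if path.upper().startswith("\\REGISTRY\\MACHINE\\"):
        hive, rest = "HKLM", path[len("\\REGISTRY\\MACHINE\\"):]
    elif path.upper().startswith("\\REGISTRY\\USER\\"):
        sid, _, rest = path[len("\\REGISTRY\\USER\\"):].partition("\\")
        hive = "HKCU"       # simplification: the only SID in this report is the logged-on user
        if sid.endswith("_Classes"):
            rest = "Software\\Classes\\" + rest   # HKU\<sid>_Classes is HKCU\Software\Classes
    else:
        return None
    rest = rest.replace("WOW6432Node\\", "")      # 32-bit redirected view -> native key path
    if m.group("op").startswith("Set value"):
        key, _, value = rest.rpartition("\\")
    else:
        key, value = rest, None
    return RegEvent(m.group("op"), hive, key.lower(), value, m.group("data"), m.group("proc"))


def classify(ev: RegEvent):
    """Return (behaviour, ATT&CK technique id) for a write that matters, else None."""
    if not ev.op.startswith("Set value"):
        return None
    k, v, d = ev.key, (ev.value or "").lower(), ev.data
    if k.endswith("explorer\\advanced") and v == "hidefileext" and d == "1":
        return "hides file extensions in Explorer", "T1564.001"
    if k.endswith("explorer\\advanced") and v == "showsuperhidden" and d == "0":
        return "hides protected system files in Explorer", "T1564.001"
    if k.endswith("microsoft\\security center") and v in SECURITY_CENTER and d == "1":
        return "suppresses Security Center AV/firewall/update alerts", "T1562.001"
    if k.endswith("policies\\system") and v == "disableregistrytools" and d == "1":
        return "disables regedit via policy", "T1562.001"
    if k.endswith("currentversion\\run"):
        return f"Run-key persistence for {d}", "T1547.001"
    if k.endswith("currentversion\\winlogon") and v in ("sfcdisable", "sfcscan"):
        return "tampers with Windows File Protection settings", "T1562.001"
    if k.startswith("software\\classes\\") and v == "" and d == "txtfile":
        ext = k.rsplit("\\", 1)[-1]
        if ext in SCRIPT_EXTS:
            return f"remaps {ext} to the txtfile handler (scripts open in Notepad)", "T1112"
    return None


def dword_signed(data: str):
    """A REG_DWORD logged as unsigned decimal -> (signed value, hex), e.g. SFCDisable."""
    n = int(data) & 0xFFFFFFFF
    return (n - (1 << 32) if n & 0x80000000 else n), f"0x{n:08X}"


def analyse(lines):
    findings = []
    for line in lines:
        ev = parse_row(line)
        hit = classify(ev) if ev else None
        if hit:
            findings.append((ev.process, hit[1], hit[0], f"{ev.hive}\\{ev.key}", ev.value, ev.data))
    return findings


SAMPLE_ROWS = [  # copied from the signature tables of this report
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" ypzwhlejop.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" ypzwhlejop.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" ypzwhlejop.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" ypzwhlejop.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" ypzwhlejop.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\knbnpsqu = "ypzwhlejop.exe" qnnkiazckypnmwe.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "jfuyutgcovthg.exe" qnnkiazckypnmwe.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" ypzwhlejop.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" ypzwhlejop.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" ypzwhlejop.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat ypzwhlejop.exe',
    r'Key value queried \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation dc9063b98ddc0372cc6aabe10d00c379_JaffaCakes118.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB0B12E479238E252CCBAD732E8D7B9" dc9063b98ddc0372cc6aabe10d00c379_JaffaCakes118.exe',
]

if __name__ == "__main__":
    for proc, tid, what, key, value, data in analyse(SAMPLE_ROWS):
        print(f"{proc:22} {tid:9} {what}\n{'':32}{key}\\{value} = {data}")
    print("SFCDisable =", dword_signed("4294967197"))
```

Rows that are not writes (the Geo\Nation query, "Key created" rows) parse but do not classify, and the CLV.Classes values fall through because they are not a default-value handler remap; the empty value name on the Run row is preserved so the default-value persistence entry is not lost.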
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process (row count)
884 WINWORD.EXE (2)

Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process (row count)
2604 dc9063b98ddc0372cc6aabe10d00c379_JaffaCakes118.exe (16)
4204 qnnkiazckypnmwe.exe (12)
2784 ypzwhlejop.exe (10)
3844 ddeprebf.exe (8)
4612 jfuyutgcovthg.exe (12)
3348 ddeprebf.exe (6)

Suspicious use of FindShellTrayWindow 18 IoCs
pid Process (row count)
2604 dc9063b98ddc0372cc6aabe10d00c379_JaffaCakes118.exe (3)
4204 qnnkiazckypnmwe.exe (3)
2784 ypzwhlejop.exe (3)
3844 ddeprebf.exe (3)
4612 jfuyutgcovthg.exe (3)
3348 ddeprebf.exe (3)

Suspicious use of SendNotifyMessage 18 IoCs
pid Process (row count)
2604 dc9063b98ddc0372cc6aabe10d00c379_JaffaCakes118.exe (3)
4204 qnnkiazckypnmwe.exe (3)
2784 ypzwhlejop.exe (3)
3844 ddeprebf.exe (3)
4612 jfuyutgcovthg.exe (3)
3348 ddeprebf.exe (3)

Suspicious use of SetWindowsHookEx 7 IoCs
pid Process (row count)
884 WINWORD.EXE (7)

Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target (row count)
PID 2604 wrote to memory of 2784 2604 dc9063b98ddc0372cc6aabe10d00c379_JaffaCakes118.exe 92 (3)
PID 2604 wrote to memory of 4204 2604 dc9063b98ddc0372cc6aabe10d00c379_JaffaCakes118.exe 93 (3)
PID 2604 wrote to memory of 3844 2604 dc9063b98ddc0372cc6aabe10d00c379_JaffaCakes118.exe 94 (3)
PID 2604 wrote to memory of 4612 2604 dc9063b98ddc0372cc6aabe10d00c379_JaffaCakes118.exe 95 (3)
PID 2604 wrote to memory of 884 2604 dc9063b98ddc0372cc6aabe10d00c379_JaffaCakes118.exe 96 (2)
PID 2784 wrote to memory of 3348 2784 ypzwhlejop.exe 98 (3)
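The WriteProcessMemory rows are the raw material for the process tree that follows: each child creation shows up as two or three writes from the parent, and the rows name only the writer, so the child's name has to come from another table (here, the pid list under "Executes dropped EXE"). The script below is an added example and is not part of the report; it assumes the row layouts extracted on this page, keeps the write counts instead of collapsing them, and leaves a child unresolved when no table names it, which is what happens to PID 884 (WINWORD.EXE in the report's own tree) because it is not a dropped EXE. The sample rows are copied from the tables above.

```python
"""Rebuild process lineage from 'wrote to memory of' rows plus the dropped-EXE pid list."""
import re
from collections import Counter, defaultdict

# "PID <src> wrote to memory of <dst> <src again> <writer name> <procid_target>"
WPM_RE = re.compile(r'^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) \d+ (?P<proc>\S+) \d+$')
PID_NAME_RE = re.compile(r'(\d+) (\S+)')   # "pid Process" table flattened to "2784 x.exe 4204 y.exe"


def build_lineage(wpm_rows, dropped_exe_row):
    names = {int(pid): name for pid, name in PID_NAME_RE.findall(dropped_exe_row)}
    children = defaultdict(list)      # parent pid -> child pids in first-seen order
    writes = Counter()                # (parent, child) -> number of WriteProcessMemory rows
    for row in wpm_rows:
        m = WPM_RE.match(row.strip())
        if not m:
            continue
        src, dst = int(m.group("src")), int(m.group("dst"))
        names.setdefault(src, m.group("proc"))   # the row names the writer only
        writes[(src, dst)] += 1
        if dst not in children[src]:
            children[src].append(dst)
    roots = [p for p in children if all(p != d for (_, d) in writes)]
    return names, dict(children), writes, roots


def render(names, children, writes, pid, depth=0, via=None):
    """Indented tree; unnamed pids are shown as '?' rather than guessed."""
    tag = f"  [{writes[(via, pid)]} writes from {via}]" if via is not None else ""
    lines = [f"{'    ' * depth}{pid} {names.get(pid, '?')}{tag}"]
    for child in children.get(pid, []):
        lines.extend(render(names, children, writes, child, depth + 1, pid))
    return lines


PARENT = "dc9063b98ddc0372cc6aabe10d00c379_JaffaCakes118.exe"
SAMPLE_WPM = [  # a subset of the 17 rows in this report, keeping the per-edge counts for three edges
    f"PID 2604 wrote to memory of 2784 2604 {PARENT} 92",
    f"PID 2604 wrote to memory of 2784 2604 {PARENT} 92",
    f"PID 2604 wrote to memory of 2784 2604 {PARENT} 92",
    f"PID 2604 wrote to memory of 4204 2604 {PARENT} 93",
    f"PID 2604 wrote to memory of 3844 2604 {PARENT} 94",
    f"PID 2604 wrote to memory of 4612 2604 {PARENT} 95",
    f"PID 2604 wrote to memory of 884 2604 {PARENT} 96",
    f"PID 2604 wrote to memory of 884 2604 {PARENT} 96",
    "PID 2784 wrote to memory of 3348 2784 ypzwhlejop.exe 98",
    "PID 2784 wrote to memory of 3348 2784 ypzwhlejop.exe 98",
    "PID 2784 wrote to memory of 3348 2784 ypzwhlejop.exe 98",
]
DROPPED_EXE_ROW = ("2784 ypzwhlejop.exe 4204 qnnkiazckypnmwe.exe 3844 ddeprebf.exe "
                   "4612 jfuyutgcovthg.exe 3348 ddeprebf.exe")

if __name__ == "__main__":
    names, children, writes, roots = build_lineage(SAMPLE_WPM, DROPPED_EXE_ROW)
    for root in roots:
        print("\n".join(render(names, children, writes, root)))
```

Reading the output against the report's tree confirms the one non-obvious edge: ddeprebf.exe runs twice, once as a child of the sample (3844) and once as a child of ypzwhlejop.exe (3348), so a containment step that kills only the sample's direct children leaves the second copy running.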
Processes

1⤵ C:\Users\Admin\AppData\Local\Temp\dc9063b98ddc0372cc6aabe10d00c379_JaffaCakes118.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\dc9063b98ddc0372cc6aabe10d00c379_JaffaCakes118.exe"
   PID: 2604
   - Checks computer location settings
   - Drops file in System32 directory
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory

   2⤵ C:\Windows\SysWOW64\ypzwhlejop.exe
      command line: ypzwhlejop.exe
      PID: 2784
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Windows security bypass
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Windows security modification
      - Enumerates connected drives
      - Modifies WinLogon
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

      3⤵ C:\Windows\SysWOW64\ddeprebf.exe
         command line: C:\Windows\system32\ddeprebf.exe (the 32-bit parent's system32 path is redirected to SysWOW64 by WOW64 file system redirection)
         PID: 3348
         - Executes dropped EXE
         - Enumerates connected drives
         - Drops file in System32 directory
         - Drops file in Program Files directory
         - Drops file in Windows directory
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of FindShellTrayWindow
         - Suspicious use of SendNotifyMessage

   2⤵ C:\Windows\SysWOW64\qnnkiazckypnmwe.exe
      command line: qnnkiazckypnmwe.exe
      PID: 4204
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

   2⤵ C:\Windows\SysWOW64\ddeprebf.exe
      command line: ddeprebf.exe
      PID: 3844
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

   2⤵ C:\Windows\SysWOW64\jfuyutgcovthg.exe
      command line: jfuyutgcovthg.exe
      PID: 4612
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

   2⤵ C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      PID: 884
      - Drops file in Windows directory
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of SetWindowsHookEx

1⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
   command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4508,i,4174666705242427184,7333705955694532165,262144 --variations-seed-version --mojo-platform-channel-handle=4500 /prefetch:8
   PID: 4588
   (Edge utility process with no parent in the tree and no signatures; not spawned by the sample.)
Network

MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (T1547) 2
    Registry Run Keys / Startup Folder (T1547.001) 1
    Winlogon Helper DLL (T1547.004) 1
Privilege Escalation
  Boot or Logon Autostart Execution (T1547) 2
    Registry Run Keys / Startup Folder (T1547.001) 1
    Winlogon Helper DLL (T1547.004) 1
Defense Evasion
  Hide Artifacts (T1564) 2
    Hidden Files and Directories (T1564.001) 2
  Impair Defenses (T1562) 2
    Disable or Modify Tools (T1562.001) 2
  Modify Registry (T1112) 6
Downloads

Filesize: 512KB
MD5: e5fcb477ebfba3ef10fb7e74a755f00c
SHA1: 420ac4f6d8b13d66882c450919119774af0dd62a
SHA256: 1ec8b794912d924eaa9ddc8537d31ec672bb742268b689dbb4469c8053488e2c
SHA512: f9470eef1ccfbfd022406ccac0720af4572166e4a0b1463c41260f3fad9652400197718902253c0d777d8e799dcc7c2f4e8f148bcb0f6ab992697c7174926741

Filesize: 512KB
MD5: 02325b53ab190d1b8daa2e9fd1e40544
SHA1: 972c5b8abfdf09e10823e4a41fb670c0e3e8ee13
SHA256: b6d565598f43be1a3dba87c5a62a4a6305b7021075c2c6c5f5a3ec6b7b1862e9
SHA512: c5e07f6b503ac2f39ec9787375c2f24ebedda0740c7d6cdefae4fb79f338946e1ccf078b31db3858c36d78e3abf066c14e1a132dfe0e64774ad06ed53ffa2df7

Filesize: 245KB
MD5: f883b260a8d67082ea895c14bf56dd56
SHA1: 7954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256: ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512: d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Filesize: 379B
MD5: feeaa9629e0836f80e00068fbf753ca0
SHA1: 654d7966886f603359c1f64db2f87a16ea6214ad
SHA256: 888905e9263d45f858ee7806126758ab53f145be2f19b5b3b798ddd13a3ebf02
SHA512: 1d40b3fd9d390a7494f4473ede36b6a865655d3cf0d349da524ed5d01f88f4606b10c9ef451064d5e5bdb870b9ff456019bfbf47c8d8551534f91746081a697f

Filesize: 16B
MD5: d29962abc88624befc0135579ae485ec
SHA1: e40a6458296ec6a2427bcb280572d023a9862b31
SHA256: a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866
SHA512: 4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 2KB
MD5: 28e95c0f068e6ff795297b686a057f79
SHA1: 31abf63b6127c55fad7e5a316e4ca9eb42289d08
SHA256: f1bbaac0856a1b84088555fa7cd09b2f1452ffa4f7e84c36aeaadfec7a9b181d
SHA512: 0f53a3d0ad45c774d214ffd81a6ba5d047c275bb4898b8b638f5e99f8387cd099fb4d2d5df6a0f2d50dc581a127224224e14f7e3d9353ce0dfcbfc7f67193870

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 1KB
MD5: e6d96a85788a281972a3842f1e935694
SHA1: 58578a74c8574320f85e75ef30b986af858c299c
SHA256: f367f0d873a3be7c2c6ae8c7d51e481e81582644d32a5b93c44f95f30c1546a9
SHA512: f485d1d088b29aadf5363c2c9c669c1a9aeb7f348cb6363084ea9fc3be329db0a8c24dacc21f1058421f944a32f8456c6bc73edcba8f1be045589bb1251c0152

Filesize: 512KB
MD5: dc5453995520715443e02def901d1461
SHA1: c8655e053b559a7d892105a95e288bdc7d4876e3
SHA256: a0e86053402c61f032d8f30207ce60ed73f426574cf0caa19b866e67982032c9
SHA512: 30753da9040eeef47e33be3bf449eac3ec4e2fa2b53d5012fd9f9af1d8b69289caa802ddd0b337c3011fc85be1a9c2737cf2ceb4a1d715d83bdd282828337f1f

Filesize: 512KB
MD5: 47aafe80ed9dd6094da691fcb35d2396
SHA1: 5a592b4c698908082159380d7f7d5c7ea4a2671a
SHA256: 68f1b5698a779e804e252a78b267477b93459eeb6bd9eea5709ca9e50be4d1d2
SHA512: 4dd7b92e636eadb57950ad813f9575f348b2697b72a45ce401164cea9aec735fe870eb985c3b60d2e406486a8a701b8160789ca2d05eb1897f55897f0f125470

Filesize: 512KB
MD5: 7f242f2196680a765a39506197346f63
SHA1: 2d407b527c44391bc5d5f109485be0cd3eeb144f
SHA256: b1da9c03bc237270570d2e90e84c251111f26729ac3945a68e1eb4a256aac708
SHA512: bdd5086f3c1ba917ebf798314f5d86e5b3552ed3f4d7717746e6a28dd8646f0bd8b3bfa5aae5f06fed6c324ad404ad5c628d98a8adf2831ea56aed2a7ba2591c

Filesize: 512KB
MD5: 0dc4826653b68f6e1c339ab997fe419d
SHA1: 5d458c2d37fc655d321b83021156315404905ce0
SHA256: 56e711d1f58f3191e304d2d97ce03744244f5131732996d0990688d79e72b959
SHA512: f6d55f8a333bdd8a097b763306170cc382e73f7026d512817a69533216b4f9455d50bbe94a304caf8d5e7b573867be7aee931e96a96de05577117370d08dd596

Filesize: 512KB
MD5: b3bb2054b403ff47b4012b4c76c8066c
SHA1: 27c94dce1a2213804dcbd19c051cd2fb2a3fc632
SHA256: 06ce473de7000fa45a0017fc6c0fc64f5e6e4825c3ee5469e37d970b857cfccc
SHA512: 7a833ae249cf0a825dfc93b58bc43881d14ecbb1117088d1b28392d3c971f4d2560faf6077b14e0fa87dd1fd6d9577e062c966611b85f9fa2658990b0e3a57a9

Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Filesize: 512KB
MD5: 764e3634e2e5dfe6b624b0c162360f4f
SHA1: 31b83a72a25e0c2d8f5b273e9e511a359484c012
SHA256: f7b2d85724a9b53d0ae45105dcdaa8eb078b5cf745d793f0e65b2e42aa6c63a6
SHA512: daf9139a7fa724bfefcd895f3221b785197e477f0fb2c854baa5aad34c37b1e72ea5297ac3a3b189f3e77e70caeac30957dd30b10c73b1747e45ad148b2c613a

Filesize: 512KB
MD5: a7ffddcd45f785b014d417e731e8e759
SHA1: ab2f5869175b95da88ad8d4bf3abdd7ba44f8224
SHA256: d2091c224a12eace1bf17870dc86fe6ad935989bcab18023b890a1a72e7e2e00
SHA512: dd7a01bdf8460878f1a9ec6c5ab149e1c47f0ec13fa696bdf883d6af4fe71f003d56bdb6fcf1f44e7c9b5ba27611f8c9c13a7ad805f08959484f47c3d93fd06f