Analysis
max time kernel: 149s
max time network: 124s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-09-2024 13:08

Static task: static1
Behavioral task: behavioral1
Sample: e03f500b36e8020ee26c3349d5eabd79_JaffaCakes118.exe
Resource: win7-20240903-en

General
Target: e03f500b36e8020ee26c3349d5eabd79_JaffaCakes118.exe
Size: 512KB
MD5: e03f500b36e8020ee26c3349d5eabd79
SHA1: a7e508f52c70862ed0649438b8ed935c2ad3c6ea
SHA256: ae740a14f78523070dc3112e9b734ab85b9838b9d9cd841e354beababc023091
SHA512: c85bb67b4f35152165391fef12ffce21f0bf573753692505ea8563b7e37abcffcc3ca3d829bb1502d4d435a87dc76d2ad20bfec80e72c61df6f96906e4af42af
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6H:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm54
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | joasybchet.exe

Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | joasybchet.exe

Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | joasybchet.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | joasybchet.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | joasybchet.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | joasybchet.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | joasybchet.exe

Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | joasybchet.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely as a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | e03f500b36e8020ee26c3349d5eabd79_JaffaCakes118.exe
Executes dropped EXE 5 IoCs
pid | Process
3044 | joasybchet.exe
1856 | cnuvryxkoncxxhy.exe
2896 | wmrfkeuj.exe
4300 | bllngjbogtspt.exe
4480 | wmrfkeuj.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | joasybchet.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | joasybchet.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | joasybchet.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | joasybchet.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | joasybchet.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | joasybchet.exe

Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "bllngjbogtspt.exe" | cnuvryxkoncxxhy.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\bcpayhxo = "joasybchet.exe" | cnuvryxkoncxxhy.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\umatwsls = "cnuvryxkoncxxhy.exe" | cnuvryxkoncxxhy.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\y: | wmrfkeuj.exe
File opened (read-only) | \??\w: | joasybchet.exe
File opened (read-only) | \??\y: | joasybchet.exe
File opened (read-only) | \??\w: | wmrfkeuj.exe
File opened (read-only) | \??\g: | wmrfkeuj.exe
File opened (read-only) | \??\p: | wmrfkeuj.exe
File opened (read-only) | \??\v: | wmrfkeuj.exe
File opened (read-only) | \??\p: | joasybchet.exe
File opened (read-only) | \??\u: | wmrfkeuj.exe
File opened (read-only) | \??\q: | wmrfkeuj.exe
File opened (read-only) | \??\s: | wmrfkeuj.exe
File opened (read-only) | \??\j: | joasybchet.exe
File opened (read-only) | \??\b: | wmrfkeuj.exe
File opened (read-only) | \??\b: | joasybchet.exe
File opened (read-only) | \??\o: | joasybchet.exe
File opened (read-only) | \??\t: | joasybchet.exe
File opened (read-only) | \??\a: | wmrfkeuj.exe
File opened (read-only) | \??\i: | joasybchet.exe
File opened (read-only) | \??\v: | joasybchet.exe
File opened (read-only) | \??\t: | wmrfkeuj.exe
File opened (read-only) | \??\i: | wmrfkeuj.exe
File opened (read-only) | \??\l: | wmrfkeuj.exe
File opened (read-only) | \??\k: | joasybchet.exe
File opened (read-only) | \??\a: | wmrfkeuj.exe
File opened (read-only) | \??\g: | wmrfkeuj.exe
File opened (read-only) | \??\r: | wmrfkeuj.exe
File opened (read-only) | \??\z: | wmrfkeuj.exe
File opened (read-only) | \??\j: | wmrfkeuj.exe
File opened (read-only) | \??\n: | wmrfkeuj.exe
File opened (read-only) | \??\t: | wmrfkeuj.exe
File opened (read-only) | \??\u: | wmrfkeuj.exe
File opened (read-only) | \??\w: | wmrfkeuj.exe
File opened (read-only) | \??\x: | wmrfkeuj.exe
File opened (read-only) | \??\l: | joasybchet.exe
File opened (read-only) | \??\e: | wmrfkeuj.exe
File opened (read-only) | \??\h: | wmrfkeuj.exe
File opened (read-only) | \??\m: | joasybchet.exe
File opened (read-only) | \??\s: | joasybchet.exe
File opened (read-only) | \??\x: | joasybchet.exe
File opened (read-only) | \??\n: | wmrfkeuj.exe
File opened (read-only) | \??\p: | wmrfkeuj.exe
File opened (read-only) | \??\r: | wmrfkeuj.exe
File opened (read-only) | \??\h: | joasybchet.exe
File opened (read-only) | \??\n: | joasybchet.exe
File opened (read-only) | \??\m: | wmrfkeuj.exe
File opened (read-only) | \??\x: | wmrfkeuj.exe
File opened (read-only) | \??\m: | wmrfkeuj.exe
File opened (read-only) | \??\a: | joasybchet.exe
File opened (read-only) | \??\z: | joasybchet.exe
File opened (read-only) | \??\e: | wmrfkeuj.exe
File opened (read-only) | \??\h: | wmrfkeuj.exe
File opened (read-only) | \??\o: | wmrfkeuj.exe
File opened (read-only) | \??\i: | wmrfkeuj.exe
File opened (read-only) | \??\z: | wmrfkeuj.exe
File opened (read-only) | \??\u: | joasybchet.exe
File opened (read-only) | \??\j: | wmrfkeuj.exe
File opened (read-only) | \??\k: | wmrfkeuj.exe
File opened (read-only) | \??\k: | wmrfkeuj.exe
File opened (read-only) | \??\l: | wmrfkeuj.exe
File opened (read-only) | \??\v: | wmrfkeuj.exe
File opened (read-only) | \??\b: | wmrfkeuj.exe
File opened (read-only) | \??\e: | joasybchet.exe
File opened (read-only) | \??\g: | joasybchet.exe
File opened (read-only) | \??\y: | wmrfkeuj.exe
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | joasybchet.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | joasybchet.exe

AutoIT Executable 10 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/3712-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x00090000000234ce-5.dat | autoit_exe
behavioral2/files/0x000900000002347c-19.dat | autoit_exe
behavioral2/files/0x00070000000234d9-27.dat | autoit_exe
behavioral2/files/0x00070000000234da-32.dat | autoit_exe
behavioral2/files/0x00070000000234e8-72.dat | autoit_exe
behavioral2/files/0x00070000000234e7-66.dat | autoit_exe
behavioral2/files/0x00070000000234ef-84.dat | autoit_exe
behavioral2/files/0x00070000000234f9-107.dat | autoit_exe
behavioral2/files/0x00070000000234f9-109.dat | autoit_exe

Drops file in System32 directory 12 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | joasybchet.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | wmrfkeuj.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | wmrfkeuj.exe
File created | C:\Windows\SysWOW64\joasybchet.exe | e03f500b36e8020ee26c3349d5eabd79_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\cnuvryxkoncxxhy.exe | e03f500b36e8020ee26c3349d5eabd79_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\wmrfkeuj.exe | e03f500b36e8020ee26c3349d5eabd79_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\bllngjbogtspt.exe | e03f500b36e8020ee26c3349d5eabd79_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\bllngjbogtspt.exe | e03f500b36e8020ee26c3349d5eabd79_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\joasybchet.exe | e03f500b36e8020ee26c3349d5eabd79_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\cnuvryxkoncxxhy.exe | e03f500b36e8020ee26c3349d5eabd79_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\wmrfkeuj.exe | e03f500b36e8020ee26c3349d5eabd79_JaffaCakes118.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | wmrfkeuj.exe

Drops file in Program Files directory 14 IoCs
description | ioc | Process
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | wmrfkeuj.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | wmrfkeuj.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | wmrfkeuj.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | wmrfkeuj.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | wmrfkeuj.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | wmrfkeuj.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | wmrfkeuj.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | wmrfkeuj.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | wmrfkeuj.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | wmrfkeuj.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | wmrfkeuj.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | wmrfkeuj.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | wmrfkeuj.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | wmrfkeuj.exe

Drops file in Windows directory 19 IoCs
description | ioc | Process
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | wmrfkeuj.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | wmrfkeuj.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | wmrfkeuj.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | wmrfkeuj.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | wmrfkeuj.exe
File opened for modification | C:\Windows\mydoc.rtf | e03f500b36e8020ee26c3349d5eabd79_JaffaCakes118.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | wmrfkeuj.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | wmrfkeuj.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | wmrfkeuj.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | wmrfkeuj.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | wmrfkeuj.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | wmrfkeuj.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | wmrfkeuj.exe
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | wmrfkeuj.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | wmrfkeuj.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | wmrfkeuj.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | wmrfkeuj.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | joasybchet.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cnuvryxkoncxxhy.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wmrfkeuj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bllngjbogtspt.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wmrfkeuj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e03f500b36e8020ee26c3349d5eabd79_JaffaCakes118.exe
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE

Modifies registry class 20 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | e03f500b36e8020ee26c3349d5eabd79_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33302C779C5782256D3576D270252CD67DF465DD" | e03f500b36e8020ee26c3349d5eabd79_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1945C67C15E3DBBFB9BA7FE7ED9237CA" | e03f500b36e8020ee26c3349d5eabd79_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings | e03f500b36e8020ee26c3349d5eabd79_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | joasybchet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACDFABAFE13F2E4840B3A3181EC39E1B08002FA43120248E2BD42E809A3" | e03f500b36e8020ee26c3349d5eabd79_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | joasybchet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | joasybchet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | joasybchet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB5B15C4497399D53C5BAD733E9D7CC" | e03f500b36e8020ee26c3349d5eabd79_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F36BB6FF1F21D9D179D0A68B0E9165" | e03f500b36e8020ee26c3349d5eabd79_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | joasybchet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | joasybchet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | joasybchet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E88FF8B482C851F9146D72D7D97BDE2E13558436644623ED690" | e03f500b36e8020ee26c3349d5eabd79_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | joasybchet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | joasybchet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | joasybchet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | joasybchet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | joasybchet.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
932 | WINWORD.EXE (2 entries)

Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
3712 | e03f500b36e8020ee26c3349d5eabd79_JaffaCakes118.exe (16 entries)
1856 | cnuvryxkoncxxhy.exe (10 entries)
3044 | joasybchet.exe (10 entries)
2896 | wmrfkeuj.exe (8 entries)
4300 | bllngjbogtspt.exe (12 entries)
1856 | cnuvryxkoncxxhy.exe (2 entries)
4480 | wmrfkeuj.exe (6 entries)

Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process
3712 | e03f500b36e8020ee26c3349d5eabd79_JaffaCakes118.exe (3 entries)
3044 | joasybchet.exe (3 entries)
1856 | cnuvryxkoncxxhy.exe (3 entries)
2896 | wmrfkeuj.exe (3 entries)
4300 | bllngjbogtspt.exe (3 entries)
4480 | wmrfkeuj.exe (3 entries)

Suspicious use of SendNotifyMessage 18 IoCs
pid | Process
3712 | e03f500b36e8020ee26c3349d5eabd79_JaffaCakes118.exe (3 entries)
3044 | joasybchet.exe (3 entries)
1856 | cnuvryxkoncxxhy.exe (3 entries)
2896 | wmrfkeuj.exe (3 entries)
4300 | bllngjbogtspt.exe (3 entries)
4480 | wmrfkeuj.exe (3 entries)

Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process
932 | WINWORD.EXE (7 entries)

Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 3712 wrote to memory of 3044 | 3712 | e03f500b36e8020ee26c3349d5eabd79_JaffaCakes118.exe | 85 (3 entries)
PID 3712 wrote to memory of 1856 | 3712 | e03f500b36e8020ee26c3349d5eabd79_JaffaCakes118.exe | 86 (3 entries)
PID 3712 wrote to memory of 2896 | 3712 | e03f500b36e8020ee26c3349d5eabd79_JaffaCakes118.exe | 87 (3 entries)
PID 3712 wrote to memory of 4300 | 3712 | e03f500b36e8020ee26c3349d5eabd79_JaffaCakes118.exe | 88 (3 entries)
PID 3712 wrote to memory of 932 | 3712 | e03f500b36e8020ee26c3349d5eabd79_JaffaCakes118.exe | 89 (2 entries)
PID 3044 wrote to memory of 4480 | 3044 | joasybchet.exe | 91 (3 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\e03f500b36e8020ee26c3349d5eabd79_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e03f500b36e8020ee26c3349d5eabd79_JaffaCakes118.exe"
  PID: 3712
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\joasybchet.exe
    Command line: joasybchet.exe
    PID: 3044
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\wmrfkeuj.exe
      Command line: C:\Windows\system32\wmrfkeuj.exe
      PID: 4480
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\cnuvryxkoncxxhy.exe
    Command line: cnuvryxkoncxxhy.exe
    PID: 1856
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\wmrfkeuj.exe
    Command line: wmrfkeuj.exe
    PID: 2896
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\bllngjbogtspt.exe
    Command line: bllngjbogtspt.exe
    PID: 4300
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    PID: 932
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)

Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)

Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (6)
Downloads