Analysis
-
max time kernel
150s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
15-09-2024 09:04
Static task
static1
2 signatures
Behavioral task
behavioral1
Sample
e22363a9bf090c96c9cbbd60dded7842_JaffaCakes118.exe
Resource
win7-20240903-en
windows7-x64
28 signatures
150 seconds
General
-
Target
e22363a9bf090c96c9cbbd60dded7842_JaffaCakes118.exe
-
Size
512KB
-
MD5
e22363a9bf090c96c9cbbd60dded7842
-
SHA1
5149473f2ca50240947bd08fabea6889649e219e
-
SHA256
a6b684502b288e48c8d30c266440d96e349a80113287bdaad7692aaf8657505f
-
SHA512
2221ba04ee745fd9f7fa6763883fbf0c9c804eaf7d1747f2c4ce496e5df231193920e6bd79bb8a62a813f1da2817268db36908a74999b7c93a9577d151e278d1
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6m:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5P
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" ewswocmaxi.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" ewswocmaxi.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" ewswocmaxi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" ewswocmaxi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" ewswocmaxi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" ewswocmaxi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" ewswocmaxi.exe -
Disables RegEdit via registry modification 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" ewswocmaxi.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation e22363a9bf090c96c9cbbd60dded7842_JaffaCakes118.exe -
Executes dropped EXE 5 IoCs
pid Process 3336 ewswocmaxi.exe 4304 wyyfysasycmlnxe.exe 2768 bxrgitei.exe 2308 gmpqwfcizgoko.exe 4124 bxrgitei.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" ewswocmaxi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" ewswocmaxi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" ewswocmaxi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" ewswocmaxi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" ewswocmaxi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" ewswocmaxi.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\neagjckm = "ewswocmaxi.exe" wyyfysasycmlnxe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ypzlpqjt = "wyyfysasycmlnxe.exe" wyyfysasycmlnxe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "gmpqwfcizgoko.exe" wyyfysasycmlnxe.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\s: bxrgitei.exe File opened (read-only) \??\b: bxrgitei.exe File opened (read-only) \??\e: bxrgitei.exe File opened (read-only) \??\k: ewswocmaxi.exe File opened (read-only) \??\l: ewswocmaxi.exe File opened (read-only) \??\n: ewswocmaxi.exe File opened (read-only) \??\w: ewswocmaxi.exe File opened (read-only) \??\n: bxrgitei.exe File opened (read-only) \??\e: ewswocmaxi.exe File opened (read-only) \??\i: ewswocmaxi.exe File opened (read-only) \??\p: ewswocmaxi.exe File opened (read-only) \??\v: ewswocmaxi.exe File opened (read-only) \??\u: bxrgitei.exe File opened (read-only) \??\g: ewswocmaxi.exe File opened (read-only) \??\x: ewswocmaxi.exe File opened (read-only) \??\l: bxrgitei.exe File opened (read-only) \??\z: bxrgitei.exe File opened (read-only) \??\x: bxrgitei.exe File opened (read-only) \??\p: bxrgitei.exe File opened (read-only) \??\r: bxrgitei.exe File opened (read-only) \??\b: ewswocmaxi.exe File opened (read-only) \??\o: ewswocmaxi.exe File opened (read-only) \??\u: ewswocmaxi.exe File opened (read-only) \??\b: bxrgitei.exe File opened (read-only) \??\u: bxrgitei.exe File opened (read-only) \??\w: bxrgitei.exe File opened (read-only) \??\q: ewswocmaxi.exe File opened (read-only) \??\s: ewswocmaxi.exe File opened (read-only) \??\t: ewswocmaxi.exe File opened (read-only) \??\j: bxrgitei.exe File opened (read-only) \??\q: bxrgitei.exe File opened (read-only) \??\t: bxrgitei.exe File opened (read-only) \??\m: bxrgitei.exe File opened (read-only) \??\a: ewswocmaxi.exe File opened (read-only) \??\z: ewswocmaxi.exe File opened (read-only) \??\z: bxrgitei.exe File opened (read-only) \??\n: bxrgitei.exe File opened (read-only) \??\y: bxrgitei.exe File opened (read-only) \??\q: bxrgitei.exe File opened (read-only) \??\v: bxrgitei.exe File opened (read-only) \??\r: ewswocmaxi.exe File opened (read-only) \??\a: bxrgitei.exe File opened (read-only) \??\g: bxrgitei.exe File opened (read-only) \??\k: bxrgitei.exe File opened (read-only) \??\y: ewswocmaxi.exe File opened (read-only) \??\t: bxrgitei.exe File opened (read-only) \??\v: bxrgitei.exe File opened (read-only) \??\j: bxrgitei.exe File opened (read-only) \??\m: bxrgitei.exe File opened (read-only) \??\p: bxrgitei.exe File opened (read-only) \??\j: ewswocmaxi.exe File opened (read-only) \??\w: bxrgitei.exe File opened (read-only) \??\a: bxrgitei.exe File opened (read-only) \??\g: bxrgitei.exe File opened (read-only) \??\l: bxrgitei.exe File opened (read-only) \??\o: bxrgitei.exe File opened (read-only) \??\s: bxrgitei.exe File opened (read-only) \??\y: bxrgitei.exe File opened (read-only) \??\h: bxrgitei.exe File opened (read-only) \??\r: bxrgitei.exe File opened (read-only) \??\i: bxrgitei.exe File opened (read-only) \??\o: bxrgitei.exe File opened (read-only) \??\i: bxrgitei.exe File opened (read-only) \??\k: bxrgitei.exe -
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" ewswocmaxi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" ewswocmaxi.exe -
AutoIT Executable 10 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral2/memory/3256-0-0x0000000000400000-0x0000000000496000-memory.dmp autoit_exe behavioral2/files/0x00070000000234e7-5.dat autoit_exe behavioral2/files/0x00080000000234e3-18.dat autoit_exe behavioral2/files/0x00070000000234e8-26.dat autoit_exe behavioral2/files/0x00070000000234e9-32.dat autoit_exe behavioral2/files/0x00080000000234d0-66.dat autoit_exe behavioral2/files/0x00070000000234f5-72.dat autoit_exe behavioral2/files/0x00070000000234fb-78.dat autoit_exe behavioral2/files/0x0011000000023504-103.dat autoit_exe behavioral2/files/0x0011000000023504-198.dat autoit_exe -
Drops file in System32 directory 12 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\msvbvm60.dll ewswocmaxi.exe File created C:\Windows\SysWOW64\ewswocmaxi.exe e22363a9bf090c96c9cbbd60dded7842_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\ewswocmaxi.exe e22363a9bf090c96c9cbbd60dded7842_JaffaCakes118.exe File created C:\Windows\SysWOW64\wyyfysasycmlnxe.exe e22363a9bf090c96c9cbbd60dded7842_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\wyyfysasycmlnxe.exe e22363a9bf090c96c9cbbd60dded7842_JaffaCakes118.exe File created C:\Windows\SysWOW64\gmpqwfcizgoko.exe e22363a9bf090c96c9cbbd60dded7842_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\gmpqwfcizgoko.exe e22363a9bf090c96c9cbbd60dded7842_JaffaCakes118.exe File created C:\Windows\SysWOW64\bxrgitei.exe e22363a9bf090c96c9cbbd60dded7842_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\bxrgitei.exe e22363a9bf090c96c9cbbd60dded7842_JaffaCakes118.exe File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe bxrgitei.exe File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe bxrgitei.exe File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe bxrgitei.exe -
Drops file in Program Files directory 15 IoCs
description ioc Process File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe bxrgitei.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe bxrgitei.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal bxrgitei.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe bxrgitei.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal bxrgitei.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe bxrgitei.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal bxrgitei.exe File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe bxrgitei.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe bxrgitei.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe bxrgitei.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe bxrgitei.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe bxrgitei.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe bxrgitei.exe File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe bxrgitei.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal bxrgitei.exe -
Drops file in Windows directory 19 IoCs
description ioc Process File opened for modification C:\Windows\mydoc.rtf e22363a9bf090c96c9cbbd60dded7842_JaffaCakes118.exe File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe bxrgitei.exe File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe bxrgitei.exe File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe bxrgitei.exe File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe bxrgitei.exe File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe bxrgitei.exe File created C:\Windows\~$mydoc.rtf WINWORD.EXE File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe bxrgitei.exe File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe bxrgitei.exe File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe bxrgitei.exe File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe bxrgitei.exe File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe bxrgitei.exe File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe bxrgitei.exe File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe bxrgitei.exe File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe bxrgitei.exe File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe bxrgitei.exe File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe bxrgitei.exe File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe bxrgitei.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language gmpqwfcizgoko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bxrgitei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e22363a9bf090c96c9cbbd60dded7842_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ewswocmaxi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wyyfysasycmlnxe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bxrgitei.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Modifies registry class 20 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BC9F9BDFE64F1E484793A42869A3E92B3FD028C4365034CE1BF45E808D6" e22363a9bf090c96c9cbbd60dded7842_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" ewswocmaxi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc ewswocmaxi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg ewswocmaxi.exe Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes e22363a9bf090c96c9cbbd60dded7842_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat ewswocmaxi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh ewswocmaxi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs ewswocmaxi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" ewswocmaxi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB2B05B4497399E53BEB9D632E9D7CF" e22363a9bf090c96c9cbbd60dded7842_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E8FFF8A4F5B82699046D7217D96BDE4E641594067316335D79B" e22363a9bf090c96c9cbbd60dded7842_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1949C70E1491DAB7B9BB7FE5ED9437CD" e22363a9bf090c96c9cbbd60dded7842_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" ewswocmaxi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf ewswocmaxi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" ewswocmaxi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" ewswocmaxi.exe Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings e22363a9bf090c96c9cbbd60dded7842_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33462D7F9D5182586A3376D370542CDF7C8664AB" e22363a9bf090c96c9cbbd60dded7842_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7846BB0FE1C21DFD27AD0D48A0B9167" e22363a9bf090c96c9cbbd60dded7842_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" ewswocmaxi.exe -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 3000 WINWORD.EXE 3000 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3256 e22363a9bf090c96c9cbbd60dded7842_JaffaCakes118.exe 3256 e22363a9bf090c96c9cbbd60dded7842_JaffaCakes118.exe 3256 e22363a9bf090c96c9cbbd60dded7842_JaffaCakes118.exe 3256 e22363a9bf090c96c9cbbd60dded7842_JaffaCakes118.exe 3256 e22363a9bf090c96c9cbbd60dded7842_JaffaCakes118.exe 3256 e22363a9bf090c96c9cbbd60dded7842_JaffaCakes118.exe 3256 e22363a9bf090c96c9cbbd60dded7842_JaffaCakes118.exe 3256 e22363a9bf090c96c9cbbd60dded7842_JaffaCakes118.exe 3256 e22363a9bf090c96c9cbbd60dded7842_JaffaCakes118.exe 3256 e22363a9bf090c96c9cbbd60dded7842_JaffaCakes118.exe 3256 e22363a9bf090c96c9cbbd60dded7842_JaffaCakes118.exe 3256 e22363a9bf090c96c9cbbd60dded7842_JaffaCakes118.exe 3256 e22363a9bf090c96c9cbbd60dded7842_JaffaCakes118.exe 3256 e22363a9bf090c96c9cbbd60dded7842_JaffaCakes118.exe 3256 e22363a9bf090c96c9cbbd60dded7842_JaffaCakes118.exe 3256 e22363a9bf090c96c9cbbd60dded7842_JaffaCakes118.exe 3336 ewswocmaxi.exe 3336 ewswocmaxi.exe 3336 ewswocmaxi.exe 3336 ewswocmaxi.exe 3336 ewswocmaxi.exe 3336 ewswocmaxi.exe 3336 ewswocmaxi.exe 3336 ewswocmaxi.exe 3336 ewswocmaxi.exe 3336 ewswocmaxi.exe 2768 bxrgitei.exe 2768 bxrgitei.exe 2768 bxrgitei.exe 2768 bxrgitei.exe 2768 bxrgitei.exe 2768 bxrgitei.exe 2768 bxrgitei.exe 2768 bxrgitei.exe 4304 wyyfysasycmlnxe.exe 4304 wyyfysasycmlnxe.exe 4304 wyyfysasycmlnxe.exe 4304 wyyfysasycmlnxe.exe 4304 wyyfysasycmlnxe.exe 4304 wyyfysasycmlnxe.exe 4304 wyyfysasycmlnxe.exe 4304 wyyfysasycmlnxe.exe 4304 wyyfysasycmlnxe.exe 4304 wyyfysasycmlnxe.exe 2308 gmpqwfcizgoko.exe 2308 gmpqwfcizgoko.exe 2308 gmpqwfcizgoko.exe 2308 gmpqwfcizgoko.exe 2308 gmpqwfcizgoko.exe 2308 gmpqwfcizgoko.exe 2308 gmpqwfcizgoko.exe 2308 gmpqwfcizgoko.exe 2308 gmpqwfcizgoko.exe 2308 gmpqwfcizgoko.exe 2308 gmpqwfcizgoko.exe 2308 gmpqwfcizgoko.exe 4124 bxrgitei.exe 4124 bxrgitei.exe 4124 bxrgitei.exe 4124 bxrgitei.exe 4124 bxrgitei.exe 4124 bxrgitei.exe 4124 bxrgitei.exe 4124 bxrgitei.exe -
Suspicious use of FindShellTrayWindow 18 IoCs
pid Process 3256 e22363a9bf090c96c9cbbd60dded7842_JaffaCakes118.exe 3256 e22363a9bf090c96c9cbbd60dded7842_JaffaCakes118.exe 3256 e22363a9bf090c96c9cbbd60dded7842_JaffaCakes118.exe 3336 ewswocmaxi.exe 3336 ewswocmaxi.exe 3336 ewswocmaxi.exe 2768 bxrgitei.exe 2768 bxrgitei.exe 2768 bxrgitei.exe 4304 wyyfysasycmlnxe.exe 4304 wyyfysasycmlnxe.exe 4304 wyyfysasycmlnxe.exe 2308 gmpqwfcizgoko.exe 2308 gmpqwfcizgoko.exe 2308 gmpqwfcizgoko.exe 4124 bxrgitei.exe 4124 bxrgitei.exe 4124 bxrgitei.exe -
Suspicious use of SendNotifyMessage 18 IoCs
pid Process 3256 e22363a9bf090c96c9cbbd60dded7842_JaffaCakes118.exe 3256 e22363a9bf090c96c9cbbd60dded7842_JaffaCakes118.exe 3256 e22363a9bf090c96c9cbbd60dded7842_JaffaCakes118.exe 3336 ewswocmaxi.exe 3336 ewswocmaxi.exe 3336 ewswocmaxi.exe 2768 bxrgitei.exe 2768 bxrgitei.exe 2768 bxrgitei.exe 4304 wyyfysasycmlnxe.exe 4304 wyyfysasycmlnxe.exe 4304 wyyfysasycmlnxe.exe 2308 gmpqwfcizgoko.exe 2308 gmpqwfcizgoko.exe 2308 gmpqwfcizgoko.exe 4124 bxrgitei.exe 4124 bxrgitei.exe 4124 bxrgitei.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process 3000 WINWORD.EXE 3000 WINWORD.EXE 3000 WINWORD.EXE 3000 WINWORD.EXE 3000 WINWORD.EXE 3000 WINWORD.EXE 3000 WINWORD.EXE -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target PID 3256 wrote to memory of 3336 3256 e22363a9bf090c96c9cbbd60dded7842_JaffaCakes118.exe 84 PID 3256 wrote to memory of 3336 3256 e22363a9bf090c96c9cbbd60dded7842_JaffaCakes118.exe 84 PID 3256 wrote to memory of 3336 3256 e22363a9bf090c96c9cbbd60dded7842_JaffaCakes118.exe 84 PID 3256 wrote to memory of 4304 3256 e22363a9bf090c96c9cbbd60dded7842_JaffaCakes118.exe 85 PID 3256 wrote to memory of 4304 3256 e22363a9bf090c96c9cbbd60dded7842_JaffaCakes118.exe 85 PID 3256 wrote to memory of 4304 3256 e22363a9bf090c96c9cbbd60dded7842_JaffaCakes118.exe 85 PID 3256 wrote to memory of 2768 3256 e22363a9bf090c96c9cbbd60dded7842_JaffaCakes118.exe 86 PID 3256 wrote to memory of 2768 3256 e22363a9bf090c96c9cbbd60dded7842_JaffaCakes118.exe 86 PID 3256 wrote to memory of 2768 3256 e22363a9bf090c96c9cbbd60dded7842_JaffaCakes118.exe 86 PID 3256 wrote to memory of 2308 3256 e22363a9bf090c96c9cbbd60dded7842_JaffaCakes118.exe 87 PID 3256 wrote to memory of 2308 3256 e22363a9bf090c96c9cbbd60dded7842_JaffaCakes118.exe 87 PID 3256 wrote to memory of 2308 3256 e22363a9bf090c96c9cbbd60dded7842_JaffaCakes118.exe 87 PID 3256 wrote to memory of 3000 3256 e22363a9bf090c96c9cbbd60dded7842_JaffaCakes118.exe 88 PID 3256 wrote to memory of 3000 3256 e22363a9bf090c96c9cbbd60dded7842_JaffaCakes118.exe 88 PID 3336 wrote to memory of 4124 3336 ewswocmaxi.exe 90 PID 3336 wrote to memory of 4124 3336 ewswocmaxi.exe 90 PID 3336 wrote to memory of 4124 3336 ewswocmaxi.exe 90
Processes
-
C:\Users\Admin\AppData\Local\Temp\e22363a9bf090c96c9cbbd60dded7842_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e22363a9bf090c96c9cbbd60dded7842_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3256 -
C:\Windows\SysWOW64\ewswocmaxi.exeewswocmaxi.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3336 -
C:\Windows\SysWOW64\bxrgitei.exeC:\Windows\system32\bxrgitei.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4124
-
-
-
C:\Windows\SysWOW64\wyyfysasycmlnxe.exewyyfysasycmlnxe.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4304
-
-
C:\Windows\SysWOW64\bxrgitei.exebxrgitei.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2768
-
-
C:\Windows\SysWOW64\gmpqwfcizgoko.exegmpqwfcizgoko.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2308
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""2⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3000
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
2Disable or Modify Tools
2Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
512KB
MD54150a4dc43d8691594631bbe5fea62a8
SHA19bc426848934b84176f7b411e6410f49c7fa3656
SHA2564e9c75c57f45b2bb47398dfc33021d23c4270ae344849af6815b26f1ef968b57
SHA512551b0982470e961605945c8468e4e3ef69abc95ca5411f9153e636801eb93dd910b4f8f676a60338135cd28dcb8e2e63c1736f06e5d87e9de7f0a8f9877241de
-
Filesize
512KB
MD5cdd2712bfc023d41211ef665b9c0c372
SHA1e1cc4cc8caa5c51eab511e75f69cfd15b177ad99
SHA256e9b28cb09e5d19ca9c31f3bf4fb06d1cce6fd720006749eb8823b4a1cde23583
SHA512fef24bdef0071adc622e49000212aaaf2ff7c6f179f8da4ccb8e5f5e1d16106776d44da8ebe025a80c395976cebeb672c061e6bc8ae2c56c8acb013630eae605
-
Filesize
262KB
MD551d32ee5bc7ab811041f799652d26e04
SHA1412193006aa3ef19e0a57e16acf86b830993024a
SHA2566230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA5125fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810
-
Filesize
414B
MD5c4d533e683f53883c7231206cd18bf37
SHA107f075e942b9b6b5bec45b991b6b5b41c69e2b8c
SHA2562f5a204b57af38481712184e7f593283d9aad4da49981fab96f2a83aee1597dc
SHA5127ef39fac284871653eddb51c1c81312ef6ee3f7d8ecc8c2187009f9fd8d841f4a1a7fc83aae6d533a581535496a76cab3cdf9958be4b4c6fe11a3fb28ef299a5
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize3KB
MD5269263b988992fdce22cab7263f2e2c6
SHA1f3428afa30b04f9bc2097f1722ae85530fb3cabd
SHA2563f02361a2bf6b6ff02b94f84123caedb58575c9732c5b3d2659bdae051e09ef2
SHA51269bceb7da91fe450b8cdd2a6b21bc44a218f339fa51182a264393cb610e01365451dc0f86e3e5dd60656f2918e6d832ef0d1dd59e6b1901749ef71d087677a97
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize2KB
MD506b2355952073aa135e2cd9c23c26a4f
SHA1b036e16bfe776ca782c852d9c20bd3264f226f7e
SHA25691508e67ed699bc99c333c93e452b74bda4931821a11b821f4975b95daace788
SHA512903834bc4cefcf0b40c7d3e655aaf42df46851ab2a1d8a6ea47263b6f8695498359ecb7783e92e7c715e6d2c6ae1b19b66a373a3e43da6f0796618d6a1c0d16d
-
Filesize
512KB
MD541dd0017e4131c5a391d64e4c6438b7b
SHA1d7b6c64a0afd89eeb1307f173a5c6ad75e245c71
SHA256e1887532af6249272d0928f11e5971495be24619be67c832efd263f96c819e1a
SHA5123d54b7c0a0ed475581a3d838b5eb58a816630993b9082df4f24075c20e383fbac7ac9dae36b40f3bb6fc463b5258b25daac9e23f50786b1a4d944872854d3251
-
Filesize
512KB
MD5cdb3bf0cad819372c79328699b48b6ba
SHA138d391be277c1d9c3e396b6034c8b3ad19fd108c
SHA256bb2f0e1a15b3f0d95008e2847b5a8eac6b210d979b125383bd8fe86646a5da01
SHA512f1d060e1fb7df25472438dcf8a1b80b608af7a4861d9e3160ed265818de91524499eec72e0482825d7f5a73220a2bc64142c4945bbdb873f546cfcaea890de55
-
Filesize
512KB
MD57c7dcb7854f2fd9ff3857187c0cb1154
SHA1c5361dbfb39ec005f058b74ad72f272393c4ef28
SHA25678cc9b127242cee2ea7a424eee3ce1950eb98933a880efc5a504c50897ff605b
SHA5126662690282b7084351a5f99b527ee1808a96ba4e7f55c1e4da2289af60fecf3d5a665a6d4f37d08f15b9e2319bcb249818fd5b56fae562630c5649813d365abe
-
Filesize
512KB
MD5fbd9c2488a8a38130eb706cc833569ee
SHA144f028c38d5e0b420c52a0cba9e3134ef77dc365
SHA256004e157ad93cb8619cf2c91a25d05b38c8b2494eb53ec4bfe3e3972fc0c27421
SHA512c4510f019648a681c311fd5d86ed747273e8fad8bb04354eb6dea487fb427f3e0c3ed5f2fa0b79289742ad347c0d5fe16c839041d6fee063511181b9cc74694d
-
Filesize
512KB
MD5c07757103cd48b723a88e6e82cb997dc
SHA1c8c1cf2c6a292a571c6868f51696f71e92b22dd4
SHA256455650a723091aaa6c6e11d36c5885aef6517e7b76545823858eebe3585559d6
SHA51274b3365a2252ba347c214d18e2f146d9fadb0259e45904124313b4d9be7d84012808a3f66c1260e56b6f1b7db7d8a9d273a747c5bc872b4ea03e4997a52dbf95
-
Filesize
223B
MD506604e5941c126e2e7be02c5cd9f62ec
SHA14eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA25685f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
Filesize
512KB
MD5f744b7c6c3eee6e474dfe2b2b5c48eef
SHA1b3fc1e3aa9d524bec5a29f120905a724eefab37c
SHA256e4b4a793349756b6fae64e0d2e4f4f129a0740e4d18c07c92ff39d96eb22aad2
SHA512408c40ce1e917aa45fcbaedb32882bb35c59766dc48c3088b5a9a52e8d2145cf66b292db54efd8900bc2a30278b1ce42ad870ce30694b1a61daf9373f7cd1337
-
Filesize
512KB
MD5d3feaed863185bb4672b627f1d6deb7e
SHA1b659452ef2bbbd4af5ed83a7a746446f8f374b4e
SHA256d66a0367f6bdfb475065f74fb2160711c818b2b06877b0d1a851e6faa6d9e97c
SHA512d386dc21c32088b6456fbd006cead287ac706261dbd4c7b98c0b476e8175e5b6f478958542dff2a2c4b74f02407fdee60a0e91428fda52690de0dcc4691e3984