Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
19/09/2024, 02:54
Static task
static1
2 signatures
Behavioral task
behavioral1
Sample
ea74a30434592a4890be2e6b6945e9f3_JaffaCakes118.exe
Resource
win7-20240903-en
windows7-x64
25 signatures
150 seconds
General
-
Target
ea74a30434592a4890be2e6b6945e9f3_JaffaCakes118.exe
-
Size
512KB
-
MD5
ea74a30434592a4890be2e6b6945e9f3
-
SHA1
02eaa622cc6ec787393e4c2bf4c1972932ca4f48
-
SHA256
628aa0bc37ab01ae98277fe219cec0e3deb65c0409fbfef2edc1e5705e0593e8
-
SHA512
05bdce325193db3f9d452aa3343f71c82d4a542425e6c0297d422d058b3348bf40f80bf9944044659e400f7072ef19bc84190a6c56f2c9f78bdfb2e03fa5aa9e
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6c:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5n
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" vpvcuofinp.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" vpvcuofinp.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" vpvcuofinp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" vpvcuofinp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" vpvcuofinp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" vpvcuofinp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" vpvcuofinp.exe -
Disables RegEdit via registry modification 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" vpvcuofinp.exe -
Executes dropped EXE 5 IoCs
pid Process 1920 vpvcuofinp.exe 2948 bcuqyupstznyvcg.exe 2284 bvkipjmb.exe 2740 giunuyfersrsd.exe 2728 bvkipjmb.exe -
Loads dropped DLL 5 IoCs
pid Process 2516 ea74a30434592a4890be2e6b6945e9f3_JaffaCakes118.exe 2516 ea74a30434592a4890be2e6b6945e9f3_JaffaCakes118.exe 2516 ea74a30434592a4890be2e6b6945e9f3_JaffaCakes118.exe 2516 ea74a30434592a4890be2e6b6945e9f3_JaffaCakes118.exe 1920 vpvcuofinp.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" vpvcuofinp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" vpvcuofinp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" vpvcuofinp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" vpvcuofinp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" vpvcuofinp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" vpvcuofinp.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\lvuosdav = "vpvcuofinp.exe" bcuqyupstznyvcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\gskdmysa = "bcuqyupstznyvcg.exe" bcuqyupstznyvcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "giunuyfersrsd.exe" bcuqyupstznyvcg.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\h: vpvcuofinp.exe File opened (read-only) \??\i: vpvcuofinp.exe File opened (read-only) \??\n: vpvcuofinp.exe File opened (read-only) \??\l: bvkipjmb.exe File opened (read-only) \??\n: bvkipjmb.exe File opened (read-only) \??\g: bvkipjmb.exe File opened (read-only) \??\p: bvkipjmb.exe File opened (read-only) \??\o: vpvcuofinp.exe File opened (read-only) \??\t: vpvcuofinp.exe File opened (read-only) \??\w: bvkipjmb.exe File opened (read-only) \??\x: bvkipjmb.exe File opened (read-only) \??\w: bvkipjmb.exe File opened (read-only) \??\y: bvkipjmb.exe File opened (read-only) \??\j: vpvcuofinp.exe File opened (read-only) \??\u: vpvcuofinp.exe File opened (read-only) \??\s: bvkipjmb.exe File opened (read-only) \??\l: bvkipjmb.exe File opened (read-only) \??\t: bvkipjmb.exe File opened (read-only) \??\l: vpvcuofinp.exe File opened (read-only) \??\b: bvkipjmb.exe File opened (read-only) \??\e: vpvcuofinp.exe File opened (read-only) \??\z: vpvcuofinp.exe File opened (read-only) \??\j: bvkipjmb.exe File opened (read-only) \??\r: bvkipjmb.exe File opened (read-only) \??\u: bvkipjmb.exe File opened (read-only) \??\r: vpvcuofinp.exe File opened (read-only) \??\b: bvkipjmb.exe File opened (read-only) \??\h: bvkipjmb.exe File opened (read-only) \??\k: bvkipjmb.exe File opened (read-only) \??\t: bvkipjmb.exe File opened (read-only) \??\i: bvkipjmb.exe File opened (read-only) \??\o: bvkipjmb.exe File opened (read-only) \??\q: bvkipjmb.exe File opened (read-only) \??\a: vpvcuofinp.exe File opened (read-only) \??\b: vpvcuofinp.exe File opened (read-only) \??\g: vpvcuofinp.exe File opened (read-only) \??\o: bvkipjmb.exe File opened (read-only) \??\p: bvkipjmb.exe File opened (read-only) \??\z: bvkipjmb.exe File opened (read-only) \??\s: bvkipjmb.exe File opened (read-only) \??\x: bvkipjmb.exe File opened (read-only) \??\v: vpvcuofinp.exe File opened (read-only) \??\e: bvkipjmb.exe File opened (read-only) \??\m: bvkipjmb.exe File opened (read-only) \??\q: bvkipjmb.exe File opened (read-only) \??\e: bvkipjmb.exe File opened (read-only) \??\j: bvkipjmb.exe File opened (read-only) \??\s: vpvcuofinp.exe File opened (read-only) \??\y: vpvcuofinp.exe File opened (read-only) \??\h: bvkipjmb.exe File opened (read-only) \??\n: bvkipjmb.exe File opened (read-only) \??\v: bvkipjmb.exe File opened (read-only) \??\m: vpvcuofinp.exe File opened (read-only) \??\p: vpvcuofinp.exe File opened (read-only) \??\a: bvkipjmb.exe File opened (read-only) \??\z: bvkipjmb.exe File opened (read-only) \??\k: bvkipjmb.exe File opened (read-only) \??\k: vpvcuofinp.exe File opened (read-only) \??\i: bvkipjmb.exe File opened (read-only) \??\v: bvkipjmb.exe File opened (read-only) \??\x: vpvcuofinp.exe File opened (read-only) \??\r: bvkipjmb.exe File opened (read-only) \??\u: bvkipjmb.exe File opened (read-only) \??\a: bvkipjmb.exe -
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" vpvcuofinp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" vpvcuofinp.exe -
AutoIT Executable 7 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral1/memory/2516-0-0x0000000000400000-0x0000000000496000-memory.dmp autoit_exe behavioral1/files/0x0008000000015d59-9.dat autoit_exe behavioral1/files/0x0007000000012119-20.dat autoit_exe behavioral1/files/0x0008000000015d41-21.dat autoit_exe behavioral1/files/0x0008000000015d81-36.dat autoit_exe behavioral1/files/0x0008000000015d0e-58.dat autoit_exe behavioral1/files/0x0009000000016241-70.dat autoit_exe -
Drops file in System32 directory 9 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\vpvcuofinp.exe ea74a30434592a4890be2e6b6945e9f3_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\giunuyfersrsd.exe ea74a30434592a4890be2e6b6945e9f3_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll vpvcuofinp.exe File created C:\Windows\SysWOW64\vpvcuofinp.exe ea74a30434592a4890be2e6b6945e9f3_JaffaCakes118.exe File created C:\Windows\SysWOW64\bcuqyupstznyvcg.exe ea74a30434592a4890be2e6b6945e9f3_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\bcuqyupstznyvcg.exe ea74a30434592a4890be2e6b6945e9f3_JaffaCakes118.exe File created C:\Windows\SysWOW64\bvkipjmb.exe ea74a30434592a4890be2e6b6945e9f3_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\bvkipjmb.exe ea74a30434592a4890be2e6b6945e9f3_JaffaCakes118.exe File created C:\Windows\SysWOW64\giunuyfersrsd.exe ea74a30434592a4890be2e6b6945e9f3_JaffaCakes118.exe -
Drops file in Program Files directory 15 IoCs
description ioc Process File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe bvkipjmb.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe bvkipjmb.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe bvkipjmb.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe bvkipjmb.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal bvkipjmb.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal bvkipjmb.exe File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe bvkipjmb.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe bvkipjmb.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe bvkipjmb.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal bvkipjmb.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe bvkipjmb.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal bvkipjmb.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe bvkipjmb.exe File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe bvkipjmb.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe bvkipjmb.exe -
Drops file in Windows directory 5 IoCs
description ioc Process File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE File created C:\Windows\~$mydoc.rtf WINWORD.EXE File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE File opened for modification C:\Windows\~$mydoc.rtf WINWORD.EXE File opened for modification C:\Windows\mydoc.rtf ea74a30434592a4890be2e6b6945e9f3_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvcuofinp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bcuqyupstznyvcg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bvkipjmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language giunuyfersrsd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bvkipjmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WINWORD.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ea74a30434592a4890be2e6b6945e9f3_JaffaCakes118.exe -
Office loads VBA resources, possible macro or embedded object present
-
Modifies registry class 19 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" vpvcuofinp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E8FFF8E4F5C851F903DD62E7D93BD93E630584466456246D790" ea74a30434592a4890be2e6b6945e9f3_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat vpvcuofinp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" vpvcuofinp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf vpvcuofinp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg vpvcuofinp.exe Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes ea74a30434592a4890be2e6b6945e9f3_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh vpvcuofinp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" vpvcuofinp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" vpvcuofinp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" vpvcuofinp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc vpvcuofinp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs vpvcuofinp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32452D789D5683256D4276A670202CD77D8065D9" ea74a30434592a4890be2e6b6945e9f3_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACEFACEFE13F29884793A44819B3E92B38B03FE4366024BE2C8429C08D4" ea74a30434592a4890be2e6b6945e9f3_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB2B02C47E539EB52CEBAA73298D7C4" ea74a30434592a4890be2e6b6945e9f3_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7FD68B3FF1821AED173D0D18A789017" ea74a30434592a4890be2e6b6945e9f3_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "183EC70B1596DABFB8C97F92ECE434C8" ea74a30434592a4890be2e6b6945e9f3_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" vpvcuofinp.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2892 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2516 ea74a30434592a4890be2e6b6945e9f3_JaffaCakes118.exe 2516 ea74a30434592a4890be2e6b6945e9f3_JaffaCakes118.exe 2516 ea74a30434592a4890be2e6b6945e9f3_JaffaCakes118.exe 2516 ea74a30434592a4890be2e6b6945e9f3_JaffaCakes118.exe 2516 ea74a30434592a4890be2e6b6945e9f3_JaffaCakes118.exe 2516 ea74a30434592a4890be2e6b6945e9f3_JaffaCakes118.exe 2516 ea74a30434592a4890be2e6b6945e9f3_JaffaCakes118.exe 2516 ea74a30434592a4890be2e6b6945e9f3_JaffaCakes118.exe 1920 vpvcuofinp.exe 1920 vpvcuofinp.exe 1920 vpvcuofinp.exe 1920 vpvcuofinp.exe 1920 vpvcuofinp.exe 2740 giunuyfersrsd.exe 2740 giunuyfersrsd.exe 2740 giunuyfersrsd.exe 2740 giunuyfersrsd.exe 2740 giunuyfersrsd.exe 2740 giunuyfersrsd.exe 2948 bcuqyupstznyvcg.exe 2948 bcuqyupstznyvcg.exe 2948 bcuqyupstznyvcg.exe 2948 bcuqyupstznyvcg.exe 2948 bcuqyupstznyvcg.exe 2284 bvkipjmb.exe 2284 bvkipjmb.exe 2284 bvkipjmb.exe 2284 bvkipjmb.exe 2728 bvkipjmb.exe 2728 bvkipjmb.exe 2728 bvkipjmb.exe 2728 bvkipjmb.exe 2948 bcuqyupstznyvcg.exe 2740 giunuyfersrsd.exe 2740 giunuyfersrsd.exe 2948 bcuqyupstznyvcg.exe 2948 bcuqyupstznyvcg.exe 2740 giunuyfersrsd.exe 2740 giunuyfersrsd.exe 2948 bcuqyupstznyvcg.exe 2740 giunuyfersrsd.exe 2740 giunuyfersrsd.exe 2740 giunuyfersrsd.exe 2740 giunuyfersrsd.exe 2948 bcuqyupstznyvcg.exe 2740 giunuyfersrsd.exe 2740 giunuyfersrsd.exe 2948 bcuqyupstznyvcg.exe 2948 bcuqyupstznyvcg.exe 2740 giunuyfersrsd.exe 2740 giunuyfersrsd.exe 2740 giunuyfersrsd.exe 2740 giunuyfersrsd.exe 2948 bcuqyupstznyvcg.exe 2740 giunuyfersrsd.exe 2740 giunuyfersrsd.exe 2948 bcuqyupstznyvcg.exe 2740 giunuyfersrsd.exe 2740 giunuyfersrsd.exe 2948 bcuqyupstznyvcg.exe 2740 giunuyfersrsd.exe 2740 giunuyfersrsd.exe 2948 bcuqyupstznyvcg.exe 2948 bcuqyupstznyvcg.exe -
Suspicious use of FindShellTrayWindow 18 IoCs
pid Process 2516 ea74a30434592a4890be2e6b6945e9f3_JaffaCakes118.exe 2516 ea74a30434592a4890be2e6b6945e9f3_JaffaCakes118.exe 2516 ea74a30434592a4890be2e6b6945e9f3_JaffaCakes118.exe 1920 vpvcuofinp.exe 1920 vpvcuofinp.exe 1920 vpvcuofinp.exe 2740 giunuyfersrsd.exe 2740 giunuyfersrsd.exe 2740 giunuyfersrsd.exe 2948 bcuqyupstznyvcg.exe 2284 bvkipjmb.exe 2948 bcuqyupstznyvcg.exe 2284 bvkipjmb.exe 2284 bvkipjmb.exe 2948 bcuqyupstznyvcg.exe 2728 bvkipjmb.exe 2728 bvkipjmb.exe 2728 bvkipjmb.exe -
Suspicious use of SendNotifyMessage 18 IoCs
pid Process 2516 ea74a30434592a4890be2e6b6945e9f3_JaffaCakes118.exe 2516 ea74a30434592a4890be2e6b6945e9f3_JaffaCakes118.exe 2516 ea74a30434592a4890be2e6b6945e9f3_JaffaCakes118.exe 1920 vpvcuofinp.exe 1920 vpvcuofinp.exe 1920 vpvcuofinp.exe 2740 giunuyfersrsd.exe 2740 giunuyfersrsd.exe 2740 giunuyfersrsd.exe 2948 bcuqyupstznyvcg.exe 2284 bvkipjmb.exe 2948 bcuqyupstznyvcg.exe 2284 bvkipjmb.exe 2284 bvkipjmb.exe 2948 bcuqyupstznyvcg.exe 2728 bvkipjmb.exe 2728 bvkipjmb.exe 2728 bvkipjmb.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2892 WINWORD.EXE 2892 WINWORD.EXE -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 2516 wrote to memory of 1920 2516 ea74a30434592a4890be2e6b6945e9f3_JaffaCakes118.exe 30 PID 2516 wrote to memory of 1920 2516 ea74a30434592a4890be2e6b6945e9f3_JaffaCakes118.exe 30 PID 2516 wrote to memory of 1920 2516 ea74a30434592a4890be2e6b6945e9f3_JaffaCakes118.exe 30 PID 2516 wrote to memory of 1920 2516 ea74a30434592a4890be2e6b6945e9f3_JaffaCakes118.exe 30 PID 2516 wrote to memory of 2948 2516 ea74a30434592a4890be2e6b6945e9f3_JaffaCakes118.exe 31 PID 2516 wrote to memory of 2948 2516 ea74a30434592a4890be2e6b6945e9f3_JaffaCakes118.exe 31 PID 2516 wrote to memory of 2948 2516 ea74a30434592a4890be2e6b6945e9f3_JaffaCakes118.exe 31 PID 2516 wrote to memory of 2948 2516 ea74a30434592a4890be2e6b6945e9f3_JaffaCakes118.exe 31 PID 2516 wrote to memory of 2284 2516 ea74a30434592a4890be2e6b6945e9f3_JaffaCakes118.exe 32 PID 2516 wrote to memory of 2284 2516 ea74a30434592a4890be2e6b6945e9f3_JaffaCakes118.exe 32 PID 2516 wrote to memory of 2284 2516 ea74a30434592a4890be2e6b6945e9f3_JaffaCakes118.exe 32 PID 2516 wrote to memory of 2284 2516 ea74a30434592a4890be2e6b6945e9f3_JaffaCakes118.exe 32 PID 2516 wrote to memory of 2740 2516 ea74a30434592a4890be2e6b6945e9f3_JaffaCakes118.exe 33 PID 2516 wrote to memory of 2740 2516 ea74a30434592a4890be2e6b6945e9f3_JaffaCakes118.exe 33 PID 2516 wrote to memory of 2740 2516 ea74a30434592a4890be2e6b6945e9f3_JaffaCakes118.exe 33 PID 2516 wrote to memory of 2740 2516 ea74a30434592a4890be2e6b6945e9f3_JaffaCakes118.exe 33 PID 1920 wrote to memory of 2728 1920 vpvcuofinp.exe 34 PID 1920 wrote to memory of 2728 1920 vpvcuofinp.exe 34 PID 1920 wrote to memory of 2728 1920 vpvcuofinp.exe 34 PID 1920 wrote to memory of 2728 1920 vpvcuofinp.exe 34 PID 2516 wrote to memory of 2892 2516 ea74a30434592a4890be2e6b6945e9f3_JaffaCakes118.exe 35 PID 2516 wrote to memory of 2892 2516 ea74a30434592a4890be2e6b6945e9f3_JaffaCakes118.exe 35 PID 2516 wrote to memory of 2892 2516 ea74a30434592a4890be2e6b6945e9f3_JaffaCakes118.exe 35 PID 2516 wrote to memory of 2892 2516 ea74a30434592a4890be2e6b6945e9f3_JaffaCakes118.exe 35 PID 2892 wrote to memory of 2656 2892 WINWORD.EXE 37 PID 2892 wrote to memory of 2656 2892 WINWORD.EXE 37 PID 2892 wrote to memory of 2656 2892 WINWORD.EXE 37 PID 2892 wrote to memory of 2656 2892 WINWORD.EXE 37
Processes
-
C:\Users\Admin\AppData\Local\Temp\ea74a30434592a4890be2e6b6945e9f3_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\ea74a30434592a4890be2e6b6945e9f3_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2516 -
C:\Windows\SysWOW64\vpvcuofinp.exevpvcuofinp.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1920 -
C:\Windows\SysWOW64\bvkipjmb.exeC:\Windows\system32\bvkipjmb.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2728
-
-
-
C:\Windows\SysWOW64\bcuqyupstznyvcg.exebcuqyupstznyvcg.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2948
-
-
C:\Windows\SysWOW64\bvkipjmb.exebvkipjmb.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2284
-
-
C:\Windows\SysWOW64\giunuyfersrsd.exegiunuyfersrsd.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2740
-
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"2⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122883⤵PID:2656
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
2Disable or Modify Tools
2Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
512KB
MD504ebc7d359c3e5d1ff28d9cfa865bf2c
SHA1bc4fb263ecd4fc1f2efb12c3e017e9731c2977e1
SHA25680cc6f0563f8cf18a920bd6b6b9ce722db13d24c31506989ee2b55307594c28b
SHA512c0ca307f37266882f5bbc533c0fce8ba545b70f2432ba53f8c54de7dfa98d48b390472bb1205bdf49285b33029408a3a0102198ce261417c9d331b2b0cfc0cad
-
Filesize
512KB
MD5c9a087d0dc8e013d69e65bf225c7c2d9
SHA116cb3ddccae9cfc2aa392f6dc5dd433e417987f8
SHA256a71847b109f5deac19616f7de93e2c22c5b8ac5b544dacfa10faca25040f6899
SHA5122908afc929fb9ba21c620f677092f563e3f96b0492e63362e82719b729c82d3b5f440d55d81ce14fa3dd6507640f984971cdd17eeaeff2b968a597ce57de9832
-
Filesize
19KB
MD5e1166a085488aed1d93c31ee52d3ac42
SHA1b6bbefeb5c26d40498efb9e336178e1309ceee3d
SHA256c574f319315b74c2352ccda8ffb85eb0cdf161b8ca61075338263fb7bfc91f2f
SHA51255be0b080be96154e76e3388938c2d7fd45528358d2f7d4aef2e19622318691bc01da94b747ee58c212d975965c658f9a3a8c3b1e05d51511ab0850b7aaf254f
-
Filesize
512KB
MD5e83c8e3f2a327d831017c987de203ddc
SHA1254e5775823460a53846120067eb273f5c7fa351
SHA256a864f126eaf128bc650b3788c04d8725bbcfa72a894e87ea314d7626441be3ee
SHA512c375f12488fb5ea413a90112e2ee8556fa7a627344eddb85969fd3c36aa9ddf0f315ffc7f373334b7abebb7a01588b9eb65535a3c635c12a0afce341b73352b8
-
Filesize
512KB
MD5061e59e0056b95644f64af6588a54670
SHA1633257734c9a566a52cb6269f8352d85127a79f6
SHA2567ce81319b30ecffcaf4b409470fc5dd2867bea600e0e30c3ab84d3cdcbf4aefd
SHA512b4a7a433955af3d91d7e10e640ac60e421aa6442e7d8d3bfc16424ea8f00229c738c2e3593a7f864c14ffe222b192957e976e92aacb02c26ab01ca9ec14bd0e6
-
Filesize
512KB
MD520361a21aea8202e70196315662dbd2f
SHA17f4874c635d767416c4b4c96e754bac6e6e41be8
SHA256e3841e3f25542b5f5f9ddfca57180e76284de93d42ff15f6b9fcebabd02a9c50
SHA51297b215c479ace635ec50ebd63d1a1a56fdbabd4fc9caec5ca0471ee479c4fcf67ce820564b9edd94a53035e9827ca0166889b2ef7f7c910e3568b2ffe5e5b09c
-
Filesize
223B
MD506604e5941c126e2e7be02c5cd9f62ec
SHA14eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA25685f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
Filesize
512KB
MD50f89012d816ca4f0303810499060f2f8
SHA13b63dde66339301fa00af293c109b1c544baf242
SHA256ca2b6c74fd959d6b6184c66fc8e645589ad1dc512728f52f629a101fd8d12901
SHA51297b3f6c36dd2d876205d02b620228e9a6e45ee8d242be7013dd0d107623f8044d777f70edb24d0a0c1de01ce755a0ab903c2e00fb3d416c3746d63b4abeb9e06