Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240910-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240910-en locale:en-us os:windows10-2004-x64 system
submitted: 19-09-2024 05:13
Static task: static1
Behavioral task: behavioral1
Sample: eaa6403d4112a0e87a273b63f5fc9c70_JaffaCakes118.exe
Resource: win7-20240903-en
General
Target: eaa6403d4112a0e87a273b63f5fc9c70_JaffaCakes118.exe
Size: 512KB
MD5: eaa6403d4112a0e87a273b63f5fc9c70
SHA1: cc2a6ac1fbef8cd2bfc11c19cebe25bfaa884e96
SHA256: 47cdf20c8fe73e5c608026562011329e97f38ccf75ac5ae24c84bcc49b099386
SHA512: 4f5f80d403f33b98b9295648e9c415835ef4ed75d7bbcd29d92fb41892c9ddcf91da1a239b6db34b7ed561b27781f0c7eea77105bf624c319ac71099a7ab5cbf
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj69:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5m
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | nazlwawdyy.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | nazlwawdyy.exe
Windows security bypass 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | nazlwawdyy.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | nazlwawdyy.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | nazlwawdyy.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | nazlwawdyy.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | nazlwawdyy.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | nazlwawdyy.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation | eaa6403d4112a0e87a273b63f5fc9c70_JaffaCakes118.exe
Executes dropped EXE 5 IoCs
pid | Process
4708 | nazlwawdyy.exe
2648 | kcscsctazxxdzkx.exe
992 | quyhjzbh.exe
704 | maxanepucfvbn.exe
1720 | quyhjzbh.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | nazlwawdyy.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | nazlwawdyy.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | nazlwawdyy.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | nazlwawdyy.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | nazlwawdyy.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | nazlwawdyy.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dwvlzkyj = "nazlwawdyy.exe" | kcscsctazxxdzkx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nwlawiwt = "kcscsctazxxdzkx.exe" | kcscsctazxxdzkx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "maxanepucfvbn.exe" | kcscsctazxxdzkx.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\g: | nazlwawdyy.exe
File opened (read-only) | \??\k: | nazlwawdyy.exe
File opened (read-only) | \??\g: | quyhjzbh.exe
File opened (read-only) | \??\i: | quyhjzbh.exe
File opened (read-only) | \??\j: | quyhjzbh.exe
File opened (read-only) | \??\l: | quyhjzbh.exe
File opened (read-only) | \??\w: | quyhjzbh.exe
File opened (read-only) | \??\w: | quyhjzbh.exe
File opened (read-only) | \??\z: | quyhjzbh.exe
File opened (read-only) | \??\a: | quyhjzbh.exe
File opened (read-only) | \??\h: | quyhjzbh.exe
File opened (read-only) | \??\v: | nazlwawdyy.exe
File opened (read-only) | \??\y: | nazlwawdyy.exe
File opened (read-only) | \??\h: | quyhjzbh.exe
File opened (read-only) | \??\g: | quyhjzbh.exe
File opened (read-only) | \??\w: | nazlwawdyy.exe
File opened (read-only) | \??\k: | quyhjzbh.exe
File opened (read-only) | \??\q: | quyhjzbh.exe
File opened (read-only) | \??\y: | quyhjzbh.exe
File opened (read-only) | \??\p: | quyhjzbh.exe
File opened (read-only) | \??\z: | quyhjzbh.exe
File opened (read-only) | \??\j: | nazlwawdyy.exe
File opened (read-only) | \??\y: | quyhjzbh.exe
File opened (read-only) | \??\p: | nazlwawdyy.exe
File opened (read-only) | \??\b: | quyhjzbh.exe
File opened (read-only) | \??\k: | quyhjzbh.exe
File opened (read-only) | \??\i: | nazlwawdyy.exe
File opened (read-only) | \??\r: | nazlwawdyy.exe
File opened (read-only) | \??\l: | quyhjzbh.exe
File opened (read-only) | \??\b: | quyhjzbh.exe
File opened (read-only) | \??\t: | quyhjzbh.exe
File opened (read-only) | \??\s: | nazlwawdyy.exe
File opened (read-only) | \??\a: | quyhjzbh.exe
File opened (read-only) | \??\u: | quyhjzbh.exe
File opened (read-only) | \??\e: | nazlwawdyy.exe
File opened (read-only) | \??\o: | nazlwawdyy.exe
File opened (read-only) | \??\i: | quyhjzbh.exe
File opened (read-only) | \??\j: | quyhjzbh.exe
File opened (read-only) | \??\n: | quyhjzbh.exe
File opened (read-only) | \??\s: | quyhjzbh.exe
File opened (read-only) | \??\a: | nazlwawdyy.exe
File opened (read-only) | \??\b: | nazlwawdyy.exe
File opened (read-only) | \??\x: | nazlwawdyy.exe
File opened (read-only) | \??\o: | quyhjzbh.exe
File opened (read-only) | \??\e: | quyhjzbh.exe
File opened (read-only) | \??\o: | quyhjzbh.exe
File opened (read-only) | \??\l: | nazlwawdyy.exe
File opened (read-only) | \??\n: | nazlwawdyy.exe
File opened (read-only) | \??\u: | quyhjzbh.exe
File opened (read-only) | \??\v: | quyhjzbh.exe
File opened (read-only) | \??\r: | quyhjzbh.exe
File opened (read-only) | \??\x: | quyhjzbh.exe
File opened (read-only) | \??\m: | nazlwawdyy.exe
File opened (read-only) | \??\q: | nazlwawdyy.exe
File opened (read-only) | \??\e: | quyhjzbh.exe
File opened (read-only) | \??\x: | quyhjzbh.exe
File opened (read-only) | \??\t: | nazlwawdyy.exe
File opened (read-only) | \??\u: | nazlwawdyy.exe
File opened (read-only) | \??\r: | quyhjzbh.exe
File opened (read-only) | \??\n: | quyhjzbh.exe
File opened (read-only) | \??\s: | quyhjzbh.exe
File opened (read-only) | \??\h: | nazlwawdyy.exe
File opened (read-only) | \??\z: | nazlwawdyy.exe
File opened (read-only) | \??\q: | quyhjzbh.exe
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | nazlwawdyy.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | nazlwawdyy.exe
AutoIT Executable 9 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/4720-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x000d000000023b85-5.dat | autoit_exe
behavioral2/files/0x000c000000023b38-18.dat | autoit_exe
behavioral2/files/0x000a000000023b8e-32.dat | autoit_exe
behavioral2/files/0x0031000000023b8d-28.dat | autoit_exe
behavioral2/files/0x000a000000023b9b-68.dat | autoit_exe
behavioral2/files/0x000a000000023b9c-73.dat | autoit_exe
behavioral2/files/0x000a000000023bb1-100.dat | autoit_exe
behavioral2/files/0x000a000000023bb1-105.dat | autoit_exe
Drops file in System32 directory 12 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\kcscsctazxxdzkx.exe | eaa6403d4112a0e87a273b63f5fc9c70_JaffaCakes118.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | quyhjzbh.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | quyhjzbh.exe
File created | C:\Windows\SysWOW64\nazlwawdyy.exe | eaa6403d4112a0e87a273b63f5fc9c70_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\nazlwawdyy.exe | eaa6403d4112a0e87a273b63f5fc9c70_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\kcscsctazxxdzkx.exe | eaa6403d4112a0e87a273b63f5fc9c70_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\quyhjzbh.exe | eaa6403d4112a0e87a273b63f5fc9c70_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\quyhjzbh.exe | eaa6403d4112a0e87a273b63f5fc9c70_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\maxanepucfvbn.exe | eaa6403d4112a0e87a273b63f5fc9c70_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\maxanepucfvbn.exe | eaa6403d4112a0e87a273b63f5fc9c70_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | nazlwawdyy.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | quyhjzbh.exe
Drops file in Program Files directory 15 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | quyhjzbh.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | quyhjzbh.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | quyhjzbh.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | quyhjzbh.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | quyhjzbh.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | quyhjzbh.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | quyhjzbh.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | quyhjzbh.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | quyhjzbh.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | quyhjzbh.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | quyhjzbh.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | quyhjzbh.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | quyhjzbh.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | quyhjzbh.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | quyhjzbh.exe
Drops file in Windows directory 19 IoCs
description | ioc | Process
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | quyhjzbh.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | quyhjzbh.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | quyhjzbh.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | quyhjzbh.exe
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | quyhjzbh.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | quyhjzbh.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | quyhjzbh.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | quyhjzbh.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | quyhjzbh.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | quyhjzbh.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | quyhjzbh.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | quyhjzbh.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | quyhjzbh.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | quyhjzbh.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | quyhjzbh.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | quyhjzbh.exe
File opened for modification | C:\Windows\mydoc.rtf | eaa6403d4112a0e87a273b63f5fc9c70_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | eaa6403d4112a0e87a273b63f5fc9c70_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | nazlwawdyy.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | kcscsctazxxdzkx.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | quyhjzbh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | maxanepucfvbn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | quyhjzbh.exe
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class 20 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | nazlwawdyy.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | nazlwawdyy.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABEFACEFE11F1E384083B42819F3990B3FC03FC4260033DE2C442EB09A2" | eaa6403d4112a0e87a273b63f5fc9c70_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2ECAB02F44E739EA53C4B9A732E8D7CE" | eaa6403d4112a0e87a273b63f5fc9c70_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184EC70F1597DAC5B9BA7C92ECE037CD" | eaa6403d4112a0e87a273b63f5fc9c70_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | nazlwawdyy.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | nazlwawdyy.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | eaa6403d4112a0e87a273b63f5fc9c70_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFCFFF94F2885699136D75B7E95BC93E131594166416345D79A" | eaa6403d4112a0e87a273b63f5fc9c70_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | nazlwawdyy.exe
Key created | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings | eaa6403d4112a0e87a273b63f5fc9c70_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F568B2FF1D21ABD17AD0A58B099160" | eaa6403d4112a0e87a273b63f5fc9c70_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | nazlwawdyy.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | nazlwawdyy.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | nazlwawdyy.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33342C799D2383536D4476D177212CDA7C8765AB" | eaa6403d4112a0e87a273b63f5fc9c70_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | nazlwawdyy.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | nazlwawdyy.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | nazlwawdyy.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | nazlwawdyy.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
4888 | WINWORD.EXE
4888 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
4720 | eaa6403d4112a0e87a273b63f5fc9c70_JaffaCakes118.exe
4720 | eaa6403d4112a0e87a273b63f5fc9c70_JaffaCakes118.exe
4720 | eaa6403d4112a0e87a273b63f5fc9c70_JaffaCakes118.exe
4720 | eaa6403d4112a0e87a273b63f5fc9c70_JaffaCakes118.exe
4720 | eaa6403d4112a0e87a273b63f5fc9c70_JaffaCakes118.exe
4720 | eaa6403d4112a0e87a273b63f5fc9c70_JaffaCakes118.exe
4720 | eaa6403d4112a0e87a273b63f5fc9c70_JaffaCakes118.exe
4720 | eaa6403d4112a0e87a273b63f5fc9c70_JaffaCakes118.exe
4720 | eaa6403d4112a0e87a273b63f5fc9c70_JaffaCakes118.exe
4720 | eaa6403d4112a0e87a273b63f5fc9c70_JaffaCakes118.exe
4720 | eaa6403d4112a0e87a273b63f5fc9c70_JaffaCakes118.exe
4720 | eaa6403d4112a0e87a273b63f5fc9c70_JaffaCakes118.exe
4720 | eaa6403d4112a0e87a273b63f5fc9c70_JaffaCakes118.exe
4720 | eaa6403d4112a0e87a273b63f5fc9c70_JaffaCakes118.exe
4720 | eaa6403d4112a0e87a273b63f5fc9c70_JaffaCakes118.exe
4720 | eaa6403d4112a0e87a273b63f5fc9c70_JaffaCakes118.exe
2648 | kcscsctazxxdzkx.exe
2648 | kcscsctazxxdzkx.exe
2648 | kcscsctazxxdzkx.exe
2648 | kcscsctazxxdzkx.exe
2648 | kcscsctazxxdzkx.exe
2648 | kcscsctazxxdzkx.exe
2648 | kcscsctazxxdzkx.exe
2648 | kcscsctazxxdzkx.exe
4708 | nazlwawdyy.exe
4708 | nazlwawdyy.exe
4708 | nazlwawdyy.exe
4708 | nazlwawdyy.exe
4708 | nazlwawdyy.exe
4708 | nazlwawdyy.exe
4708 | nazlwawdyy.exe
4708 | nazlwawdyy.exe
4708 | nazlwawdyy.exe
4708 | nazlwawdyy.exe
2648 | kcscsctazxxdzkx.exe
2648 | kcscsctazxxdzkx.exe
992 | quyhjzbh.exe
992 | quyhjzbh.exe
992 | quyhjzbh.exe
992 | quyhjzbh.exe
992 | quyhjzbh.exe
992 | quyhjzbh.exe
992 | quyhjzbh.exe
992 | quyhjzbh.exe
704 | maxanepucfvbn.exe
704 | maxanepucfvbn.exe
704 | maxanepucfvbn.exe
704 | maxanepucfvbn.exe
704 | maxanepucfvbn.exe
704 | maxanepucfvbn.exe
704 | maxanepucfvbn.exe
704 | maxanepucfvbn.exe
704 | maxanepucfvbn.exe
704 | maxanepucfvbn.exe
704 | maxanepucfvbn.exe
704 | maxanepucfvbn.exe
2648 | kcscsctazxxdzkx.exe
2648 | kcscsctazxxdzkx.exe
1720 | quyhjzbh.exe
1720 | quyhjzbh.exe
1720 | quyhjzbh.exe
1720 | quyhjzbh.exe
1720 | quyhjzbh.exe
1720 | quyhjzbh.exe
Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process
4720 | eaa6403d4112a0e87a273b63f5fc9c70_JaffaCakes118.exe
4720 | eaa6403d4112a0e87a273b63f5fc9c70_JaffaCakes118.exe
4720 | eaa6403d4112a0e87a273b63f5fc9c70_JaffaCakes118.exe
4708 | nazlwawdyy.exe
4708 | nazlwawdyy.exe
4708 | nazlwawdyy.exe
2648 | kcscsctazxxdzkx.exe
2648 | kcscsctazxxdzkx.exe
2648 | kcscsctazxxdzkx.exe
992 | quyhjzbh.exe
704 | maxanepucfvbn.exe
992 | quyhjzbh.exe
704 | maxanepucfvbn.exe
992 | quyhjzbh.exe
704 | maxanepucfvbn.exe
1720 | quyhjzbh.exe
1720 | quyhjzbh.exe
1720 | quyhjzbh.exe
Suspicious use of SendNotifyMessage 18 IoCs
pid | Process
4720 | eaa6403d4112a0e87a273b63f5fc9c70_JaffaCakes118.exe
4720 | eaa6403d4112a0e87a273b63f5fc9c70_JaffaCakes118.exe
4720 | eaa6403d4112a0e87a273b63f5fc9c70_JaffaCakes118.exe
4708 | nazlwawdyy.exe
4708 | nazlwawdyy.exe
4708 | nazlwawdyy.exe
2648 | kcscsctazxxdzkx.exe
2648 | kcscsctazxxdzkx.exe
2648 | kcscsctazxxdzkx.exe
992 | quyhjzbh.exe
704 | maxanepucfvbn.exe
992 | quyhjzbh.exe
704 | maxanepucfvbn.exe
992 | quyhjzbh.exe
704 | maxanepucfvbn.exe
1720 | quyhjzbh.exe
1720 | quyhjzbh.exe
1720 | quyhjzbh.exe
Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process
4888 | WINWORD.EXE
4888 | WINWORD.EXE
4888 | WINWORD.EXE
4888 | WINWORD.EXE
4888 | WINWORD.EXE
4888 | WINWORD.EXE
4888 | WINWORD.EXE
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 4720 wrote to memory of 4708 | 4720 | eaa6403d4112a0e87a273b63f5fc9c70_JaffaCakes118.exe | 87
PID 4720 wrote to memory of 4708 | 4720 | eaa6403d4112a0e87a273b63f5fc9c70_JaffaCakes118.exe | 87
PID 4720 wrote to memory of 4708 | 4720 | eaa6403d4112a0e87a273b63f5fc9c70_JaffaCakes118.exe | 87
PID 4720 wrote to memory of 2648 | 4720 | eaa6403d4112a0e87a273b63f5fc9c70_JaffaCakes118.exe | 88
PID 4720 wrote to memory of 2648 | 4720 | eaa6403d4112a0e87a273b63f5fc9c70_JaffaCakes118.exe | 88
PID 4720 wrote to memory of 2648 | 4720 | eaa6403d4112a0e87a273b63f5fc9c70_JaffaCakes118.exe | 88
PID 4720 wrote to memory of 992 | 4720 | eaa6403d4112a0e87a273b63f5fc9c70_JaffaCakes118.exe | 89
PID 4720 wrote to memory of 992 | 4720 | eaa6403d4112a0e87a273b63f5fc9c70_JaffaCakes118.exe | 89
PID 4720 wrote to memory of 992 | 4720 | eaa6403d4112a0e87a273b63f5fc9c70_JaffaCakes118.exe | 89
PID 4720 wrote to memory of 704 | 4720 | eaa6403d4112a0e87a273b63f5fc9c70_JaffaCakes118.exe | 90
PID 4720 wrote to memory of 704 | 4720 | eaa6403d4112a0e87a273b63f5fc9c70_JaffaCakes118.exe | 90
PID 4720 wrote to memory of 704 | 4720 | eaa6403d4112a0e87a273b63f5fc9c70_JaffaCakes118.exe | 90
PID 4720 wrote to memory of 4888 | 4720 | eaa6403d4112a0e87a273b63f5fc9c70_JaffaCakes118.exe | 91
PID 4720 wrote to memory of 4888 | 4720 | eaa6403d4112a0e87a273b63f5fc9c70_JaffaCakes118.exe | 91
PID 4708 wrote to memory of 1720 | 4708 | nazlwawdyy.exe | 93
PID 4708 wrote to memory of 1720 | 4708 | nazlwawdyy.exe | 93
PID 4708 wrote to memory of 1720 | 4708 | nazlwawdyy.exe | 93
Processes
C:\Users\Admin\AppData\Local\Temp\eaa6403d4112a0e87a273b63f5fc9c70_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\eaa6403d4112a0e87a273b63f5fc9c70_JaffaCakes118.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 4720
  C:\Windows\SysWOW64\nazlwawdyy.exe
    Command line: nazlwawdyy.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID: 4708
    C:\Windows\SysWOW64\quyhjzbh.exe
      Command line: C:\Windows\system32\quyhjzbh.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      PID: 1720
  C:\Windows\SysWOW64\kcscsctazxxdzkx.exe
    Command line: kcscsctazxxdzkx.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 2648
  C:\Windows\SysWOW64\quyhjzbh.exe
    Command line: quyhjzbh.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 992
  C:\Windows\SysWOW64\maxanepucfvbn.exe
    Command line: maxanepucfvbn.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 704
  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID: 4888
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (6)
Downloads