Analysis
- max time kernel: 150s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-09-2024 06:24

Static task: static1
Behavioral task: behavioral1
- Sample: eac114f58a9f345918ae69a2d6639728_JaffaCakes118.exe
- Resource: win7-20240903-en
General
- Target: eac114f58a9f345918ae69a2d6639728_JaffaCakes118.exe
- Size: 512KB
- MD5: eac114f58a9f345918ae69a2d6639728
- SHA1: 92c695066304e0522537beae66419102922a4aae
- SHA256: 48d0f924456b627f09d6089c3f79e7bce69846cf9f1ead1ada2a21e7aa8a972a
- SHA512: 9098a49b4e0f9663e39a0eb45279276105bc20d11c0255c686b2782cde92ed9860795d49aa249b46585398d0bd08565d6119c3d36142d9181fa101fdba00e11f
- SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6Q:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5t
Malware Config
Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
With HideFileExt = 1, Explorer hides the final extension, so the PROTTPLN.DOC.exe companions the sample creates display as "PROTTPLN.DOC".
- ssvchhydnb.exe: Set value (int) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
- ssvchhydnb.exe: Set value (int) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"

Windows security bypass 5 IoCs
The *DisableNotify values silence Security Center alerts for antivirus, firewall and updates; the *Override values mark antivirus and firewall monitoring as handled elsewhere. The paths sit under WOW6432Node because the 32-bit process's writes to HKLM\SOFTWARE are redirected there.
- ssvchhydnb.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- ssvchhydnb.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- ssvchhydnb.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- ssvchhydnb.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- ssvchhydnb.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
Disables RegEdit via registry modification 1 IoCs
- ssvchhydnb.exe: Set value (int) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely for geofencing.
- eac114f58a9f345918ae69a2d6639728_JaffaCakes118.exe: Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation
Executes dropped EXE 5 IoCs
- PID 116: ssvchhydnb.exe
- PID 4976: erqcoopqmousicx.exe
- PID 2648: uyrgfqhtxnzuw.exe
- PID 208: xbatasuh.exe
- PID 1112: xbatasuh.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials.

Windows security modification 6 IoCs
Same Security Center key as above, this time including FirstRunDisabled.
- ssvchhydnb.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- ssvchhydnb.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- ssvchhydnb.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- ssvchhydnb.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1"
- ssvchhydnb.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- ssvchhydnb.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
Adds Run key to start application 2 TTPs 3 IoCs
All three values hold a bare file name with no path; the first is stored in the Run key's default value rather than under a name.
- erqcoopqmousicx.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "uyrgfqhtxnzuw.exe"
- erqcoopqmousicx.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aqesjhsj = "ssvchhydnb.exe"
- erqcoopqmousicx.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kgtatmsl = "erqcoopqmousicx.exe"
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
All 64 entries are "File opened (read-only)" on a drive root; grouped by process:
- xbatasuh.exe (43 entries, across both instances): \??\a: \??\b: \??\e: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\o: \??\p: \??\q: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z: (every letter except j:, p: and s: appears twice)
- ssvchhydnb.exe (21 entries): \??\a: \??\b: \??\e: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\o: \??\p: \??\q: \??\r: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z:
The 64-entry list looks truncated (the same count appears under EnumeratesProcesses), so letters missing here (c:, d:, f:, and s:, t: for ssvchhydnb.exe) should not be read as drives the sample skipped.
Modifies WinLogon 2 TTPs 2 IoCs
SFCDisable = 4294967197 is 0xFFFFFF9D, the Windows 2000/XP-era value for switching off Windows File Protection; the file overwrites under WinSxS and MSDRM in the sections below are what this is meant to cover.
- ssvchhydnb.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"
- ssvchhydnb.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"
AutoIT Executable 9 IoCs
AutoIT scripts compiled to PE executables.
Resources matching the autoit_exe YARA rule:
- behavioral2/memory/2588-0-0x0000000000400000-0x0000000000496000-memory.dmp
- behavioral2/files/0x00090000000234b6-5.dat
- behavioral2/files/0x00090000000234b2-18.dat
- behavioral2/files/0x00070000000234bc-29.dat
- behavioral2/files/0x00070000000234bb-32.dat
- behavioral2/files/0x00070000000234c6-57.dat
- behavioral2/files/0x00070000000234c7-65.dat
- behavioral2/files/0x00070000000234d7-96.dat
- behavioral2/files/0x00070000000234d7-101.dat
Drops file in System32 directory 13 IoCs
- eac114f58a9f345918ae69a2d6639728_JaffaCakes118.exe: File created C:\Windows\SysWOW64\erqcoopqmousicx.exe
- eac114f58a9f345918ae69a2d6639728_JaffaCakes118.exe: File opened for modification C:\Windows\SysWOW64\xbatasuh.exe
- xbatasuh.exe: File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
- eac114f58a9f345918ae69a2d6639728_JaffaCakes118.exe: File created C:\Windows\SysWOW64\ssvchhydnb.exe
- eac114f58a9f345918ae69a2d6639728_JaffaCakes118.exe: File created C:\Windows\SysWOW64\xbatasuh.exe
- eac114f58a9f345918ae69a2d6639728_JaffaCakes118.exe: File created C:\Windows\SysWOW64\uyrgfqhtxnzuw.exe
- eac114f58a9f345918ae69a2d6639728_JaffaCakes118.exe: File opened for modification C:\Windows\SysWOW64\uyrgfqhtxnzuw.exe
- ssvchhydnb.exe: File opened for modification C:\Windows\SysWOW64\msvbvm60.dll
- xbatasuh.exe: File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
- xbatasuh.exe: File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
- eac114f58a9f345918ae69a2d6639728_JaffaCakes118.exe: File opened for modification C:\Windows\SysWOW64\erqcoopqmousicx.exe
- xbatasuh.exe: File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
- eac114f58a9f345918ae69a2d6639728_JaffaCakes118.exe: File opened for modification C:\Windows\SysWOW64\ssvchhydnb.exe
Drops file in Program Files directory 15 IoCs
All by xbatasuh.exe. Each new .DOC.exe sits beside an existing .DOC template, and a same-named .nal file is opened for modification alongside it.
- File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal
- File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal
- File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal
Drops file in Windows directory 19 IoCs
MsoIrmProtector.doc.exe is a genuine Windows component (the Office IRM protector); the sample overwrites both the MSDRM copy and the four WinSxS component-store copies.
- xbatasuh.exe: File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe
- xbatasuh.exe: File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe
- xbatasuh.exe: File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe
- xbatasuh.exe: File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe
- xbatasuh.exe: File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe
- xbatasuh.exe: File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe
- eac114f58a9f345918ae69a2d6639728_JaffaCakes118.exe: File opened for modification C:\Windows\mydoc.rtf
- WINWORD.EXE: File created C:\Windows\~$mydoc.rtf
- xbatasuh.exe: File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe
- xbatasuh.exe: File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe
- WINWORD.EXE: File opened for modification C:\Windows\mydoc.rtf
- xbatasuh.exe: File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe
- xbatasuh.exe: File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe
- xbatasuh.exe: File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe
- xbatasuh.exe: File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe
- xbatasuh.exe: File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe
- xbatasuh.exe: File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe
- xbatasuh.exe: File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe
- xbatasuh.exe: File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe
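The file activity in the three "Drops file" sections above translates directly into a host sweep. The script below is an added example written for this report; it is not code from the sandbox or from the sample. It looks for the four binaries dropped into SysWOW64 and the mydoc.rtf decoy, then walks a set of roots for document-named executables (name.doc.exe and the like) that do not carry a valid Authenticode or catalog signature, and hashes everything it finds against the SHA256 values in this report's Downloads section. The search roots, the -Roots parameter and the document-extension list are the script's own assumptions; only the file names and hashes come from the report.

```powershell
# Added example for this report, not code from the sandbox or the sample. Sweeps a host for
# the files the report shows being dropped or overwritten, hashes what it finds and compares
# the SHA256 with the report's Downloads list. Run from an elevated PowerShell.
# The search roots and the document-extension list are this script's assumptions.
[CmdletBinding()]
param(
  [string[]]$Roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)},
                       "$env:SystemRoot\WinSxS", "$env:SystemRoot\SysWOW64\MSDRM")
)

# Files the report names: the four binaries dropped into SysWOW64 and the decoy document
# that the sample hands to WINWORD.EXE.
$NamedDrops = @('ssvchhydnb.exe','erqcoopqmousicx.exe','uyrgfqhtxnzuw.exe','xbatasuh.exe' |
  ForEach-Object { Join-Path $env:SystemRoot "SysWOW64\$_" }) + (Join-Path $env:SystemRoot 'mydoc.rtf')

# SHA256 of the submitted sample plus every entry in the report's Downloads section except
# the two Word jump-list files (*.customDestinations-ms), which are Word's own artefacts.
$KnownSha256 = @(
  '48d0f924456b627f09d6089c3f79e7bce69846cf9f1ead1ada2a21e7aa8a972a',   # submitted sample
  'd584e84e575e88d568d82e06c4f8db9f4fa2f3c7d104904d89b50c46f41e3ed7',
  '6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97',
  'f13d87b8c414399097a8f1c9ca465ea49058e8235bee47ec7e6c14ce81ebf04b',
  '54264cdd71bf1f1b51ad5729cb508df147cce25f82b5de039534bf9b3b544918',
  '603b65c7346bb5fe8297457f4cfe1c4f8a182efa1badb5d7342f4ef9ac3a6c26',
  'a4181d3f2d18917bfb4a820207093740001da44c5e1b5d97762af8edcd771f57',
  'fbb6e9c2abda4c621facc7af2308a6a3a11f28fd6f73b86b4bbe4d2e4eeb9c1e',
  '85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2',
  'fbcbffc7945c2ddb2713e7b7a0d673591c84606058545e4e6ed863903cb25dcb',
  'c9eb7157e4f14b33cfa71a462d7ac31037433ba528176536da28a8300627d395',
  '241db5505858da1d233ceca8703a80717ab01c27a20bdfd9b067b2d81d702dc2'
)

function Get-Sha256Lower([string]$Path) {
  (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLowerInvariant()
}

# One report line per hit: kind, path, hash, and whether the hash is one the report lists.
function Format-Finding([string]$Kind, [string]$Path) {
  $h = Get-Sha256Lower $Path
  $tag = if ($KnownSha256 -contains $h) { 'sha256 listed in report' } else { 'sha256 not in report' }
  "$Kind  $Path  sha256=$h  ($tag)"
}

$Report = New-Object System.Collections.Generic.List[string]

# 1. Named drops and the decoy document.
foreach ($p in $NamedDrops) {
  if (Test-Path -LiteralPath $p -PathType Leaf) { $Report.Add((Format-Finding 'DROP' $p)) }
}

# 2. Document-named executables (name.doc.exe, name.rtf.exe, ...) under the roots.
#    MsoIrmProtector.doc.exe is a genuine, catalog-signed Windows component that the report
#    shows xbatasuh.exe overwriting in MSDRM and WinSxS, so a file is only reported when its
#    Authenticode/catalog signature is not Valid. The report also shows a same-named .nal
#    file touched beside each new .DOC.exe, so that sibling is noted when present.
$DocExts = 'doc','docx','rtf'                      # script's choice; the report shows .doc only
$pattern = '\.(' + ($DocExts -join '|') + ')\.exe$'
foreach ($root in $Roots) {
  if ([string]::IsNullOrEmpty($root) -or -not (Test-Path -LiteralPath $root)) { continue }
  Get-ChildItem -LiteralPath $root -Recurse -File -Filter '*.exe' -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match $pattern } |
    ForEach-Object {
      if ((Get-AuthenticodeSignature -FilePath $_.FullName).Status -eq 'Valid') { return }
      $line = Format-Finding 'DOCEXE' $_.FullName
      $nal = [IO.Path]::ChangeExtension(($_.FullName -replace '\.exe$', ''), '.nal')
      if (Test-Path -LiteralPath $nal) { $line += "  [.nal sibling: $nal]" }
      $Report.Add($line)
    }
}

if ($Report.Count -eq 0) { 'No file indicators from this report were found.' } else { $Report }
```

Treat a hash match as confirmation only: the Downloads section already shows eight distinct 512KB files from a single run, so a file with a hash that is not in the list is not thereby clean, which is why the document-named-executable check keys on the signature rather than on the hash. Recursing Program Files is slow; narrow -Roots to the Office directory the report names if the host is large. Once the copies are removed, `sfc /scannow` (or `DISM /Online /Cleanup-Image /RestoreHealth` first, if the WinSxS copies themselves were overwritten) restores MsoIrmProtector.doc.exe.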
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- erqcoopqmousicx.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- uyrgfqhtxnzuw.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- xbatasuh.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- xbatasuh.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- eac114f58a9f345918ae69a2d6639728_JaffaCakes118.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- ssvchhydnb.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
- WINWORD.EXE: Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
- WINWORD.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
- WINWORD.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
Enumerates system info in registry 2 TTPs 3 IoCs
- WINWORD.EXE: Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS
- WINWORD.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
- WINWORD.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
Modifies registry class 20 IoCs
Two distinct activities are mixed here: the original sample stores hex-encoded data under a custom CLV.Classes key, and ssvchhydnb.exe remaps the .bat, .vbs, .reg, .wsf, .wsh and .wsc extensions to the txtfile ProgID, so double-clicking such a script opens it in Notepad instead of running it (which also blocks script-based cleanup).
- eac114f58a9f345918ae69a2d6639728_JaffaCakes118.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACFF9CDFE17F1E3837F3B37819B3E90B0F902FB4214023AE1BE429C09A2"
- eac114f58a9f345918ae69a2d6639728_JaffaCakes118.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184BC60F14E6DAC5B9C07CE9ECE434BE"
- ssvchhydnb.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh
- ssvchhydnb.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile"
- ssvchhydnb.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs
- ssvchhydnb.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg
- ssvchhydnb.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc
- ssvchhydnb.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf
- eac114f58a9f345918ae69a2d6639728_JaffaCakes118.exe: Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes
- eac114f58a9f345918ae69a2d6639728_JaffaCakes118.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FF4FC8E4F5D856F9145D65F7D9DBC90E643593266366244D6EA"
- eac114f58a9f345918ae69a2d6639728_JaffaCakes118.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F068B4FE1822DBD27AD0A68B7A9160"
- eac114f58a9f345918ae69a2d6639728_JaffaCakes118.exe: Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings
- ssvchhydnb.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"
- ssvchhydnb.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile"
- ssvchhydnb.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile"
- ssvchhydnb.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat
- eac114f58a9f345918ae69a2d6639728_JaffaCakes118.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32402D7B9D5683256A3476A7772F2CDA7D8064DB"
- eac114f58a9f345918ae69a2d6639728_JaffaCakes118.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EC3B12847EF389F53CFB9D133E9D7CE"
- ssvchhydnb.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"
- ssvchhydnb.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"
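The registry signatures above (Explorer visibility, Security Center, DisableRegistryTools, Winlogon SFC values, the Run keys and the script-extension remap) are all checkable from a single script. The one below is an added example written for this report, not code from the sandbox or from the sample. It reports every value still set to what the report shows the sample writing and, with its own -Fix switch (an assumption of the script), deletes or resets them; the class-ID hijack is reported but not auto-repaired, because the report does not record the original ProgIDs. The restore values for HideFileExt and ShowSuperHidden are hardening choices, not Windows defaults.

```powershell
# Added example for this report, not code from the sandbox or the sample. Audits a host for
# the registry changes the report attributes to ssvchhydnb.exe and erqcoopqmousicx.exe and,
# with -Fix (this script's own switch), reverts them. Run from an elevated PowerShell.
[CmdletBinding()]
param([switch]$Fix)

# One entry per value the report shows the sample writing. Bad = what it wrote.
# Good = what -Fix sets; $null means delete the value, which returns the setting to its
# Windows default (these values are absent on a clean host). HideFileExt=0 and
# ShowSuperHidden=1 are hardening choices, not defaults, so name.DOC.exe stays visible.
$SecCenter = 'Microsoft\Security Center'
$Winlogon  = 'Microsoft\Windows NT\CurrentVersion\Winlogon'
$Checks = @(
  @{ Hive='HKCU'; Sub='Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name='HideFileExt';          Bad=1; Good=0 }
  @{ Hive='HKCU'; Sub='Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name='ShowSuperHidden';      Bad=0; Good=1 }
  @{ Hive='HKCU'; Sub='Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name='DisableRegistryTools'; Bad=1; Good=$null }
  @{ Hive='HKLM'; Sub=$Winlogon; Name='SFCScan';    Bad=0;          Good=$null }
  @{ Hive='HKLM'; Sub=$Winlogon; Name='SFCDisable'; Bad=4294967197; Good=$null }   # 0xFFFFFF9D in the report
)
foreach ($n in 'AntiVirusDisableNotify','FirewallDisableNotify','UpdatesDisableNotify',
               'FirstRunDisabled','AntiVirusOverride','FirewallOverride') {
  $Checks += @{ Hive='HKLM'; Sub=$SecCenter; Name=$n; Bad=1; Good=$null }
}

# The sample is 32-bit, so the report shows its HKLM\SOFTWARE writes under WOW6432Node.
# Audit both the native and the WOW6432Node view of every HKLM entry.
function Get-RegistryViews([hashtable]$Check) {
  if ($Check.Hive -eq 'HKCU') { return @("HKCU:\$($Check.Sub)") }
  return @("HKLM:\SOFTWARE\$($Check.Sub)", "HKLM:\SOFTWARE\WOW6432Node\$($Check.Sub)")
}

# REG_DWORD is returned as Int32, so 0xFFFFFF9D reads back as -99; compare as UInt32.
function ConvertTo-UInt32Value($Value) {
  if ($Value -is [int]) { return [BitConverter]::ToUInt32([BitConverter]::GetBytes([int]$Value), 0) }
  return $Value
}

$Findings = New-Object System.Collections.Generic.List[string]
foreach ($c in $Checks) {
  foreach ($path in (Get-RegistryViews $c)) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $cur = (Get-ItemProperty -LiteralPath $path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    if ($null -eq $cur) { continue }
    if ((ConvertTo-UInt32Value $cur) -eq [uint32]$c.Bad) {
      $Findings.Add("$path\$($c.Name) = $cur  (value written by the sample)")
      if ($Fix) {
        if ($null -eq $c.Good) { Remove-ItemProperty -LiteralPath $path -Name $c.Name }
        else { Set-ItemProperty -LiteralPath $path -Name $c.Name -Value $c.Good -Type DWord }
      }
    }
  }
}

# Run-key persistence. The report shows the dropped file names stored as bare values, one
# of them under the key's (default) value, so match on the value data, not the value name.
$Dropped = 'ssvchhydnb.exe','erqcoopqmousicx.exe','uyrgfqhtxnzuw.exe','xbatasuh.exe'
$RunKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($run in $RunKeys) {
  if (-not (Test-Path -LiteralPath $run)) { continue }
  foreach ($p in (Get-ItemProperty -LiteralPath $run).PSObject.Properties) {
    if ($p.Name -like 'PS*') { continue }       # provider metadata (PSPath, PSDrive, ...)
    $leaf = [IO.Path]::GetFileName(([string]$p.Value).Trim('"'))
    if ($Dropped -contains $leaf) {
      $Findings.Add("$run\$($p.Name) = $($p.Value)  (autostart for a dropped binary)")
      if ($Fix) { Remove-ItemProperty -LiteralPath $run -Name $p.Name }
    }
  }
}

# Script extensions remapped to 'txtfile' open in Notepad instead of executing. Reported
# only: restore the ProgIDs from a clean host of the same build, not from values guessed here.
foreach ($ext in '.bat','.vbs','.reg','.wsf','.wsh','.wsc') {
  $key = "HKLM:\SOFTWARE\Classes\$ext"
  if (-not (Test-Path -LiteralPath $key)) { continue }
  if ((Get-ItemProperty -LiteralPath $key).'(default)' -eq 'txtfile') {
    $Findings.Add("$key (default) = txtfile  (extension handler hijacked)")
  }
}

if ($Findings.Count -eq 0) { 'No registry indicators from this report were found.' } else { $Findings }
```

Run it once without -Fix to see what is set, then with -Fix after the dropped binaries are gone, otherwise the persistence entries return at the next logon. The Explorer and DisableRegistryTools values live in the user hive, so the audit covers only the user running it; loop over the other profiles' ntuser.dat hives on a shared machine. Explorer picks up the visibility values at next sign-in, and regedit must be restarted after DisableRegistryTools is removed.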
Suspicious behavior: AddClipboardFormatListener 2 IoCs
- PID 2900 WINWORD.EXE (2 entries)
Suspicious behavior: EnumeratesProcesses 64 IoCs
Entries per process (the list stops at 64):
- PID 2588 eac114f58a9f345918ae69a2d6639728_JaffaCakes118.exe: 16
- PID 4976 erqcoopqmousicx.exe: 12
- PID 2648 uyrgfqhtxnzuw.exe: 12
- PID 116 ssvchhydnb.exe: 10
- PID 208 xbatasuh.exe: 8
- PID 1112 xbatasuh.exe: 6
Suspicious use of FindShellTrayWindow 18 IoCs
Three entries each for PID 2588 (eac114f58a9f345918ae69a2d6639728_JaffaCakes118.exe), 4976 (erqcoopqmousicx.exe), 2648 (uyrgfqhtxnzuw.exe), 116 (ssvchhydnb.exe), 208 (xbatasuh.exe) and 1112 (xbatasuh.exe).
Suspicious use of SendNotifyMessage 18 IoCs
Three entries each for PID 2588 (eac114f58a9f345918ae69a2d6639728_JaffaCakes118.exe), 4976 (erqcoopqmousicx.exe), 2648 (uyrgfqhtxnzuw.exe), 116 (ssvchhydnb.exe), 208 (xbatasuh.exe) and 1112 (xbatasuh.exe).
Suspicious use of SetWindowsHookEx 7 IoCs
- PID 2900 WINWORD.EXE (7 entries)
Suspicious use of WriteProcessMemory 17 IoCs
The writer/target pairs match the parent/child edges in the Processes section below, so these are the child-creation writes rather than injection into unrelated processes.
- PID 2588 (eac114f58a9f345918ae69a2d6639728_JaffaCakes118.exe) wrote to memory of 116, procid_target 82: 3 entries
- PID 2588 (eac114f58a9f345918ae69a2d6639728_JaffaCakes118.exe) wrote to memory of 4976, procid_target 83: 3 entries
- PID 2588 (eac114f58a9f345918ae69a2d6639728_JaffaCakes118.exe) wrote to memory of 208, procid_target 84: 3 entries
- PID 2588 (eac114f58a9f345918ae69a2d6639728_JaffaCakes118.exe) wrote to memory of 2648, procid_target 85: 3 entries
- PID 2588 (eac114f58a9f345918ae69a2d6639728_JaffaCakes118.exe) wrote to memory of 2900, procid_target 86: 2 entries
- PID 116 (ssvchhydnb.exe) wrote to memory of 1112, procid_target 88: 3 entries
Processes

C:\Users\Admin\AppData\Local\Temp\eac114f58a9f345918ae69a2d6639728_JaffaCakes118.exe  (depth 1, PID 2588)
  command line: "C:\Users\Admin\AppData\Local\Temp\eac114f58a9f345918ae69a2d6639728_JaffaCakes118.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\ssvchhydnb.exe  (depth 2, PID 116, parent PID 2588)
    command line: ssvchhydnb.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\xbatasuh.exe  (depth 3, PID 1112, parent PID 116)
      command line: C:\Windows\system32\xbatasuh.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\erqcoopqmousicx.exe  (depth 2, PID 4976, parent PID 2588)
    command line: erqcoopqmousicx.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\xbatasuh.exe  (depth 2, PID 208, parent PID 2588)
    command line: xbatasuh.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\uyrgfqhtxnzuw.exe  (depth 2, PID 2648, parent PID 2588)
    command line: uyrgfqhtxnzuw.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE  (depth 2, PID 2900, parent PID 2588)
    command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx

Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads

Filesize: 512KB
MD5: fb313fe618586e617f6e944d8a162b30
SHA1: 43aaa3eda64c9e8e87b5bee945391c8e6cdf4e0a
SHA256: d584e84e575e88d568d82e06c4f8db9f4fa2f3c7d104904d89b50c46f41e3ed7
SHA512: 3aaca0a11847825c812a3454c46a3a9cd5afe87bf45c63f27ea201ef2b73cc5da888f68a5816b6305e4df0cdb09996cf41948fb622b6f1aaf7fac87f8d9633f9

Filesize: 262KB
MD5: 51d32ee5bc7ab811041f799652d26e04
SHA1: 412193006aa3ef19e0a57e16acf86b830993024a
SHA256: 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA512: 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Filesize: 293B
MD5: c7a190a8f228e264aa56a1e7dbf4de7a
SHA1: e97713439aa45c1440c94d8aa5c6473be3402ca6
SHA256: f13d87b8c414399097a8f1c9ca465ea49058e8235bee47ec7e6c14ce81ebf04b
SHA512: 6fe275710a3ac60042915e6e5add1ac17a3de9f3c78264659567d10f7b4c78de097e466c2f2024976132e13d468a30af702ae1338529bae88a63dcffc26611ce

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 2KB
MD5: a00fe9601b17c6b1c5b39c8dda6dffdc
SHA1: 1f706bd0d27fe83632964df062cc529be0e1f7cf
SHA256: 67de9630747590c2484dc079179d0818ad904505b72e1e4f18ab6e007260a35a
SHA512: db755a091db89026342df103d0d63c84037a187a5a7dcb07b51d3098f7bd766c5efe27a25f3567bcb915bf011caccd7454f5987845ec536ad31764e721a6ec6d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: 23306e9d7c5f29c32aaed155f6da7d83
SHA1: 544dcf77fbe855efdfe2f035d06d99b030399a5c
SHA256: 94b813560620b5ad2379274f526a7188224358c8b50138f0d91fb8a82f7a0f7c
SHA512: 8717bc2a75e2c6e27fa57b1fdb79410c0cf9dc58e84f4ba6a5521b1fc07a03ab610b3f7e25aed14f11805b08db1ed49e69798833ccfac9d80c5262890072bd8c

Filesize: 512KB
MD5: f547badbf87cc3f0d74f345920b21c5c
SHA1: 3abda61a7af02dddbddefd33249079c29a05d384
SHA256: 54264cdd71bf1f1b51ad5729cb508df147cce25f82b5de039534bf9b3b544918
SHA512: 479ff15f6885976ee290a46af6b782ddda029ada55258b0315baad69e26877228a574bf5377165d45f95dd36be877026e958d0f2e989b07f70f6cd364f33cfb4

Filesize: 512KB
MD5: 16a74997ba7e159504ce2b664a7a6427
SHA1: 6270b187a59c506c5ff455dfa346964345ad015c
SHA256: 603b65c7346bb5fe8297457f4cfe1c4f8a182efa1badb5d7342f4ef9ac3a6c26
SHA512: 1f696a0c4314db6d1523217e9d8d790d3043626eb881d7fe85b9eb1aaf634ecec18deaf8280df2c7f79d83a388dcf6d32c7b1fdd357bacf99d07721de354269d

Filesize: 512KB
MD5: 7e3f4dbf5f2c0a022aade930ed98202c
SHA1: 9c4bf5ac20778ef5a429895a34505902fb024911
SHA256: a4181d3f2d18917bfb4a820207093740001da44c5e1b5d97762af8edcd771f57
SHA512: 22da1786973d5c40952a30903c11917be5ef21274339b49fc1ea56733c438a314dd4e489f3da62ecc27d3bc9aa2df9501833643c70c8e6d7370700f6e6af9fd1

Filesize: 512KB
MD5: 457d867d14d80be0e0d22d7005491f3a
SHA1: ae5d9c4e752e53ec43147f345af9ff1eb5f309cc
SHA256: fbb6e9c2abda4c621facc7af2308a6a3a11f28fd6f73b86b4bbe4d2e4eeb9c1e
SHA512: f4e964f443adc48932193532970a4c445116fd9ee5eab8e498ca958e4110fef6113a1b74d1dd077ea86153fe44be11c90a183164936cacc623a6607e36d5c3f4

Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Filesize: 512KB
MD5: b49dc91b75bb1ac350ad9bb5d3c981a2
SHA1: 068be5e4b7d3ed5151adc63c83905ba9ca8f14cc
SHA256: fbcbffc7945c2ddb2713e7b7a0d673591c84606058545e4e6ed863903cb25dcb
SHA512: 28492859077fc54f74de5350123afbb2ab06d2807a73b2cd1c5d022f7a135e8418a8108afd85d00be84dd5d131dc1022999524f492abd5265e261629ac143404

Filesize: 512KB
MD5: 0fb0dfc2dae8ade1fce6a8d7d644205e
SHA1: 3605901e71124f25473a932cbfc37f138da7f3b6
SHA256: c9eb7157e4f14b33cfa71a462d7ac31037433ba528176536da28a8300627d395
SHA512: 8b41ad7f93bfc4b8059148612107798e090c770d409933903af5ded3b41a19e1bb5d88614a35b2fbaf0b8006ebc95afbe93feeac540d9ff0d77be61c88eee6c6

Filesize: 512KB
MD5: b991ee6fff390eedd85d52c7d50b237a
SHA1: 82a0ebd6bba85e39a96fcf3042fb786fe6f6f0ff
SHA256: 241db5505858da1d233ceca8703a80717ab01c27a20bdfd9b067b2d81d702dc2
SHA512: 371447b55175f08591f5a9964deddd704e3b7f57bc2aa9ea1ca1e8e1758936a9768f93cb97c0fdfd915cf8076feb2d44501b699e636af36b4ebfd6ccf5514824