Analysis
- max time kernel: 150s
- max time network: 126s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-09-2024 23:28

Static task: static1
Behavioral task: behavioral1
Sample: eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe
Resource: win7-20240708-en
General
- Target: eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe
- Size: 512KB
- MD5: eea3ff7a3533c37bb102a18ae801d651
- SHA1: cd34b8cf0cc866cfd702bca069ae03782f7390e9
- SHA256: 124eb5af22ea3cd9780ab256cfaa916c999a232ec49a31aae5c88fa0d889694c
- SHA512: 14654258f230de1a13f37d1f8c02eeda3a58a6800ab5983093938b8d38c3e869cede1d662779080204cf634e58dc766c76d0d4663d93f4e4a6c04b07a5374ff3
- SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj68:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm55
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | kzesbmvokx.exe

Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | kzesbmvokx.exe

Windows security bypass 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | kzesbmvokx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | kzesbmvokx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | kzesbmvokx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | kzesbmvokx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | kzesbmvokx.exe

Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | kzesbmvokx.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation | eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe

Executes dropped EXE 5 IoCs
pid | Process
2752 | kzesbmvokx.exe
4460 | tybrjowguticlxm.exe
2332 | nqdgxeut.exe
516 | enzdhzxrfmhhc.exe
2704 | nqdgxeut.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | kzesbmvokx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | kzesbmvokx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | kzesbmvokx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | kzesbmvokx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | kzesbmvokx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | kzesbmvokx.exe

Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "enzdhzxrfmhhc.exe" | tybrjowguticlxm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kdzoepvw = "kzesbmvokx.exe" | tybrjowguticlxm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wzufmopx = "tybrjowguticlxm.exe" | tybrjowguticlxm.exe

Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\l: | nqdgxeut.exe
File opened (read-only) | \??\e: | nqdgxeut.exe
File opened (read-only) | \??\p: | nqdgxeut.exe
File opened (read-only) | \??\b: | nqdgxeut.exe
File opened (read-only) | \??\l: | kzesbmvokx.exe
File opened (read-only) | \??\v: | kzesbmvokx.exe
File opened (read-only) | \??\z: | kzesbmvokx.exe
File opened (read-only) | \??\y: | nqdgxeut.exe
File opened (read-only) | \??\j: | kzesbmvokx.exe
File opened (read-only) | \??\m: | kzesbmvokx.exe
File opened (read-only) | \??\n: | nqdgxeut.exe
File opened (read-only) | \??\g: | nqdgxeut.exe
File opened (read-only) | \??\b: | kzesbmvokx.exe
File opened (read-only) | \??\g: | kzesbmvokx.exe
File opened (read-only) | \??\j: | nqdgxeut.exe
File opened (read-only) | \??\p: | nqdgxeut.exe
File opened (read-only) | \??\y: | nqdgxeut.exe
File opened (read-only) | \??\o: | nqdgxeut.exe
File opened (read-only) | \??\u: | kzesbmvokx.exe
File opened (read-only) | \??\y: | kzesbmvokx.exe
File opened (read-only) | \??\m: | nqdgxeut.exe
File opened (read-only) | \??\v: | nqdgxeut.exe
File opened (read-only) | \??\a: | nqdgxeut.exe
File opened (read-only) | \??\h: | kzesbmvokx.exe
File opened (read-only) | \??\i: | kzesbmvokx.exe
File opened (read-only) | \??\w: | nqdgxeut.exe
File opened (read-only) | \??\z: | nqdgxeut.exe
File opened (read-only) | \??\q: | nqdgxeut.exe
File opened (read-only) | \??\t: | nqdgxeut.exe
File opened (read-only) | \??\z: | nqdgxeut.exe
File opened (read-only) | \??\h: | nqdgxeut.exe
File opened (read-only) | \??\j: | nqdgxeut.exe
File opened (read-only) | \??\r: | nqdgxeut.exe
File opened (read-only) | \??\t: | kzesbmvokx.exe
File opened (read-only) | \??\a: | nqdgxeut.exe
File opened (read-only) | \??\n: | nqdgxeut.exe
File opened (read-only) | \??\a: | kzesbmvokx.exe
File opened (read-only) | \??\q: | kzesbmvokx.exe
File opened (read-only) | \??\o: | kzesbmvokx.exe
File opened (read-only) | \??\p: | kzesbmvokx.exe
File opened (read-only) | \??\s: | kzesbmvokx.exe
File opened (read-only) | \??\w: | kzesbmvokx.exe
File opened (read-only) | \??\h: | nqdgxeut.exe
File opened (read-only) | \??\e: | nqdgxeut.exe
File opened (read-only) | \??\q: | nqdgxeut.exe
File opened (read-only) | \??\n: | kzesbmvokx.exe
File opened (read-only) | \??\r: | nqdgxeut.exe
File opened (read-only) | \??\s: | nqdgxeut.exe
File opened (read-only) | \??\t: | nqdgxeut.exe
File opened (read-only) | \??\k: | nqdgxeut.exe
File opened (read-only) | \??\w: | nqdgxeut.exe
File opened (read-only) | \??\i: | nqdgxeut.exe
File opened (read-only) | \??\m: | nqdgxeut.exe
File opened (read-only) | \??\s: | nqdgxeut.exe
File opened (read-only) | \??\u: | nqdgxeut.exe
File opened (read-only) | \??\g: | nqdgxeut.exe
File opened (read-only) | \??\l: | nqdgxeut.exe
File opened (read-only) | \??\o: | nqdgxeut.exe
File opened (read-only) | \??\e: | kzesbmvokx.exe
File opened (read-only) | \??\i: | nqdgxeut.exe
File opened (read-only) | \??\b: | nqdgxeut.exe
File opened (read-only) | \??\x: | nqdgxeut.exe
File opened (read-only) | \??\x: | kzesbmvokx.exe
File opened (read-only) | \??\u: | nqdgxeut.exe

Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | kzesbmvokx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | kzesbmvokx.exe

AutoIT Executable 9 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/1048-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x000700000002343a-8.dat | autoit_exe
behavioral2/files/0x00090000000233d9-18.dat | autoit_exe
behavioral2/files/0x000700000002343b-27.dat | autoit_exe
behavioral2/files/0x000700000002343c-32.dat | autoit_exe
behavioral2/files/0x0008000000023420-67.dat | autoit_exe
behavioral2/files/0x0007000000023448-73.dat | autoit_exe
behavioral2/files/0x000700000002345f-94.dat | autoit_exe
behavioral2/files/0x000700000002345f-100.dat | autoit_exe

Drops file in System32 directory 13 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\tybrjowguticlxm.exe | eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\enzdhzxrfmhhc.exe | eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | kzesbmvokx.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | nqdgxeut.exe
File created | C:\Windows\SysWOW64\kzesbmvokx.exe | eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\tybrjowguticlxm.exe | eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\nqdgxeut.exe | eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\nqdgxeut.exe | eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\enzdhzxrfmhhc.exe | eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | nqdgxeut.exe
File opened for modification | C:\Windows\SysWOW64\kzesbmvokx.exe | eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | nqdgxeut.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | nqdgxeut.exe

Drops file in Program Files directory 14 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | nqdgxeut.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | nqdgxeut.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | nqdgxeut.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | nqdgxeut.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | nqdgxeut.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | nqdgxeut.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | nqdgxeut.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | nqdgxeut.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | nqdgxeut.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | nqdgxeut.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | nqdgxeut.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | nqdgxeut.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | nqdgxeut.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | nqdgxeut.exe

Drops file in Windows directory 19 IoCs
description | ioc | Process
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | nqdgxeut.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | nqdgxeut.exe
File opened for modification | C:\Windows\mydoc.rtf | eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | nqdgxeut.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | nqdgxeut.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | nqdgxeut.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | nqdgxeut.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | nqdgxeut.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | nqdgxeut.exe
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | nqdgxeut.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | nqdgxeut.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | nqdgxeut.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | nqdgxeut.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | nqdgxeut.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | nqdgxeut.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | nqdgxeut.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | nqdgxeut.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tybrjowguticlxm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | nqdgxeut.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | enzdhzxrfmhhc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | nqdgxeut.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | kzesbmvokx.exe

Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE

Modifies registry class 20 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | kzesbmvokx.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | kzesbmvokx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | kzesbmvokx.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | kzesbmvokx.exe
Key created | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings | eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BC8F9BDF916F2E0837A3B37819C3996B38A03F04361033AE1B945E808A7" | eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC5B02B4795399E52BDBAD733E9D4BB" | eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | kzesbmvokx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | kzesbmvokx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | kzesbmvokx.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33332D0D9C2C82256A3E76DD77202CAA7D8565A8" | eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF4FF894F2A856E9130D62D7E9DBCEFE134594A674F6336D7EE" | eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7836BB1FF6E21AED20CD1D58B7F9014" | eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193EC77B14E7DAC4B8C97C90EC9E37BA" | eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | kzesbmvokx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | kzesbmvokx.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | kzesbmvokx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | kzesbmvokx.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | kzesbmvokx.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
2580 | WINWORD.EXE
2580 | WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
1048 | eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe
1048 | eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe
1048 | eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe
1048 | eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe
1048 | eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe
1048 | eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe
1048 | eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe
1048 | eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe
1048 | eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe
1048 | eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe
1048 | eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe
1048 | eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe
1048 | eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe
1048 | eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe
1048 | eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe
1048 | eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe
2752 | kzesbmvokx.exe
2752 | kzesbmvokx.exe
2752 | kzesbmvokx.exe
2752 | kzesbmvokx.exe
2752 | kzesbmvokx.exe
2752 | kzesbmvokx.exe
2752 | kzesbmvokx.exe
2752 | kzesbmvokx.exe
4460 | tybrjowguticlxm.exe
4460 | tybrjowguticlxm.exe
2752 | kzesbmvokx.exe
2752 | kzesbmvokx.exe
4460 | tybrjowguticlxm.exe
4460 | tybrjowguticlxm.exe
4460 | tybrjowguticlxm.exe
4460 | tybrjowguticlxm.exe
4460 | tybrjowguticlxm.exe
4460 | tybrjowguticlxm.exe
4460 | tybrjowguticlxm.exe
4460 | tybrjowguticlxm.exe
2332 | nqdgxeut.exe
2332 | nqdgxeut.exe
2332 | nqdgxeut.exe
2332 | nqdgxeut.exe
2332 | nqdgxeut.exe
2332 | nqdgxeut.exe
2332 | nqdgxeut.exe
2332 | nqdgxeut.exe
516 | enzdhzxrfmhhc.exe
516 | enzdhzxrfmhhc.exe
516 | enzdhzxrfmhhc.exe
516 | enzdhzxrfmhhc.exe
516 | enzdhzxrfmhhc.exe
516 | enzdhzxrfmhhc.exe
516 | enzdhzxrfmhhc.exe
516 | enzdhzxrfmhhc.exe
516 | enzdhzxrfmhhc.exe
516 | enzdhzxrfmhhc.exe
516 | enzdhzxrfmhhc.exe
516 | enzdhzxrfmhhc.exe
4460 | tybrjowguticlxm.exe
4460 | tybrjowguticlxm.exe
2704 | nqdgxeut.exe
2704 | nqdgxeut.exe
2704 | nqdgxeut.exe
2704 | nqdgxeut.exe
2704 | nqdgxeut.exe
2704 | nqdgxeut.exe

Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process
1048 | eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe
1048 | eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe
1048 | eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe
2752 | kzesbmvokx.exe
2752 | kzesbmvokx.exe
2752 | kzesbmvokx.exe
4460 | tybrjowguticlxm.exe
4460 | tybrjowguticlxm.exe
4460 | tybrjowguticlxm.exe
2332 | nqdgxeut.exe
2332 | nqdgxeut.exe
2332 | nqdgxeut.exe
516 | enzdhzxrfmhhc.exe
516 | enzdhzxrfmhhc.exe
516 | enzdhzxrfmhhc.exe
2704 | nqdgxeut.exe
2704 | nqdgxeut.exe
2704 | nqdgxeut.exe

Suspicious use of SendNotifyMessage 18 IoCs
pid | Process
1048 | eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe
1048 | eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe
1048 | eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe
2752 | kzesbmvokx.exe
2752 | kzesbmvokx.exe
2752 | kzesbmvokx.exe
4460 | tybrjowguticlxm.exe
4460 | tybrjowguticlxm.exe
4460 | tybrjowguticlxm.exe
2332 | nqdgxeut.exe
2332 | nqdgxeut.exe
2332 | nqdgxeut.exe
516 | enzdhzxrfmhhc.exe
516 | enzdhzxrfmhhc.exe
516 | enzdhzxrfmhhc.exe
2704 | nqdgxeut.exe
2704 | nqdgxeut.exe
2704 | nqdgxeut.exe

Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process
2580 | WINWORD.EXE
2580 | WINWORD.EXE
2580 | WINWORD.EXE
2580 | WINWORD.EXE
2580 | WINWORD.EXE
2580 | WINWORD.EXE
2580 | WINWORD.EXE

Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 1048 wrote to memory of 2752 | 1048 | eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe | 82
PID 1048 wrote to memory of 2752 | 1048 | eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe | 82
PID 1048 wrote to memory of 2752 | 1048 | eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe | 82
PID 1048 wrote to memory of 4460 | 1048 | eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe | 83
PID 1048 wrote to memory of 4460 | 1048 | eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe | 83
PID 1048 wrote to memory of 4460 | 1048 | eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe | 83
PID 1048 wrote to memory of 2332 | 1048 | eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe | 84
PID 1048 wrote to memory of 2332 | 1048 | eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe | 84
PID 1048 wrote to memory of 2332 | 1048 | eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe | 84
PID 1048 wrote to memory of 516 | 1048 | eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe | 85
PID 1048 wrote to memory of 516 | 1048 | eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe | 85
PID 1048 wrote to memory of 516 | 1048 | eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe | 85
PID 1048 wrote to memory of 2580 | 1048 | eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe | 86
PID 1048 wrote to memory of 2580 | 1048 | eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe | 86
PID 2752 wrote to memory of 2704 | 2752 | kzesbmvokx.exe | 88
PID 2752 wrote to memory of 2704 | 2752 | kzesbmvokx.exe | 88
PID 2752 wrote to memory of 2704 | 2752 | kzesbmvokx.exe | 88
Processes
C:\Users\Admin\AppData\Local\Temp\eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\eea3ff7a3533c37bb102a18ae801d651_JaffaCakes118.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 1048

  C:\Windows\SysWOW64\kzesbmvokx.exe
    Command line: kzesbmvokx.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID: 2752

    C:\Windows\SysWOW64\nqdgxeut.exe
      Command line: C:\Windows\system32\nqdgxeut.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      PID: 2704

  C:\Windows\SysWOW64\tybrjowguticlxm.exe
    Command line: tybrjowguticlxm.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 4460

  C:\Windows\SysWOW64\nqdgxeut.exe
    Command line: nqdgxeut.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 2332

  C:\Windows\SysWOW64\enzdhzxrfmhhc.exe
    Command line: enzdhzxrfmhhc.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 516

  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID: 2580

Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution 2
  - Registry Run Keys / Startup Folder 1
  - Winlogon Helper DLL 1
Privilege Escalation
- Boot or Logon Autostart Execution 2
  - Registry Run Keys / Startup Folder 1
  - Winlogon Helper DLL 1
Defense Evasion
- Hide Artifacts 2
  - Hidden Files and Directories 2
- Impair Defenses 2
  - Disable or Modify Tools 2
- Modify Registry 6
Downloads
- Filesize: 512KB
  MD5: 7066972494a1431c5656363746baecb0
  SHA1: dea626410380b9eae2918e6de0aabf40f4363561
  SHA256: 3904d6214b0066072626aa94c5ec2e57737f68ada26532af9aa85677ef5955dd
  SHA512: 3c779a885a7e197daa65ba69796b75773866f02e62d603feb1104ff884d561d99504ee2604c0454562b7ae71a813f59da36d9eb2747c33ed1aac5fd617535688
- Filesize: 512KB
  MD5: d86d0e2588505ccaef70fc9c95119ddd
  SHA1: 6e33cee2d1183b0d3929751975b6321e35d8f33c
  SHA256: 10de6c1d3021465339136dc021f9fa1973df3f9320ada488e0e3af41ebeba1be
  SHA512: ad93f3feab832c7162bf695c96c4be5c3e2cee54dc1c9782ff6780d4aca3eea34030ea25f316a65b894ea3c12a13f097df390ad79059ca779388388378b78304
- Filesize: 331B
  MD5: 8693ca59ebd74ff12464633ee0bb1717
  SHA1: cc857b9b9aa65c0373e4a3670f7ebd7ae3039323
  SHA256: 4ba31c2164da59fa0a5e4f58bf01cc981e9f6078936fd6d4c4a4818914fc0137
  SHA512: 34a0cd6afb5f9841a71eccc83db29312fc99aa499d71dee446b2f3ea1c95e287d4ffda7f39823219afd26e1f737a2e65d72bd3cd36a4b1cb375bb91f42eed278
- C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851223[[fn=iso690]].xsl
  Filesize: 263KB
  MD5: ff0e07eff1333cdf9fc2523d323dd654
  SHA1: 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
  SHA256: 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
  SHA512: b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d
- Filesize: 16B
  MD5: d29962abc88624befc0135579ae485ec
  SHA1: e40a6458296ec6a2427bcb280572d023a9862b31
  SHA256: a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866
  SHA512: 4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 2KB
  MD5: 54085a3cdc6a7a3311c3dc99b3766654
  SHA1: 99d473cac2e2600eed060ff88f759d289a661e64
  SHA256: 233f61bff7e4c76587043ddd81a6cebf6376b314e5a73e0ecb7244bbbc393200
  SHA512: 8b152df4998f55246fc0320332366a5dbeb1e004f9c1e12c125ff5203f988bbbf701ebaa195578b33351e38558c6d2ce26f42537b25274053f00e6a7d2cad567
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 3KB
  MD5: 5748034d9f169574cf910178e34ab9b9
  SHA1: 9f2ee0a3bfd0f544b65f90b452c4cfec00cc5782
  SHA256: 72337decb4a24f8b3f8b027ce02a70f3a198a2c37f06e44ab5f5995b75e85c03
  SHA512: c731bb3e566246bc361a3987afc0ba526ce79e64f968989319496e8ccf6f525bc1a3e1b34157b36fd6cd977d3c9e29f5f3529a8372bf89e51a580f19ec03bbac
- Filesize: 512KB
  MD5: f9b7f7ba16549036f86bf0b3b4011e3b
  SHA1: 42b6ac0f377fea2e804099c89e7459c1b45d321e
  SHA256: dd6f72bc92dbe3580dd8a834987f59034cc29af63f8db8735701406a4afb2ffd
  SHA512: 0bfa21a84be3421e53983e187c0769a2a0c26963c0b9090000037533470e27beaa573e4424e07343bd57c4cd7bbc0bc442e8eda28a5c6d9c739dc27d3639e1c2
- Filesize: 512KB
  MD5: f37e4d7e1412555bf9e16e688b745afe
  SHA1: 48ebda6b43016b1ee87048eec4b6c00e7fa6b0b0
  SHA256: 00c2761defee7c894194e0e8992a1114245726620f715d724a5f49011fa29dce
  SHA512: c0f15a35cb89c2d60b98dd0554fa5ee6c156c5ef0673eec492a8136b96bbaaa95c7917f279688178d663496ed69537d7807c432b5e387a7fc15aace43ec6d3a8
- Filesize: 512KB
  MD5: b2d98299ea650d9b4810c422b1dd6fd6
  SHA1: fab0401987ba6393ccf77af7b069a72b7ff600ce
  SHA256: 5b814e1d9c8ba3eaefa06dbe846378d651d1df034ea537fd66f410ede599d9af
  SHA512: b2d8989fedef0144f4023a08e8acffcbdc034dd4f75c2436b4bc3188acd4a7a7cd032bbdb40a09353d31b100f0213c3acfaa39d6edc688bd85ceaae5e73700aa
- Filesize: 512KB
  MD5: 89c51b55b7809e9748d2d05d40664a27
  SHA1: 2d7d02a98bcc8cce513ec80455ad86a6632995ac
  SHA256: c0f715fef1592ffc824dc699e9137ddbb596605e1eb6f13f6e5c3f5a906b2f65
  SHA512: 147dbff964d98cfe109fb97b98403161ededa5dfa8d754ca66f2071fde5dda1408bb0c3add181a0ae214d54dc67a6f7f97fdc7667a97ea74838b3deb9f259895
- Filesize: 223B
  MD5: 06604e5941c126e2e7be02c5cd9f62ec
  SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
  SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
  SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
- Filesize: 512KB
  MD5: 53ffdc7d7d2e986defce0acc1345ff6d
  SHA1: e061a0ef53c9b584e381f15cdea31fd19a3b4fe6
  SHA256: a251360db45756408b48a31c35f31313f109a992dd57a17c6d0112f52d26211b
  SHA512: 299878cd387aa8dde6e70b3034e44b604bcb92578a3da99cf5a3ee1a07ea91aa969a7d2dbd5f14e29b3526122ae0f135ce51ee4d6c6fa7d8cb266ac41bf53b20
- Filesize: 512KB
  MD5: d900978dd013e9e7077c27a35da16c9f
  SHA1: f2e8e316d90be4a620709205373c2889285c021f
  SHA256: f17b8d63e761c5c3de115e1f38ff6f77b7fc33ff5f0d4d091b6fa86eb43dc62f
  SHA512: d39b4969d95aa909d58ba44891b7de3c691c812bba6bd32b8ead703b5a300b015138514004de53b188fa26e56ba1efa2fc3a9aaf5b0946a89b71f49ae2eda44c