Analysis
max time kernel: 150s
max time network: 123s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
submitted: 20-09-2024 23:52
Static task: static1
Behavioral task: behavioral1
Sample: eeae49ada7ea91c10c6b3ad8c17efb23_JaffaCakes118.exe
Resource: win7-20240903-en
General
Target: eeae49ada7ea91c10c6b3ad8c17efb23_JaffaCakes118.exe
Size: 512KB
MD5: eeae49ada7ea91c10c6b3ad8c17efb23
SHA1: 8dc8ca1ba225cc9a0bffea5ca78a63cf901f7f6d
SHA256: 37d85a211b7bbf2ede2fe15c557146b0fa2db301c053dfd3817534a8b677d9ab
SHA512: b68e8c46428b39f38abad31bec82c82334d94c6329437542a7727ee2133573816db3cd80d897454bbe0118379e2d781ad7b994527dbf8858417cdb4909bd20a2
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6c:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5R
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
- Set value (int) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (haiypnhjhg.exe)
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
- Set value (int) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (haiypnhjhg.exe)
Windows security bypass 5 IoCs (signature heading absent from the extracted report; inferred from its position in the haiypnhjhg.exe entry of the process tree)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (haiypnhjhg.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (haiypnhjhg.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (haiypnhjhg.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (haiypnhjhg.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (haiypnhjhg.exe)
Disables RegEdit via registry modification 1 IoCs
- Set value (int) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (haiypnhjhg.exe)
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
- Key value queried \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation (eeae49ada7ea91c10c6b3ad8c17efb23_JaffaCakes118.exe)
Executes dropped EXE 5 IoCs
- PID 3708: haiypnhjhg.exe
- PID 3476: pmjwyhcefzqoswr.exe
- PID 3796: vvcufoii.exe
- PID 3948: wbimgjrxrgnte.exe
- PID 736: vvcufoii.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 6 IoCs (signature heading absent from the extracted report; inferred from its position in the haiypnhjhg.exe entry of the process tree)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (haiypnhjhg.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (haiypnhjhg.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (haiypnhjhg.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" (haiypnhjhg.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (haiypnhjhg.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (haiypnhjhg.exe)
Adds Run key to start application 2 TTPs 3 IoCs
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "wbimgjrxrgnte.exe" (pmjwyhcefzqoswr.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xsvrshys = "haiypnhjhg.exe" (pmjwyhcefzqoswr.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\bwkuertq = "pmjwyhcefzqoswr.exe" (pmjwyhcefzqoswr.exe)
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon 2 TTPs 2 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" (haiypnhjhg.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" (haiypnhjhg.exe)
AutoIT Executable 9 IoCs
AutoIT scripts compiled to PE executables.
- behavioral2/memory/2320-0-0x0000000000400000-0x0000000000496000-memory.dmp (yara rule: autoit_exe)
- behavioral2/files/0x0007000000023454-5.dat (yara rule: autoit_exe)
- behavioral2/files/0x000b00000002344c-18.dat (yara rule: autoit_exe)
- behavioral2/files/0x0007000000023455-24.dat (yara rule: autoit_exe)
- behavioral2/files/0x0007000000023456-32.dat (yara rule: autoit_exe)
- behavioral2/files/0x000800000002343c-73.dat (yara rule: autoit_exe)
- behavioral2/files/0x0007000000023470-85.dat (yara rule: autoit_exe)
- behavioral2/files/0x000b0000000234af-499.dat (yara rule: autoit_exe)
- behavioral2/files/0x000b0000000234af-576.dat (yara rule: autoit_exe)
Drops file in System32 directory 12 IoCs
- File created C:\Windows\SysWOW64\haiypnhjhg.exe (eeae49ada7ea91c10c6b3ad8c17efb23_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\pmjwyhcefzqoswr.exe (eeae49ada7ea91c10c6b3ad8c17efb23_JaffaCakes118.exe)
- File created C:\Windows\SysWOW64\vvcufoii.exe (eeae49ada7ea91c10c6b3ad8c17efb23_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\wbimgjrxrgnte.exe (eeae49ada7ea91c10c6b3ad8c17efb23_JaffaCakes118.exe)
- File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (vvcufoii.exe)
- File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (vvcufoii.exe)
- File opened for modification C:\Windows\SysWOW64\haiypnhjhg.exe (eeae49ada7ea91c10c6b3ad8c17efb23_JaffaCakes118.exe)
- File created C:\Windows\SysWOW64\pmjwyhcefzqoswr.exe (eeae49ada7ea91c10c6b3ad8c17efb23_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\vvcufoii.exe (eeae49ada7ea91c10c6b3ad8c17efb23_JaffaCakes118.exe)
- File created C:\Windows\SysWOW64\wbimgjrxrgnte.exe (eeae49ada7ea91c10c6b3ad8c17efb23_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\msvbvm60.dll (haiypnhjhg.exe)
- File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (vvcufoii.exe)
Drops file in Program Files directory 14 IoCs
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal (vvcufoii.exe)
- File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (vvcufoii.exe)
- File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (vvcufoii.exe)
- File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (vvcufoii.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (vvcufoii.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal (vvcufoii.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (vvcufoii.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal (vvcufoii.exe)
- File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (vvcufoii.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (vvcufoii.exe)
- File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (vvcufoii.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal (vvcufoii.exe)
- File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (vvcufoii.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (vvcufoii.exe)
Drops file in Windows directory 19 IoCs
- File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (vvcufoii.exe)
- File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (vvcufoii.exe)
- File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (vvcufoii.exe)
- File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (vvcufoii.exe)
- File opened for modification C:\Windows\mydoc.rtf (WINWORD.EXE)
- File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (vvcufoii.exe)
- File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (vvcufoii.exe)
- File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (vvcufoii.exe)
- File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (vvcufoii.exe)
- File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (vvcufoii.exe)
- File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (vvcufoii.exe)
- File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (vvcufoii.exe)
- File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (vvcufoii.exe)
- File opened for modification C:\Windows\mydoc.rtf (eeae49ada7ea91c10c6b3ad8c17efb23_JaffaCakes118.exe)
- File created C:\Windows\~$mydoc.rtf (WINWORD.EXE)
- File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (vvcufoii.exe)
- File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (vvcufoii.exe)
- File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (vvcufoii.exe)
- File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (vvcufoii.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (wbimgjrxrgnte.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (vvcufoii.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (eeae49ada7ea91c10c6b3ad8c17efb23_JaffaCakes118.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (haiypnhjhg.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (vvcufoii.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (pmjwyhcefzqoswr.exe)
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
Enumerates system info in registry 2 TTPs 3 IoCs
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
Modifies registry class 20 IoCs
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33322C799C2082566D4576A5702E2CAD7D8664DE" (eeae49ada7ea91c10c6b3ad8c17efb23_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1839C70F1596DBBEB8C17FE6ECE537C8" (eeae49ada7ea91c10c6b3ad8c17efb23_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" (haiypnhjhg.exe)
- Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes (eeae49ada7ea91c10c6b3ad8c17efb23_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8FFFFC4829851C9146D72D7E97BCE5E630594067326243D791" (eeae49ada7ea91c10c6b3ad8c17efb23_JaffaCakes118.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat (haiypnhjhg.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs (haiypnhjhg.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" (haiypnhjhg.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" (haiypnhjhg.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB6B02C4794389853C8BADD329CD7CF" (eeae49ada7ea91c10c6b3ad8c17efb23_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E08668B6FF1D22DAD173D0A68B099010" (eeae49ada7ea91c10c6b3ad8c17efb23_JaffaCakes118.exe)
- Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings (eeae49ada7ea91c10c6b3ad8c17efb23_JaffaCakes118.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh (haiypnhjhg.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" (haiypnhjhg.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" (haiypnhjhg.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BB5FAB9F967F2E784793B3286983994B08903FE42690349E2CD45E709A8" (eeae49ada7ea91c10c6b3ad8c17efb23_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" (haiypnhjhg.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc (haiypnhjhg.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf (haiypnhjhg.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg (haiypnhjhg.exe)
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of FindShellTrayWindow 18 IoCs
Suspicious use of SendNotifyMessage 18 IoCs
Suspicious use of SetWindowsHookEx 7 IoCs
Suspicious use of WriteProcessMemory 17 IoCs
- PID 2320 wrote to memory of 3708 (eeae49ada7ea91c10c6b3ad8c17efb23_JaffaCakes118.exe, procid_target 82)
- PID 2320 wrote to memory of 3708 (eeae49ada7ea91c10c6b3ad8c17efb23_JaffaCakes118.exe, procid_target 82)
- PID 2320 wrote to memory of 3708 (eeae49ada7ea91c10c6b3ad8c17efb23_JaffaCakes118.exe, procid_target 82)
- PID 2320 wrote to memory of 3476 (eeae49ada7ea91c10c6b3ad8c17efb23_JaffaCakes118.exe, procid_target 83)
- PID 2320 wrote to memory of 3476 (eeae49ada7ea91c10c6b3ad8c17efb23_JaffaCakes118.exe, procid_target 83)
- PID 2320 wrote to memory of 3476 (eeae49ada7ea91c10c6b3ad8c17efb23_JaffaCakes118.exe, procid_target 83)
- PID 2320 wrote to memory of 3796 (eeae49ada7ea91c10c6b3ad8c17efb23_JaffaCakes118.exe, procid_target 84)
- PID 2320 wrote to memory of 3796 (eeae49ada7ea91c10c6b3ad8c17efb23_JaffaCakes118.exe, procid_target 84)
- PID 2320 wrote to memory of 3796 (eeae49ada7ea91c10c6b3ad8c17efb23_JaffaCakes118.exe, procid_target 84)
- PID 2320 wrote to memory of 3948 (eeae49ada7ea91c10c6b3ad8c17efb23_JaffaCakes118.exe, procid_target 85)
- PID 2320 wrote to memory of 3948 (eeae49ada7ea91c10c6b3ad8c17efb23_JaffaCakes118.exe, procid_target 85)
- PID 2320 wrote to memory of 3948 (eeae49ada7ea91c10c6b3ad8c17efb23_JaffaCakes118.exe, procid_target 85)
- PID 2320 wrote to memory of 1840 (eeae49ada7ea91c10c6b3ad8c17efb23_JaffaCakes118.exe, procid_target 86)
- PID 2320 wrote to memory of 1840 (eeae49ada7ea91c10c6b3ad8c17efb23_JaffaCakes118.exe, procid_target 86)
- PID 3708 wrote to memory of 736 (haiypnhjhg.exe, procid_target 88)
- PID 3708 wrote to memory of 736 (haiypnhjhg.exe, procid_target 88)
- PID 3708 wrote to memory of 736 (haiypnhjhg.exe, procid_target 88)
Processes
C:\Users\Admin\AppData\Local\Temp\eeae49ada7ea91c10c6b3ad8c17efb23_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\eeae49ada7ea91c10c6b3ad8c17efb23_JaffaCakes118.exe"
  PID: 2320
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\haiypnhjhg.exe
    command line: haiypnhjhg.exe
    PID: 3708
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\vvcufoii.exe
      command line: C:\Windows\system32\vvcufoii.exe
      PID: 736
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\pmjwyhcefzqoswr.exe
    command line: pmjwyhcefzqoswr.exe
    PID: 3476
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\vvcufoii.exe
    command line: vvcufoii.exe
    PID: 3796
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\wbimgjrxrgnte.exe
    command line: wbimgjrxrgnte.exe
    PID: 3948
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    PID: 1840
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads