Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/09/2024, 00:34
Static task: static1
Behavioral task: behavioral1
Sample: ec7e018e7d3f4282c2417a82f2c9e0b4_JaffaCakes118.exe
Resource: win7-20240903-en
General
Target: ec7e018e7d3f4282c2417a82f2c9e0b4_JaffaCakes118.exe
Size: 512KB
MD5: ec7e018e7d3f4282c2417a82f2c9e0b4
SHA1: 585c4d967c406d5d94ed4b360b2f9d271f3efeb4
SHA256: 744d72ae2940926a48fee94069b438e496e884a4ad16da851365de8917c7dec7
SHA512: 164adfef8e844e3f029f61af77f004682780110c4cff6c46bee0e3158223f9953141c312d49bf64174c67cafecc1105424b8a82ddeb863e6213b19f506e01843
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6p:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5C
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | efdxkbvovt.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | efdxkbvovt.exe
Windows security bypass 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | efdxkbvovt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | efdxkbvovt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | efdxkbvovt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | efdxkbvovt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | efdxkbvovt.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | efdxkbvovt.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | ec7e018e7d3f4282c2417a82f2c9e0b4_JaffaCakes118.exe
Executes dropped EXE 5 IoCs
pid | Process
1276 | efdxkbvovt.exe
4956 | sggedzsukmutrls.exe
5076 | kfhhldpl.exe
3976 | uqlrlfhewjrlp.exe
2564 | kfhhldpl.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials.
Windows security modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | efdxkbvovt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | efdxkbvovt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | efdxkbvovt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | efdxkbvovt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | efdxkbvovt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | efdxkbvovt.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rjybrhvf = "efdxkbvovt.exe" | sggedzsukmutrls.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gnruqxqc = "sggedzsukmutrls.exe" | sggedzsukmutrls.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "uqlrlfhewjrlp.exe" | sggedzsukmutrls.exe
Note: all three entries hold a bare image name rather than a full path, and the third is written to the Run key's default (unnamed) value, which many autorun listings skip.
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
All 64 entries are "File opened (read-only)" on a drive root of the form \??\<letter>:, grouped here by process:
File opened (read-only) | \??\a: b: e: g: h: j: k: l: m: n: o: p: r: s: t: u: v: w: x: y: z: (21 opens; every letter except c, d, f, i, q) | efdxkbvovt.exe
File opened (read-only) | \??\a: b: e: g: h: i: j: k: l: m: n: o: p: q: r: s: t: u: v: w: x: y: z: (43 opens over 23 letters; every letter except c, d, f; both kfhhldpl.exe instances, PIDs 5076 and 2564, enumerate) | kfhhldpl.exe
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | efdxkbvovt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | efdxkbvovt.exe
Note: 4294967197 is 0xFFFFFF9D, the DWORD encoding of -99, the value that switched off Windows File Protection on Windows 2000/XP when combined with a patched sfc_os.dll. Windows Resource Protection (Vista and later) does not honour it, so on this Windows 10 target the write has no protective effect, but it remains a reliable tampering indicator.
AutoIT Executable 10 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/1972-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x0007000000023428-5.dat | autoit_exe
behavioral2/files/0x0008000000023424-19.dat | autoit_exe
behavioral2/files/0x0007000000023429-28.dat | autoit_exe
behavioral2/files/0x000700000002342a-29.dat | autoit_exe
behavioral2/files/0x000800000002332c-66.dat | autoit_exe
behavioral2/files/0x0008000000023413-72.dat | autoit_exe
behavioral2/files/0x0007000000023444-81.dat | autoit_exe
behavioral2/files/0x000700000002344e-99.dat | autoit_exe
behavioral2/files/0x000700000002344e-102.dat | autoit_exe
Drops file in System32 directory 13 IoCs
description | ioc | Process
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | kfhhldpl.exe
File opened for modification | C:\Windows\SysWOW64\efdxkbvovt.exe | ec7e018e7d3f4282c2417a82f2c9e0b4_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\uqlrlfhewjrlp.exe | ec7e018e7d3f4282c2417a82f2c9e0b4_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | efdxkbvovt.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | kfhhldpl.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | kfhhldpl.exe
File created | C:\Windows\SysWOW64\sggedzsukmutrls.exe | ec7e018e7d3f4282c2417a82f2c9e0b4_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\kfhhldpl.exe | ec7e018e7d3f4282c2417a82f2c9e0b4_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\kfhhldpl.exe | ec7e018e7d3f4282c2417a82f2c9e0b4_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\uqlrlfhewjrlp.exe | ec7e018e7d3f4282c2417a82f2c9e0b4_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\sggedzsukmutrls.exe | ec7e018e7d3f4282c2417a82f2c9e0b4_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\efdxkbvovt.exe | ec7e018e7d3f4282c2417a82f2c9e0b4_JaffaCakes118.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | kfhhldpl.exe
Drops file in Program Files directory 15 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | kfhhldpl.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | kfhhldpl.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | kfhhldpl.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | kfhhldpl.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | kfhhldpl.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | kfhhldpl.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | kfhhldpl.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | kfhhldpl.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | kfhhldpl.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | kfhhldpl.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | kfhhldpl.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | kfhhldpl.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | kfhhldpl.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | kfhhldpl.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | kfhhldpl.exe
Drops file in Windows directory 19 IoCs
description | ioc | Process
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | kfhhldpl.exe
File opened for modification | C:\Windows\mydoc.rtf | ec7e018e7d3f4282c2417a82f2c9e0b4_JaffaCakes118.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | kfhhldpl.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | kfhhldpl.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | kfhhldpl.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | kfhhldpl.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | kfhhldpl.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | kfhhldpl.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | kfhhldpl.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | kfhhldpl.exe
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | kfhhldpl.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | kfhhldpl.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | kfhhldpl.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | kfhhldpl.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | kfhhldpl.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | kfhhldpl.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | kfhhldpl.exe
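The three "Drops file" signatures above show the same pattern every time: kfhhldpl.exe creates a PE named <original>.DOC.exe (MsoIrmProtector.doc.exe, PROTTPLN.DOC.exe, PROTTPLV.DOC.exe) and leaves a <original>.nal sidecar beside it, so that with HideFileExt=1 the executable is displayed as the document it replaced. The script below is an added hunting example, not part of the sandbox report: it walks a directory tree for double-extension executables, confirms the MZ header, looks for the "AU3!" marker that AutoIt-compiled executables carry (the report's autoit_exe YARA hits), and notes whether a .nal sidecar is present. The directory tree built by build_sample_tree() is a constructed fixture that only imitates the report's paths; no real sample is used.

```python
"""Hunt for <name>.DOC.exe / <name>.nal drop pairs under Office and Windows
directories and flag AutoIt-compiled PEs.  Added example, not part of the
sandbox report; the fixture tree is constructed, not real malware."""
import os
import re
import tempfile
from dataclasses import dataclass

# Extensions the report shows being turned into <name>.<ext>.exe
DOUBLE_EXT = re.compile(r"\.(doc|docx|rtf|xls|xlsx|pdf)\.exe$", re.IGNORECASE)
AUTOIT_MARK = b"AU3!"          # prefix of the AutoIt compiled-script signature "AU3!EA06"
SCAN_LIMIT = 1 << 20           # one MiB from the file start is enough for both markers


@dataclass
class Hit:
    name: str       # file name as found on disk
    path: str       # full path
    is_pe: bool     # starts with the MZ DOS header
    autoit: bool    # AutoIt marker present in the scanned prefix
    has_nal: bool   # a <basename>.nal sidecar sits next to it


def inspect_file(path):
    """Return (is_pe, autoit) for the first SCAN_LIMIT bytes of a file."""
    with open(path, "rb") as fh:
        head = fh.read(SCAN_LIMIT)
    return head[:2] == b"MZ", AUTOIT_MARK in head


def hunt(root):
    """Walk root and return a Hit for every double-extension .exe found."""
    hits = []
    for dirpath, _, files in os.walk(root):
        lowered = {f.lower() for f in files}
        for name in files:
            if not DOUBLE_EXT.search(name):
                continue
            path = os.path.join(dirpath, name)
            is_pe, autoit = inspect_file(path)
            base = name[: -len(".exe")]                 # "PROTTPLN.DOC"
            nal = os.path.splitext(base)[0] + ".nal"    # "PROTTPLN.nal"
            hits.append(Hit(name, path, is_pe, autoit, nal.lower() in lowered))
    return hits


def build_sample_tree():
    """Constructed fixture mirroring the report's paths (stand-in bytes, not a real PE)."""
    root = tempfile.mkdtemp(prefix="drop_hunt_")
    office = os.path.join(root, "Program Files", "Microsoft Office", "root", "Office16", "1033")
    msdrm = os.path.join(root, "Windows", "SysWOW64", "MSDRM")
    os.makedirs(office)
    os.makedirs(msdrm)
    fake_pe = b"MZ" + b"\x00" * 62 + b"AU3!EA06" + b"\x00" * 64
    files = {
        os.path.join(office, "PROTTPLN.DOC.exe"): fake_pe,
        os.path.join(office, "PROTTPLN.nal"): b"original template bytes",
        os.path.join(office, "notes.docx"): b"PK\x03\x04",         # benign, must not match
        os.path.join(msdrm, "MsoIrmProtector.doc.exe"): fake_pe,  # dropped without a .nal sidecar
    }
    for path, data in files.items():
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for hit in hunt(build_sample_tree()):
        print(f"{hit.path}: pe={hit.is_pe} autoit={hit.autoit} nal_sidecar={hit.has_nal}")
```

Run it against C:\Program Files, C:\Windows\SysWOW64 and C:\Windows\WinSxS on a suspect host; a .nal sidecar next to a hit is the original document the sample displaced and is worth preserving before cleanup.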
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ec7e018e7d3f4282c2417a82f2c9e0b4_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | efdxkbvovt.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sggedzsukmutrls.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | kfhhldpl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | uqlrlfhewjrlp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | kfhhldpl.exe
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class 20 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | efdxkbvovt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCDFACAF96AF1E583743A4B81983E94B0FB02F94214023DE2CC42EC09A9" | ec7e018e7d3f4282c2417a82f2c9e0b4_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FF4FCF9482C82139134D7217D9DBD93E635593666456332D6EB" | ec7e018e7d3f4282c2417a82f2c9e0b4_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings | ec7e018e7d3f4282c2417a82f2c9e0b4_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | efdxkbvovt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | efdxkbvovt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | efdxkbvovt.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | ec7e018e7d3f4282c2417a82f2c9e0b4_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC0B12C47E639EA53B9BAD633EED7CA" | ec7e018e7d3f4282c2417a82f2c9e0b4_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | efdxkbvovt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | efdxkbvovt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "183EC67F14E0DBBEB9BC7F95EC9F34CA" | ec7e018e7d3f4282c2417a82f2c9e0b4_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | efdxkbvovt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | efdxkbvovt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | efdxkbvovt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | efdxkbvovt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | efdxkbvovt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33462C7E9C2D82576A3776D277202CAA7CF165DD" | ec7e018e7d3f4282c2417a82f2c9e0b4_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F36BC6FF6D21DAD172D0A68B7F9117" | ec7e018e7d3f4282c2417a82f2c9e0b4_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | efdxkbvovt.exe
Note: pointing .reg, .bat, .vbs, .wsf, .wsh and .wsc at the txtfile ProgID makes those files open in Notepad instead of executing, which defeats the usual cleanup scripts and .reg fixes until the associations are restored. The CLV.Classes\Com1..Com4 and StartCom1..StartCom2 values are hex strings written by the dropper; the report does not decode them.
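Taken together, the registry signatures above (Security Center overrides, DisableRegistryTools, HideFileExt/ShowSuperHidden, the Winlogon SFC values, bare-name Run entries and the txtfile remap) form a compact host-tampering checklist. The script below is an added example, not part of the sandbox report: it parses the text that `reg query <key> /s` prints and flags every indicator present. SAMPLE_REG_QUERY is a constructed imitation of that output seeded with the report's values; HKEY_CURRENT_USER stands in for the per-SID HKEY_USERS path the sandbox shows, the OneDrive entry and the .txt class are benign controls, and the stock ProgIDs in SCRIPT_DEFAULTS are the Windows defaults the hijacked extensions should be restored to.

```python
"""Evaluate `reg query /s` text against the registry tampering recorded in
this report.  Added example, not part of the sandbox report; the sample
export below is constructed."""
import re

KEY_RE = re.compile(r"^(HKEY_[A-Z_]+\\.*)$")
VAL_RE = re.compile(r"^\s{2,}(\S.*?)\s{2,}(REG_\w+)\s{2,}(.*)$")

SC = r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center"
POL = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
ADV = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUN = r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run"
CLASSES = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes"

# Stock ProgIDs for the extensions the report remaps to "txtfile"
SCRIPT_DEFAULTS = {".reg": "regfile", ".bat": "batfile", ".vbs": "VBSFile",
                   ".wsf": "WSFFile", ".wsh": "WSHFile", ".wsc": "scriptletfile"}


def reg_dword(data):
    """'0x1' -> 1, '0xffffff9d' -> 4294967197; None when the data is not numeric."""
    try:
        return int(data, 16) if data.lower().startswith("0x") else int(data)
    except ValueError:
        return None


# (key, value name, predicate on the data string, why it matters)
RULES = [(SC, n, lambda v: reg_dword(v) == 1, f"Security Center {n}=1 suppresses AV/firewall/update status")
         for n in ("AntiVirusOverride", "FirewallOverride", "AntiVirusDisableNotify",
                   "FirewallDisableNotify", "UpdatesDisableNotify", "FirstRunDisabled")]
RULES += [
    (POL, "DisableRegistryTools", lambda v: reg_dword(v) == 1, "regedit locked out for the user"),
    (ADV, "HideFileExt", lambda v: reg_dword(v) == 1, "extensions hidden, so PROTTPLN.DOC.exe shows as PROTTPLN.DOC"),
    (ADV, "ShowSuperHidden", lambda v: reg_dword(v) == 0, "protected OS files hidden in Explorer"),
    (WINLOGON, "SFCDisable", lambda v: reg_dword(v) not in (None, 0), "SFCDisable set (0xffffff9d is the legacy WFP-off value)"),
]


def parse_reg_query(text):
    """Return {key: {value_name: (type, data)}}; the default value is keyed as ''."""
    snapshot, key = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            snapshot.setdefault(key, {})
            continue
        m = VAL_RE.match(line)
        if m and key is not None:
            name, vtype, data = m.groups()
            snapshot[key]["" if name == "(Default)" else name] = (vtype, data)
    return snapshot


def evaluate(snapshot):
    """Return (key, value name, data, reason) for every tampering indicator present."""
    findings = []
    for key, name, is_bad, why in RULES:
        entry = snapshot.get(key, {}).get(name)
        if entry and is_bad(entry[1]):
            findings.append((key, name, entry[1], why))
    for name, (_, data) in snapshot.get(RUN, {}).items():
        if "\\" not in data:   # bare image name, resolved through the process search path
            findings.append((RUN, name or "(Default)", data, "Run entry without a full path"))
    for ext, stock in SCRIPT_DEFAULTS.items():
        entry = snapshot.get(CLASSES + "\\" + ext, {}).get("")
        if entry and entry[1].lower() == "txtfile":
            findings.append((CLASSES + "\\" + ext, "(Default)", entry[1],
                             f"{ext} opens in Notepad instead of running (stock ProgID {stock})"))
    return findings


# Constructed imitation of `reg query` output, seeded with the report's values
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center
    AntiVirusOverride    REG_DWORD    0x1
    FirewallOverride    REG_DWORD    0x1
    AntiVirusDisableNotify    REG_DWORD    0x1

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    DisableRegistryTools    REG_DWORD    0x1

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    Hidden    REG_DWORD    0x1
    HideFileExt    REG_DWORD    0x1
    ShowSuperHidden    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon
    SFCScan    REG_DWORD    0x0
    SFCDisable    REG_DWORD    0xffffff9d

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
    (Default)    REG_SZ    uqlrlfhewjrlp.exe
    rjybrhvf    REG_SZ    efdxkbvovt.exe
    gnruqxqc    REG_SZ    sggedzsukmutrls.exe
    OneDrive    REG_SZ    "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.reg
    (Default)    REG_SZ    txtfile

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.bat
    (Default)    REG_SZ    txtfile

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.txt
    (Default)    REG_SZ    txtfile
"""

if __name__ == "__main__":
    for key, name, data, why in evaluate(parse_reg_query(SAMPLE_REG_QUERY)):
        print(f"{key}\\{name} = {data}  # {why}")
```

On a live host, feed it the concatenated output of `reg query` for the six keys (run the HKCU queries in the affected user's context, since the sandbox wrote them under that user's SID), and use the stock ProgIDs in SCRIPT_DEFAULTS when restoring the associations before running any .reg or .bat cleanup.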
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process | occurrences
3316 | WINWORD.EXE | 2
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | occurrences
1972 | ec7e018e7d3f4282c2417a82f2c9e0b4_JaffaCakes118.exe | 16
4956 | sggedzsukmutrls.exe | 14
5076 | kfhhldpl.exe | 8
1276 | efdxkbvovt.exe | 10
3976 | uqlrlfhewjrlp.exe | 16
Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process | occurrences
1972 | ec7e018e7d3f4282c2417a82f2c9e0b4_JaffaCakes118.exe | 3
4956 | sggedzsukmutrls.exe | 3
1276 | efdxkbvovt.exe | 3
5076 | kfhhldpl.exe | 3
3976 | uqlrlfhewjrlp.exe | 3
2564 | kfhhldpl.exe | 3
Suspicious use of SendNotifyMessage 18 IoCs
pid | Process | occurrences
1972 | ec7e018e7d3f4282c2417a82f2c9e0b4_JaffaCakes118.exe | 3
4956 | sggedzsukmutrls.exe | 3
1276 | efdxkbvovt.exe | 3
5076 | kfhhldpl.exe | 3
3976 | uqlrlfhewjrlp.exe | 3
2564 | kfhhldpl.exe | 3
Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process | occurrences
3316 | WINWORD.EXE | 7
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target | occurrences
PID 1972 wrote to memory of 1276 | 1972 | ec7e018e7d3f4282c2417a82f2c9e0b4_JaffaCakes118.exe | 82 | 3
PID 1972 wrote to memory of 4956 | 1972 | ec7e018e7d3f4282c2417a82f2c9e0b4_JaffaCakes118.exe | 83 | 3
PID 1972 wrote to memory of 5076 | 1972 | ec7e018e7d3f4282c2417a82f2c9e0b4_JaffaCakes118.exe | 84 | 3
PID 1972 wrote to memory of 3976 | 1972 | ec7e018e7d3f4282c2417a82f2c9e0b4_JaffaCakes118.exe | 85 | 3
PID 1972 wrote to memory of 3316 | 1972 | ec7e018e7d3f4282c2417a82f2c9e0b4_JaffaCakes118.exe | 86 | 2
PID 1276 wrote to memory of 2564 | 1276 | efdxkbvovt.exe | 88 | 3
Processes
- C:\Users\Admin\AppData\Local\Temp\ec7e018e7d3f4282c2417a82f2c9e0b4_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ec7e018e7d3f4282c2417a82f2c9e0b4_JaffaCakes118.exe"
  Depth 1, PID 1972
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\efdxkbvovt.exe
    Command line: efdxkbvovt.exe
    Depth 2, PID 1276
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\kfhhldpl.exe
      Command line: C:\Windows\system32\kfhhldpl.exe (the parent is a 32-bit process, so WOW64 file-system redirection maps system32 to SysWOW64, which is why the image path differs from the command line)
      Depth 3, PID 2564
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\sggedzsukmutrls.exe
    Command line: sggedzsukmutrls.exe
    Depth 2, PID 4956
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\kfhhldpl.exe
    Command line: kfhhldpl.exe
    Depth 2, PID 5076
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\uqlrlfhewjrlp.exe
    Command line: uqlrlfhewjrlp.exe
    Depth 2, PID 3976
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    Depth 2, PID 3316
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (T1547) 2
  - Registry Run Keys / Startup Folder (T1547.001) 1
  - Winlogon Helper DLL (T1547.004) 1
Privilege Escalation
- Boot or Logon Autostart Execution (T1547) 2
  - Registry Run Keys / Startup Folder (T1547.001) 1
  - Winlogon Helper DLL (T1547.004) 1
Defense Evasion
- Hide Artifacts (T1564) 2
  - Hidden Files and Directories (T1564.001) 2
- Impair Defenses (T1562) 2
  - Disable or Modify Tools (T1562.001) 2
- Modify Registry (T1112) 6
Downloads
- Filesize 512KB
  MD5 b8430fc14ece191a870b9298efa35c52
  SHA1 0fd11f739144016cfcfab0648cb0781b103f7cd6
  SHA256 f1fa8d9c94c304ce962c93049599e53315b9826cefda1437bb297874879de083
  SHA512 ffbf2b47c660affae788934f88442b8a5a5ea99aa97cdd0f64dc821a17bfad310f3508b3c2f99025b39a86b275a1c5ac1373bb00d906c5d3d5b915809926ac64
- Filesize 512KB
  MD5 27a8e8dc110b9395446e5d0f5dbaaa77
  SHA1 3b0ebc3a2aaf70590cc02f0ba5e7713ebf5a904e
  SHA256 bdb563e93eff18b61ed774e72d6f9ec8ceb82ea1c8dd20e0c333120f038e1efe
  SHA512 c72d0e864d2c40ed4a0a8809f3a13b4a3085ace7fe93c0ea38ada2270e68cfd73a346127e21847196465af0a3526d42a3fc63bd31bc89d7400725c71cab81a92
- Filesize 245KB
  MD5 f883b260a8d67082ea895c14bf56dd56
  SHA1 7954565c1f243d46ad3b1e2f1baf3281451fc14b
  SHA256 ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
  SHA512 d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e
- Filesize 361B
  MD5 d976cb351f1110704f97b661c39319e4
  SHA1 a0a4edd6203799701b7bdd9fc24da02ce49c4c84
  SHA256 dcf059551f1c91818807c49ea58f65c777aba5762cdbef4168d519f1b592df1e
  SHA512 1cec1585c2d06c6ca1a625888d4403b20d0815c63fcb958658a87bfc89adebb8d065879d5704b3b53af235316e445a437e56f290dfe7568e66bacf90006abbe6
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize 1KB
  MD5 9935da226d3a256f669328f18dca3a41
  SHA1 3c9a97601941f15bd097588ab83fe26e6fa24d11
  SHA256 e2ecfbd9dd7ede23617193db355bc3353412c19376782e973b877059c32c90f0
  SHA512 c0c9d60ed26a91be1622475f363659435276c1127c6715e766e6af3f0b571835f71aca1d1cb21b6887f2472ae9210d9a52f89b7297f435f5e5b7c9d5e9cb0385
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize 1KB
  MD5 ad7bb631ebac4fb03de3c82cadcbf0c7
  SHA1 3c31289c15404f0a7b6692705f5a02e266e474a2
  SHA256 409a518df2aa14e31b5fe913e3ef05521ea2a7d0668aaa832982906f8e633cc7
  SHA512 20558db9eac97446cf59aaecc8bf113d3f4aee67a1bc5f7edcf8786f2402d958117a1de51bcdf989f67f5ab6175cb105ead0853fa45169c8b190238129d356ed
- Filesize 512KB
  MD5 b15935a49916896eb0c4d5f8d3a51522
  SHA1 ff0048c19a2295df1842f21b7ac95db6025cf23e
  SHA256 ee29bcef56a8c50ae5abcc2ac87b6a78964d02b6511d6be34fa1aa2e24929990
  SHA512 74bdf4e0ce32967f0e7a9bf12b8b390a16a51529a03b813f61994f1bfc6e510c654bd69ec6bbc6489403acdedfdbf40a5038c6ff7d006760ec7a302484aac520
- Filesize 512KB
  MD5 c723228789245bdce294459a913e68c6
  SHA1 00455cf37fe717436af894b4f3341b9943fea31d
  SHA256 40efad761747ad3d811c924c8cf8baa17488a5f21c894f382c920ef4e55cc136
  SHA512 70da8c11a58fb0474245d0b5055aaf8a79c94bd376f4f467c34823cf24cf8f32660cc98ced1140250c168eca71e25e5298bdda60837fdd319358172152b9605a
- Filesize 512KB
  MD5 4a24271eb2fa259a1cec77d248632371
  SHA1 3073e32df123d189e26a779977f6b3c2a951d5d9
  SHA256 42ef6dfe6c2ce5c32ed52f30cb8a893449746735726f2a3e03f5c7663e52c66f
  SHA512 45660863404f1e0e6c102fddf3d25dc0f6f76815c35aee5e4ef94a04330283d51c73f9714cfd5b645cb523f6ba9b3e849d5b88f35decfb296f37a220318bc9b2
- Filesize 512KB
  MD5 9be20acb904b01a9cbcf749a90253f1b
  SHA1 60a4080b94c8b2a53628bb7358b5bd82639f5ffd
  SHA256 3d6a285a069795b51ae551375841e053b43eca55157f9bb2026d7ed0de929fa1
  SHA512 846e8d70a03eec7c82e6bc80ac09c5a13483276a765889ecce4a875d7bfcac764b9a703a56cf8289c4d364aee2994dc74402e67b266df0e2ce3e8ff849aba15b
- Filesize 512KB
  MD5 33b72867b8d0d490d35d1b3f3e92ad1d
  SHA1 d1e268abe8fcc470c89752c2dd5a0171683eb1dc
  SHA256 c2d4f33d662c59b2722180ccffd94b384cf7985e832530c0139f3f86da8fa93e
  SHA512 fa7fec230854fbf366042c58fcf9dfbf545f2acc9782ce136a7ac0cc1e54659872382475100b9be208290cf1bc2ae5a455dae7159982cf8f6e2657e14446bc63
- Filesize 223B
  MD5 06604e5941c126e2e7be02c5cd9f62ec
  SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
  SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
  SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
- Filesize 512KB
  MD5 a53fd383a993fef5013c6815989eadf3
  SHA1 b5f8b808b45e58f0fa15a756228fb6e119703b85
  SHA256 136183ec220b8ce7b1d8e1ce5045c0ad5d0e991efe95d89dfe8704dd123f8f5e
  SHA512 c2a7c799c80b1088b8e9ec1b04d85485cc55437194d0588f8c9bba5c63b92c23461355323eca741a213d8fbd10c08ce653dab6a02d13a648dedd65008c401e19
- Filesize 512KB
  MD5 b86523258a862857373e0fb88e831d9b
  SHA1 dafd7f48761a2a153ff9cfb791d6b934fcf4c640
  SHA256 34dcd02f88884546e191074a55488319fbaf20b5acb018971fbae5c0dce4c1a6
  SHA512 470cd430a25b7e544755de0f149278f9a60ceeeb83bff6a5a2111cd786e7cd7609c1364f90c4bb234c8ce1b71093ccfe85fc55be0ebf89c830acaf14d219f016