Analysis
max time kernel: 149s
max time network: 140s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/09/2024, 04:02
Static task: static1
Behavioral task: behavioral1
Sample: ecceb41546351e4d9090d43c5c275d17_JaffaCakes118.exe
Resource: win7-20240903-en
General
Target: ecceb41546351e4d9090d43c5c275d17_JaffaCakes118.exe
Size: 512KB
MD5: ecceb41546351e4d9090d43c5c275d17
SHA1: 07bbf29f0fc664a01653fbe2b1f235489e0f6773
SHA256: 4851e662cd08c5b5956c02d036308d96c6fdedff447a5d5eac8323351af60f18
SHA512: 7e4c03668f9d14c76a0a12f0d5d4bc65f780d43b412c746f25472bb05ebc17cca5e70ca15e2ad8aad9b3c43c88ef4431a1c1777512340f076b7a0e37edb9ff24
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6h:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5Y
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | yywxttzzgt.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | yywxttzzgt.exe
Windows security bypass 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | yywxttzzgt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | yywxttzzgt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | yywxttzzgt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | yywxttzzgt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | yywxttzzgt.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | yywxttzzgt.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | ecceb41546351e4d9090d43c5c275d17_JaffaCakes118.exe
Executes dropped EXE 5 IoCs
pid | Process
4296 | yywxttzzgt.exe
3764 | ntwimrdhmbvmeqr.exe
2220 | dhrfugtz.exe
768 | raxhhfcdokvod.exe
2044 | dhrfugtz.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | yywxttzzgt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | yywxttzzgt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | yywxttzzgt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | yywxttzzgt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | yywxttzzgt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | yywxttzzgt.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ijoggvxg = "yywxttzzgt.exe" | ntwimrdhmbvmeqr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vbumomzs = "ntwimrdhmbvmeqr.exe" | ntwimrdhmbvmeqr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "raxhhfcdokvod.exe" | ntwimrdhmbvmeqr.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\g: | dhrfugtz.exe
File opened (read-only) | \??\p: | dhrfugtz.exe
File opened (read-only) | \??\n: | yywxttzzgt.exe
File opened (read-only) | \??\w: | yywxttzzgt.exe
File opened (read-only) | \??\e: | dhrfugtz.exe
File opened (read-only) | \??\u: | dhrfugtz.exe
File opened (read-only) | \??\v: | dhrfugtz.exe
File opened (read-only) | \??\b: | dhrfugtz.exe
File opened (read-only) | \??\r: | dhrfugtz.exe
File opened (read-only) | \??\w: | dhrfugtz.exe
File opened (read-only) | \??\k: | yywxttzzgt.exe
File opened (read-only) | \??\v: | yywxttzzgt.exe
File opened (read-only) | \??\n: | dhrfugtz.exe
File opened (read-only) | \??\k: | dhrfugtz.exe
File opened (read-only) | \??\v: | dhrfugtz.exe
File opened (read-only) | \??\y: | dhrfugtz.exe
File opened (read-only) | \??\u: | yywxttzzgt.exe
File opened (read-only) | \??\j: | dhrfugtz.exe
File opened (read-only) | \??\o: | dhrfugtz.exe
File opened (read-only) | \??\g: | yywxttzzgt.exe
File opened (read-only) | \??\l: | yywxttzzgt.exe
File opened (read-only) | \??\y: | yywxttzzgt.exe
File opened (read-only) | \??\m: | dhrfugtz.exe
File opened (read-only) | \??\l: | dhrfugtz.exe
File opened (read-only) | \??\a: | yywxttzzgt.exe
File opened (read-only) | \??\e: | yywxttzzgt.exe
File opened (read-only) | \??\h: | yywxttzzgt.exe
File opened (read-only) | \??\q: | yywxttzzgt.exe
File opened (read-only) | \??\i: | dhrfugtz.exe
File opened (read-only) | \??\t: | dhrfugtz.exe
File opened (read-only) | \??\j: | yywxttzzgt.exe
File opened (read-only) | \??\a: | dhrfugtz.exe
File opened (read-only) | \??\h: | dhrfugtz.exe
File opened (read-only) | \??\p: | dhrfugtz.exe
File opened (read-only) | \??\e: | dhrfugtz.exe
File opened (read-only) | \??\s: | yywxttzzgt.exe
File opened (read-only) | \??\j: | dhrfugtz.exe
File opened (read-only) | \??\y: | dhrfugtz.exe
File opened (read-only) | \??\k: | dhrfugtz.exe
File opened (read-only) | \??\s: | dhrfugtz.exe
File opened (read-only) | \??\m: | yywxttzzgt.exe
File opened (read-only) | \??\o: | yywxttzzgt.exe
File opened (read-only) | \??\t: | yywxttzzgt.exe
File opened (read-only) | \??\o: | dhrfugtz.exe
File opened (read-only) | \??\z: | dhrfugtz.exe
File opened (read-only) | \??\i: | yywxttzzgt.exe
File opened (read-only) | \??\p: | yywxttzzgt.exe
File opened (read-only) | \??\z: | yywxttzzgt.exe
File opened (read-only) | \??\h: | dhrfugtz.exe
File opened (read-only) | \??\q: | dhrfugtz.exe
File opened (read-only) | \??\m: | dhrfugtz.exe
File opened (read-only) | \??\q: | dhrfugtz.exe
File opened (read-only) | \??\r: | dhrfugtz.exe
File opened (read-only) | \??\w: | dhrfugtz.exe
File opened (read-only) | \??\x: | dhrfugtz.exe
File opened (read-only) | \??\i: | dhrfugtz.exe
File opened (read-only) | \??\r: | yywxttzzgt.exe
File opened (read-only) | \??\z: | dhrfugtz.exe
File opened (read-only) | \??\x: | yywxttzzgt.exe
File opened (read-only) | \??\b: | dhrfugtz.exe
File opened (read-only) | \??\l: | dhrfugtz.exe
File opened (read-only) | \??\a: | dhrfugtz.exe
File opened (read-only) | \??\u: | dhrfugtz.exe
File opened (read-only) | \??\b: | yywxttzzgt.exe
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | yywxttzzgt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | yywxttzzgt.exe
AutoIT Executable 10 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/2764-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x000800000002344a-5.dat | autoit_exe
behavioral2/files/0x00090000000233f6-18.dat | autoit_exe
behavioral2/files/0x000700000002344c-26.dat | autoit_exe
behavioral2/files/0x000700000002344d-31.dat | autoit_exe
behavioral2/files/0x000700000002345a-57.dat | autoit_exe
behavioral2/files/0x000700000002345b-63.dat | autoit_exe
behavioral2/files/0x000700000002346b-90.dat | autoit_exe
behavioral2/files/0x000800000002346f-108.dat | autoit_exe
behavioral2/files/0x000800000002346f-113.dat | autoit_exe
Drops file in System32 directory 13 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | yywxttzzgt.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | dhrfugtz.exe
File opened for modification | C:\Windows\SysWOW64\yywxttzzgt.exe | ecceb41546351e4d9090d43c5c275d17_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\dhrfugtz.exe | ecceb41546351e4d9090d43c5c275d17_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\raxhhfcdokvod.exe | ecceb41546351e4d9090d43c5c275d17_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\raxhhfcdokvod.exe | ecceb41546351e4d9090d43c5c275d17_JaffaCakes118.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | dhrfugtz.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | dhrfugtz.exe
File created | C:\Windows\SysWOW64\ntwimrdhmbvmeqr.exe | ecceb41546351e4d9090d43c5c275d17_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\ntwimrdhmbvmeqr.exe | ecceb41546351e4d9090d43c5c275d17_JaffaCakes118.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | dhrfugtz.exe
File created | C:\Windows\SysWOW64\yywxttzzgt.exe | ecceb41546351e4d9090d43c5c275d17_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\dhrfugtz.exe | ecceb41546351e4d9090d43c5c275d17_JaffaCakes118.exe
Drops file in Program Files directory 15 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | dhrfugtz.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | dhrfugtz.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | dhrfugtz.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | dhrfugtz.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | dhrfugtz.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | dhrfugtz.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | dhrfugtz.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | dhrfugtz.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | dhrfugtz.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | dhrfugtz.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | dhrfugtz.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | dhrfugtz.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | dhrfugtz.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | dhrfugtz.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | dhrfugtz.exe
Drops file in Windows directory 19 IoCs
description | ioc | Process
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | dhrfugtz.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | dhrfugtz.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | dhrfugtz.exe
File opened for modification | C:\Windows\mydoc.rtf | ecceb41546351e4d9090d43c5c275d17_JaffaCakes118.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | dhrfugtz.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | dhrfugtz.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | dhrfugtz.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | dhrfugtz.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | dhrfugtz.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | dhrfugtz.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | dhrfugtz.exe
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | dhrfugtz.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | dhrfugtz.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | dhrfugtz.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | dhrfugtz.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | dhrfugtz.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | dhrfugtz.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ecceb41546351e4d9090d43c5c275d17_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | yywxttzzgt.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ntwimrdhmbvmeqr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dhrfugtz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | raxhhfcdokvod.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dhrfugtz.exe
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class 20 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | yywxttzzgt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | yywxttzzgt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | yywxttzzgt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | yywxttzzgt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193DC60814E7DAB6B8CB7CE9EC9437CA" | ecceb41546351e4d9090d43c5c275d17_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | yywxttzzgt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | yywxttzzgt.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | ecceb41546351e4d9090d43c5c275d17_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7816BC6FE6B21DFD20ED1A88B0E9114" | ecceb41546351e4d9090d43c5c275d17_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | yywxttzzgt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | yywxttzzgt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | yywxttzzgt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | yywxttzzgt.exe
Key created | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings | ecceb41546351e4d9090d43c5c275d17_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB0B15B4497399D52CBBAD533EAD4CC" | ecceb41546351e4d9090d43c5c275d17_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABBF9B0FE6AF190837D3A43869F3999B0F9028F4215034FE1CB459A09A8" | ecceb41546351e4d9090d43c5c275d17_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F88FFF94F2885199130D7217D96BD90E13D593566416331D790" | ecceb41546351e4d9090d43c5c275d17_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | yywxttzzgt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | yywxttzzgt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32352D089D5582576D4177D477552DAD7DF265DD" | ecceb41546351e4d9090d43c5c275d17_JaffaCakes118.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
5024 | WINWORD.EXE
5024 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | consecutive entries
2764 | ecceb41546351e4d9090d43c5c275d17_JaffaCakes118.exe | 16
4296 | yywxttzzgt.exe | 10
3764 | ntwimrdhmbvmeqr.exe | 8
2220 | dhrfugtz.exe | 8
3764 | ntwimrdhmbvmeqr.exe | 2
768 | raxhhfcdokvod.exe | 12
2044 | dhrfugtz.exe | 8
Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process | consecutive entries
2764 | ecceb41546351e4d9090d43c5c275d17_JaffaCakes118.exe | 3
4296 | yywxttzzgt.exe | 3
3764 | ntwimrdhmbvmeqr.exe | 3
2220 | dhrfugtz.exe | 2
768 | raxhhfcdokvod.exe | 1
2220 | dhrfugtz.exe | 1
768 | raxhhfcdokvod.exe | 2
2044 | dhrfugtz.exe | 3
Suspicious use of SendNotifyMessage 18 IoCs
pid | Process | consecutive entries
2764 | ecceb41546351e4d9090d43c5c275d17_JaffaCakes118.exe | 3
4296 | yywxttzzgt.exe | 3
3764 | ntwimrdhmbvmeqr.exe | 3
2220 | dhrfugtz.exe | 3
768 | raxhhfcdokvod.exe | 3
2044 | dhrfugtz.exe | 3
Suspicious use of SetWindowsHookEx 17 IoCs
pid | Process | consecutive entries
5024 | WINWORD.EXE | 17
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target | consecutive entries
PID 2764 wrote to memory of 4296 | 2764 | ecceb41546351e4d9090d43c5c275d17_JaffaCakes118.exe | 82 | 3
PID 2764 wrote to memory of 3764 | 2764 | ecceb41546351e4d9090d43c5c275d17_JaffaCakes118.exe | 83 | 3
PID 2764 wrote to memory of 2220 | 2764 | ecceb41546351e4d9090d43c5c275d17_JaffaCakes118.exe | 84 | 3
PID 2764 wrote to memory of 768 | 2764 | ecceb41546351e4d9090d43c5c275d17_JaffaCakes118.exe | 85 | 3
PID 4296 wrote to memory of 2044 | 4296 | yywxttzzgt.exe | 86 | 3
PID 2764 wrote to memory of 5024 | 2764 | ecceb41546351e4d9090d43c5c275d17_JaffaCakes118.exe | 87 | 2
Processes

C:\Users\Admin\AppData\Local\Temp\ecceb41546351e4d9090d43c5c275d17_JaffaCakes118.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ecceb41546351e4d9090d43c5c275d17_JaffaCakes118.exe"
  PID: 2764
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\yywxttzzgt.exe (depth 2)
    Command line: yywxttzzgt.exe
    PID: 4296
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\dhrfugtz.exe (depth 3)
      Command line: C:\Windows\system32\dhrfugtz.exe
      PID: 2044
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\ntwimrdhmbvmeqr.exe (depth 2)
    Command line: ntwimrdhmbvmeqr.exe
    PID: 3764
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\dhrfugtz.exe (depth 2)
    Command line: dhrfugtz.exe
    PID: 2220
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\raxhhfcdokvod.exe (depth 2)
    Command line: raxhhfcdokvod.exe
    PID: 768
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (depth 2)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    PID: 5024
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (6)
Downloads

Filesize: 512KB
MD5: ee31db7bbf35f1669e7fdca6c2963e67
SHA1: 6d40754b34623277996365730afe217375835283
SHA256: 69ec13f1c6f0a2e87e38b64b4117e266d2e0aad6118c78a87e0570fa77c762f3
SHA512: 63d829263e49fa828d82867f50a4f747a19abf2a95d05cb471697ade43a3ff9859f557da6eef76ece212f4f3c2a904f96e2e51036a3ce07804e158472a86eafe

Filesize: 512KB
MD5: f224bf2cb29f2920eb8876fa2eae4427
SHA1: 28f7fd532694d7950070d1697c2a56cda0994b24
SHA256: ccf396162859edc1e02da2406de2714e97f7eeb57ef43ccd01024e03e77b80da
SHA512: f416c2ab19cb8cf32c92893768399526532330239bfa46cb09eedf7208c84016ec008e95015a3f897d5cdfbbb664c4437119a49998828c6553cee5f77cab495b

Filesize: 245KB
MD5: f883b260a8d67082ea895c14bf56dd56
SHA1: 7954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256: ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512: d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Filesize: 242B
MD5: c7b62057c6586cfc9550a21458ea961e
SHA1: c1d1ac4162f9a42c7afa29b93c849a11ca485143
SHA256: ec275f35602f4db21ca9caae0f596ada8bd1251e499b4643c0592a087c82aff0
SHA512: 8b8a0e7e29cd44a69627986562f91d73388cc3314f083eb301f17912b57a7c157514778e7b2324c2574118fbabc8ffc87f7a2e9047ad37c65ef263f0c3af3b76

Filesize: 18KB
MD5: 7c88b1a17de1fb86953b6d45c80c3c4f
SHA1: 7d6f1b05fce945959dfc12e8b225965b4a0d6f02
SHA256: 4fbfc30fae23812ce527eed7b6adbb8866525876e0384fc48fb0b7e12c0b3741
SHA512: 26dcb6961dc59515c69e376d8c9be1ef3631f34060991eee077e2136034b456b7c4722fc9316151f0861c6bb4a945113715ebb5be671e278c3507ce3b34654d5

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 24B
MD5: 4fcb2a3ee025e4a10d21e1b154873fe2
SHA1: 57658e2fa594b7d0b99d02e041d0f3418e58856b
SHA256: 90bf6baa6f968a285f88620fbf91e1f5aa3e66e2bad50fd16f37913280ad8228
SHA512: 4e85d48db8c0ee5c4dd4149ab01d33e4224456c3f3e3b0101544a5ca87a0d74b3ccd8c0509650008e2abed65efd1e140b1e65ae5215ab32de6f6a49c9d3ec3ff

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 679B
MD5: 82bece35bd40ba0d6fe45a5556744b4a
SHA1: a385944fb1756baa79cfbc74e45a23cc15d71e48
SHA256: c981d7e6d2cb263cf2518fe0380f521dab2ae277d20fab7fc5ad2c31fa3b6ba2
SHA512: 8aa3a2443f9a0896c23f8f9e9e6b55fe341df5ac9a7d814193ffa8b1fcfb59b5a4622b5df747f600ae2e26336345befb269b5047fde7ae6eb362eb2b43cb3e70

Filesize: 512KB
MD5: e8e0ede7a1620ec382d326c52901aa26
SHA1: 86eff8fc1e9ee64d9ea6ce8c38b0bdbee6a5244e
SHA256: e531a8cccf0c703a7759dd1d5d6155a9176d5c839bd390da52a13b2729d8ffb6
SHA512: 0bafdb7d90c2f24239e43d0ca362eb797b2f7a2c68cace39c715e881cc39ad6e2d6e800aae819e4e397c34fa38bc43c9914685c8f6b6eecdab55b06e72069476

Filesize: 512KB
MD5: 03231c819e772c2cf236d753af444973
SHA1: 244137c2b93432d7544cd18151c347df39976d7e
SHA256: 2190d576772d709e7ce3b04c5236fe90c781d61dc9bf31ad63727c7b5b5cde40
SHA512: 50563f10bf3358d28778c12dfc670e577767ac9aeb3838f9a936b574c65f17772112916f00190167b38f29156fb16730ee99e452e6be45ce5b50937999f4a0b4

Filesize: 512KB
MD5: 599151d263e3a7ae9662fd17968cec37
SHA1: f63496ac4cd38056040ded2cdbbe7bdf3669a0cc
SHA256: 390b098cd1e26fc10223c2f5d123a84e902d3580495944cfbcac47ae4ee5822e
SHA512: 54ed2bc3b95b066da114020aeb3746933c91ba647b8e69e233ba23d525da08b8b381e0dfcd8793ca752ddf44456455b55987b95dcd58eb3a2e7f935dfff35c79

Filesize: 512KB
MD5: e37c6525165b2bc95be0f4853f1fbe52
SHA1: 299724873d447b254aa91ab3898df4381b8ec818
SHA256: 5f27777fa7542b5981934ec90c165de5063c09898ef0e8dabdfd319103eca68c
SHA512: 73e23e18ff98819340026527326e0e8e3081f8b9d31e25cdf54b3e12d71df4bf726a1595fb9d28a2f5665558fde5a6359c73f3ad3ecab3ed7595330b01462440

Filesize: 512KB
MD5: cefe3ffe9302d1d4714e257428a0d7cc
SHA1: 628364c99209929e081c3d6b65955a6387b6e74f
SHA256: 00e13a6931945aecf7156594ce06f23356c1ee12df33a70b536b49128ab0de4a
SHA512: 85c21b737bc2def78179222c13fe7962ed5e754f66e2a1b5181b94a2f76b94e2adfceb66f4864d9c4d672c3285f6071e5d8591462ee060b5ac9c4fc5d6c99235

Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Filesize: 512KB
MD5: e110c92ed89f91fbf2d815e2ecb5432a
SHA1: fb8e918df4a539c4ea642a0459aa381388400476
SHA256: 29302814d01dcc2d74ddb68654972a20c6919941c35a7d996e5a6c1be12e7739
SHA512: cbdd95720511570c8bf7d196d5280c9b8a2a83fd6dd60ae8828a6c36c6ccba08c6a12224b9e17844f59e2e8e60eb4cab4fb3c3a7181e8878e8e0bfc9cf1bde98

Filesize: 512KB
MD5: a4fb4c07667901289af401f93290e79f
SHA1: 96b9cf690d6e8fe3a2c63762551a9b3859a02928
SHA256: 483f196ed0e80d8663aa8479168892ba38fe7d9416b587802eba69f468e20a5b
SHA512: 30674ad2339e0b9fdc407b1e1a0c0024c16ca3c3e24e1a783bedcc7176b7f17ca4e115ce12aa4854ca8c7a9d97faf9cd43c6f8e316b5618c2b38c024527e3f6b