Analysis
max time kernel: 150s
max time network: 126s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 20/09/2024, 04:53
Static task: static1
Behavioral task: behavioral1
Sample: ece0e35c5e3a58f57e6f2d499f4384c9_JaffaCakes118.exe
Resource: win7-20240903-en
General
Target: ece0e35c5e3a58f57e6f2d499f4384c9_JaffaCakes118.exe
Size: 512KB
MD5: ece0e35c5e3a58f57e6f2d499f4384c9
SHA1: ac0beb39aff1aeaba29c84cb891dd275f314871b
SHA256: ac32589d99e936882436a58246f3f4c0dd64de5791ac54444545248812842846
SHA512: 01a1aa3871a3d24d481fb7f35af3382bdbb5254b11cf90d5bb767b5927e75f82f1bb0f69244063c8cdb2f351074f2a975f466cc3af5d1b4b3fab2c0e4467a93e
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj64:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5/
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | viecpegufz.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | viecpegufz.exe
Windows security bypass 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | viecpegufz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | viecpegufz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | viecpegufz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | viecpegufz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | viecpegufz.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | viecpegufz.exe
Executes dropped EXE 5 IoCs
pid | Process
3052 | viecpegufz.exe
2880 | fjbgdmwflazgiqr.exe
2692 | ybnjtqqu.exe
2176 | uszddrxqhfeak.exe
2568 | ybnjtqqu.exe
Loads dropped DLL 5 IoCs
pid | Process
2724 | ece0e35c5e3a58f57e6f2d499f4384c9_JaffaCakes118.exe
2724 | ece0e35c5e3a58f57e6f2d499f4384c9_JaffaCakes118.exe
2724 | ece0e35c5e3a58f57e6f2d499f4384c9_JaffaCakes118.exe
2724 | ece0e35c5e3a58f57e6f2d499f4384c9_JaffaCakes118.exe
3052 | viecpegufz.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | viecpegufz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | viecpegufz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | viecpegufz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | viecpegufz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | viecpegufz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | viecpegufz.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ixvxpuee = "viecpegufz.exe" | fjbgdmwflazgiqr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\awgqiuxl = "fjbgdmwflazgiqr.exe" | fjbgdmwflazgiqr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "uszddrxqhfeak.exe" | fjbgdmwflazgiqr.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\w: | ybnjtqqu.exe
File opened (read-only) | \??\q: | viecpegufz.exe
File opened (read-only) | \??\w: | viecpegufz.exe
File opened (read-only) | \??\b: | ybnjtqqu.exe
File opened (read-only) | \??\z: | ybnjtqqu.exe
File opened (read-only) | \??\p: | ybnjtqqu.exe
File opened (read-only) | \??\b: | ybnjtqqu.exe
File opened (read-only) | \??\t: | ybnjtqqu.exe
File opened (read-only) | \??\g: | viecpegufz.exe
File opened (read-only) | \??\p: | viecpegufz.exe
File opened (read-only) | \??\t: | viecpegufz.exe
File opened (read-only) | \??\m: | viecpegufz.exe
File opened (read-only) | \??\s: | viecpegufz.exe
File opened (read-only) | \??\x: | ybnjtqqu.exe
File opened (read-only) | \??\y: | ybnjtqqu.exe
File opened (read-only) | \??\a: | ybnjtqqu.exe
File opened (read-only) | \??\p: | ybnjtqqu.exe
File opened (read-only) | \??\n: | viecpegufz.exe
File opened (read-only) | \??\m: | ybnjtqqu.exe
File opened (read-only) | \??\o: | ybnjtqqu.exe
File opened (read-only) | \??\g: | ybnjtqqu.exe
File opened (read-only) | \??\o: | ybnjtqqu.exe
File opened (read-only) | \??\x: | viecpegufz.exe
File opened (read-only) | \??\z: | ybnjtqqu.exe
File opened (read-only) | \??\n: | ybnjtqqu.exe
File opened (read-only) | \??\w: | ybnjtqqu.exe
File opened (read-only) | \??\i: | ybnjtqqu.exe
File opened (read-only) | \??\q: | ybnjtqqu.exe
File opened (read-only) | \??\a: | viecpegufz.exe
File opened (read-only) | \??\y: | ybnjtqqu.exe
File opened (read-only) | \??\e: | ybnjtqqu.exe
File opened (read-only) | \??\j: | viecpegufz.exe
File opened (read-only) | \??\l: | viecpegufz.exe
File opened (read-only) | \??\q: | ybnjtqqu.exe
File opened (read-only) | \??\v: | ybnjtqqu.exe
File opened (read-only) | \??\k: | viecpegufz.exe
File opened (read-only) | \??\o: | viecpegufz.exe
File opened (read-only) | \??\v: | viecpegufz.exe
File opened (read-only) | \??\r: | ybnjtqqu.exe
File opened (read-only) | \??\j: | ybnjtqqu.exe
File opened (read-only) | \??\r: | ybnjtqqu.exe
File opened (read-only) | \??\l: | ybnjtqqu.exe
File opened (read-only) | \??\l: | ybnjtqqu.exe
File opened (read-only) | \??\e: | viecpegufz.exe
File opened (read-only) | \??\x: | ybnjtqqu.exe
File opened (read-only) | \??\g: | ybnjtqqu.exe
File opened (read-only) | \??\s: | ybnjtqqu.exe
File opened (read-only) | \??\h: | viecpegufz.exe
File opened (read-only) | \??\a: | ybnjtqqu.exe
File opened (read-only) | \??\i: | ybnjtqqu.exe
File opened (read-only) | \??\t: | ybnjtqqu.exe
File opened (read-only) | \??\e: | ybnjtqqu.exe
File opened (read-only) | \??\m: | ybnjtqqu.exe
File opened (read-only) | \??\b: | viecpegufz.exe
File opened (read-only) | \??\i: | viecpegufz.exe
File opened (read-only) | \??\r: | viecpegufz.exe
File opened (read-only) | \??\h: | ybnjtqqu.exe
File opened (read-only) | \??\k: | ybnjtqqu.exe
File opened (read-only) | \??\u: | viecpegufz.exe
File opened (read-only) | \??\y: | viecpegufz.exe
File opened (read-only) | \??\n: | ybnjtqqu.exe
File opened (read-only) | \??\h: | ybnjtqqu.exe
File opened (read-only) | \??\u: | ybnjtqqu.exe
File opened (read-only) | \??\v: | ybnjtqqu.exe
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | viecpegufz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | viecpegufz.exe
AutoIT Executable 8 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/memory/2724-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral1/files/0x00060000000186a9-5.dat | autoit_exe
behavioral1/files/0x000a000000012262-17.dat | autoit_exe
behavioral1/files/0x00060000000186b7-28.dat | autoit_exe
behavioral1/files/0x00050000000186bd-38.dat | autoit_exe
behavioral1/files/0x0005000000018f8e-70.dat | autoit_exe
behavioral1/files/0x0005000000018f94-77.dat | autoit_exe
behavioral1/files/0x0005000000018f9e-87.dat | autoit_exe
Drops file in System32 directory 9 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\uszddrxqhfeak.exe | ece0e35c5e3a58f57e6f2d499f4384c9_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | viecpegufz.exe
File opened for modification | C:\Windows\SysWOW64\ybnjtqqu.exe | ece0e35c5e3a58f57e6f2d499f4384c9_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\uszddrxqhfeak.exe | ece0e35c5e3a58f57e6f2d499f4384c9_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\viecpegufz.exe | ece0e35c5e3a58f57e6f2d499f4384c9_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\viecpegufz.exe | ece0e35c5e3a58f57e6f2d499f4384c9_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\fjbgdmwflazgiqr.exe | ece0e35c5e3a58f57e6f2d499f4384c9_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\fjbgdmwflazgiqr.exe | ece0e35c5e3a58f57e6f2d499f4384c9_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\ybnjtqqu.exe | ece0e35c5e3a58f57e6f2d499f4384c9_JaffaCakes118.exe
Drops file in Program Files directory 14 IoCs
description | ioc | Process
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | ybnjtqqu.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | ybnjtqqu.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | ybnjtqqu.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | ybnjtqqu.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | ybnjtqqu.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | ybnjtqqu.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | ybnjtqqu.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | ybnjtqqu.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | ybnjtqqu.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | ybnjtqqu.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | ybnjtqqu.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | ybnjtqqu.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | ybnjtqqu.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | ybnjtqqu.exe
Drops file in Windows directory 5 IoCs
description | ioc | Process
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
File opened for modification | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | C:\Windows\mydoc.rtf | ece0e35c5e3a58f57e6f2d499f4384c9_JaffaCakes118.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ece0e35c5e3a58f57e6f2d499f4384c9_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | viecpegufz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fjbgdmwflazgiqr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ybnjtqqu.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | uszddrxqhfeak.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ybnjtqqu.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present
Modifies registry class 19 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACAFABEF916F1E783743B35819C3997B0FA028A4262033EE1BE459A09A8" | ece0e35c5e3a58f57e6f2d499f4384c9_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | viecpegufz.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | viecpegufz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | viecpegufz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32452C089C2C83256D4576D570212DDB7DF165AA" | ece0e35c5e3a58f57e6f2d499f4384c9_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EC2B12847E039E852CAB9D333EDD4B8" | ece0e35c5e3a58f57e6f2d499f4384c9_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E78168C4FF1D22D0D10BD1D28A7C9116" | ece0e35c5e3a58f57e6f2d499f4384c9_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | viecpegufz.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | viecpegufz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FF4FCFF4F2A856E913CD65A7E9DBC97E14359416742633FD79F" | ece0e35c5e3a58f57e6f2d499f4384c9_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1838C70F15E5DBC5B8CD7FE1EC9634BE" | ece0e35c5e3a58f57e6f2d499f4384c9_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | viecpegufz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | viecpegufz.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | viecpegufz.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | ece0e35c5e3a58f57e6f2d499f4384c9_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | viecpegufz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | viecpegufz.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | viecpegufz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | viecpegufz.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
2476 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2724 | ece0e35c5e3a58f57e6f2d499f4384c9_JaffaCakes118.exe
2724 | ece0e35c5e3a58f57e6f2d499f4384c9_JaffaCakes118.exe
2724 | ece0e35c5e3a58f57e6f2d499f4384c9_JaffaCakes118.exe
2724 | ece0e35c5e3a58f57e6f2d499f4384c9_JaffaCakes118.exe
2724 | ece0e35c5e3a58f57e6f2d499f4384c9_JaffaCakes118.exe
2724 | ece0e35c5e3a58f57e6f2d499f4384c9_JaffaCakes118.exe
2724 | ece0e35c5e3a58f57e6f2d499f4384c9_JaffaCakes118.exe
3052 | viecpegufz.exe
3052 | viecpegufz.exe
3052 | viecpegufz.exe
3052 | viecpegufz.exe
3052 | viecpegufz.exe
2724 | ece0e35c5e3a58f57e6f2d499f4384c9_JaffaCakes118.exe
2880 | fjbgdmwflazgiqr.exe
2880 | fjbgdmwflazgiqr.exe
2880 | fjbgdmwflazgiqr.exe
2880 | fjbgdmwflazgiqr.exe
2880 | fjbgdmwflazgiqr.exe
2692 | ybnjtqqu.exe
2692 | ybnjtqqu.exe
2692 | ybnjtqqu.exe
2692 | ybnjtqqu.exe
2568 | ybnjtqqu.exe
2568 | ybnjtqqu.exe
2568 | ybnjtqqu.exe
2568 | ybnjtqqu.exe
2176 | uszddrxqhfeak.exe
2176 | uszddrxqhfeak.exe
2176 | uszddrxqhfeak.exe
2176 | uszddrxqhfeak.exe
2176 | uszddrxqhfeak.exe
2176 | uszddrxqhfeak.exe
2880 | fjbgdmwflazgiqr.exe
2880 | fjbgdmwflazgiqr.exe
2176 | uszddrxqhfeak.exe
2176 | uszddrxqhfeak.exe
2880 | fjbgdmwflazgiqr.exe
2176 | uszddrxqhfeak.exe
2176 | uszddrxqhfeak.exe
2880 | fjbgdmwflazgiqr.exe
2176 | uszddrxqhfeak.exe
2176 | uszddrxqhfeak.exe
2880 | fjbgdmwflazgiqr.exe
2176 | uszddrxqhfeak.exe
2176 | uszddrxqhfeak.exe
2880 | fjbgdmwflazgiqr.exe
2176 | uszddrxqhfeak.exe
2176 | uszddrxqhfeak.exe
2880 | fjbgdmwflazgiqr.exe
2176 | uszddrxqhfeak.exe
2176 | uszddrxqhfeak.exe
2880 | fjbgdmwflazgiqr.exe
2176 | uszddrxqhfeak.exe
2176 | uszddrxqhfeak.exe
2880 | fjbgdmwflazgiqr.exe
2176 | uszddrxqhfeak.exe
2176 | uszddrxqhfeak.exe
2880 | fjbgdmwflazgiqr.exe
2176 | uszddrxqhfeak.exe
2176 | uszddrxqhfeak.exe
2880 | fjbgdmwflazgiqr.exe
2176 | uszddrxqhfeak.exe
2176 | uszddrxqhfeak.exe
2880 | fjbgdmwflazgiqr.exe
Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process
2724 | ece0e35c5e3a58f57e6f2d499f4384c9_JaffaCakes118.exe
2724 | ece0e35c5e3a58f57e6f2d499f4384c9_JaffaCakes118.exe
2724 | ece0e35c5e3a58f57e6f2d499f4384c9_JaffaCakes118.exe
3052 | viecpegufz.exe
3052 | viecpegufz.exe
3052 | viecpegufz.exe
2880 | fjbgdmwflazgiqr.exe
2880 | fjbgdmwflazgiqr.exe
2880 | fjbgdmwflazgiqr.exe
2692 | ybnjtqqu.exe
2692 | ybnjtqqu.exe
2692 | ybnjtqqu.exe
2176 | uszddrxqhfeak.exe
2176 | uszddrxqhfeak.exe
2176 | uszddrxqhfeak.exe
2568 | ybnjtqqu.exe
2568 | ybnjtqqu.exe
2568 | ybnjtqqu.exe
Suspicious use of SendNotifyMessage 18 IoCs
pid | Process
2724 | ece0e35c5e3a58f57e6f2d499f4384c9_JaffaCakes118.exe
2724 | ece0e35c5e3a58f57e6f2d499f4384c9_JaffaCakes118.exe
2724 | ece0e35c5e3a58f57e6f2d499f4384c9_JaffaCakes118.exe
3052 | viecpegufz.exe
3052 | viecpegufz.exe
3052 | viecpegufz.exe
2880 | fjbgdmwflazgiqr.exe
2880 | fjbgdmwflazgiqr.exe
2880 | fjbgdmwflazgiqr.exe
2692 | ybnjtqqu.exe
2692 | ybnjtqqu.exe
2692 | ybnjtqqu.exe
2176 | uszddrxqhfeak.exe
2176 | uszddrxqhfeak.exe
2176 | uszddrxqhfeak.exe
2568 | ybnjtqqu.exe
2568 | ybnjtqqu.exe
2568 | ybnjtqqu.exe
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
2476 | WINWORD.EXE
2476 | WINWORD.EXE
Suspicious use of WriteProcessMemory 28 IoCs
description | pid | Process | procid_target
PID 2724 wrote to memory of 3052 | 2724 | ece0e35c5e3a58f57e6f2d499f4384c9_JaffaCakes118.exe | 30
PID 2724 wrote to memory of 3052 | 2724 | ece0e35c5e3a58f57e6f2d499f4384c9_JaffaCakes118.exe | 30
PID 2724 wrote to memory of 3052 | 2724 | ece0e35c5e3a58f57e6f2d499f4384c9_JaffaCakes118.exe | 30
PID 2724 wrote to memory of 3052 | 2724 | ece0e35c5e3a58f57e6f2d499f4384c9_JaffaCakes118.exe | 30
PID 2724 wrote to memory of 2880 | 2724 | ece0e35c5e3a58f57e6f2d499f4384c9_JaffaCakes118.exe | 31
PID 2724 wrote to memory of 2880 | 2724 | ece0e35c5e3a58f57e6f2d499f4384c9_JaffaCakes118.exe | 31
PID 2724 wrote to memory of 2880 | 2724 | ece0e35c5e3a58f57e6f2d499f4384c9_JaffaCakes118.exe | 31
PID 2724 wrote to memory of 2880 | 2724 | ece0e35c5e3a58f57e6f2d499f4384c9_JaffaCakes118.exe | 31
PID 2724 wrote to memory of 2692 | 2724 | ece0e35c5e3a58f57e6f2d499f4384c9_JaffaCakes118.exe | 32
PID 2724 wrote to memory of 2692 | 2724 | ece0e35c5e3a58f57e6f2d499f4384c9_JaffaCakes118.exe | 32
PID 2724 wrote to memory of 2692 | 2724 | ece0e35c5e3a58f57e6f2d499f4384c9_JaffaCakes118.exe | 32
PID 2724 wrote to memory of 2692 | 2724 | ece0e35c5e3a58f57e6f2d499f4384c9_JaffaCakes118.exe | 32
PID 2724 wrote to memory of 2176 | 2724 | ece0e35c5e3a58f57e6f2d499f4384c9_JaffaCakes118.exe | 33
PID 2724 wrote to memory of 2176 | 2724 | ece0e35c5e3a58f57e6f2d499f4384c9_JaffaCakes118.exe | 33
PID 2724 wrote to memory of 2176 | 2724 | ece0e35c5e3a58f57e6f2d499f4384c9_JaffaCakes118.exe | 33
PID 2724 wrote to memory of 2176 | 2724 | ece0e35c5e3a58f57e6f2d499f4384c9_JaffaCakes118.exe | 33
PID 3052 wrote to memory of 2568 | 3052 | viecpegufz.exe | 34
PID 3052 wrote to memory of 2568 | 3052 | viecpegufz.exe | 34
PID 3052 wrote to memory of 2568 | 3052 | viecpegufz.exe | 34
PID 3052 wrote to memory of 2568 | 3052 | viecpegufz.exe | 34
PID 2724 wrote to memory of 2476 | 2724 | ece0e35c5e3a58f57e6f2d499f4384c9_JaffaCakes118.exe | 35
PID 2724 wrote to memory of 2476 | 2724 | ece0e35c5e3a58f57e6f2d499f4384c9_JaffaCakes118.exe | 35
PID 2724 wrote to memory of 2476 | 2724 | ece0e35c5e3a58f57e6f2d499f4384c9_JaffaCakes118.exe | 35
PID 2724 wrote to memory of 2476 | 2724 | ece0e35c5e3a58f57e6f2d499f4384c9_JaffaCakes118.exe | 35
PID 2476 wrote to memory of 2020 | 2476 | WINWORD.EXE | 37
PID 2476 wrote to memory of 2020 | 2476 | WINWORD.EXE | 37
PID 2476 wrote to memory of 2020 | 2476 | WINWORD.EXE | 37
PID 2476 wrote to memory of 2020 | 2476 | WINWORD.EXE | 37
Processes
C:\Users\Admin\AppData\Local\Temp\ece0e35c5e3a58f57e6f2d499f4384c9_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ece0e35c5e3a58f57e6f2d499f4384c9_JaffaCakes118.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 2724
  C:\Windows\SysWOW64\viecpegufz.exe
    Command line: viecpegufz.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID: 3052
    C:\Windows\SysWOW64\ybnjtqqu.exe
      Command line: C:\Windows\system32\ybnjtqqu.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      PID: 2568
  C:\Windows\SysWOW64\fjbgdmwflazgiqr.exe
    Command line: fjbgdmwflazgiqr.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 2880
  C:\Windows\SysWOW64\ybnjtqqu.exe
    Command line: ybnjtqqu.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 2692
  C:\Windows\SysWOW64\uszddrxqhfeak.exe
    Command line: uszddrxqhfeak.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 2176
  C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2476
    C:\Windows\splwow64.exe
      Command line: C:\Windows\splwow64.exe 12288
      PID: 2020
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads
Filesize: 512KB
MD5: 4a0a5df6d842df7d381fd922bbf3122a
SHA1: a537bb20c0981a73a526f0fd8ebc4ff8ddf2fa98
SHA256: 04bf82ef3c1dcbaeb7a9a04425a9fa1ab65df327f22daee57955f2871f638708
SHA512: b9f0874a1bc95a3d0b7b6c9706926527d3f51f6c89eaee671ef50597c632be89281f3b9943d1db3885e1e8f87fea8873c2b6256b5966f8d993d5abaf4cec7f0b

Filesize: 19KB
MD5: f7807bef223590a05fc48a3d2237d12c
SHA1: 90447781a9236fff82bfee210bbd03a1961c6e38
SHA256: 0b23005c8f303b6745eaa5d400c884626ac1b43b1cdc9aeec536a19ad74d4603
SHA512: 70042a5ff5945bc7bfb532366144ec09fdcac389d233774676deacf304ae98eed18b3b023e7b04442d4ffeb32da040b77eaff4c9375dabc4db1269fff05a9fda

Filesize: 512KB
MD5: 3fe0726b7867c9b613c229dec69de7bc
SHA1: c2d1c2745c3367390cab864a56d59b2115e004b6
SHA256: d9b5431c1ecad14cbfe9d3f72879568f68f85b62efb00f376d29e0f9da01dc60
SHA512: a8aaf4c6cd0c19b9b7eda20229340a84163786323b56d02f49f8b6a67ccd1d501d9ff0c4ca9d1dc2b3bcdad80ca9e37912c38575722e5a33ff9572b5caaecf8c

Filesize: 512KB
MD5: a2943c4e41e2b80a4cfbe44b6515f7d6
SHA1: d2419128582e9b1260cc0cef2d95d52cb06b07bb
SHA256: 73136689516336ef27178a1952df049394b4106cb07ad25bab13efa5ee55ae5c
SHA512: 975e1d8492ba67fb41f423f164e5829ea14982cf9cef0271dd357de3d758f76df4281f324fa59ffa718df3b65dd151a6721871789817d68d83ec53b6126302b2

Filesize: 512KB
MD5: 5feb1c640ae43d89cf48715cccb38161
SHA1: 5c25b7d61d763ff0b6de9522176a8d58aee6cb91
SHA256: 18b6558d4643787e4c71d9c006b6464a0056aaec0de100d374a1702a99adf84f
SHA512: aba101ab42193ca9574e3a0d1e19d7463b270fc7c0ac93c3583d66cbcaa1c51f3d9e4e0c78175255c238f2292d2e4c98c17a27806e2a40191b94ece3c77630a5

Filesize: 512KB
MD5: 9f036cb24c85a20537ac8f84e9bc480a
SHA1: 9d792e3472aba983c32aa360c10a7a43fb96f7b3
SHA256: 063ca9e03f6dd72a1483c767ffee20a5a31ec9dc68b310378bb84c809e98d198
SHA512: c399611a882cbcf5c6f882af82cbd76d0e8bf46b421aae28698c23bb782e8426921c37b2d489b4e6aca3e24eee3092bfece19f04d466b1fba2b670e2ab4ef088

Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Filesize: 512KB
MD5: 498277f6d9623df245d34cb2cb0811c8
SHA1: f9002f8c8f490872a8611b296c299c8c298e60a3
SHA256: 36fb592c5c05de1cc7e4f754f2687cb86fc3728c582f80635ec87194f0dd1a55
SHA512: 6220c112c757922a9d0afcbf85893f99364be633954840679de670da665070e46d3dcb3bcaa28456819d2a8890866c2f0a22ef9ba739377caec3598675acad55

Filesize: 512KB
MD5: 0acdc2f24a519caa42da48950daadc48
SHA1: 4ecb89f628a2d267632dc2d138c54d9c89d7719c
SHA256: 68b5b428cfa2d700be13381cd80f82afb67bbc4addcd9b0c1dce3e6b414aaa21
SHA512: b84329eca1d3eb6ccfe0f481980431b1c14a5e17d3168a9e9e987512d8a3229f4d095c25cc115e3020635e8269ac3cab69abd69c060861c0e14fe3cb160607d7