Analysis
max time kernel: 149s
max time network: 123s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 20/09/2024, 06:35
Static task: static1
Behavioral task: behavioral1
Sample: ed06643a0af08af627c7ef2038523c6b_JaffaCakes118.exe
Resource: win7-20240903-en

General
Target: ed06643a0af08af627c7ef2038523c6b_JaffaCakes118.exe
Size: 512KB
MD5: ed06643a0af08af627c7ef2038523c6b
SHA1: a034292ab885b32549a99d8600d9f12c5175d0b7
SHA256: 1cd080d3274d833629c0c12073dad92026609136335c4f3b11abbc7f3949d21e
SHA512: c77a31bea10aa5d85a6184e7b47aaae1f5faf152de28559ce5e0f91e0702a1fc4ed5bf1e543e60a9529cdd35be65f50aa9abd5d896c964700b438d443d03e1c1
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj68:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5T
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | xvgiujxrmv.exe

Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | xvgiujxrmv.exe

Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | xvgiujxrmv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | xvgiujxrmv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | xvgiujxrmv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | xvgiujxrmv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | xvgiujxrmv.exe

Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | xvgiujxrmv.exe

Executes dropped EXE 5 IoCs
pid | Process
2112 | xvgiujxrmv.exe
2656 | dsnmgunlwlhqdfb.exe
2496 | hicvrijp.exe
2184 | gjnshujvkbpzk.exe
2776 | hicvrijp.exe

Loads dropped DLL 5 IoCs
pid | Process
1960 | ed06643a0af08af627c7ef2038523c6b_JaffaCakes118.exe
1960 | ed06643a0af08af627c7ef2038523c6b_JaffaCakes118.exe
1960 | ed06643a0af08af627c7ef2038523c6b_JaffaCakes118.exe
1960 | ed06643a0af08af627c7ef2038523c6b_JaffaCakes118.exe
2112 | xvgiujxrmv.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | xvgiujxrmv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | xvgiujxrmv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | xvgiujxrmv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | xvgiujxrmv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | xvgiujxrmv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | xvgiujxrmv.exe

Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ejfvooyj = "xvgiujxrmv.exe" | dsnmgunlwlhqdfb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\jwdgdmzw = "dsnmgunlwlhqdfb.exe" | dsnmgunlwlhqdfb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "gjnshujvkbpzk.exe" | dsnmgunlwlhqdfb.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\o: | xvgiujxrmv.exe
File opened (read-only) | \??\y: | xvgiujxrmv.exe
File opened (read-only) | \??\z: | hicvrijp.exe
File opened (read-only) | \??\a: | hicvrijp.exe
File opened (read-only) | \??\j: | hicvrijp.exe
File opened (read-only) | \??\r: | xvgiujxrmv.exe
File opened (read-only) | \??\a: | hicvrijp.exe
File opened (read-only) | \??\i: | hicvrijp.exe
File opened (read-only) | \??\q: | hicvrijp.exe
File opened (read-only) | \??\q: | hicvrijp.exe
File opened (read-only) | \??\a: | xvgiujxrmv.exe
File opened (read-only) | \??\k: | hicvrijp.exe
File opened (read-only) | \??\s: | hicvrijp.exe
File opened (read-only) | \??\v: | hicvrijp.exe
File opened (read-only) | \??\o: | hicvrijp.exe
File opened (read-only) | \??\g: | hicvrijp.exe
File opened (read-only) | \??\m: | hicvrijp.exe
File opened (read-only) | \??\r: | hicvrijp.exe
File opened (read-only) | \??\h: | xvgiujxrmv.exe
File opened (read-only) | \??\u: | xvgiujxrmv.exe
File opened (read-only) | \??\v: | xvgiujxrmv.exe
File opened (read-only) | \??\g: | hicvrijp.exe
File opened (read-only) | \??\h: | hicvrijp.exe
File opened (read-only) | \??\b: | hicvrijp.exe
File opened (read-only) | \??\n: | hicvrijp.exe
File opened (read-only) | \??\w: | hicvrijp.exe
File opened (read-only) | \??\i: | hicvrijp.exe
File opened (read-only) | \??\l: | hicvrijp.exe
File opened (read-only) | \??\u: | hicvrijp.exe
File opened (read-only) | \??\s: | hicvrijp.exe
File opened (read-only) | \??\n: | xvgiujxrmv.exe
File opened (read-only) | \??\z: | xvgiujxrmv.exe
File opened (read-only) | \??\h: | hicvrijp.exe
File opened (read-only) | \??\n: | hicvrijp.exe
File opened (read-only) | \??\y: | hicvrijp.exe
File opened (read-only) | \??\p: | hicvrijp.exe
File opened (read-only) | \??\x: | hicvrijp.exe
File opened (read-only) | \??\t: | xvgiujxrmv.exe
File opened (read-only) | \??\x: | xvgiujxrmv.exe
File opened (read-only) | \??\e: | hicvrijp.exe
File opened (read-only) | \??\g: | xvgiujxrmv.exe
File opened (read-only) | \??\q: | xvgiujxrmv.exe
File opened (read-only) | \??\w: | xvgiujxrmv.exe
File opened (read-only) | \??\k: | hicvrijp.exe
File opened (read-only) | \??\b: | xvgiujxrmv.exe
File opened (read-only) | \??\i: | xvgiujxrmv.exe
File opened (read-only) | \??\k: | xvgiujxrmv.exe
File opened (read-only) | \??\s: | xvgiujxrmv.exe
File opened (read-only) | \??\t: | hicvrijp.exe
File opened (read-only) | \??\u: | hicvrijp.exe
File opened (read-only) | \??\o: | hicvrijp.exe
File opened (read-only) | \??\p: | hicvrijp.exe
File opened (read-only) | \??\e: | xvgiujxrmv.exe
File opened (read-only) | \??\j: | xvgiujxrmv.exe
File opened (read-only) | \??\p: | xvgiujxrmv.exe
File opened (read-only) | \??\v: | hicvrijp.exe
File opened (read-only) | \??\z: | hicvrijp.exe
File opened (read-only) | \??\l: | hicvrijp.exe
File opened (read-only) | \??\t: | hicvrijp.exe
File opened (read-only) | \??\b: | hicvrijp.exe
File opened (read-only) | \??\m: | xvgiujxrmv.exe
File opened (read-only) | \??\y: | hicvrijp.exe
File opened (read-only) | \??\r: | hicvrijp.exe
File opened (read-only) | \??\j: | hicvrijp.exe
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | xvgiujxrmv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | xvgiujxrmv.exe
AutoIT Executable 8 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/memory/1960-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral1/files/0x000800000001739a-5.dat | autoit_exe
behavioral1/files/0x0007000000012117-20.dat | autoit_exe
behavioral1/files/0x00080000000173aa-26.dat | autoit_exe
behavioral1/files/0x00070000000173fb-33.dat | autoit_exe
behavioral1/files/0x000900000001747b-62.dat | autoit_exe
behavioral1/files/0x000800000001748f-68.dat | autoit_exe
behavioral1/files/0x0005000000019273-78.dat | autoit_exe
Drops file in System32 directory 9 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\gjnshujvkbpzk.exe | ed06643a0af08af627c7ef2038523c6b_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\gjnshujvkbpzk.exe | ed06643a0af08af627c7ef2038523c6b_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\xvgiujxrmv.exe | ed06643a0af08af627c7ef2038523c6b_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\hicvrijp.exe | ed06643a0af08af627c7ef2038523c6b_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\hicvrijp.exe | ed06643a0af08af627c7ef2038523c6b_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | xvgiujxrmv.exe
File created | C:\Windows\SysWOW64\xvgiujxrmv.exe | ed06643a0af08af627c7ef2038523c6b_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\dsnmgunlwlhqdfb.exe | ed06643a0af08af627c7ef2038523c6b_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\dsnmgunlwlhqdfb.exe | ed06643a0af08af627c7ef2038523c6b_JaffaCakes118.exe
Drops file in Program Files directory 14 IoCs
description | ioc | Process
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | hicvrijp.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | hicvrijp.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | hicvrijp.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | hicvrijp.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | hicvrijp.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | hicvrijp.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | hicvrijp.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | hicvrijp.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | hicvrijp.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | hicvrijp.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | hicvrijp.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | hicvrijp.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | hicvrijp.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | hicvrijp.exe
Drops file in Windows directory 5 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
File opened for modification | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | C:\Windows\mydoc.rtf | ed06643a0af08af627c7ef2038523c6b_JaffaCakes118.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ed06643a0af08af627c7ef2038523c6b_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xvgiujxrmv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dsnmgunlwlhqdfb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | hicvrijp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | gjnshujvkbpzk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | hicvrijp.exe
Office loads VBA resources, possible macro or embedded object present
Modifies registry class 19 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | xvgiujxrmv.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | xvgiujxrmv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | xvgiujxrmv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184AC70F15E6DAC7B8C07CE9EC9437CE" | ed06643a0af08af627c7ef2038523c6b_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | xvgiujxrmv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AC8F9CEF963F194830C3A4486EE39E4B38802F843600238E1CA42E608A8" | ed06643a0af08af627c7ef2038523c6b_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC3B1584794389D52CCBAA2329FD4BF" | ed06643a0af08af627c7ef2038523c6b_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E8FFF8D482E82129130D65B7DE6BC92E146594566476234D79F" | ed06643a0af08af627c7ef2038523c6b_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | xvgiujxrmv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | xvgiujxrmv.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | xvgiujxrmv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32322D7E9C5583566D4276A1772E2DDC7D8365DF" | ed06643a0af08af627c7ef2038523c6b_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F46BC6FE1D22DED27FD0A18B099160" | ed06643a0af08af627c7ef2038523c6b_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | xvgiujxrmv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | xvgiujxrmv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | xvgiujxrmv.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | ed06643a0af08af627c7ef2038523c6b_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | xvgiujxrmv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | xvgiujxrmv.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
2728 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
1960 | ed06643a0af08af627c7ef2038523c6b_JaffaCakes118.exe
1960 | ed06643a0af08af627c7ef2038523c6b_JaffaCakes118.exe
1960 | ed06643a0af08af627c7ef2038523c6b_JaffaCakes118.exe
1960 | ed06643a0af08af627c7ef2038523c6b_JaffaCakes118.exe
1960 | ed06643a0af08af627c7ef2038523c6b_JaffaCakes118.exe
1960 | ed06643a0af08af627c7ef2038523c6b_JaffaCakes118.exe
1960 | ed06643a0af08af627c7ef2038523c6b_JaffaCakes118.exe
1960 | ed06643a0af08af627c7ef2038523c6b_JaffaCakes118.exe
2112 | xvgiujxrmv.exe
2112 | xvgiujxrmv.exe
2112 | xvgiujxrmv.exe
2112 | xvgiujxrmv.exe
2112 | xvgiujxrmv.exe
2496 | hicvrijp.exe
2496 | hicvrijp.exe
2496 | hicvrijp.exe
2496 | hicvrijp.exe
2184 | gjnshujvkbpzk.exe
2184 | gjnshujvkbpzk.exe
2184 | gjnshujvkbpzk.exe
2184 | gjnshujvkbpzk.exe
2184 | gjnshujvkbpzk.exe
2184 | gjnshujvkbpzk.exe
2656 | dsnmgunlwlhqdfb.exe
2656 | dsnmgunlwlhqdfb.exe
2656 | dsnmgunlwlhqdfb.exe
2656 | dsnmgunlwlhqdfb.exe
2656 | dsnmgunlwlhqdfb.exe
2776 | hicvrijp.exe
2776 | hicvrijp.exe
2776 | hicvrijp.exe
2776 | hicvrijp.exe
2656 | dsnmgunlwlhqdfb.exe
2184 | gjnshujvkbpzk.exe
2184 | gjnshujvkbpzk.exe
2656 | dsnmgunlwlhqdfb.exe
2184 | gjnshujvkbpzk.exe
2184 | gjnshujvkbpzk.exe
2656 | dsnmgunlwlhqdfb.exe
2184 | gjnshujvkbpzk.exe
2184 | gjnshujvkbpzk.exe
2656 | dsnmgunlwlhqdfb.exe
2656 | dsnmgunlwlhqdfb.exe
2184 | gjnshujvkbpzk.exe
2184 | gjnshujvkbpzk.exe
2656 | dsnmgunlwlhqdfb.exe
2184 | gjnshujvkbpzk.exe
2184 | gjnshujvkbpzk.exe
2656 | dsnmgunlwlhqdfb.exe
2184 | gjnshujvkbpzk.exe
2184 | gjnshujvkbpzk.exe
2656 | dsnmgunlwlhqdfb.exe
2184 | gjnshujvkbpzk.exe
2184 | gjnshujvkbpzk.exe
2656 | dsnmgunlwlhqdfb.exe
2184 | gjnshujvkbpzk.exe
2184 | gjnshujvkbpzk.exe
2656 | dsnmgunlwlhqdfb.exe
2184 | gjnshujvkbpzk.exe
2184 | gjnshujvkbpzk.exe
2656 | dsnmgunlwlhqdfb.exe
2184 | gjnshujvkbpzk.exe
2184 | gjnshujvkbpzk.exe
2656 | dsnmgunlwlhqdfb.exe
Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process
1960 | ed06643a0af08af627c7ef2038523c6b_JaffaCakes118.exe
1960 | ed06643a0af08af627c7ef2038523c6b_JaffaCakes118.exe
1960 | ed06643a0af08af627c7ef2038523c6b_JaffaCakes118.exe
2112 | xvgiujxrmv.exe
2112 | xvgiujxrmv.exe
2112 | xvgiujxrmv.exe
2496 | hicvrijp.exe
2496 | hicvrijp.exe
2496 | hicvrijp.exe
2184 | gjnshujvkbpzk.exe
2184 | gjnshujvkbpzk.exe
2656 | dsnmgunlwlhqdfb.exe
2184 | gjnshujvkbpzk.exe
2656 | dsnmgunlwlhqdfb.exe
2656 | dsnmgunlwlhqdfb.exe
2776 | hicvrijp.exe
2776 | hicvrijp.exe
2776 | hicvrijp.exe
Suspicious use of SendNotifyMessage 18 IoCs
pid | Process
1960 | ed06643a0af08af627c7ef2038523c6b_JaffaCakes118.exe
1960 | ed06643a0af08af627c7ef2038523c6b_JaffaCakes118.exe
1960 | ed06643a0af08af627c7ef2038523c6b_JaffaCakes118.exe
2112 | xvgiujxrmv.exe
2112 | xvgiujxrmv.exe
2112 | xvgiujxrmv.exe
2496 | hicvrijp.exe
2496 | hicvrijp.exe
2496 | hicvrijp.exe
2184 | gjnshujvkbpzk.exe
2184 | gjnshujvkbpzk.exe
2656 | dsnmgunlwlhqdfb.exe
2184 | gjnshujvkbpzk.exe
2656 | dsnmgunlwlhqdfb.exe
2656 | dsnmgunlwlhqdfb.exe
2776 | hicvrijp.exe
2776 | hicvrijp.exe
2776 | hicvrijp.exe
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
2728 | WINWORD.EXE
2728 | WINWORD.EXE
Suspicious use of WriteProcessMemory 28 IoCs
description | pid | Process | procid_target
PID 1960 wrote to memory of 2112 | 1960 | ed06643a0af08af627c7ef2038523c6b_JaffaCakes118.exe | 30
PID 1960 wrote to memory of 2112 | 1960 | ed06643a0af08af627c7ef2038523c6b_JaffaCakes118.exe | 30
PID 1960 wrote to memory of 2112 | 1960 | ed06643a0af08af627c7ef2038523c6b_JaffaCakes118.exe | 30
PID 1960 wrote to memory of 2112 | 1960 | ed06643a0af08af627c7ef2038523c6b_JaffaCakes118.exe | 30
PID 1960 wrote to memory of 2656 | 1960 | ed06643a0af08af627c7ef2038523c6b_JaffaCakes118.exe | 31
PID 1960 wrote to memory of 2656 | 1960 | ed06643a0af08af627c7ef2038523c6b_JaffaCakes118.exe | 31
PID 1960 wrote to memory of 2656 | 1960 | ed06643a0af08af627c7ef2038523c6b_JaffaCakes118.exe | 31
PID 1960 wrote to memory of 2656 | 1960 | ed06643a0af08af627c7ef2038523c6b_JaffaCakes118.exe | 31
PID 1960 wrote to memory of 2496 | 1960 | ed06643a0af08af627c7ef2038523c6b_JaffaCakes118.exe | 32
PID 1960 wrote to memory of 2496 | 1960 | ed06643a0af08af627c7ef2038523c6b_JaffaCakes118.exe | 32
PID 1960 wrote to memory of 2496 | 1960 | ed06643a0af08af627c7ef2038523c6b_JaffaCakes118.exe | 32
PID 1960 wrote to memory of 2496 | 1960 | ed06643a0af08af627c7ef2038523c6b_JaffaCakes118.exe | 32
PID 1960 wrote to memory of 2184 | 1960 | ed06643a0af08af627c7ef2038523c6b_JaffaCakes118.exe | 33
PID 1960 wrote to memory of 2184 | 1960 | ed06643a0af08af627c7ef2038523c6b_JaffaCakes118.exe | 33
PID 1960 wrote to memory of 2184 | 1960 | ed06643a0af08af627c7ef2038523c6b_JaffaCakes118.exe | 33
PID 1960 wrote to memory of 2184 | 1960 | ed06643a0af08af627c7ef2038523c6b_JaffaCakes118.exe | 33
PID 2112 wrote to memory of 2776 | 2112 | xvgiujxrmv.exe | 34
PID 2112 wrote to memory of 2776 | 2112 | xvgiujxrmv.exe | 34
PID 2112 wrote to memory of 2776 | 2112 | xvgiujxrmv.exe | 34
PID 2112 wrote to memory of 2776 | 2112 | xvgiujxrmv.exe | 34
PID 1960 wrote to memory of 2728 | 1960 | ed06643a0af08af627c7ef2038523c6b_JaffaCakes118.exe | 35
PID 1960 wrote to memory of 2728 | 1960 | ed06643a0af08af627c7ef2038523c6b_JaffaCakes118.exe | 35
PID 1960 wrote to memory of 2728 | 1960 | ed06643a0af08af627c7ef2038523c6b_JaffaCakes118.exe | 35
PID 1960 wrote to memory of 2728 | 1960 | ed06643a0af08af627c7ef2038523c6b_JaffaCakes118.exe | 35
PID 2728 wrote to memory of 1652 | 2728 | WINWORD.EXE | 38
PID 2728 wrote to memory of 1652 | 2728 | WINWORD.EXE | 38
PID 2728 wrote to memory of 1652 | 2728 | WINWORD.EXE | 38
PID 2728 wrote to memory of 1652 | 2728 | WINWORD.EXE | 38
Processes
C:\Users\Admin\AppData\Local\Temp\ed06643a0af08af627c7ef2038523c6b_JaffaCakes118.exe (PID 1960)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ed06643a0af08af627c7ef2038523c6b_JaffaCakes118.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\xvgiujxrmv.exe (PID 2112)
    Command line: xvgiujxrmv.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\hicvrijp.exe (PID 2776)
      Command line: C:\Windows\system32\hicvrijp.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\dsnmgunlwlhqdfb.exe (PID 2656)
    Command line: dsnmgunlwlhqdfb.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\hicvrijp.exe (PID 2496)
    Command line: hicvrijp.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\gjnshujvkbpzk.exe (PID 2184)
    Command line: gjnshujvkbpzk.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (PID 2728)
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\splwow64.exe (PID 1652)
      Command line: C:\Windows\splwow64.exe 12288
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (6)
Downloads
Filesize: 512KB
MD5: b8d2c925b09cf5f54ad8001ddcf044d1
SHA1: a05387723c8e7da0f05f205addecd056f5a6a488
SHA256: e46b0d56bcc5b7dc4d3acaa496ebd885440790aac2c80b57ea07e20fe8a1c845
SHA512: daff4ce4ee889aa1db6f52c90ccec577927b24c2bbc13fdef19f2312f396f32d4531057ecf0199a7d254c8f6d559132cbbba7cdde1f868a2a874051b4c67ea5f

Filesize: 512KB
MD5: dcd1a387926f7ccd11b907832ad5e956
SHA1: bf4454291d8a68407844805ccffefdbc47dd3851
SHA256: f109aa5d51de974189b6a47ee58c39fc0e66df66df5a388824cfbe89b5c8d2c1
SHA512: cdbf2931f6fd1830588e230b8bdd39754a00374f06e77fc4cc1ad767eaf9d81eb006b7d0f2b1e15d1d5e95ca02c6357be94a908854578ca085efb9de0d2bdec5

Filesize: 512KB
MD5: 89c7e7d992066aa8edf147b0598e8aaf
SHA1: fb377955c6d0f3075b45c8ebdcd96c68e81a311a
SHA256: 30f94bb0b00999c23863aef466126fd4bc74cce0f2945588a721fb508ddd5a83
SHA512: 4464fd9472a7e008e0133d9868252796632449d7d4ad1ddbead42aee698802c2d0b3b23c7010cc109dff3a463e66028de1730f9fc49624ba6cedaa45ec5a549b

Filesize: 19KB
MD5: 57b7caabe9d6d8b412cf127964a6ae81
SHA1: 041612c3f3316c6be60ed00db7187099e0630107
SHA256: d3a3805df325bd8ff827e26eb2964a966a3c73f913cd45f15a580a33196efbc0
SHA512: 5cba95c8155b01707d10f67404a7557333f4c68fb30c4e6b6708c47805ac7015ed5d12c265a3e5cbba36fdc42ac60055b5049bec12574df8704a312603264bb0

Filesize: 512KB
MD5: a2f8a404a7161fbacead2a9fe641b7eb
SHA1: 0f8f8c8eaa8f73196d48741d1d1d41a4cf3d7a04
SHA256: afdd62304534e7a8e66d62dbcc9e66762aeccff33080efd29e7ab5ca66bb5b61
SHA512: 0780a5aa2037620722996ce828fbb319cb243fb9b0318a7f7aefe5ac6c07c240b760a2193e7e8835a896def26db8db64788414b2d7d16ef2bf298e1227b3cf15

Filesize: 512KB
MD5: f8f9cbf0a5e840c1557a82ba0a7db029
SHA1: 6686892b697a20013fc2c10087203a954ce41d87
SHA256: 9d1a7b86f1914d0d6ae8bdd0ab525e00398ae7c6418a3b58f4de4413dac3e2a0
SHA512: 7c03896044f834cf9deb6b31a02c45b5c77273334fc0c44b10300dbd4637bf113bddfe036722820c6b26e58484ac5d3134b3e07c51e13496c184a0f2cc0b6819

Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Filesize: 512KB
MD5: f5ca0ec3b1a2a025c2c3708ea6fe3a5a
SHA1: 6b9b441dbeba670817dab33b438b2d68e7aee960
SHA256: 65ccce086e7f1656ac02592eb1f3a8d88c46ca42ef12cec55175ed1145edef29
SHA512: 5ba2d9309e5a2d412164e75ba0f8d99b30538ee1fea1802e074b929fd14d1e386dd012262b22f612ee831dd1a2f19f544864cedccc38efdcec19015519b772b1

Filesize: 512KB
MD5: 79c0277329007923a69efc7b5cdc2a98
SHA1: 22f2ca415be275244865a89276740758f758a424
SHA256: d6f53ef77795b1ac13e1f9221377d70fc9161b233c0516c11f7d8ee763ca7543
SHA512: 01f874a337b4fd9cec62ced2bda1a1d1580cf6f049e55b390add89731ef933a4505f0afd431ac97bf7f53832401be3be39b7b20865a4873e09b79d4d3bffc3a1