Analysis
-
max time kernel
149s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
20/09/2024, 07:54
Static task
static1
2 signatures
Behavioral task
behavioral1
Sample
ed254ea31781627675347fa45354dd1b_JaffaCakes118.exe
Resource
win7-20240903-en
windows7-x64
25 signatures
150 seconds
General
-
Target
ed254ea31781627675347fa45354dd1b_JaffaCakes118.exe
-
Size
512KB
-
MD5
ed254ea31781627675347fa45354dd1b
-
SHA1
eec3e7cca8a07cfece6b1e53614d6cc965580629
-
SHA256
1e0c8b666e9a71c2272d7265be04a8b12aa76517ba4d1536feeaf9f4fbf43211
-
SHA512
73b2b0c2824442fbd3c62447a33fc539efcd495a62b9679ec457d50aae401a0446adfd4909e47f2cf116dc8e949e88501a3ff74ca7ff11fd43ece3e45e026fad
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6B:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5M
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" avzrsuqwdn.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" avzrsuqwdn.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" avzrsuqwdn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" avzrsuqwdn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" avzrsuqwdn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" avzrsuqwdn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" avzrsuqwdn.exe -
Disables RegEdit via registry modification 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" avzrsuqwdn.exe -
Executes dropped EXE 5 IoCs
pid Process 2808 avzrsuqwdn.exe 2732 oktwpupestqbobp.exe 2264 gjzjlpxs.exe 2904 uwobjxcjaqlbv.exe 2616 gjzjlpxs.exe -
Loads dropped DLL 5 IoCs
pid Process 2088 ed254ea31781627675347fa45354dd1b_JaffaCakes118.exe 2088 ed254ea31781627675347fa45354dd1b_JaffaCakes118.exe 2088 ed254ea31781627675347fa45354dd1b_JaffaCakes118.exe 2088 ed254ea31781627675347fa45354dd1b_JaffaCakes118.exe 2808 avzrsuqwdn.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" avzrsuqwdn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" avzrsuqwdn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" avzrsuqwdn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" avzrsuqwdn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" avzrsuqwdn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" avzrsuqwdn.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ubcyxvfj = "avzrsuqwdn.exe" oktwpupestqbobp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\izqrqzdv = "oktwpupestqbobp.exe" oktwpupestqbobp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "uwobjxcjaqlbv.exe" oktwpupestqbobp.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\w: gjzjlpxs.exe File opened (read-only) \??\a: avzrsuqwdn.exe File opened (read-only) \??\h: avzrsuqwdn.exe File opened (read-only) \??\q: avzrsuqwdn.exe File opened (read-only) \??\u: avzrsuqwdn.exe File opened (read-only) \??\w: avzrsuqwdn.exe File opened (read-only) \??\a: gjzjlpxs.exe File opened (read-only) \??\n: gjzjlpxs.exe File opened (read-only) \??\s: avzrsuqwdn.exe File opened (read-only) \??\s: gjzjlpxs.exe File opened (read-only) \??\z: avzrsuqwdn.exe File opened (read-only) \??\i: avzrsuqwdn.exe File opened (read-only) \??\v: avzrsuqwdn.exe File opened (read-only) \??\h: gjzjlpxs.exe File opened (read-only) \??\s: gjzjlpxs.exe File opened (read-only) \??\t: gjzjlpxs.exe File opened (read-only) \??\g: gjzjlpxs.exe File opened (read-only) \??\p: gjzjlpxs.exe File opened (read-only) \??\q: gjzjlpxs.exe File opened (read-only) \??\u: gjzjlpxs.exe File opened (read-only) \??\e: avzrsuqwdn.exe File opened (read-only) \??\o: avzrsuqwdn.exe File opened (read-only) \??\l: gjzjlpxs.exe File opened (read-only) \??\b: avzrsuqwdn.exe File opened (read-only) \??\o: gjzjlpxs.exe File opened (read-only) \??\q: gjzjlpxs.exe File opened (read-only) \??\x: gjzjlpxs.exe File opened (read-only) \??\n: gjzjlpxs.exe File opened (read-only) \??\x: gjzjlpxs.exe File opened (read-only) \??\y: gjzjlpxs.exe File opened (read-only) \??\v: gjzjlpxs.exe File opened (read-only) \??\m: avzrsuqwdn.exe File opened (read-only) \??\p: avzrsuqwdn.exe File opened (read-only) \??\t: avzrsuqwdn.exe File opened (read-only) \??\y: avzrsuqwdn.exe File opened (read-only) \??\k: gjzjlpxs.exe File opened (read-only) \??\b: gjzjlpxs.exe File opened (read-only) \??\i: gjzjlpxs.exe File opened (read-only) \??\j: gjzjlpxs.exe File opened (read-only) \??\o: gjzjlpxs.exe File opened (read-only) \??\l: avzrsuqwdn.exe File opened (read-only) \??\r: avzrsuqwdn.exe File opened (read-only) \??\m: gjzjlpxs.exe File opened (read-only) \??\v: gjzjlpxs.exe File opened (read-only) \??\h: gjzjlpxs.exe File opened (read-only) \??\z: gjzjlpxs.exe File opened (read-only) \??\k: avzrsuqwdn.exe File opened (read-only) \??\e: gjzjlpxs.exe File opened (read-only) \??\g: gjzjlpxs.exe File opened (read-only) \??\i: gjzjlpxs.exe File opened (read-only) \??\j: gjzjlpxs.exe File opened (read-only) \??\t: gjzjlpxs.exe File opened (read-only) \??\y: gjzjlpxs.exe File opened (read-only) \??\b: gjzjlpxs.exe File opened (read-only) \??\j: avzrsuqwdn.exe File opened (read-only) \??\e: gjzjlpxs.exe File opened (read-only) \??\p: gjzjlpxs.exe File opened (read-only) \??\r: gjzjlpxs.exe File opened (read-only) \??\k: gjzjlpxs.exe File opened (read-only) \??\n: avzrsuqwdn.exe File opened (read-only) \??\a: gjzjlpxs.exe File opened (read-only) \??\z: gjzjlpxs.exe File opened (read-only) \??\m: gjzjlpxs.exe File opened (read-only) \??\r: gjzjlpxs.exe -
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" avzrsuqwdn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" avzrsuqwdn.exe -
AutoIT Executable 9 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral1/memory/2088-0-0x0000000000400000-0x0000000000496000-memory.dmp autoit_exe behavioral1/files/0x00080000000161f6-5.dat autoit_exe behavioral1/files/0x000700000001211a-17.dat autoit_exe behavioral1/files/0x00080000000161f6-23.dat autoit_exe behavioral1/files/0x0008000000016307-28.dat autoit_exe behavioral1/files/0x000800000001658c-39.dat autoit_exe behavioral1/files/0x0008000000016c84-68.dat autoit_exe behavioral1/files/0x0007000000016c62-66.dat autoit_exe behavioral1/files/0x00080000000173da-74.dat autoit_exe -
Drops file in System32 directory 9 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\avzrsuqwdn.exe ed254ea31781627675347fa45354dd1b_JaffaCakes118.exe File created C:\Windows\SysWOW64\uwobjxcjaqlbv.exe ed254ea31781627675347fa45354dd1b_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\uwobjxcjaqlbv.exe ed254ea31781627675347fa45354dd1b_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll avzrsuqwdn.exe File created C:\Windows\SysWOW64\avzrsuqwdn.exe ed254ea31781627675347fa45354dd1b_JaffaCakes118.exe File created C:\Windows\SysWOW64\oktwpupestqbobp.exe ed254ea31781627675347fa45354dd1b_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\oktwpupestqbobp.exe ed254ea31781627675347fa45354dd1b_JaffaCakes118.exe File created C:\Windows\SysWOW64\gjzjlpxs.exe ed254ea31781627675347fa45354dd1b_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\gjzjlpxs.exe ed254ea31781627675347fa45354dd1b_JaffaCakes118.exe -
Drops file in Program Files directory 14 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe gjzjlpxs.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe gjzjlpxs.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe gjzjlpxs.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe gjzjlpxs.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal gjzjlpxs.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal gjzjlpxs.exe File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe gjzjlpxs.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe gjzjlpxs.exe File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe gjzjlpxs.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal gjzjlpxs.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe gjzjlpxs.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe gjzjlpxs.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe gjzjlpxs.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal gjzjlpxs.exe -
Drops file in Windows directory 5 IoCs
description ioc Process File opened for modification C:\Windows\mydoc.rtf ed254ea31781627675347fa45354dd1b_JaffaCakes118.exe File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE File created C:\Windows\~$mydoc.rtf WINWORD.EXE File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE File opened for modification C:\Windows\~$mydoc.rtf WINWORD.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WINWORD.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ed254ea31781627675347fa45354dd1b_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language avzrsuqwdn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language oktwpupestqbobp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language gjzjlpxs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language uwobjxcjaqlbv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language gjzjlpxs.exe -
Office loads VBA resources, possible macro or embedded object present
-
Modifies registry class 19 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" avzrsuqwdn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg avzrsuqwdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB5B12044E439E853B9B9D2339DD4C5" ed254ea31781627675347fa45354dd1b_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FF4FCFB482F85139132D62F7D96BDE7E133584667346345D6E9" ed254ea31781627675347fa45354dd1b_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F46BB7FE6722D1D178D1A88A7F9160" ed254ea31781627675347fa45354dd1b_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" avzrsuqwdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" avzrsuqwdn.exe Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes ed254ea31781627675347fa45354dd1b_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1849C77B14E3DBC0B9BC7F97EDE537CF" ed254ea31781627675347fa45354dd1b_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh avzrsuqwdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" avzrsuqwdn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs avzrsuqwdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33422D7E9D2382226D3F77D577272DD97DF364D7" ed254ea31781627675347fa45354dd1b_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABAFABFFE10F2E784093A44819B3994B38C03F04269033BE1B8429B09D1" ed254ea31781627675347fa45354dd1b_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc avzrsuqwdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" avzrsuqwdn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat avzrsuqwdn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf avzrsuqwdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" avzrsuqwdn.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 1728 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2088 ed254ea31781627675347fa45354dd1b_JaffaCakes118.exe 2088 ed254ea31781627675347fa45354dd1b_JaffaCakes118.exe 2088 ed254ea31781627675347fa45354dd1b_JaffaCakes118.exe 2088 ed254ea31781627675347fa45354dd1b_JaffaCakes118.exe 2088 ed254ea31781627675347fa45354dd1b_JaffaCakes118.exe 2088 ed254ea31781627675347fa45354dd1b_JaffaCakes118.exe 2088 ed254ea31781627675347fa45354dd1b_JaffaCakes118.exe 2808 avzrsuqwdn.exe 2808 avzrsuqwdn.exe 2808 avzrsuqwdn.exe 2808 avzrsuqwdn.exe 2808 avzrsuqwdn.exe 2088 ed254ea31781627675347fa45354dd1b_JaffaCakes118.exe 2732 oktwpupestqbobp.exe 2732 oktwpupestqbobp.exe 2732 oktwpupestqbobp.exe 2732 oktwpupestqbobp.exe 2264 gjzjlpxs.exe 2264 gjzjlpxs.exe 2264 gjzjlpxs.exe 2264 gjzjlpxs.exe 2732 oktwpupestqbobp.exe 2904 uwobjxcjaqlbv.exe 2904 uwobjxcjaqlbv.exe 2904 uwobjxcjaqlbv.exe 2904 uwobjxcjaqlbv.exe 2904 uwobjxcjaqlbv.exe 2904 uwobjxcjaqlbv.exe 2616 gjzjlpxs.exe 2616 gjzjlpxs.exe 2616 gjzjlpxs.exe 2616 gjzjlpxs.exe 2732 oktwpupestqbobp.exe 2904 uwobjxcjaqlbv.exe 2904 uwobjxcjaqlbv.exe 2732 oktwpupestqbobp.exe 2732 oktwpupestqbobp.exe 2904 uwobjxcjaqlbv.exe 2904 uwobjxcjaqlbv.exe 2732 oktwpupestqbobp.exe 2904 uwobjxcjaqlbv.exe 2904 uwobjxcjaqlbv.exe 2732 oktwpupestqbobp.exe 2904 uwobjxcjaqlbv.exe 2904 uwobjxcjaqlbv.exe 2732 oktwpupestqbobp.exe 2904 uwobjxcjaqlbv.exe 2904 uwobjxcjaqlbv.exe 2732 oktwpupestqbobp.exe 2904 uwobjxcjaqlbv.exe 2904 uwobjxcjaqlbv.exe 2732 oktwpupestqbobp.exe 2904 uwobjxcjaqlbv.exe 2904 uwobjxcjaqlbv.exe 2732 oktwpupestqbobp.exe 2904 uwobjxcjaqlbv.exe 2904 uwobjxcjaqlbv.exe 2732 oktwpupestqbobp.exe 2904 uwobjxcjaqlbv.exe 2904 uwobjxcjaqlbv.exe 2732 oktwpupestqbobp.exe 2904 uwobjxcjaqlbv.exe 2904 uwobjxcjaqlbv.exe 2732 oktwpupestqbobp.exe -
Suspicious use of FindShellTrayWindow 18 IoCs
pid Process 2088 ed254ea31781627675347fa45354dd1b_JaffaCakes118.exe 2088 ed254ea31781627675347fa45354dd1b_JaffaCakes118.exe 2088 ed254ea31781627675347fa45354dd1b_JaffaCakes118.exe 2808 avzrsuqwdn.exe 2808 avzrsuqwdn.exe 2808 avzrsuqwdn.exe 2732 oktwpupestqbobp.exe 2732 oktwpupestqbobp.exe 2732 oktwpupestqbobp.exe 2264 gjzjlpxs.exe 2264 gjzjlpxs.exe 2264 gjzjlpxs.exe 2904 uwobjxcjaqlbv.exe 2904 uwobjxcjaqlbv.exe 2904 uwobjxcjaqlbv.exe 2616 gjzjlpxs.exe 2616 gjzjlpxs.exe 2616 gjzjlpxs.exe -
Suspicious use of SendNotifyMessage 18 IoCs
pid Process 2088 ed254ea31781627675347fa45354dd1b_JaffaCakes118.exe 2088 ed254ea31781627675347fa45354dd1b_JaffaCakes118.exe 2088 ed254ea31781627675347fa45354dd1b_JaffaCakes118.exe 2808 avzrsuqwdn.exe 2808 avzrsuqwdn.exe 2808 avzrsuqwdn.exe 2732 oktwpupestqbobp.exe 2732 oktwpupestqbobp.exe 2732 oktwpupestqbobp.exe 2264 gjzjlpxs.exe 2264 gjzjlpxs.exe 2264 gjzjlpxs.exe 2904 uwobjxcjaqlbv.exe 2904 uwobjxcjaqlbv.exe 2904 uwobjxcjaqlbv.exe 2616 gjzjlpxs.exe 2616 gjzjlpxs.exe 2616 gjzjlpxs.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 1728 WINWORD.EXE 1728 WINWORD.EXE -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 2088 wrote to memory of 2808 2088 ed254ea31781627675347fa45354dd1b_JaffaCakes118.exe 30 PID 2088 wrote to memory of 2808 2088 ed254ea31781627675347fa45354dd1b_JaffaCakes118.exe 30 PID 2088 wrote to memory of 2808 2088 ed254ea31781627675347fa45354dd1b_JaffaCakes118.exe 30 PID 2088 wrote to memory of 2808 2088 ed254ea31781627675347fa45354dd1b_JaffaCakes118.exe 30 PID 2088 wrote to memory of 2732 2088 ed254ea31781627675347fa45354dd1b_JaffaCakes118.exe 31 PID 2088 wrote to memory of 2732 2088 ed254ea31781627675347fa45354dd1b_JaffaCakes118.exe 31 PID 2088 wrote to memory of 2732 2088 ed254ea31781627675347fa45354dd1b_JaffaCakes118.exe 31 PID 2088 wrote to memory of 2732 2088 ed254ea31781627675347fa45354dd1b_JaffaCakes118.exe 31 PID 2088 wrote to memory of 2264 2088 ed254ea31781627675347fa45354dd1b_JaffaCakes118.exe 32 PID 2088 wrote to memory of 2264 2088 ed254ea31781627675347fa45354dd1b_JaffaCakes118.exe 32 PID 2088 wrote to memory of 2264 2088 ed254ea31781627675347fa45354dd1b_JaffaCakes118.exe 32 PID 2088 wrote to memory of 2264 2088 ed254ea31781627675347fa45354dd1b_JaffaCakes118.exe 32 PID 2088 wrote to memory of 2904 2088 ed254ea31781627675347fa45354dd1b_JaffaCakes118.exe 33 PID 2088 wrote to memory of 2904 2088 ed254ea31781627675347fa45354dd1b_JaffaCakes118.exe 33 PID 2088 wrote to memory of 2904 2088 ed254ea31781627675347fa45354dd1b_JaffaCakes118.exe 33 PID 2088 wrote to memory of 2904 2088 ed254ea31781627675347fa45354dd1b_JaffaCakes118.exe 33 PID 2808 wrote to memory of 2616 2808 avzrsuqwdn.exe 34 PID 2808 wrote to memory of 2616 2808 avzrsuqwdn.exe 34 PID 2808 wrote to memory of 2616 2808 avzrsuqwdn.exe 34 PID 2808 wrote to memory of 2616 2808 avzrsuqwdn.exe 34 PID 2088 wrote to memory of 1728 2088 ed254ea31781627675347fa45354dd1b_JaffaCakes118.exe 35 PID 2088 wrote to memory of 1728 2088 ed254ea31781627675347fa45354dd1b_JaffaCakes118.exe 35 PID 2088 wrote to memory of 1728 2088 ed254ea31781627675347fa45354dd1b_JaffaCakes118.exe 35 PID 2088 wrote to memory of 1728 2088 ed254ea31781627675347fa45354dd1b_JaffaCakes118.exe 35 PID 1728 wrote to memory of 2588 1728 WINWORD.EXE 37 PID 1728 wrote to memory of 2588 1728 WINWORD.EXE 37 PID 1728 wrote to memory of 2588 1728 WINWORD.EXE 37 PID 1728 wrote to memory of 2588 1728 WINWORD.EXE 37
Processes
-
C:\Users\Admin\AppData\Local\Temp\ed254ea31781627675347fa45354dd1b_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\ed254ea31781627675347fa45354dd1b_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\SysWOW64\avzrsuqwdn.exeavzrsuqwdn.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\gjzjlpxs.exeC:\Windows\system32\gjzjlpxs.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2616
-
-
-
C:\Windows\SysWOW64\oktwpupestqbobp.exeoktwpupestqbobp.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2732
-
-
C:\Windows\SysWOW64\gjzjlpxs.exegjzjlpxs.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2264
-
-
C:\Windows\SysWOW64\uwobjxcjaqlbv.exeuwobjxcjaqlbv.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2904
-
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"2⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122883⤵PID:2588
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
2Disable or Modify Tools
2Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
512KB
MD56feca4b20d162a1546b261f49e84da44
SHA15cddd778b3be6d92e48746e5e142987fa09cce42
SHA256298bf76009c2dbfe002de5bd9a878371e364c7372a1150f70035260c97ef1e35
SHA51219d8a53fcc1a7d30826bdd4830c926b9a16289d7fb0cd3a7b7682d5f10e2123a0edd8f88e17a795cd55c5a0acb7509f7a4e7ff414bf0514e01528c92e5cf82cb
-
Filesize
512KB
MD50cf4fa95b5b845b2957ce659a47e8d7d
SHA1100e286b09503d1948dd668cdd7f862739edca99
SHA256bf68ab8ffbd6447d8a047252eb11a6644491bc2b26669f38b214d50705b08246
SHA5125159a2aeb92e244633e39f018878aa1708b44cd5fa1853c3ee46e06b46a8396f8481beed3aac50018105b2a7b7cf23ac8e4161265b6b8a22c72ce0c7c22f00cf
-
Filesize
19KB
MD55b4b1f7d36f57982df88df737b3befa4
SHA16d00d90c1de17d6916ad38b96a7f885e7adf651c
SHA25682dbd70ebf0350e70a0d3c40afe35a3ef0ae2faa93386c0d4bbba2b03f636d6f
SHA51284a0caa39b374bcddb9f58be62c8c698f461faf6f76469ea2528537c6859273ba836ddaae97a0ff6f247429ed6ed80682d606e15ef8943e0b7ff79f5091f001f
-
Filesize
512KB
MD5ed254ea31781627675347fa45354dd1b
SHA1eec3e7cca8a07cfece6b1e53614d6cc965580629
SHA2561e0c8b666e9a71c2272d7265be04a8b12aa76517ba4d1536feeaf9f4fbf43211
SHA51273b2b0c2824442fbd3c62447a33fc539efcd495a62b9679ec457d50aae401a0446adfd4909e47f2cf116dc8e949e88501a3ff74ca7ff11fd43ece3e45e026fad
-
Filesize
512KB
MD5a49c090549a5a0344e8caff5105a4007
SHA1c2eac885b354671bd32f2527b7c5b91ebd1dab91
SHA25695fd9081207e4b06d144080e476cfed16b808ce6e52e548d7bb61705e6544560
SHA5121ae6ceceb24e55451053db7c01b1cb1c17d90f4667e42d508ec0b1f3d62d162c8ec6f99fc90687b65b7cf206c229e798552a5e729013462604410b282df31658
-
Filesize
223B
MD506604e5941c126e2e7be02c5cd9f62ec
SHA14eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA25685f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
Filesize
512KB
MD5fcb532d1ac3790b31ce28751eb43007f
SHA17def8574865c39fb247d3547b4a714d1a89af3e1
SHA256efdeda89dfedf5b06ba98a320b146347e10888ed14688b21ad9ef4a4f13d7469
SHA51275725cf2b4d565b2da0774c02e2a709d10267a4c45a4d94466a4498c7fccd35311ccb10b1f554cddb654fb63cfa6592d5e4570d38e1209333a19eaad80bae15e
-
Filesize
512KB
MD5a2ffa0775bda8c444c1416048b864f26
SHA17b8d0c44f1aed3abb544d76df78379178a7e297f
SHA256589d422c029146ed79d0cc646a2d6eb088b7a1b9324e87fb15aedf6546c3156d
SHA512f5ff4e0720ea1487915f75eb016cf3be609694acda1e614945432fc86020712f2ee6c386e22ead1c762c3592a0cd0d798780ebf5abf6d94bdfaa6cdfb74f8b98
-
Filesize
512KB
MD5d613a88a2f4cff809dae87f046a4f7bc
SHA1f0a193015a2a6e0e352992d405b7024ec5578a62
SHA25633cc797e2acb28bb7063ed9dedbbdc8ddd1e7e49d80f133a81a96cd8942386e7
SHA512905d435f3533f9b425232b96c69851300da196dcff0c7c561cad18813ff6f84aa6de7414a8d1d20c104589fa5b94d1a42b8f4ae876ccbf90b45d8f3d9b5cca6d
-
Filesize
512KB
MD57d290ee0190d6f60205bcaa419553c55
SHA1a9f44109be1c20d7542c97b766883e79c6c0cda2
SHA2564af4b595b5b27adf3337f9bd7a80a2fecaab8ba440127dca5df92878a414ed4c
SHA512d3ff8f7d9e435d5e02119d128172c4e4f5a5cf9f4651a2bc39d6b8069d6794f8753ae61fc0b52d36d74365bdb717e1b9bd9fb927080941c54a238bddf397bd18