Analysis

- max time kernel: 149s
- max time network: 123s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20/09/2024, 09:00

Static task: static1
Behavioral task: behavioral1
Sample: ed41a69b8fbfbdee0148eba63b9c6e01_JaffaCakes118.exe
Resource: win7-20240903-en
General

- Target: ed41a69b8fbfbdee0148eba63b9c6e01_JaffaCakes118.exe
- Size: 512KB
- MD5: ed41a69b8fbfbdee0148eba63b9c6e01
- SHA1: f67434b508c5eed439f835407e228e8502585786
- SHA256: cc3e5058ac37e5db39fa7e4ea00e44ec20f06400a3ea2e4930da4cadf77b2546
- SHA512: 15ec8b4857834c9bff2eb44eec9e7791c8811f5568862ed0f263b54681e65c9f40c33bc33d62d3e98337e5466e29ebdea04a3a5b6c62f81c0410608c109edbca
- SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6k:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5t

Malware Config

Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
description | ioc | process
- Set value (int) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | pepcxawfsv.exe

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
description | ioc | process
- Set value (int) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | pepcxawfsv.exe

Windows security bypass (5 IoCs)
description | ioc | process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | pepcxawfsv.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | pepcxawfsv.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | pepcxawfsv.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | pepcxawfsv.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | pepcxawfsv.exe

Disables RegEdit via registry modification (1 IoC)
description | ioc | process
- Set value (int) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | pepcxawfsv.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | process
- Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | ed41a69b8fbfbdee0148eba63b9c6e01_JaffaCakes118.exe

Executes dropped EXE (5 IoCs)
pid | process
- 3976 | pepcxawfsv.exe
- 824 | raeqchhxfiwjxbc.exe
- 3396 | kwpjqyim.exe
- 4136 | bxnycikautust.exe
- 1288 | kwpjqyim.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification (6 IoCs)
description | ioc | process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | pepcxawfsv.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | pepcxawfsv.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | pepcxawfsv.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | pepcxawfsv.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | pepcxawfsv.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | pepcxawfsv.exe

Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wcdvodoz = "pepcxawfsv.exe" | raeqchhxfiwjxbc.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jylitdjc = "raeqchhxfiwjxbc.exe" | raeqchhxfiwjxbc.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "bxnycikautust.exe" | raeqchhxfiwjxbc.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | process
All 64 entries are "File opened (read-only)" on a drive root; they are grouped here by process, with ×2 marking a drive letter that appears twice:
- pepcxawfsv.exe (21 entries): \??\a: \??\b: \??\e: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\o: \??\p: \??\q: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z:
- kwpjqyim.exe (43 entries): \??\a: ×2, \??\b: ×2, \??\e:, \??\g: ×2, \??\h:, \??\i: ×2, \??\j: ×2, \??\k: ×2, \??\l: ×2, \??\m: ×2, \??\n: ×2, \??\o: ×2, \??\p: ×2, \??\q: ×2, \??\r: ×2, \??\s: ×2, \??\t: ×2, \??\u: ×2, \??\v: ×2, \??\w: ×2, \??\x: ×2, \??\y:, \??\z: ×2
Modifies WinLogon (2 TTPs, 2 IoCs)
description | ioc | process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | pepcxawfsv.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | pepcxawfsv.exe

AutoIT Executable (10 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
- behavioral2/memory/2996-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
- behavioral2/files/0x0007000000023435-5.dat | autoit_exe
- behavioral2/files/0x00090000000233d7-18.dat | autoit_exe
- behavioral2/files/0x0007000000023436-28.dat | autoit_exe
- behavioral2/files/0x0007000000023437-32.dat | autoit_exe
- behavioral2/files/0x000800000002341e-69.dat | autoit_exe
- behavioral2/files/0x0008000000023386-66.dat | autoit_exe
- behavioral2/files/0x0007000000023450-80.dat | autoit_exe
- behavioral2/files/0x0007000000023457-105.dat | autoit_exe
- behavioral2/files/0x0007000000023457-109.dat | autoit_exe

Drops file in System32 directory (12 IoCs)
description | ioc | process
- File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | pepcxawfsv.exe
- File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | kwpjqyim.exe
- File created | C:\Windows\SysWOW64\pepcxawfsv.exe | ed41a69b8fbfbdee0148eba63b9c6e01_JaffaCakes118.exe
- File created | C:\Windows\SysWOW64\raeqchhxfiwjxbc.exe | ed41a69b8fbfbdee0148eba63b9c6e01_JaffaCakes118.exe
- File opened for modification | C:\Windows\SysWOW64\kwpjqyim.exe | ed41a69b8fbfbdee0148eba63b9c6e01_JaffaCakes118.exe
- File created | C:\Windows\SysWOW64\bxnycikautust.exe | ed41a69b8fbfbdee0148eba63b9c6e01_JaffaCakes118.exe
- File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | kwpjqyim.exe
- File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | kwpjqyim.exe
- File opened for modification | C:\Windows\SysWOW64\pepcxawfsv.exe | ed41a69b8fbfbdee0148eba63b9c6e01_JaffaCakes118.exe
- File opened for modification | C:\Windows\SysWOW64\raeqchhxfiwjxbc.exe | ed41a69b8fbfbdee0148eba63b9c6e01_JaffaCakes118.exe
- File created | C:\Windows\SysWOW64\kwpjqyim.exe | ed41a69b8fbfbdee0148eba63b9c6e01_JaffaCakes118.exe
- File opened for modification | C:\Windows\SysWOW64\bxnycikautust.exe | ed41a69b8fbfbdee0148eba63b9c6e01_JaffaCakes118.exe

Drops file in Program Files directory (14 IoCs)
description | ioc | process
- File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | kwpjqyim.exe
- File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | kwpjqyim.exe
- File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | kwpjqyim.exe
- File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | kwpjqyim.exe
- File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | kwpjqyim.exe
- File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | kwpjqyim.exe
- File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | kwpjqyim.exe
- File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | kwpjqyim.exe
- File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | kwpjqyim.exe
- File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | kwpjqyim.exe
- File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | kwpjqyim.exe
- File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | kwpjqyim.exe
- File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | kwpjqyim.exe
- File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | kwpjqyim.exe

Drops file in Windows directory (19 IoCs)
description | ioc | process
- File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | kwpjqyim.exe
- File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | kwpjqyim.exe
- File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | kwpjqyim.exe
- File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | kwpjqyim.exe
- File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | kwpjqyim.exe
- File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | kwpjqyim.exe
- File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | kwpjqyim.exe
- File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | kwpjqyim.exe
- File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | kwpjqyim.exe
- File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | kwpjqyim.exe
- File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | kwpjqyim.exe
- File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | kwpjqyim.exe
- File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
- File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | kwpjqyim.exe
- File opened for modification | C:\Windows\mydoc.rtf | ed41a69b8fbfbdee0148eba63b9c6e01_JaffaCakes118.exe
- File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
- File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | kwpjqyim.exe
- File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | kwpjqyim.exe
- File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | kwpjqyim.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | raeqchhxfiwjxbc.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | kwpjqyim.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bxnycikautust.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | kwpjqyim.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ed41a69b8fbfbdee0148eba63b9c6e01_JaffaCakes118.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pepcxawfsv.exe

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | process
- Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | process
- Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE

Modifies registry class (20 IoCs)
description | ioc | process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC0B02D44EE39E852CFB9A2329CD7CB" | ed41a69b8fbfbdee0148eba63b9c6e01_JaffaCakes118.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F66BB6FE1B22DED27FD0D18A0F9060" | ed41a69b8fbfbdee0148eba63b9c6e01_JaffaCakes118.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | pepcxawfsv.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | pepcxawfsv.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | pepcxawfsv.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E88FC8F482E82189142D72E7DE5BD97E637584366426246D690" | ed41a69b8fbfbdee0148eba63b9c6e01_JaffaCakes118.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184AC7781597DAB2B9C07CE0ED9434CA" | ed41a69b8fbfbdee0148eba63b9c6e01_JaffaCakes118.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | pepcxawfsv.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | pepcxawfsv.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | pepcxawfsv.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32432C7D9D5083256D3476D177212CD87CF665DF" | ed41a69b8fbfbdee0148eba63b9c6e01_JaffaCakes118.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCEFACCF913F29883083B3286EC3E99B08902FD42160333E2BD429B08A9" | ed41a69b8fbfbdee0148eba63b9c6e01_JaffaCakes118.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | pepcxawfsv.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | pepcxawfsv.exe
- Key created | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings | ed41a69b8fbfbdee0148eba63b9c6e01_JaffaCakes118.exe
- Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | ed41a69b8fbfbdee0148eba63b9c6e01_JaffaCakes118.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | pepcxawfsv.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | pepcxawfsv.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | pepcxawfsv.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | pepcxawfsv.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid | process (identical rows collapsed; number of entries in parentheses)
- 3556 | WINWORD.EXE (2)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | process (identical rows collapsed; number of entries in parentheses)
- 2996 | ed41a69b8fbfbdee0148eba63b9c6e01_JaffaCakes118.exe (16)
- 3396 | kwpjqyim.exe (8)
- 824 | raeqchhxfiwjxbc.exe (10)
- 3976 | pepcxawfsv.exe (10)
- 4136 | bxnycikautust.exe (12)
- 824 | raeqchhxfiwjxbc.exe (2)
- 1288 | kwpjqyim.exe (6)

Suspicious use of FindShellTrayWindow (18 IoCs)
pid | process (identical rows collapsed; number of entries in parentheses)
- 2996 | ed41a69b8fbfbdee0148eba63b9c6e01_JaffaCakes118.exe (3)
- 3976 | pepcxawfsv.exe (3)
- 824 | raeqchhxfiwjxbc.exe (3)
- 3396 | kwpjqyim.exe (3)
- 4136 | bxnycikautust.exe (3)
- 1288 | kwpjqyim.exe (3)

Suspicious use of SendNotifyMessage (18 IoCs)
pid | process (identical rows collapsed; number of entries in parentheses)
- 2996 | ed41a69b8fbfbdee0148eba63b9c6e01_JaffaCakes118.exe (3)
- 3976 | pepcxawfsv.exe (3)
- 824 | raeqchhxfiwjxbc.exe (3)
- 3396 | kwpjqyim.exe (3)
- 4136 | bxnycikautust.exe (3)
- 1288 | kwpjqyim.exe (3)

Suspicious use of SetWindowsHookEx (7 IoCs)
pid | process (identical rows collapsed; number of entries in parentheses)
- 3556 | WINWORD.EXE (7)

Suspicious use of WriteProcessMemory (17 IoCs)
description | pid | process | procid_target (identical rows collapsed; number of entries in parentheses)
- PID 2996 wrote to memory of 3976 | 2996 | ed41a69b8fbfbdee0148eba63b9c6e01_JaffaCakes118.exe | 82 (3)
- PID 2996 wrote to memory of 824 | 2996 | ed41a69b8fbfbdee0148eba63b9c6e01_JaffaCakes118.exe | 83 (3)
- PID 2996 wrote to memory of 3396 | 2996 | ed41a69b8fbfbdee0148eba63b9c6e01_JaffaCakes118.exe | 84 (3)
- PID 2996 wrote to memory of 4136 | 2996 | ed41a69b8fbfbdee0148eba63b9c6e01_JaffaCakes118.exe | 85 (3)
- PID 2996 wrote to memory of 3556 | 2996 | ed41a69b8fbfbdee0148eba63b9c6e01_JaffaCakes118.exe | 86 (2)
- PID 3976 wrote to memory of 1288 | 3976 | pepcxawfsv.exe | 88 (3)
Processes (process tree; indentation shows parent/child relationships)

- C:\Users\Admin\AppData\Local\Temp\ed41a69b8fbfbdee0148eba63b9c6e01_JaffaCakes118.exe (PID 2996)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ed41a69b8fbfbdee0148eba63b9c6e01_JaffaCakes118.exe"
  Signatures:
    - Checks computer location settings
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\pepcxawfsv.exe (PID 3976)
    Command line: pepcxawfsv.exe
    Signatures:
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Windows security bypass
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Windows security modification
      - Enumerates connected drives
      - Modifies WinLogon
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\kwpjqyim.exe (PID 1288)
      Command line: C:\Windows\system32\kwpjqyim.exe
      Signatures:
        - Executes dropped EXE
        - Enumerates connected drives
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage

  - C:\Windows\SysWOW64\raeqchhxfiwjxbc.exe (PID 824)
    Command line: raeqchhxfiwjxbc.exe
    Signatures:
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  - C:\Windows\SysWOW64\kwpjqyim.exe (PID 3396)
    Command line: kwpjqyim.exe
    Signatures:
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  - C:\Windows\SysWOW64\bxnycikautust.exe (PID 4136)
    Command line: bxnycikautust.exe
    Signatures:
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 3556)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    Signatures:
      - Drops file in Windows directory
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of SetWindowsHookEx
Network

MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)

Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)

Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads