Analysis
- max time kernel: 149s
- max time network: 134s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20/09/2024, 10:05
- Static task: static1
- Behavioral task: behavioral1
- Sample: ed5be467fe9b39c8cfd60794a1803589_JaffaCakes118.exe
- Resource: win7-20240903-en
General
- Target: ed5be467fe9b39c8cfd60794a1803589_JaffaCakes118.exe
- Size: 512KB
- MD5: ed5be467fe9b39c8cfd60794a1803589
- SHA1: d2270031b8aeb622ef8bb5fc9f9b452e927d51f1
- SHA256: ca3a2601643725cbf673a87574f41b5114bbbb03928d7489627f5de9da93caba
- SHA512: 941c498af7c2a660df27c6eb65507ec7cc03b231b35dc618d6ad238136da31053b44faeb3dd98a1dfdb87098abac022bf62eef9b740f966e8d9602e2986901c6
- SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6v:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5i
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
- Set value (int): \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (leyhdtuvsm.exe)
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
- Set value (int): \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (leyhdtuvsm.exe)
Windows security bypass (5 IoCs; the heading is missing from the extracted page and is taken from the process list below, which names this signature for leyhdtuvsm.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (leyhdtuvsm.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (leyhdtuvsm.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (leyhdtuvsm.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (leyhdtuvsm.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (leyhdtuvsm.exe)
Disables RegEdit via registry modification (1 IoC)
- Set value (int): \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (leyhdtuvsm.exe)
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
- Key value queried: \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation (ed5be467fe9b39c8cfd60794a1803589_JaffaCakes118.exe)
Executes dropped EXE (5 IoCs)
- PID 3012: leyhdtuvsm.exe
- PID 564: sqsaiqbvjwlouty.exe
- PID 3804: zhippatw.exe
- PID 2660: pkxdcknujfjxi.exe
- PID 1224: zhippatw.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.
Windows security modification (6 IoCs; the heading is missing from the extracted page and is taken from the process list below, which names this signature for leyhdtuvsm.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (leyhdtuvsm.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" (leyhdtuvsm.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (leyhdtuvsm.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (leyhdtuvsm.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (leyhdtuvsm.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (leyhdtuvsm.exe)
Adds Run key to start application (2 TTPs, 3 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jmoxmmqc = "leyhdtuvsm.exe" (sqsaiqbvjwlouty.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xjyqwdyo = "sqsaiqbvjwlouty.exe" (sqsaiqbvjwlouty.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "pkxdcknujfjxi.exe" (sqsaiqbvjwlouty.exe)
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only): \??\m: (zhippatw.exe)
- File opened (read-only): \??\n: (zhippatw.exe)
- File opened (read-only): \??\i: (zhippatw.exe)
- File opened (read-only): \??\r: (zhippatw.exe)
- File opened (read-only): \??\x: (zhippatw.exe)
- File opened (read-only): \??\k: (zhippatw.exe)
- File opened (read-only): \??\v: (leyhdtuvsm.exe)
- File opened (read-only): \??\l: (zhippatw.exe)
- File opened (read-only): \??\s: (zhippatw.exe)
- File opened (read-only): \??\m: (leyhdtuvsm.exe)
- File opened (read-only): \??\x: (leyhdtuvsm.exe)
- File opened (read-only): \??\h: (zhippatw.exe)
- File opened (read-only): \??\w: (zhippatw.exe)
- File opened (read-only): \??\n: (leyhdtuvsm.exe)
- File opened (read-only): \??\e: (zhippatw.exe)
- File opened (read-only): \??\z: (zhippatw.exe)
- File opened (read-only): \??\u: (zhippatw.exe)
- File opened (read-only): \??\z: (leyhdtuvsm.exe)
- File opened (read-only): \??\p: (zhippatw.exe)
- File opened (read-only): \??\u: (zhippatw.exe)
- File opened (read-only): \??\b: (zhippatw.exe)
- File opened (read-only): \??\l: (zhippatw.exe)
- File opened (read-only): \??\m: (zhippatw.exe)
- File opened (read-only): \??\o: (zhippatw.exe)
- File opened (read-only): \??\q: (zhippatw.exe)
- File opened (read-only): \??\u: (leyhdtuvsm.exe)
- File opened (read-only): \??\g: (zhippatw.exe)
- File opened (read-only): \??\o: (zhippatw.exe)
- File opened (read-only): \??\w: (leyhdtuvsm.exe)
- File opened (read-only): \??\r: (leyhdtuvsm.exe)
- File opened (read-only): \??\t: (leyhdtuvsm.exe)
- File opened (read-only): \??\a: (zhippatw.exe)
- File opened (read-only): \??\j: (zhippatw.exe)
- File opened (read-only): \??\b: (leyhdtuvsm.exe)
- File opened (read-only): \??\j: (leyhdtuvsm.exe)
- File opened (read-only): \??\j: (zhippatw.exe)
- File opened (read-only): \??\y: (zhippatw.exe)
- File opened (read-only): \??\e: (leyhdtuvsm.exe)
- File opened (read-only): \??\a: (zhippatw.exe)
- File opened (read-only): \??\v: (zhippatw.exe)
- File opened (read-only): \??\k: (leyhdtuvsm.exe)
- File opened (read-only): \??\p: (leyhdtuvsm.exe)
- File opened (read-only): \??\t: (zhippatw.exe)
- File opened (read-only): \??\y: (zhippatw.exe)
- File opened (read-only): \??\l: (leyhdtuvsm.exe)
- File opened (read-only): \??\h: (leyhdtuvsm.exe)
- File opened (read-only): \??\n: (zhippatw.exe)
- File opened (read-only): \??\s: (zhippatw.exe)
- File opened (read-only): \??\t: (zhippatw.exe)
- File opened (read-only): \??\a: (leyhdtuvsm.exe)
- File opened (read-only): \??\i: (zhippatw.exe)
- File opened (read-only): \??\w: (zhippatw.exe)
- File opened (read-only): \??\x: (zhippatw.exe)
- File opened (read-only): \??\g: (zhippatw.exe)
- File opened (read-only): \??\o: (leyhdtuvsm.exe)
- File opened (read-only): \??\s: (leyhdtuvsm.exe)
- File opened (read-only): \??\v: (zhippatw.exe)
- File opened (read-only): \??\i: (leyhdtuvsm.exe)
- File opened (read-only): \??\q: (zhippatw.exe)
- File opened (read-only): \??\e: (zhippatw.exe)
- File opened (read-only): \??\k: (zhippatw.exe)
- File opened (read-only): \??\p: (zhippatw.exe)
- File opened (read-only): \??\z: (zhippatw.exe)
- File opened (read-only): \??\y: (leyhdtuvsm.exe)
Modifies WinLogon (2 TTPs, 2 IoCs)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" (leyhdtuvsm.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" (leyhdtuvsm.exe)
AutoIT Executable (10 IoCs)
AutoIT scripts compiled to PE executables.
- behavioral2/memory/1116-0-0x0000000000400000-0x0000000000496000-memory.dmp (yara rule: autoit_exe)
- behavioral2/files/0x00080000000234d9-6.dat (yara rule: autoit_exe)
- behavioral2/files/0x0009000000023472-18.dat (yara rule: autoit_exe)
- behavioral2/files/0x00070000000234dd-26.dat (yara rule: autoit_exe)
- behavioral2/files/0x00070000000234de-32.dat (yara rule: autoit_exe)
- behavioral2/files/0x00070000000234eb-74.dat (yara rule: autoit_exe)
- behavioral2/files/0x00070000000234f5-78.dat (yara rule: autoit_exe)
- behavioral2/files/0x00070000000234f6-84.dat (yara rule: autoit_exe)
- behavioral2/files/0x00070000000234fc-106.dat (yara rule: autoit_exe)
- behavioral2/files/0x00070000000234fc-115.dat (yara rule: autoit_exe)
Drops file in System32 directory (12 IoCs)
- File opened for modification: C:\Windows\SysWOW64\msvbvm60.dll (leyhdtuvsm.exe)
- File created: \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (zhippatw.exe)
- File opened for modification: \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (zhippatw.exe)
- File opened for modification: C:\Windows\SysWOW64\leyhdtuvsm.exe (ed5be467fe9b39c8cfd60794a1803589_JaffaCakes118.exe)
- File created: C:\Windows\SysWOW64\sqsaiqbvjwlouty.exe (ed5be467fe9b39c8cfd60794a1803589_JaffaCakes118.exe)
- File created: C:\Windows\SysWOW64\zhippatw.exe (ed5be467fe9b39c8cfd60794a1803589_JaffaCakes118.exe)
- File created: C:\Windows\SysWOW64\pkxdcknujfjxi.exe (ed5be467fe9b39c8cfd60794a1803589_JaffaCakes118.exe)
- File opened for modification: \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (zhippatw.exe)
- File created: C:\Windows\SysWOW64\leyhdtuvsm.exe (ed5be467fe9b39c8cfd60794a1803589_JaffaCakes118.exe)
- File opened for modification: C:\Windows\SysWOW64\sqsaiqbvjwlouty.exe (ed5be467fe9b39c8cfd60794a1803589_JaffaCakes118.exe)
- File opened for modification: C:\Windows\SysWOW64\zhippatw.exe (ed5be467fe9b39c8cfd60794a1803589_JaffaCakes118.exe)
- File opened for modification: C:\Windows\SysWOW64\pkxdcknujfjxi.exe (ed5be467fe9b39c8cfd60794a1803589_JaffaCakes118.exe)
Drops file in Program Files directory (14 IoCs)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (zhippatw.exe)
- File created: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (zhippatw.exe)
- File opened for modification: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (zhippatw.exe)
- File created: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (zhippatw.exe)
- File opened for modification: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (zhippatw.exe)
- File opened for modification: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (zhippatw.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal (zhippatw.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal (zhippatw.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (zhippatw.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal (zhippatw.exe)
- File opened for modification: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (zhippatw.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal (zhippatw.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (zhippatw.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (zhippatw.exe)
Drops file in Windows directory (19 IoCs)
- File opened for modification: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (zhippatw.exe)
- File created: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (zhippatw.exe)
- File opened for modification: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (zhippatw.exe)
- File created: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (zhippatw.exe)
- File opened for modification: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (zhippatw.exe)
- File created: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (zhippatw.exe)
- File created: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (zhippatw.exe)
- File opened for modification: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (zhippatw.exe)
- File opened for modification: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (zhippatw.exe)
- File created: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (zhippatw.exe)
- File opened for modification: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (zhippatw.exe)
- File created: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (zhippatw.exe)
- File opened for modification: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (zhippatw.exe)
- File created: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (zhippatw.exe)
- File created: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (zhippatw.exe)
- File opened for modification: C:\Windows\mydoc.rtf (ed5be467fe9b39c8cfd60794a1803589_JaffaCakes118.exe)
- File opened for modification: C:\Windows\mydoc.rtf (WINWORD.EXE)
- File created: C:\Windows\~$mydoc.rtf (WINWORD.EXE)
- File opened for modification: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (zhippatw.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (ed5be467fe9b39c8cfd60794a1803589_JaffaCakes118.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (leyhdtuvsm.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (sqsaiqbvjwlouty.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (zhippatw.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (pkxdcknujfjxi.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (zhippatw.exe)
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)
Enumerates system info in registry (2 TTPs, 3 IoCs)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
Modifies registry class (20 IoCs)
- Key created: \REGISTRY\MACHINE\Software\Classes\CLV.Classes (ed5be467fe9b39c8cfd60794a1803589_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7806BB8FE6B22D0D27DD0A38B789110" (ed5be467fe9b39c8cfd60794a1803589_JaffaCakes118.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.bat (leyhdtuvsm.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" (leyhdtuvsm.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" (leyhdtuvsm.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8EFF8C4F28856E9142D72C7DE2BC93E141594167366236D79D" (ed5be467fe9b39c8cfd60794a1803589_JaffaCakes118.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf (leyhdtuvsm.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs (leyhdtuvsm.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings (ed5be467fe9b39c8cfd60794a1803589_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1948C67B1490DBC5B9BA7CE0EC9734C6" (ed5be467fe9b39c8cfd60794a1803589_JaffaCakes118.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh (leyhdtuvsm.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" (leyhdtuvsm.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.reg (leyhdtuvsm.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" (leyhdtuvsm.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "334F2C7D9D2083576A4177D477232DD87CF664AF" (ed5be467fe9b39c8cfd60794a1803589_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCDF9CCFE11F19883793A4086993E97B0FC038843640349E2CB459D09A3" (ed5be467fe9b39c8cfd60794a1803589_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EC1B15B47E738E252CEBAD333EAD4BE" (ed5be467fe9b39c8cfd60794a1803589_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" (leyhdtuvsm.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc (leyhdtuvsm.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" (leyhdtuvsm.exe)
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
- PID 4688: WINWORD.EXE (2 entries)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 1116: ed5be467fe9b39c8cfd60794a1803589_JaffaCakes118.exe (16 entries)
- PID 3012: leyhdtuvsm.exe (10 entries)
- PID 564: sqsaiqbvjwlouty.exe (10 entries)
- PID 3804: zhippatw.exe (8 entries)
- PID 2660: pkxdcknujfjxi.exe (12 entries)
- PID 1224: zhippatw.exe (8 entries)
Suspicious use of FindShellTrayWindow (18 IoCs)
- PID 1116: ed5be467fe9b39c8cfd60794a1803589_JaffaCakes118.exe (3 entries)
- PID 3012: leyhdtuvsm.exe (3 entries)
- PID 564: sqsaiqbvjwlouty.exe (3 entries)
- PID 2660: pkxdcknujfjxi.exe (3 entries)
- PID 3804: zhippatw.exe (3 entries)
- PID 1224: zhippatw.exe (3 entries)
Suspicious use of SendNotifyMessage (18 IoCs)
- PID 1116: ed5be467fe9b39c8cfd60794a1803589_JaffaCakes118.exe (3 entries)
- PID 3012: leyhdtuvsm.exe (3 entries)
- PID 564: sqsaiqbvjwlouty.exe (3 entries)
- PID 2660: pkxdcknujfjxi.exe (3 entries)
- PID 3804: zhippatw.exe (3 entries)
- PID 1224: zhippatw.exe (3 entries)
Suspicious use of SetWindowsHookEx (7 IoCs)
- PID 4688: WINWORD.EXE (7 entries)
Suspicious use of WriteProcessMemory (17 IoCs)
Columns: description, source PID, source Process, procid_target.
- PID 1116 wrote to memory of 3012: ed5be467fe9b39c8cfd60794a1803589_JaffaCakes118.exe, procid_target 81 (3 entries)
- PID 1116 wrote to memory of 564: ed5be467fe9b39c8cfd60794a1803589_JaffaCakes118.exe, procid_target 82 (3 entries)
- PID 1116 wrote to memory of 3804: ed5be467fe9b39c8cfd60794a1803589_JaffaCakes118.exe, procid_target 83 (3 entries)
- PID 1116 wrote to memory of 2660: ed5be467fe9b39c8cfd60794a1803589_JaffaCakes118.exe, procid_target 84 (3 entries)
- PID 3012 wrote to memory of 1224: leyhdtuvsm.exe, procid_target 85 (3 entries)
- PID 1116 wrote to memory of 4688: ed5be467fe9b39c8cfd60794a1803589_JaffaCakes118.exe, procid_target 86 (2 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\ed5be467fe9b39c8cfd60794a1803589_JaffaCakes118.exe (level 1, PID 1116)
Command line: "C:\Users\Admin\AppData\Local\Temp\ed5be467fe9b39c8cfd60794a1803589_JaffaCakes118.exe"
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\leyhdtuvsm.exe (level 2, PID 3012, parent PID 1116)
  Command line: leyhdtuvsm.exe
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\zhippatw.exe (level 3, PID 1224, parent PID 3012)
    Command line: C:\Windows\system32\zhippatw.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\sqsaiqbvjwlouty.exe (level 2, PID 564, parent PID 1116)
  Command line: sqsaiqbvjwlouty.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\zhippatw.exe (level 2, PID 3804, parent PID 1116)
  Command line: zhippatw.exe
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\pkxdcknujfjxi.exe (level 2, PID 2660, parent PID 1116)
  Command line: pkxdcknujfjxi.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (level 2, PID 4688, parent PID 1116)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
  - Drops file in Windows directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads