Analysis
max time kernel: 150s
max time network: 134s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/09/2024, 15:12
Static task: static1
Behavioral task: behavioral1
Sample: eddc7fb220618debbd834bcd8af3eb48_JaffaCakes118.exe
Resource: win7-20240903-en
General
Target: eddc7fb220618debbd834bcd8af3eb48_JaffaCakes118.exe
Size: 512KB
MD5: eddc7fb220618debbd834bcd8af3eb48
SHA1: eab8235d004f92cb6405e8176c27f8ca874dd484
SHA256: 672418c0e5acbfc1b2e0dd1afb1c98830df4536de7cb93a29fb5497397067ad4
SHA512: 8b9bae819d4a87ff9487011b6077b06424e7c4ffadfbb8d370a582b92c9cd85972caaaa4f9033ec31342c507aea249fc681e23da5da0a1e0d582b23d7f8929e0
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6C:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm55
Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
- Set value (int) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (phqsenogtq.exe)
Note: HideFileExt = 1 is the Windows default, so the value alone is a weak indicator; the signal is that a dropped binary writes it, which keeps the .DOC.exe files created below displayed as "PROTTPLN.DOC".
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
- Set value (int) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (phqsenogtq.exe)
Note: 0 is also the Windows default here; as with HideFileExt, the write by phqsenogtq.exe is what matters, not the resulting value.
Windows security bypass 5 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (phqsenogtq.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (phqsenogtq.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (phqsenogtq.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (phqsenogtq.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (phqsenogtq.exe)
Note: the writes land under WOW6432Node because phqsenogtq.exe is a 32-bit process (it lives in SysWOW64 and matches the AutoIt x86 rule below), so the registry redirector sends its HKLM\SOFTWARE writes there. These Security Center override/notify values are legacy settings from the XP/Vista-era Security Center; on Windows 10 they do not disable Defender or the firewall, but their presence is a reliable artifact of this family of droppers.
Disables RegEdit via registry modification 1 IoCs
- Set value (int) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (phqsenogtq.exe)
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence check.
- Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation (eddc7fb220618debbd834bcd8af3eb48_JaffaCakes118.exe)
Executes dropped EXE 5 IoCs
- PID 2336 phqsenogtq.exe
- PID 1516 lfmbecuidqrazxj.exe
- PID 2636 htfcvsvh.exe
- PID 2796 zfgpiaiverwth.exe
- PID 1800 htfcvsvh.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
(no IoCs listed)
Windows security modification 6 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (phqsenogtq.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (phqsenogtq.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (phqsenogtq.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" (phqsenogtq.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (phqsenogtq.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (phqsenogtq.exe)
Adds Run key to start application 2 TTPs 3 IoCs
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\zpgkazrn = "phqsenogtq.exe" (lfmbecuidqrazxj.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lforhten = "lfmbecuidqrazxj.exe" (lfmbecuidqrazxj.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "zfgpiaiverwth.exe" (lfmbecuidqrazxj.exe)
Note: the third entry is written to the Run key's unnamed (default) value, and all three hold bare file names with no path; they resolve because the binaries were dropped into C:\Windows\SysWOW64, which is on the default search path for 32-bit processes. Autoruns-style tooling that lists only named values can miss the default-value entry.
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
File opened (read-only), grouped by process (the table does not distinguish the two htfcvsvh.exe PIDs):
- phqsenogtq.exe (21 opens): \??\a: through \??\z: once each, excluding c:, d:, f:, m: and w:
- htfcvsvh.exe (43 opens): \??\a: through \??\z: excluding c:, d: and f:; b:, x: and z: once, every other letter twice
Modifies WinLogon 2 TTPs 2 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" (phqsenogtq.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" (phqsenogtq.exe)
Note: 4294967197 is the DWORD 0xFFFFFF9D, i.e. -99 as a signed 32-bit value, the legacy SFCDisable setting used to switch off Windows File Protection on Windows 2000/XP. Modern Windows ignores it, but tooling that reads the value as a signed integer will show -99, so match on either representation.
AutoIT Executable 10 IoCs
AutoIT scripts compiled to PE executables.
yara_rule autoit_exe matched on:
- behavioral2/memory/2044-0-0x0000000000400000-0x0000000000496000-memory.dmp
- behavioral2/files/0x00080000000234db-5.dat
- behavioral2/files/0x00070000000234df-28.dat
- behavioral2/files/0x00070000000234e0-32.dat
- behavioral2/files/0x000900000002346e-19.dat
- behavioral2/files/0x00080000000234b5-66.dat
- behavioral2/files/0x00070000000234ed-72.dat
- behavioral2/files/0x00070000000234f9-81.dat
- behavioral2/files/0x0007000000023503-102.dat
- behavioral2/files/0x0007000000023503-104.dat
Drops file in System32 directory 13 IoCs
- File created C:\Windows\SysWOW64\htfcvsvh.exe (eddc7fb220618debbd834bcd8af3eb48_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\htfcvsvh.exe (eddc7fb220618debbd834bcd8af3eb48_JaffaCakes118.exe)
- File created C:\Windows\SysWOW64\lfmbecuidqrazxj.exe (eddc7fb220618debbd834bcd8af3eb48_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\lfmbecuidqrazxj.exe (eddc7fb220618debbd834bcd8af3eb48_JaffaCakes118.exe)
- File created C:\Windows\SysWOW64\phqsenogtq.exe (eddc7fb220618debbd834bcd8af3eb48_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\phqsenogtq.exe (eddc7fb220618debbd834bcd8af3eb48_JaffaCakes118.exe)
- File created C:\Windows\SysWOW64\zfgpiaiverwth.exe (eddc7fb220618debbd834bcd8af3eb48_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\zfgpiaiverwth.exe (eddc7fb220618debbd834bcd8af3eb48_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\msvbvm60.dll (phqsenogtq.exe)
- File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe, 2 events (htfcvsvh.exe)
- File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe, 2 events (htfcvsvh.exe)
Drops file in Program Files directory 15 IoCs
All events by htfcvsvh.exe under C:\Program Files\Microsoft Office\root\Office16\1033\ (duplicates come from the two htfcvsvh.exe instances):
- File created \??\c:\...\PROTTPLN.DOC.exe, 2 events
- File opened for modification \??\c:\...\PROTTPLN.DOC.exe, 2 events
- File opened for modification C:\...\PROTTPLN.DOC.exe, 2 events
- File opened for modification C:\...\PROTTPLN.nal, 2 events
- File created \??\c:\...\PROTTPLV.DOC.exe, 1 event
- File opened for modification \??\c:\...\PROTTPLV.DOC.exe, 2 events
- File opened for modification C:\...\PROTTPLV.DOC.exe, 2 events
- File opened for modification C:\...\PROTTPLV.nal, 2 events
Pattern worth noting: for each Office template (PROTTPLN, PROTTPLV) a same-named .DOC.exe is created next to a .nal file that is written to, which combined with HideFileExt = 1 leaves a file displayed as "PROTTPLN.DOC" that is actually an executable.
Drops file in Windows directory 19 IoCs
MsoIrmProtector.doc.exe written by htfcvsvh.exe into four WinSxS component directories (each: File created, 2 events; File opened for modification, 2 events):
- \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe
- \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe
- \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe
- \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe
Decoy document:
- File opened for modification C:\Windows\mydoc.rtf (eddc7fb220618debbd834bcd8af3eb48_JaffaCakes118.exe)
- File opened for modification C:\Windows\mydoc.rtf (WINWORD.EXE)
- File created C:\Windows\~$mydoc.rtf (WINWORD.EXE)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
(no IoCs listed)
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by each of:
- eddc7fb220618debbd834bcd8af3eb48_JaffaCakes118.exe
- phqsenogtq.exe
- lfmbecuidqrazxj.exe
- htfcvsvh.exe
- zfgpiaiverwth.exe
- htfcvsvh.exe
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)

Enumerates system info in registry 2 TTPs 3 IoCs
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
Note: every hit in these two signatures comes from WINWORD.EXE, which the sample launched on the decoy C:\Windows\mydoc.rtf; treat them as normal Office start-up telemetry rather than anti-sandbox checks by the sample itself.
Modifies registry class 20 IoCs
Hex-string values written by the sample under a new CLV.Classes key:
- Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes (eddc7fb220618debbd834bcd8af3eb48_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32432C0B9D5782256A4276A570522CD97CF365D8"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AB9FAC9F960F1E083753B42819E3998B08B038A42110338E2C445E808A0"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC3B02E4793399A52C8B9D13393D7CE"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FFBFFF84827826A9131D75F7D9CBC92E137584566406243D79C"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E08068B5FE1A21AAD208D1A48B7B9164"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184CC60C15EDDBC0B8CC7FE0EDE234C7"
- Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings (eddc7fb220618debbd834bcd8af3eb48_JaffaCakes118.exe)
Script file associations re-pointed at the plain-text handler by phqsenogtq.exe (key created, then default value set):
- \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"
- \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"
- \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"
- \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile"
- \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile"
- \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile"
Note: with these associations a double-clicked .bat, .vbs or .reg opens in Notepad instead of running; together with DisableRegistryTools = 1 this blocks the usual hand cleanup routes (a .reg import or regedit). Run cleanup scripts explicitly via cmd.exe /c, cscript.exe or reg.exe import rather than by association.
Suspicious behavior: AddClipboardFormatListener 2 IoCs
- PID 3996 WINWORD.EXE, 2 events

Suspicious behavior: EnumeratesProcesses 64 IoCs
- PID 2044 eddc7fb220618debbd834bcd8af3eb48_JaffaCakes118.exe, 16 events
- PID 2336 phqsenogtq.exe, 10 events
- PID 2796 zfgpiaiverwth.exe, 12 events
- PID 1516 lfmbecuidqrazxj.exe, 10 events
- PID 2636 htfcvsvh.exe, 8 events
- PID 1800 htfcvsvh.exe, 8 events

Suspicious use of FindShellTrayWindow 18 IoCs
- 3 events each for PID 2044 eddc7fb220618debbd834bcd8af3eb48_JaffaCakes118.exe, 2336 phqsenogtq.exe, 1516 lfmbecuidqrazxj.exe, 2796 zfgpiaiverwth.exe, 2636 htfcvsvh.exe, 1800 htfcvsvh.exe

Suspicious use of SendNotifyMessage 18 IoCs
- 3 events each for PID 2044 eddc7fb220618debbd834bcd8af3eb48_JaffaCakes118.exe, 2336 phqsenogtq.exe, 1516 lfmbecuidqrazxj.exe, 2796 zfgpiaiverwth.exe, 2636 htfcvsvh.exe, 1800 htfcvsvh.exe

Suspicious use of SetWindowsHookEx 7 IoCs
- PID 3996 WINWORD.EXE, 7 events

Suspicious use of WriteProcessMemory 17 IoCs
- PID 2044 eddc7fb220618debbd834bcd8af3eb48_JaffaCakes118.exe wrote to memory of 2336 (target 82), 3 events
- PID 2044 eddc7fb220618debbd834bcd8af3eb48_JaffaCakes118.exe wrote to memory of 1516 (target 83), 3 events
- PID 2044 eddc7fb220618debbd834bcd8af3eb48_JaffaCakes118.exe wrote to memory of 2636 (target 84), 3 events
- PID 2044 eddc7fb220618debbd834bcd8af3eb48_JaffaCakes118.exe wrote to memory of 2796 (target 85), 3 events
- PID 2336 phqsenogtq.exe wrote to memory of 1800 (target 86), 3 events
- PID 2044 eddc7fb220618debbd834bcd8af3eb48_JaffaCakes118.exe wrote to memory of 3996 (target 87), 2 events
Note: every write target is a child the writing process itself spawned (compare the process tree below), so this is the parent-to-child memory setup that accompanies process creation, not injection into an unrelated process.
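The registry values, Run entries and dropped files above are all static, host-checkable artifacts. The following PowerShell script is an added example, not part of this sandbox report and not the sample's own code: it reads a suspect host for exactly those artifacts and prints what it finds. It assumes the per-infection file names seen in this run (phqsenogtq.exe, lfmbecuidqrazxj.exe, htfcvsvh.exe, zfgpiaiverwth.exe), checks the logged-on user's HKCU rather than the sandbox SID, and compares file hashes against the SHA-256 values listed for the 512KB files under Downloads plus the sample itself. It only reads; nothing is modified.

```powershell
# Added host-triage script for the artifacts in this report (not from the
# report or the sample). Run in an elevated 64-bit PowerShell. Read-only.
# Assumption: the dropped file names are the ones observed in this run.
$Dropped = 'phqsenogtq.exe', 'lfmbecuidqrazxj.exe', 'htfcvsvh.exe', 'zfgpiaiverwth.exe'

# SHA-256 of the submitted sample plus the nine 512KB files under Downloads.
$KnownSha256 = @(
    '672418c0e5acbfc1b2e0dd1afb1c98830df4536de7cb93a29fb5497397067ad4',
    'c0c6751948820870c0fce842d838997d39b7a4174a3e8b04f1e1a8d57ecb898d',
    'b51db37d5194b807368e5b9c8d4a9b72d748f593407373620c7de57f01794c4d',
    'cc4b403c5232e0d0da3aa8bd869fa40317859bf472cd2fc1cf9f784385a88ac5',
    '644ef79a1d358919ec12828512cdd8c2f73adab274cc7da98c80c8cd556b7060',
    '0b7e1dbad87068e9e7db45ba3474f92a896a6626af6d4ad976be14898cc8f41a',
    'd2791e62ca0ba05fe3a98f711960ff2fc2c0bd2bc0406ea224d78d93de790f26',
    '19fdf46cc0731258e11198570364842f091b2325156779d19f2a2df9a20ceb44',
    'b40e06dca67cd5708c8a6143705bdb2a682737fdfaf7b1886b1167f3239983aa',
    'e1251c2bed1875f7186967b610497926beb1384620b384c0e490095c9408315f'
)

# Registry values written by phqsenogtq.exe. Get-ItemProperty returns DWORDs as
# Int32, so the report's SFCDisable "4294967197" (0xFFFFFF9D) reads back as -99.
# Weak = the value is also the Windows default, so it only matters alongside others.
$RegChecks = [System.Collections.Generic.List[hashtable]]::new()
$RegChecks.Add(@{ Path='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name='HideFileExt';          Expect='1';   Weak=$true  })
$RegChecks.Add(@{ Path='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name='ShowSuperHidden';      Expect='0';   Weak=$true  })
$RegChecks.Add(@{ Path='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';   Name='DisableRegistryTools'; Expect='1';   Weak=$false })
$RegChecks.Add(@{ Path='HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name='SFCDisable'; Expect='-99'; Weak=$false })
$RegChecks.Add(@{ Path='HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name='SFCScan';    Expect='0';   Weak=$false })
foreach ($n in 'AntiVirusOverride','FirewallOverride','AntiVirusDisableNotify',
               'FirewallDisableNotify','UpdatesDisableNotify','FirstRunDisabled') {
    $RegChecks.Add(@{ Path='HKLM:\SOFTWARE\WOW6432Node\Microsoft\Security Center'; Name=$n; Expect='1'; Weak=$false })
}
foreach ($ext in '.bat','.reg','.vbs','.wsf','.wsc','.wsh') {
    # Script extensions re-pointed at the text handler: the key's default value becomes "txtfile".
    $RegChecks.Add(@{ Path="HKLM:\SOFTWARE\Classes\$ext"; Name='(default)'; Expect='txtfile'; Weak=$false })
}

function Invoke-ReportTriage {
    $findings = [System.Collections.Generic.List[string]]::new()

    foreach ($c in $RegChecks) {
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -ne $item -and "$($item.($c.Name))" -eq $c.Expect) {
            $tag = if ($c.Weak) { 'REG-weak' } else { 'REG' }
            $findings.Add("$tag $($c.Path)\$($c.Name) = $($c.Expect)")
        }
    }
    if (Test-Path 'HKLM:\SOFTWARE\Classes\CLV.Classes') {
        $findings.Add('REG HKLM:\SOFTWARE\Classes\CLV.Classes present (Com1..Com4 / StartCom1..2 values)')
    }

    # Run entries in both registry views whose data names a dropped executable.
    # Enumerating properties also catches the unnamed default value the report shows.
    foreach ($run in 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
                     'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
        $props = Get-ItemProperty -Path $run -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # PSPath, PSParentPath, PSProvider ...
            $data = ([string]$p.Value).Trim('"')
            foreach ($d in $Dropped) {
                if ($data -like "*$d") { $findings.Add("RUN $run\$($p.Name) = $data") }
            }
        }
    }

    # Dropped binaries, the decoy document and the SysWOW64 MSDRM copy, hashed against the report.
    $paths = @("$env:SystemRoot\mydoc.rtf", "$env:SystemRoot\SysWOW64\MSDRM\MsoIrmProtector.doc.exe")
    $paths += $Dropped | ForEach-Object { "$env:SystemRoot\SysWOW64\$_" }
    foreach ($f in $paths) {
        if (Test-Path -LiteralPath $f) {
            $h = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash.ToLower()
            $mark = if ($KnownSha256 -contains $h) { 'FILE-hashmatch' } else { 'FILE' }
            $findings.Add("$mark $f sha256=$h")
        }
    }

    # Office templates turned into .DOC.exe with a .nal file beside them (pattern from this report).
    $office = "${env:ProgramFiles}\Microsoft Office\root"
    if (Test-Path -LiteralPath $office) {
        Get-ChildItem -LiteralPath $office -Recurse -File -Include '*.DOC.exe','*.nal' -ErrorAction SilentlyContinue |
            ForEach-Object { $findings.Add("FILE $($_.FullName)") }
    }
    return $findings
}

Invoke-ReportTriage | ForEach-Object { Write-Output $_ }
```

Treat a clean run as "none of this run's artifacts present", not as "not infected": the dropped names and Run value names may be generated per infection, so on a different host pivot on the stable parts (the Security Center and Winlogon values under WOW6432Node, the txtfile associations, the CLV.Classes key, and .DOC.exe files under Program Files).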
Processes

C:\Users\Admin\AppData\Local\Temp\eddc7fb220618debbd834bcd8af3eb48_JaffaCakes118.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\eddc7fb220618debbd834bcd8af3eb48_JaffaCakes118.exe"
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 2044

C:\Windows\SysWOW64\phqsenogtq.exe (depth 2)
Command line: phqsenogtq.exe
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 2336

C:\Windows\SysWOW64\htfcvsvh.exe (depth 3)
Command line: C:\Windows\system32\htfcvsvh.exe
(the command line names system32, but the 32-bit parent's file-system view is redirected, so the SysWOW64 copy dropped by the sample is what runs)
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 1800

C:\Windows\SysWOW64\lfmbecuidqrazxj.exe (depth 2)
Command line: lfmbecuidqrazxj.exe
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 1516

C:\Windows\SysWOW64\htfcvsvh.exe (depth 2)
Command line: htfcvsvh.exe
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 2636

C:\Windows\SysWOW64\zfgpiaiverwth.exe (depth 2)
Command line: zfgpiaiverwth.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 2796

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (depth 2)
Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID: 3996

Network
(nothing listed)

MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (6)
Downloads

Filesize: 512KB
MD5: 0f2aaf9880a36bb623f6abd8723a6be4
SHA1: 64b57c8d07f36d695ec6a0ca6710880a0db3a066
SHA256: c0c6751948820870c0fce842d838997d39b7a4174a3e8b04f1e1a8d57ecb898d
SHA512: 614d315fae447885f6fc9b3cb8022872d2ed985d0cc77c5df1236c87172f432a3924e35be88706c4a30ef7868586dede8071e3bb77582990690b3ab96d804310

Filesize: 512KB
MD5: 19bba34ec9b2908c88b3f21c33351bbe
SHA1: d3f1f21bc0f4f9e3485df1f146ebadcb74a6aba1
SHA256: b51db37d5194b807368e5b9c8d4a9b72d748f593407373620c7de57f01794c4d
SHA512: 616c51616f63719ba09cc770c61e9dab0ab2451b0d83c70291d0d53428ff4bf257895175946d452569e877409af5b2ed8c19b0eb125fb64f9bc1dd239ba3a95e

Filesize: 262KB
MD5: 51d32ee5bc7ab811041f799652d26e04
SHA1: 412193006aa3ef19e0a57e16acf86b830993024a
SHA256: 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA512: 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Filesize: 400B
MD5: 21a647d24a148fe28beeee124b17af35
SHA1: 821b1501f7809ea7c9f8671f6c3bba37c4c1da07
SHA256: e89f7710fd7d5a112b2c0b7fa548843c9499a3c73af644ca69ac92bd5925ef74
SHA512: b3aa833432846f87b9c93448db7b484c96a9d8c81964bef33a0e0d43a0c5ce17614f9c6cfeffc8f68f99957dc4fc4d277c4253c93e86bd9d783b660c3f04abf7

Filesize: 16B
MD5: d29962abc88624befc0135579ae485ec
SHA1: e40a6458296ec6a2427bcb280572d023a9862b31
SHA256: a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866
SHA512: 4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 1KB
MD5: eb8aea72d51599eeb157572b4455bd27
SHA1: c6a093b88387d1a9512b2dcc20aab96bfa749cef
SHA256: 9037479815e1f479fcda36ba2d5444f22960c120c50b01b8dbaea08a60335cb7
SHA512: a83798ca09fc5dc9229492dcf2951f1e63284a7753db41b497e6400d920148e2f03de67d5bcc8af505e3785e8e4dc813a530bfbeac865064c3dde9f2045cab22

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 2KB
MD5: 7af95c7889eaf64d364870b2130567ca
SHA1: f0bb137e0a3efc9c4b3e13ef761547c9c55497ff
SHA256: 085e29253297f2745000175ce8864dea48c35d0b574a2013c15f65f653892dff
SHA512: 0a9a4a0d4ec525f703b3ef22781f5758310db8c48e21f36417b584389b60196d48feb542044880d4674c28d6aea342c26420362ff6b81af6817644559c68f2b0

Filesize: 512KB
MD5: d9648218f74ed86d4bbf421903225c6f
SHA1: 5ecb075907717892c2741b8da9c720f53ec61a6d
SHA256: cc4b403c5232e0d0da3aa8bd869fa40317859bf472cd2fc1cf9f784385a88ac5
SHA512: 976402b1b3318da0df2586c9b2a1cc721f14faf92e4e74e04c5e57a0c6dfe41cc7f38d42e7abec49c21e1ea76c3ee83a3527e73eb87caf0a820f97d830a872fa

Filesize: 512KB
MD5: c684bf9f5e066d8f56e6d03bb32ea697
SHA1: 6db5ec64ebf4b9f893b5c5611e66ae8fd2c765df
SHA256: 644ef79a1d358919ec12828512cdd8c2f73adab274cc7da98c80c8cd556b7060
SHA512: 2059ace4252ecdcadeae14d823fe0d84cbf2d662542ab50155c4523960edf7358f835e419f589f13c8970b2969537892914df2ee492da97f329bd28e6d538d7d

Filesize: 512KB
MD5: 6f3badbc5435011828c637a0101719bf
SHA1: 381f5620871924fafc053962c3c9f15025f21495
SHA256: 0b7e1dbad87068e9e7db45ba3474f92a896a6626af6d4ad976be14898cc8f41a
SHA512: 36ead3fe2db342fe20301c01a1e09692fbc6ed48e73397d36e98781c216bf332cc26bf85e7599ff2fbfd96b9301ee57d15efc0041170ad3e62cce3a9abbfc570

Filesize: 512KB
MD5: 021a9143df087de13a841831f1f5bb97
SHA1: ac984883f2881b79972e8e6f03c6a16cec5b8d8c
SHA256: d2791e62ca0ba05fe3a98f711960ff2fc2c0bd2bc0406ea224d78d93de790f26
SHA512: b4e6392253460b59dab18605cbad45e09cb9622899e5f5e9fc4336112c4734262e86ae8bc7edc9d6bab608c41c88411308288b364e6964019dc47657fccbed15

Filesize: 512KB
MD5: 9d20c09fdc07c96f692292391e73bf05
SHA1: 6d0fb00db979367b4a0e8b94064ba3815355e207
SHA256: 19fdf46cc0731258e11198570364842f091b2325156779d19f2a2df9a20ceb44
SHA512: d19e5fb239db20a07ddc425fa575fb519c7ccc91a9d7da2f670aa6896388853a8320b85a541c2e791e79006e8a464b2f0c0a1a809131c3e7ec2c82262b988ffa

Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Filesize: 512KB
MD5: 07f5f90eb596997f285d3fe2a7d9f93f
SHA1: 815c468410e7baf786ed0126faff314d1e538bb9
SHA256: b40e06dca67cd5708c8a6143705bdb2a682737fdfaf7b1886b1167f3239983aa
SHA512: 10bffcbf258e09f2edb85e9e5cd199f3aae92abad9f0a71dc2082be67e92c267c66e789a1bb88f8651f1333ad604c1dcdedaa7dc2e6f222aa388b168517ee366

Filesize: 512KB
MD5: 6e0574b94d953285984fd66e58bf2e30
SHA1: b72f9a60be81801ab9e5aa7320983a3381d80eb0
SHA256: e1251c2bed1875f7186967b610497926beb1384620b384c0e490095c9408315f
SHA512: 047ad4519a12b3880dc635dad5c2a1acbc00bd0a674cb469e89fa27fe42b64ab115e67a994b6e0d872ce55fc7dce94a2c967ca10927f75f18b507159ead41757