Analysis
max time kernel: 150s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 20-09-2024 20:29
Static task: static1
Behavioral task: behavioral1
Sample: ee5e6fea32f00c231e2ceb684d8c1585_JaffaCakes118.exe
Resource: win7-20240903-en
General
Target: ee5e6fea32f00c231e2ceb684d8c1585_JaffaCakes118.exe
Size: 512KB
MD5: ee5e6fea32f00c231e2ceb684d8c1585
SHA1: 2334a9434d70723574a57d77f76974cb1b7fe70b
SHA256: e0b1f76c0c8328ca4b4eb476b18f95359e63165495987a3158865f8955f73518
SHA512: 5febd2abff8c88da07e2e8365fe0d31be65c9ee7147c474261108a67c04632f95760e70cf178cfec1daabab2fde10b1d439bc0e02abc074c4780bb4529774e11
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6A:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5h
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | ixfhanfbln.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | ixfhanfbln.exe
Windows security bypass 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | ixfhanfbln.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | ixfhanfbln.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | ixfhanfbln.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | ixfhanfbln.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | ixfhanfbln.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | ixfhanfbln.exe
Executes dropped EXE 5 IoCs
pid | Process
2916 | ixfhanfbln.exe
2824 | jhykesxeidjirft.exe
2352 | bpzrziyw.exe
2680 | xgbtqgrethikd.exe
2560 | bpzrziyw.exe
Loads dropped DLL 5 IoCs
pid | Process
2652 | ee5e6fea32f00c231e2ceb684d8c1585_JaffaCakes118.exe
2916 | ixfhanfbln.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | ixfhanfbln.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | ixfhanfbln.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | ixfhanfbln.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | ixfhanfbln.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | ixfhanfbln.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | ixfhanfbln.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\daatrqgq = "ixfhanfbln.exe" | jhykesxeidjirft.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\febiectl = "jhykesxeidjirft.exe" | jhykesxeidjirft.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "xgbtqgrethikd.exe" | jhykesxeidjirft.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | ixfhanfbln.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | ixfhanfbln.exe
AutoIT Executable 7 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/memory/2652-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral1/files/0x0008000000016d15-5.dat | autoit_exe
behavioral1/files/0x0063000000011c27-17.dat | autoit_exe
behavioral1/files/0x0008000000016d1f-27.dat | autoit_exe
behavioral1/files/0x0008000000016d30-38.dat | autoit_exe
behavioral1/files/0x0032000000016cf6-59.dat | autoit_exe
behavioral1/files/0x0007000000016da6-65.dat | autoit_exe
Drops file in System32 directory 9 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\xgbtqgrethikd.exe | ee5e6fea32f00c231e2ceb684d8c1585_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\bpzrziyw.exe | ee5e6fea32f00c231e2ceb684d8c1585_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\ixfhanfbln.exe | ee5e6fea32f00c231e2ceb684d8c1585_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\jhykesxeidjirft.exe | ee5e6fea32f00c231e2ceb684d8c1585_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\jhykesxeidjirft.exe | ee5e6fea32f00c231e2ceb684d8c1585_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\bpzrziyw.exe | ee5e6fea32f00c231e2ceb684d8c1585_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\xgbtqgrethikd.exe | ee5e6fea32f00c231e2ceb684d8c1585_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | ixfhanfbln.exe
File created | C:\Windows\SysWOW64\ixfhanfbln.exe | ee5e6fea32f00c231e2ceb684d8c1585_JaffaCakes118.exe
Drops file in Program Files directory 14 IoCs
description | ioc | Process
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | bpzrziyw.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | bpzrziyw.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | bpzrziyw.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | bpzrziyw.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | bpzrziyw.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | bpzrziyw.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | bpzrziyw.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | bpzrziyw.exe
Drops file in Windows directory 5 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
File opened for modification | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | C:\Windows\mydoc.rtf | ee5e6fea32f00c231e2ceb684d8c1585_JaffaCakes118.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | jhykesxeidjirft.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bpzrziyw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xgbtqgrethikd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ee5e6fea32f00c231e2ceb684d8c1585_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ixfhanfbln.exe
Office loads VBA resources, possible macro or embedded object present
Modifies registry class 19 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | ixfhanfbln.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | ixfhanfbln.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | ixfhanfbln.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | ixfhanfbln.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | ixfhanfbln.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F56BB4FE1C22DCD172D1D68A7E906B" | ee5e6fea32f00c231e2ceb684d8c1585_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABFFABCFE64F19283753A4281EC3994B0FD02F04362034BE2CC42E609D5" | ee5e6fea32f00c231e2ceb684d8c1585_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | ixfhanfbln.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | ixfhanfbln.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | ee5e6fea32f00c231e2ceb684d8c1585_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "183DC67415E0DAB2B8C17CE7ECE534BE" | ee5e6fea32f00c231e2ceb684d8c1585_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | ixfhanfbln.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | ixfhanfbln.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FF9FFFB485D826E9040D7207E97BD93E6365930674E6335D790" | ee5e6fea32f00c231e2ceb684d8c1585_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB2B02A44E4389952C4BAA2339CD4BE" | ee5e6fea32f00c231e2ceb684d8c1585_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | ixfhanfbln.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | ixfhanfbln.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | ixfhanfbln.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33352D0B9C5683576A4676A570202CDC7D8264D7" | ee5e6fea32f00c231e2ceb684d8c1585_JaffaCakes118.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
3004 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2652 | ee5e6fea32f00c231e2ceb684d8c1585_JaffaCakes118.exe
2916 | ixfhanfbln.exe
2824 | jhykesxeidjirft.exe
2352 | bpzrziyw.exe
2680 | xgbtqgrethikd.exe
2560 | bpzrziyw.exe
Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process
2652 | ee5e6fea32f00c231e2ceb684d8c1585_JaffaCakes118.exe
2916 | ixfhanfbln.exe
2824 | jhykesxeidjirft.exe
2680 | xgbtqgrethikd.exe
2352 | bpzrziyw.exe
2560 | bpzrziyw.exe
Suspicious use of SendNotifyMessage 18 IoCs
pid | Process
2652 | ee5e6fea32f00c231e2ceb684d8c1585_JaffaCakes118.exe
2916 | ixfhanfbln.exe
2824 | jhykesxeidjirft.exe
2680 | xgbtqgrethikd.exe
2352 | bpzrziyw.exe
2560 | bpzrziyw.exe
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
3004 | WINWORD.EXE
Suspicious use of WriteProcessMemory 28 IoCs
description | pid | Process | procid_target
PID 2652 wrote to memory of 2916 | 2652 | ee5e6fea32f00c231e2ceb684d8c1585_JaffaCakes118.exe | 30
PID 2652 wrote to memory of 2824 | 2652 | ee5e6fea32f00c231e2ceb684d8c1585_JaffaCakes118.exe | 31
PID 2652 wrote to memory of 2352 | 2652 | ee5e6fea32f00c231e2ceb684d8c1585_JaffaCakes118.exe | 32
PID 2652 wrote to memory of 2680 | 2652 | ee5e6fea32f00c231e2ceb684d8c1585_JaffaCakes118.exe | 33
PID 2916 wrote to memory of 2560 | 2916 | ixfhanfbln.exe | 34
PID 2652 wrote to memory of 3004 | 2652 | ee5e6fea32f00c231e2ceb684d8c1585_JaffaCakes118.exe | 35
PID 3004 wrote to memory of 1656 | 3004 | WINWORD.EXE | 37
Processes
C:\Users\Admin\AppData\Local\Temp\ee5e6fea32f00c231e2ceb684d8c1585_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ee5e6fea32f00c231e2ceb684d8c1585_JaffaCakes118.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 2652
    C:\Windows\SysWOW64\ixfhanfbln.exe
      Command line: ixfhanfbln.exe
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Windows security bypass
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Loads dropped DLL
      - Windows security modification
      - Enumerates connected drives
      - Modifies WinLogon
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      PID: 2916
        C:\Windows\SysWOW64\bpzrziyw.exe
          Command line: C:\Windows\system32\bpzrziyw.exe
          - Executes dropped EXE
          - Enumerates connected drives
          - Drops file in Program Files directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          PID: 2560
    C:\Windows\SysWOW64\jhykesxeidjirft.exe
      Command line: jhykesxeidjirft.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      PID: 2824
    C:\Windows\SysWOW64\bpzrziyw.exe
      Command line: bpzrziyw.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      PID: 2352
    C:\Windows\SysWOW64\xgbtqgrethikd.exe
      Command line: xgbtqgrethikd.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      PID: 2680
    C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 3004
        C:\Windows\splwow64.exe
          Command line: C:\Windows\splwow64.exe 12288
          PID: 1656
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (6)
Downloads