Analysis
max time kernel: 149s
max time network: 126s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
submitted: 21-09-2024 00:52
Static task: static1
Behavioral task: behavioral1
Sample: eec30249636d1d381a4e8d8be3cbb0bf_JaffaCakes118.exe
Resource: win7-20240903-en
General
Target: eec30249636d1d381a4e8d8be3cbb0bf_JaffaCakes118.exe
Size: 512KB
MD5: eec30249636d1d381a4e8d8be3cbb0bf
SHA1: 45eaefc277c8c6b980744dd22b6d01723641df43
SHA256: 5b9a4f433a71634b0d206139a6a86c15765a9300d6718700a27ad8667c660bfd
SHA512: 7fddc9f387a1758fe68e7eb1dd723e57b8b12058762bbdd1556705fbbe40315ca91d757ab46607a86889df0a5053b988278a9ad55d082619c1f0e408c25b3143
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6l:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5K
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | ngxtgqyxru.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | ngxtgqyxru.exe
Windows security bypass 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | ngxtgqyxru.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | ngxtgqyxru.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | ngxtgqyxru.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | ngxtgqyxru.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | ngxtgqyxru.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | ngxtgqyxru.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | eec30249636d1d381a4e8d8be3cbb0bf_JaffaCakes118.exe
Executes dropped EXE 5 IoCs
pid | Process
392 | ngxtgqyxru.exe
2456 | owognpzqbfgkuqr.exe
1572 | oorecyxe.exe
4944 | dhfpgrnbprdoy.exe
4516 | oorecyxe.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | ngxtgqyxru.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | ngxtgqyxru.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | ngxtgqyxru.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | ngxtgqyxru.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | ngxtgqyxru.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | ngxtgqyxru.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gozjlvqa = "owognpzqbfgkuqr.exe" | owognpzqbfgkuqr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "dhfpgrnbprdoy.exe" | owognpzqbfgkuqr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\casvineb = "ngxtgqyxru.exe" | owognpzqbfgkuqr.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\h: | ngxtgqyxru.exe
File opened (read-only) | \??\m: | ngxtgqyxru.exe
File opened (read-only) | \??\e: | oorecyxe.exe
File opened (read-only) | \??\w: | oorecyxe.exe
File opened (read-only) | \??\x: | oorecyxe.exe
File opened (read-only) | \??\a: | oorecyxe.exe
File opened (read-only) | \??\i: | oorecyxe.exe
File opened (read-only) | \??\a: | oorecyxe.exe
File opened (read-only) | \??\i: | oorecyxe.exe
File opened (read-only) | \??\z: | oorecyxe.exe
File opened (read-only) | \??\k: | oorecyxe.exe
File opened (read-only) | \??\y: | oorecyxe.exe
File opened (read-only) | \??\x: | ngxtgqyxru.exe
File opened (read-only) | \??\l: | oorecyxe.exe
File opened (read-only) | \??\j: | oorecyxe.exe
File opened (read-only) | \??\t: | ngxtgqyxru.exe
File opened (read-only) | \??\b: | ngxtgqyxru.exe
File opened (read-only) | \??\w: | ngxtgqyxru.exe
File opened (read-only) | \??\b: | oorecyxe.exe
File opened (read-only) | \??\r: | oorecyxe.exe
File opened (read-only) | \??\s: | oorecyxe.exe
File opened (read-only) | \??\n: | ngxtgqyxru.exe
File opened (read-only) | \??\p: | oorecyxe.exe
File opened (read-only) | \??\p: | oorecyxe.exe
File opened (read-only) | \??\q: | oorecyxe.exe
File opened (read-only) | \??\o: | ngxtgqyxru.exe
File opened (read-only) | \??\p: | ngxtgqyxru.exe
File opened (read-only) | \??\g: | oorecyxe.exe
File opened (read-only) | \??\j: | oorecyxe.exe
File opened (read-only) | \??\e: | oorecyxe.exe
File opened (read-only) | \??\o: | oorecyxe.exe
File opened (read-only) | \??\l: | ngxtgqyxru.exe
File opened (read-only) | \??\v: | oorecyxe.exe
File opened (read-only) | \??\y: | oorecyxe.exe
File opened (read-only) | \??\t: | oorecyxe.exe
File opened (read-only) | \??\z: | oorecyxe.exe
File opened (read-only) | \??\x: | oorecyxe.exe
File opened (read-only) | \??\y: | ngxtgqyxru.exe
File opened (read-only) | \??\m: | oorecyxe.exe
File opened (read-only) | \??\q: | oorecyxe.exe
File opened (read-only) | \??\r: | oorecyxe.exe
File opened (read-only) | \??\s: | oorecyxe.exe
File opened (read-only) | \??\l: | oorecyxe.exe
File opened (read-only) | \??\m: | oorecyxe.exe
File opened (read-only) | \??\o: | oorecyxe.exe
File opened (read-only) | \??\u: | oorecyxe.exe
File opened (read-only) | \??\n: | oorecyxe.exe
File opened (read-only) | \??\z: | ngxtgqyxru.exe
File opened (read-only) | \??\s: | ngxtgqyxru.exe
File opened (read-only) | \??\i: | ngxtgqyxru.exe
File opened (read-only) | \??\k: | ngxtgqyxru.exe
File opened (read-only) | \??\t: | oorecyxe.exe
File opened (read-only) | \??\h: | oorecyxe.exe
File opened (read-only) | \??\u: | oorecyxe.exe
File opened (read-only) | \??\e: | ngxtgqyxru.exe
File opened (read-only) | \??\n: | oorecyxe.exe
File opened (read-only) | \??\a: | ngxtgqyxru.exe
File opened (read-only) | \??\j: | ngxtgqyxru.exe
File opened (read-only) | \??\q: | ngxtgqyxru.exe
File opened (read-only) | \??\h: | oorecyxe.exe
File opened (read-only) | \??\b: | oorecyxe.exe
File opened (read-only) | \??\v: | oorecyxe.exe
File opened (read-only) | \??\k: | oorecyxe.exe
File opened (read-only) | \??\g: | ngxtgqyxru.exe
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | ngxtgqyxru.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | ngxtgqyxru.exe
AutoIT Executable 8 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/3352-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x000800000002346b-5.dat | autoit_exe
behavioral2/files/0x0009000000023411-18.dat | autoit_exe
behavioral2/files/0x000700000002346f-24.dat | autoit_exe
behavioral2/files/0x0007000000023470-32.dat | autoit_exe
behavioral2/files/0x0008000000023458-63.dat | autoit_exe
behavioral2/files/0x0007000000023493-100.dat | autoit_exe
behavioral2/files/0x0007000000023493-102.dat | autoit_exe
Drops file in System32 directory 12 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\ngxtgqyxru.exe | eec30249636d1d381a4e8d8be3cbb0bf_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | ngxtgqyxru.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | oorecyxe.exe
File opened for modification | C:\Windows\SysWOW64\oorecyxe.exe | eec30249636d1d381a4e8d8be3cbb0bf_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\dhfpgrnbprdoy.exe | eec30249636d1d381a4e8d8be3cbb0bf_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\dhfpgrnbprdoy.exe | eec30249636d1d381a4e8d8be3cbb0bf_JaffaCakes118.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | oorecyxe.exe
File created | C:\Windows\SysWOW64\ngxtgqyxru.exe | eec30249636d1d381a4e8d8be3cbb0bf_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\owognpzqbfgkuqr.exe | eec30249636d1d381a4e8d8be3cbb0bf_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\owognpzqbfgkuqr.exe | eec30249636d1d381a4e8d8be3cbb0bf_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\oorecyxe.exe | eec30249636d1d381a4e8d8be3cbb0bf_JaffaCakes118.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | oorecyxe.exe
Drops file in Program Files directory 16 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | oorecyxe.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | oorecyxe.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | oorecyxe.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | oorecyxe.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | oorecyxe.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | oorecyxe.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | oorecyxe.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | oorecyxe.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | oorecyxe.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | oorecyxe.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | oorecyxe.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | oorecyxe.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | oorecyxe.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | oorecyxe.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | oorecyxe.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | oorecyxe.exe
Drops file in Windows directory 19 IoCs
description | ioc | Process
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | oorecyxe.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | oorecyxe.exe
File opened for modification | C:\Windows\mydoc.rtf | eec30249636d1d381a4e8d8be3cbb0bf_JaffaCakes118.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | oorecyxe.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | oorecyxe.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | oorecyxe.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | oorecyxe.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | oorecyxe.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | oorecyxe.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | oorecyxe.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | oorecyxe.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | oorecyxe.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | oorecyxe.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | oorecyxe.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | oorecyxe.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | oorecyxe.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | oorecyxe.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ngxtgqyxru.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | owognpzqbfgkuqr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | oorecyxe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dhfpgrnbprdoy.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | oorecyxe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | eec30249636d1d381a4e8d8be3cbb0bf_JaffaCakes118.exe
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class 20 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | ngxtgqyxru.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | ngxtgqyxru.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC4B15A4497399853CDB9A2339DD7B8" | eec30249636d1d381a4e8d8be3cbb0bf_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF5FF8F4826826A9146D65A7DE2BDEFE632584567436331D69D" | eec30249636d1d381a4e8d8be3cbb0bf_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | ngxtgqyxru.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | ngxtgqyxru.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | ngxtgqyxru.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | ngxtgqyxru.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | ngxtgqyxru.exe
Key created | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings | eec30249636d1d381a4e8d8be3cbb0bf_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | ngxtgqyxru.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F26BB4FF6722DED279D0A08A7C9113" | eec30249636d1d381a4e8d8be3cbb0bf_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | ngxtgqyxru.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | ngxtgqyxru.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | ngxtgqyxru.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | eec30249636d1d381a4e8d8be3cbb0bf_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABAF9CAF962F1E7837E3A4181EA3E90B08D028B43160332E2CB459A09A8" | eec30249636d1d381a4e8d8be3cbb0bf_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | ngxtgqyxru.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33342C7F9D2182206A4477D1772F2DD67CF565DC" | eec30249636d1d381a4e8d8be3cbb0bf_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "183EC67E1491DAB1B8C87FE2EC9F34C8" | eec30249636d1d381a4e8d8be3cbb0bf_JaffaCakes118.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
4756 | WINWORD.EXE
4756 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
3352 | eec30249636d1d381a4e8d8be3cbb0bf_JaffaCakes118.exe
3352 | eec30249636d1d381a4e8d8be3cbb0bf_JaffaCakes118.exe
3352 | eec30249636d1d381a4e8d8be3cbb0bf_JaffaCakes118.exe
3352 | eec30249636d1d381a4e8d8be3cbb0bf_JaffaCakes118.exe
3352 | eec30249636d1d381a4e8d8be3cbb0bf_JaffaCakes118.exe
3352 | eec30249636d1d381a4e8d8be3cbb0bf_JaffaCakes118.exe
3352 | eec30249636d1d381a4e8d8be3cbb0bf_JaffaCakes118.exe
3352 | eec30249636d1d381a4e8d8be3cbb0bf_JaffaCakes118.exe
3352 | eec30249636d1d381a4e8d8be3cbb0bf_JaffaCakes118.exe
3352 | eec30249636d1d381a4e8d8be3cbb0bf_JaffaCakes118.exe
3352 | eec30249636d1d381a4e8d8be3cbb0bf_JaffaCakes118.exe
3352 | eec30249636d1d381a4e8d8be3cbb0bf_JaffaCakes118.exe
3352 | eec30249636d1d381a4e8d8be3cbb0bf_JaffaCakes118.exe
3352 | eec30249636d1d381a4e8d8be3cbb0bf_JaffaCakes118.exe
3352 | eec30249636d1d381a4e8d8be3cbb0bf_JaffaCakes118.exe
3352 | eec30249636d1d381a4e8d8be3cbb0bf_JaffaCakes118.exe
392 | ngxtgqyxru.exe
392 | ngxtgqyxru.exe
392 | ngxtgqyxru.exe
392 | ngxtgqyxru.exe
392 | ngxtgqyxru.exe
392 | ngxtgqyxru.exe
392 | ngxtgqyxru.exe
392 | ngxtgqyxru.exe
392 | ngxtgqyxru.exe
392 | ngxtgqyxru.exe
2456 | owognpzqbfgkuqr.exe
2456 | owognpzqbfgkuqr.exe
2456 | owognpzqbfgkuqr.exe
2456 | owognpzqbfgkuqr.exe
2456 | owognpzqbfgkuqr.exe
2456 | owognpzqbfgkuqr.exe
2456 | owognpzqbfgkuqr.exe
2456 | owognpzqbfgkuqr.exe
1572 | oorecyxe.exe
1572 | oorecyxe.exe
1572 | oorecyxe.exe
1572 | oorecyxe.exe
1572 | oorecyxe.exe
1572 | oorecyxe.exe
1572 | oorecyxe.exe
1572 | oorecyxe.exe
4944 | dhfpgrnbprdoy.exe
4944 | dhfpgrnbprdoy.exe
4944 | dhfpgrnbprdoy.exe
4944 | dhfpgrnbprdoy.exe
4944 | dhfpgrnbprdoy.exe
4944 | dhfpgrnbprdoy.exe
4944 | dhfpgrnbprdoy.exe
4944 | dhfpgrnbprdoy.exe
4944 | dhfpgrnbprdoy.exe
4944 | dhfpgrnbprdoy.exe
4944 | dhfpgrnbprdoy.exe
4944 | dhfpgrnbprdoy.exe
2456 | owognpzqbfgkuqr.exe
2456 | owognpzqbfgkuqr.exe
2456 | owognpzqbfgkuqr.exe
2456 | owognpzqbfgkuqr.exe
4944 | dhfpgrnbprdoy.exe
4944 | dhfpgrnbprdoy.exe
4944 | dhfpgrnbprdoy.exe
4944 | dhfpgrnbprdoy.exe
4516 | oorecyxe.exe
4516 | oorecyxe.exe
Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process
3352 | eec30249636d1d381a4e8d8be3cbb0bf_JaffaCakes118.exe
3352 | eec30249636d1d381a4e8d8be3cbb0bf_JaffaCakes118.exe
3352 | eec30249636d1d381a4e8d8be3cbb0bf_JaffaCakes118.exe
392 | ngxtgqyxru.exe
392 | ngxtgqyxru.exe
392 | ngxtgqyxru.exe
2456 | owognpzqbfgkuqr.exe
2456 | owognpzqbfgkuqr.exe
2456 | owognpzqbfgkuqr.exe
1572 | oorecyxe.exe
4944 | dhfpgrnbprdoy.exe
1572 | oorecyxe.exe
4944 | dhfpgrnbprdoy.exe
1572 | oorecyxe.exe
4944 | dhfpgrnbprdoy.exe
4516 | oorecyxe.exe
4516 | oorecyxe.exe
4516 | oorecyxe.exe
Suspicious use of SendNotifyMessage 18 IoCs
pid | Process
3352 | eec30249636d1d381a4e8d8be3cbb0bf_JaffaCakes118.exe
3352 | eec30249636d1d381a4e8d8be3cbb0bf_JaffaCakes118.exe
3352 | eec30249636d1d381a4e8d8be3cbb0bf_JaffaCakes118.exe
392 | ngxtgqyxru.exe
392 | ngxtgqyxru.exe
392 | ngxtgqyxru.exe
2456 | owognpzqbfgkuqr.exe
2456 | owognpzqbfgkuqr.exe
2456 | owognpzqbfgkuqr.exe
1572 | oorecyxe.exe
4944 | dhfpgrnbprdoy.exe
1572 | oorecyxe.exe
4944 | dhfpgrnbprdoy.exe
1572 | oorecyxe.exe
4944 | dhfpgrnbprdoy.exe
4516 | oorecyxe.exe
4516 | oorecyxe.exe
4516 | oorecyxe.exe
Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process
4756 | WINWORD.EXE
4756 | WINWORD.EXE
4756 | WINWORD.EXE
4756 | WINWORD.EXE
4756 | WINWORD.EXE
4756 | WINWORD.EXE
4756 | WINWORD.EXE
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 3352 wrote to memory of 392 | 3352 | eec30249636d1d381a4e8d8be3cbb0bf_JaffaCakes118.exe | 82
PID 3352 wrote to memory of 392 | 3352 | eec30249636d1d381a4e8d8be3cbb0bf_JaffaCakes118.exe | 82
PID 3352 wrote to memory of 392 | 3352 | eec30249636d1d381a4e8d8be3cbb0bf_JaffaCakes118.exe | 82
PID 3352 wrote to memory of 2456 | 3352 | eec30249636d1d381a4e8d8be3cbb0bf_JaffaCakes118.exe | 83
PID 3352 wrote to memory of 2456 | 3352 | eec30249636d1d381a4e8d8be3cbb0bf_JaffaCakes118.exe | 83
PID 3352 wrote to memory of 2456 | 3352 | eec30249636d1d381a4e8d8be3cbb0bf_JaffaCakes118.exe | 83
PID 3352 wrote to memory of 1572 | 3352 | eec30249636d1d381a4e8d8be3cbb0bf_JaffaCakes118.exe | 84
PID 3352 wrote to memory of 1572 | 3352 | eec30249636d1d381a4e8d8be3cbb0bf_JaffaCakes118.exe | 84
PID 3352 wrote to memory of 1572 | 3352 | eec30249636d1d381a4e8d8be3cbb0bf_JaffaCakes118.exe | 84
PID 3352 wrote to memory of 4944 | 3352 | eec30249636d1d381a4e8d8be3cbb0bf_JaffaCakes118.exe | 85
PID 3352 wrote to memory of 4944 | 3352 | eec30249636d1d381a4e8d8be3cbb0bf_JaffaCakes118.exe | 85
PID 3352 wrote to memory of 4944 | 3352 | eec30249636d1d381a4e8d8be3cbb0bf_JaffaCakes118.exe | 85
PID 3352 wrote to memory of 4756 | 3352 | eec30249636d1d381a4e8d8be3cbb0bf_JaffaCakes118.exe | 86
PID 3352 wrote to memory of 4756 | 3352 | eec30249636d1d381a4e8d8be3cbb0bf_JaffaCakes118.exe | 86
PID 392 wrote to memory of 4516 | 392 | ngxtgqyxru.exe | 88
PID 392 wrote to memory of 4516 | 392 | ngxtgqyxru.exe | 88
PID 392 wrote to memory of 4516 | 392 | ngxtgqyxru.exe | 88
Processes

C:\Users\Admin\AppData\Local\Temp\eec30249636d1d381a4e8d8be3cbb0bf_JaffaCakes118.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\eec30249636d1d381a4e8d8be3cbb0bf_JaffaCakes118.exe"
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 3352

  C:\Windows\SysWOW64\ngxtgqyxru.exe (depth 2)
  Command line: ngxtgqyxru.exe
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 392

    C:\Windows\SysWOW64\oorecyxe.exe (depth 3)
    Command line: C:\Windows\system32\oorecyxe.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 4516

  C:\Windows\SysWOW64\owognpzqbfgkuqr.exe (depth 2)
  Command line: owognpzqbfgkuqr.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 2456

  C:\Windows\SysWOW64\oorecyxe.exe (depth 2)
  Command line: oorecyxe.exe
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 1572

  C:\Windows\SysWOW64\dhfpgrnbprdoy.exe (depth 2)
  Command line: dhfpgrnbprdoy.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 4944

  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (depth 2)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
  - Drops file in Windows directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID: 4756
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)

Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)

Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads

Filesize: 512KB
MD5: 6759330e534aa306f8ef0af87a828260
SHA1: db8a51772b492b5a1a9aa2f949082e363f1e39bc
SHA256: 7021b4d78ce4f33c022fbd5058e4069f91104932b19812708d0cc0ad728b24da
SHA512: a9b2dd351eaf908158b9a45dec045be12e8dce4314b4d093e2d2051c4aee765ce4513dac2b1de48bfabc8b79563619203dc41f56f28b3e1c67bc0591d30b33e5

Filesize: 245KB
MD5: f883b260a8d67082ea895c14bf56dd56
SHA1: 7954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256: ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512: d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Filesize: 329B
MD5: 4c4fe60cb4a3bd9d94e3da49ec84c73c
SHA1: 1bf354daf9018129e603b7f3b5296171cb67b736
SHA256: fa08f45311f8f5091d09555feb918ed5f3dfea494525e855a666c03850cc0845
SHA512: 7307598e1d7d6301b0161e0f6b70361061086fe34cc8020d54cc42c44f7abde1bded5db3ddacd54f68237088cbe57fc67ea280fc903d9054df348359a358b7d0

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 1KB
MD5: ee18d59db14c2a3dcdd13efc4ca63d27
SHA1: 024b2f27d871da46917df8dc6bd502d18a01dac2
SHA256: 8b98ea06bedae2c5de3ebecabfe8e95d1ece2c302ab80ce371868574f9b848a8
SHA512: 0ba7a688e208279eee2cadac286ed1ff48fcdd15ba9034a348b6d74731280ed41ddb63f184e99d4f3a847b5736c17a53cbc24129c78276265214a81144ca66b2

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 1KB
MD5: c5e808ee007aec9792a6070b3052f0d2
SHA1: 8ef9ca963d10aaf711ca27d7e887e859ab553517
SHA256: 396e99d593b3dd0f9b7be45f5905df3abb317d847fc2d420eb0dd379e1aa26c4
SHA512: c74148516131b204cc451fd276001a6124cad358d4a3f7ff579d91a23547f482abd9ac7a61cc42f54e66aa2848da3ee67146b4eb5864c37929f6fa8537964c38

Filesize: 512KB
MD5: 57e0b489881863a87b18b66133d95d14
SHA1: a3569cd367104271511ddd102f0f8f9078284f3b
SHA256: aedc0549c7c673ba7d3ed02c4cf899475af84a12d3abfe752666ad1680ef6d7d
SHA512: 96bab5715e65d4f49567a831dc66575d06092757a140df6403bc50488fb4cca93444849aca2fb77cf9075524598a86b2c1c15bf587de7159b5d60b176e3df947

Filesize: 512KB
MD5: 7080589dea6f8d3979c30491f2fc1782
SHA1: 0b489d701c03c664ab1bd2526fa7053c3e34ea86
SHA256: 5a265eb6b5524344e1ce972e3c44b40f4a75bb1fb23bd6a589c818d1836a0e05
SHA512: cacd5c725381e88545c085a983ed967afb7cfcdbab7228c4cba4a41a430e03c9f6c9dbbb9847f8689fda557a0fe8673d508c4071d94463501dfa91be2376f266

Filesize: 512KB
MD5: dad5c79c0629d134b5bc3e26001f57cf
SHA1: e85bad54906be38a90a8c200a11d0b80665616dd
SHA256: e8b8b308bbc6c90b68255fe089a3f6974948635263097d783ef0a82f6fbf59c7
SHA512: 69d2e8837006317f7f4d535040b06b565afc7a428c89c76588e146770edc537812d259f5da2ef2ec183111a7917c0a102033baf6887903e43d8340c8d827e4c3

Filesize: 512KB
MD5: 3b65120db91aebb7c508b8a05b1b7fba
SHA1: edf4edb89777fac0ef80a89f7a4634eb57aa7bf8
SHA256: b091ed8700a6a573535c9318bf59980179c9514c340f3494880dcfd4cd398b54
SHA512: 9d971b9c64c3692f5da3fec7baa7f1e27d062139e350fc96f8eaca4a15608cc7e4ab21a4447edb298f3108747e6c62b6d97641c385dd05a34ec8fb458e9707ff

Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Filesize: 512KB
MD5: b4b13b82a8b20ebd09c39fc51e3dce30
SHA1: d7473f4a3073854fc8f828222c4a0b71cd94c07d
SHA256: 13ad0a99e74d546d65e366bc566028c97caa42dc3daf82c419b93db22ee913b2
SHA512: e5ca84439afc83dd633de7d475b40aae14ee005272c482aca5682e3a4af99304b3190be9713ba000a3564b8fd3a05971c0eba963a97cb0ab57ee312ca14b3f6c

Filesize: 512KB
MD5: 5ac499cbc5fa395abea124a8a2afe3ba
SHA1: e087ece591dde22f809f3be6a05c0df40c915586
SHA256: 24dbbb36d8fa834a430d3e419793ea962d9f8f874ce41a1ecd355f3dac79c747
SHA512: fe3379b7c7e0b0a55c3a3a728c17ec3228cc162c51cc517c479e962bf8de9505acfec59389aa6ebfaf1d52a8ef758df8a9a4b4566497d7411ca79fa3a12d5aea