Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/09/2024, 05:59
Static task: static1
Behavioral task: behavioral1
Sample: f557e23fbaea06dd8d1346e9860dc6b4_JaffaCakes118.exe
Resource: win7-20240903-en
Note: the task list names the win7 behavioural run, but the signatures and process tree below belong to the win10v2004-20240802-en run (the YARA hits reference behavioral2 and the PIDs match the process tree under that platform).
General
Target: f557e23fbaea06dd8d1346e9860dc6b4_JaffaCakes118.exe
Size: 512KB
MD5: f557e23fbaea06dd8d1346e9860dc6b4
SHA1: 84a168ee2c1e2666cd875f0665b4c0129ba14182
SHA256: 5fd71f2dbaa454af5af5f6153ce00832188b2b559092309c9e790655634c4eeb
SHA512: ae74292424ea93dd0a50bb99158b114c6b1e3b167704e1b965043bdfa0309a444d35d42d258fc9d74755738b2241f9cae76a6a605280c98f3eeff33260f5fe3d
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6Y:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5p
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
  Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"  (jeixnbtsji.exe)

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  (jeixnbtsji.exe)

Windows security bypass (5 IoCs)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  (jeixnbtsji.exe)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  (jeixnbtsji.exe)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  (jeixnbtsji.exe)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  (jeixnbtsji.exe)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  (jeixnbtsji.exe)
  Note: jeixnbtsji.exe is a 32-bit binary (it lives in SysWOW64 and the platform is tagged arch:x86 as well as x64), so WOW64 registry redirection placed these writes under WOW6432Node; the native 64-bit Security Center key was not touched. The *DisableNotify and *Override values are the Windows XP-era Security Center switches and are not the mechanism the Windows 10 Security Center uses, so on this platform treat them as a family fingerprint rather than as an effective defence bypass.

Disables RegEdit via registry modification (1 IoC)
  Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"  (jeixnbtsji.exe)
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
  Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation  (f557e23fbaea06dd8d1346e9860dc6b4_JaffaCakes118.exe)
Executes dropped EXE (5 IoCs)
  PID 1624  jeixnbtsji.exe
  PID 3400  vjvuhktqbcsbcni.exe
  PID 3656  qouswdxi.exe
  PID 2412  nxhuxbmbbkxzw.exe
  PID 2116  qouswdxi.exe
  qouswdxi.exe runs twice: PID 3656 is started by the sample, PID 2116 by jeixnbtsji.exe (see the process tree).
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc. No individual IoCs are listed for this signature in this report.

Windows security modification (6 IoCs)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  (jeixnbtsji.exe)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  (jeixnbtsji.exe)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  (jeixnbtsji.exe)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1"  (jeixnbtsji.exe)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  (jeixnbtsji.exe)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  (jeixnbtsji.exe)
Adds Run key to start application (2 TTPs, 3 IoCs)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cvlynwrz = "vjvuhktqbcsbcni.exe"  (vjvuhktqbcsbcni.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ (default value) = "nxhuxbmbbkxzw.exe"  (vjvuhktqbcsbcni.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oqcphybs = "jeixnbtsji.exe"  (vjvuhktqbcsbcni.exe)
  All three values are bare file names with no path; the binaries were dropped into C:\Windows\SysWOW64, so at logon they resolve through the normal executable search path. A hunt for Run values without a directory component will surface this pattern.
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  jeixnbtsji.exe  File opened (read-only), 22 entries, one per letter: \??\a: \??\b: \??\e: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\o: \??\p: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z:
  qouswdxi.exe    File opened (read-only), 42 entries: \??\a: \??\b: \??\e: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\o: \??\p: \??\q: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z: (every letter except e, k, n and p is logged twice, consistent with qouswdxi.exe running as two processes, PIDs 3656 and 2116)
  Neither process probes c:, d: or f:.
Modifies WinLogon (2 TTPs, 2 IoCs)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"  (jeixnbtsji.exe)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"  (jeixnbtsji.exe)
  Note: 4294967197 is 0xFFFFFF9D (signed -99), the value that disabled Windows File Protection on Windows 2000/XP. Windows 10 uses Windows Resource Protection and does not read SFCDisable, so this is an inherited family trait rather than an effective change on this platform; it remains a good detection string.
AutoIT Executable (9 IoCs)
AutoIT scripts compiled to PE executables.
  yara rule autoit_exe matched:
  behavioral2/memory/2596-0-0x0000000000400000-0x0000000000496000-memory.dmp
  behavioral2/files/0x000700000002349c-5.dat
  behavioral2/files/0x000700000002349d-25.dat
  behavioral2/files/0x000700000002349e-31.dat
  behavioral2/files/0x000a000000023494-19.dat
  behavioral2/files/0x00070000000234aa-68.dat
  behavioral2/files/0x00070000000234ab-74.dat
  behavioral2/files/0x00070000000234b8-83.dat
  behavioral2/files/0x00090000000234bb-110.dat
Drops file in System32 directory (13 IoCs)
  File created / File opened for modification  C:\Windows\SysWOW64\jeixnbtsji.exe  (f557e23fbaea06dd8d1346e9860dc6b4_JaffaCakes118.exe)
  File created / File opened for modification  C:\Windows\SysWOW64\vjvuhktqbcsbcni.exe  (f557e23fbaea06dd8d1346e9860dc6b4_JaffaCakes118.exe)
  File created / File opened for modification  C:\Windows\SysWOW64\nxhuxbmbbkxzw.exe  (f557e23fbaea06dd8d1346e9860dc6b4_JaffaCakes118.exe)
  File created / File opened for modification  C:\Windows\SysWOW64\qouswdxi.exe  (f557e23fbaea06dd8d1346e9860dc6b4_JaffaCakes118.exe)
  File opened for modification  C:\Windows\SysWOW64\msvbvm60.dll  (jeixnbtsji.exe)
  File created (x2) / File opened for modification (x2)  \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe  (qouswdxi.exe)
  The four dropped binaries are written by the original sample; qouswdxi.exe then creates an executable named after the existing MsoIrmProtector.doc with .exe appended.
Drops file in Program Files directory (15 IoCs)
All entries are by qouswdxi.exe; the 15 entries are repeated create/open operations on four paths:
  File created / File opened for modification  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
  File created / File opened for modification  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
  File opened for modification  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal
  File opened for modification  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal
  As with MsoIrmProtector.doc.exe above, the executables are named after existing Office .DOC files with .exe appended, with a .nal companion file written beside each.
Drops file in Windows directory (19 IoCs)
  File created / File opened for modification  \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe  (qouswdxi.exe)
  File created / File opened for modification  \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe  (qouswdxi.exe)
  File created / File opened for modification  \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe  (qouswdxi.exe)
  File created / File opened for modification  \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe  (qouswdxi.exe)
  File opened for modification  C:\Windows\mydoc.rtf  (f557e23fbaea06dd8d1346e9860dc6b4_JaffaCakes118.exe)
  File opened for modification  C:\Windows\mydoc.rtf  (WINWORD.EXE)
  File created  C:\Windows\~$mydoc.rtf  (WINWORD.EXE)
  The WinSxS entries are repeated operations on the same four component-store copies of MsoIrmProtector.doc. C:\Windows\mydoc.rtf is the decoy document the sample writes and then opens in Word; ~$mydoc.rtf is Word's own owner-lock file.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). No individual IoCs are listed for this signature in this report.

System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (jeixnbtsji.exe)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (vjvuhktqbcsbcni.exe)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (qouswdxi.exe)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (nxhuxbmbbkxzw.exe)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (qouswdxi.exe)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (f557e23fbaea06dd8d1346e9860dc6b4_JaffaCakes118.exe)
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
  Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0  (WINWORD.EXE)
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  (WINWORD.EXE)
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  (WINWORD.EXE)

Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS  (WINWORD.EXE)
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  (WINWORD.EXE)
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  (WINWORD.EXE)
  Note: both signatures are attributed solely to WINWORD.EXE, the legitimate Office binary the sample launched on the decoy document, not to any of the dropped executables. Treat them as Word's normal start-up behaviour rather than as evidence of sandbox evasion by the sample.
Modifies registry class (20 IoCs)
By the original sample (f557e23fbaea06dd8d1346e9860dc6b4_JaffaCakes118.exe):
  Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E78768B4FE6722D8D278D1A78A7B9010"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "183AC70C1597DBB2B8CA7FE3ECE737BC"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33302C7D9C2082576A3276D277222DDD7D8464AB"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCAFABEFE6BF2E583783B4A819F3E90B08D028C4212033BE1CD42EE08A3"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2ECAB15A4492389A52C9BAD6339DD7CF"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFFFC8F4828826D9030D75A7DE7BDEFE1305935664F6234D6EA"
  Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings
  The CLV.Classes values are opaque hex strings; their purpose is not established in this report, but the key name and value names are usable as a host-based indicator.
By jeixnbtsji.exe:
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat   and  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ (default) = "txtfile"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs   and  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ (default) = "txtfile"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf   and  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ (default) = "txtfile"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh   and  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ (default) = "txtfile"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc   and  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ (default) = "txtfile"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg   and  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ (default) = "txtfile"
  The default value of HKLM\SOFTWARE\Classes\.<ext> is the ProgID that Explorer uses to open the file. Pointing .bat, .vbs, .wsf, .wsh, .wsc and .reg at txtfile makes double-clicking a script or .reg file open it in the text editor instead of running or importing it, which blocks the usual one-click cleanup scripts and registry fixes. Together with DisableRegistryTools above this is a user-lockout pattern worth a dedicated detection.
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  PID 4196  WINWORD.EXE  (x2)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2596  f557e23fbaea06dd8d1346e9860dc6b4_JaffaCakes118.exe  (x16)
  PID 3400  vjvuhktqbcsbcni.exe  (x12)
  PID 1624  jeixnbtsji.exe  (x10)
  PID 2412  nxhuxbmbbkxzw.exe  (x12)
  PID 3656  qouswdxi.exe  (x8)
  PID 2116  qouswdxi.exe  (x6)

Suspicious use of FindShellTrayWindow (18 IoCs)
  PIDs 2596, 3400, 1624, 2412, 3656, 2116 (each of the sample and its five dropped processes, x3)

Suspicious use of SendNotifyMessage (18 IoCs)
  PIDs 2596, 3400, 1624, 2412, 3656, 2116 (same six processes, x3 each)

Suspicious use of SetWindowsHookEx (7 IoCs)
  PID 4196  WINWORD.EXE  (x7)
Suspicious use of WriteProcessMemory (17 IoCs)
Each line is "parent PID wrote to memory of child PID" with the sandbox's procid_target in brackets; the same pair is logged more than once.
  2596 f557e23fbaea06dd8d1346e9860dc6b4_JaffaCakes118.exe -> 1624  [82]  (x3)
  2596 f557e23fbaea06dd8d1346e9860dc6b4_JaffaCakes118.exe -> 3400  [83]  (x3)
  2596 f557e23fbaea06dd8d1346e9860dc6b4_JaffaCakes118.exe -> 3656  [84]  (x3)
  2596 f557e23fbaea06dd8d1346e9860dc6b4_JaffaCakes118.exe -> 2412  [85]  (x3)
  2596 f557e23fbaea06dd8d1346e9860dc6b4_JaffaCakes118.exe -> 4196  [86]  (x2)
  1624 jeixnbtsji.exe -> 2116  [89]  (x3)
Processes
(indentation shows depth in the tree: level 1 is the submitted sample, level 2 its direct children, level 3 a grandchild)

C:\Users\Admin\AppData\Local\Temp\f557e23fbaea06dd8d1346e9860dc6b4_JaffaCakes118.exe   (level 1, PID 2596)
  command line: "C:\Users\Admin\AppData\Local\Temp\f557e23fbaea06dd8d1346e9860dc6b4_JaffaCakes118.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\jeixnbtsji.exe   (level 2, PID 1624, parent 2596)
      command line: jeixnbtsji.exe
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Windows security bypass
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Windows security modification
      - Enumerates connected drives
      - Modifies WinLogon
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\qouswdxi.exe   (level 3, PID 2116, parent 1624)
          command line: C:\Windows\system32\qouswdxi.exe
          (the command line names system32, but the 32-bit parent is subject to WOW64 file-system redirection, so the image actually loaded is the SysWOW64 copy)
          - Executes dropped EXE
          - Enumerates connected drives
          - Drops file in System32 directory
          - Drops file in Program Files directory
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage

    C:\Windows\SysWOW64\vjvuhktqbcsbcni.exe   (level 2, PID 3400, parent 2596)
      command line: vjvuhktqbcsbcni.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

    C:\Windows\SysWOW64\qouswdxi.exe   (level 2, PID 3656, parent 2596)
      command line: qouswdxi.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

    C:\Windows\SysWOW64\nxhuxbmbbkxzw.exe   (level 2, PID 2412, parent 2596)
      command line: nxhuxbmbbkxzw.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

    C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE   (level 2, PID 4196, parent 2596)
      command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      (Word is launched on the decoy document the sample wrote to C:\Windows; the signatures below are Word's own behaviour)
      - Drops file in Windows directory
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of SetWindowsHookEx
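The WriteProcessMemory entries and the process tree above carry the same parent/child information in two shapes. The block below is an added Python example, not part of the sandbox report: it rebuilds the tree from the report's own WriteProcessMemory lines (copied verbatim into REPORT_WPM), attaches the image paths from the process tree, and flags the staging pattern this sample shows, an image in a user-writable directory starting children whose images sit in a Windows system directory. The IMAGES map, the user-writable and system-directory prefix lists and the function names are assumptions made for the example.

```python
"""Added example: rebuild the process tree from the report's WriteProcessMemory
entries and flag staging from a user-writable directory into a system directory.
The image map and the path heuristics are assumptions for the example."""
import re
from collections import defaultdict

# Copied from the report's "Suspicious use of WriteProcessMemory" entries.
REPORT_WPM = """
PID 2596 wrote to memory of 1624 2596 f557e23fbaea06dd8d1346e9860dc6b4_JaffaCakes118.exe 82
PID 2596 wrote to memory of 1624 2596 f557e23fbaea06dd8d1346e9860dc6b4_JaffaCakes118.exe 82
PID 2596 wrote to memory of 1624 2596 f557e23fbaea06dd8d1346e9860dc6b4_JaffaCakes118.exe 82
PID 2596 wrote to memory of 3400 2596 f557e23fbaea06dd8d1346e9860dc6b4_JaffaCakes118.exe 83
PID 2596 wrote to memory of 3400 2596 f557e23fbaea06dd8d1346e9860dc6b4_JaffaCakes118.exe 83
PID 2596 wrote to memory of 3400 2596 f557e23fbaea06dd8d1346e9860dc6b4_JaffaCakes118.exe 83
PID 2596 wrote to memory of 3656 2596 f557e23fbaea06dd8d1346e9860dc6b4_JaffaCakes118.exe 84
PID 2596 wrote to memory of 3656 2596 f557e23fbaea06dd8d1346e9860dc6b4_JaffaCakes118.exe 84
PID 2596 wrote to memory of 3656 2596 f557e23fbaea06dd8d1346e9860dc6b4_JaffaCakes118.exe 84
PID 2596 wrote to memory of 2412 2596 f557e23fbaea06dd8d1346e9860dc6b4_JaffaCakes118.exe 85
PID 2596 wrote to memory of 2412 2596 f557e23fbaea06dd8d1346e9860dc6b4_JaffaCakes118.exe 85
PID 2596 wrote to memory of 2412 2596 f557e23fbaea06dd8d1346e9860dc6b4_JaffaCakes118.exe 85
PID 2596 wrote to memory of 4196 2596 f557e23fbaea06dd8d1346e9860dc6b4_JaffaCakes118.exe 86
PID 2596 wrote to memory of 4196 2596 f557e23fbaea06dd8d1346e9860dc6b4_JaffaCakes118.exe 86
PID 1624 wrote to memory of 2116 1624 jeixnbtsji.exe 89
PID 1624 wrote to memory of 2116 1624 jeixnbtsji.exe 89
PID 1624 wrote to memory of 2116 1624 jeixnbtsji.exe 89
"""

# PID -> image path, taken from the report's process tree (assumed complete).
IMAGES = {
    2596: r"C:\Users\Admin\AppData\Local\Temp\f557e23fbaea06dd8d1346e9860dc6b4_JaffaCakes118.exe",
    1624: r"C:\Windows\SysWOW64\jeixnbtsji.exe",
    3400: r"C:\Windows\SysWOW64\vjvuhktqbcsbcni.exe",
    3656: r"C:\Windows\SysWOW64\qouswdxi.exe",
    2412: r"C:\Windows\SysWOW64\nxhuxbmbbkxzw.exe",
    4196: r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE",
    2116: r"C:\Windows\SysWOW64\qouswdxi.exe",
}

EDGE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)")

# Assumed heuristics: where a dropper usually lives vs. where it masquerades.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\", "\\programdata\\")
SYSTEM_DIRS = ("c:\\windows\\syswow64\\", "c:\\windows\\system32\\")


def parse_edges(text):
    """Ordered, de-duplicated (parent_pid, child_pid, parent_image_name) edges.
    The sandbox logs several writes per child; they collapse to one edge."""
    edges, seen = [], set()
    for m in EDGE_RE.finditer(text):
        parent, child, name = int(m.group(1)), int(m.group(2)), m.group(3)
        if (parent, child) not in seen:
            seen.add((parent, child))
            edges.append((parent, child, name))
    return edges


def build_tree(edges):
    """Map parent -> [children] and find roots (parents that are nobody's child)."""
    children = defaultdict(list)
    for parent, child, _ in edges:
        children[parent].append(child)
    is_child = {child for _, child, _ in edges}
    roots = [p for p in children if p not in is_child]
    return children, roots


def render(children, roots, images):
    """Indented text tree, one 'PID image' line per process, depth-first."""
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {images.get(pid, '?')}")
        for c in children.get(pid, []):
            walk(c, depth + 1)

    for r in roots:
        walk(r, 0)
    return lines


def flag_staging(edges, images):
    """Edges where an image in a user-writable directory starts a child whose
    image lives in a Windows system directory: the drop-then-execute pattern."""
    flagged = []
    for parent, child, _ in edges:
        p, c = images.get(parent, "").lower(), images.get(child, "").lower()
        if any(d in p for d in USER_WRITABLE) and c.startswith(SYSTEM_DIRS):
            flagged.append((parent, child))
    return flagged


if __name__ == "__main__":
    edges = parse_edges(REPORT_WPM)
    children, roots = build_tree(edges)
    print("\n".join(render(children, roots, IMAGES)))
    print("staged from user-writable into system dir:", flag_staging(edges, IMAGES))
```

Run on the report's data this yields a single root (2596) with five direct children and one grandchild, and flags the four SysWOW64 drops; the WINWORD.EXE edge is not flagged because Word's image is in Program Files, and the 1624 -> 2116 edge is not flagged because its parent is already in SysWOW64. The same functions apply unchanged to a Sysmon process-creation feed once the edges are extracted from ParentProcessId/ProcessId instead of the sandbox's text.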
Network
(no network activity recorded in this report)

MITRE ATT&CK Enterprise v15
(number in brackets is the signature count the report maps to each technique)
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (6)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Downloads
(files captured during the run; paths are only available for the two jump-list entries)

Filesize 512KB
MD5 1ff59e44553c74541b4199774dbff952
SHA1 7620ab2fbda5c700efbe734eff398f6e8e2cfb6f
SHA256 0b2c5ac6cbd40dc87fe81b1ba383682520d91b83f83478dc67d98fa10d6248d2
SHA512 4d976d6d73f46cdad49c1281dee55ebeb8a80afd69187aa36f164c68a1793d3f067400b17cfc68fb5e2be2313da242e70674db8227dbe6962883622b2f4b9326

Filesize 512KB
MD5 b50966fff3283a4f06c5f267267806bc
SHA1 5517aaea49319f235e000e6d8351b006dda711d7
SHA256 3a2b59540eb15868bf3d8066141bbaa47ea5fd2b15a4537b4897f6a4b8391401
SHA512 d74b9cbd261d482fe87de9905eb8e9301b67463803284ea98f06c4841aec6c5c5bf024f64591fed679f9d7d64530ae19ce5df02a6ffdffeba6a1300653fb88d0

Filesize 262KB
MD5 51d32ee5bc7ab811041f799652d26e04
SHA1 412193006aa3ef19e0a57e16acf86b830993024a
SHA256 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA512 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Filesize 365B
MD5 6448bdbff26e0704f8cc3b17882b0304
SHA1 cc8f074da5332f04bbd7a60032492ee4fd56f0eb
SHA256 ad71b7567b43c360f35051dec2bbfeaa4eb9a1f709f9ec2248bb3522a90e586a
SHA512 1d1132a68959955242f3b8a05e9e0c8c386103d1117e2ba2fc6a485e06a5c9d883bbb08c14d6fac54a995192685e04416fa4a8429eea70872a5430f69a67f246

Filesize 16B
MD5 d29962abc88624befc0135579ae485ec
SHA1 e40a6458296ec6a2427bcb280572d023a9862b31
SHA256 a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866
SHA512 4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize 1KB
MD5 156bea6dac6953d4ac28bf3cf70be7df
SHA1 24653862e9b48b9d168559d728056076b3738b18
SHA256 3912f8b1ef34ffa329e47be0f5e38a04cf92fca14ccbc08773dc230d13280893
SHA512 c39a0ac917cf8632b58f0bbabc6cadd2d97c01beb38de3d1f75f89a0b5f30f1748bead44ef4c415f08449b939439d02e609773c73d7bc224d63ecbf2ab9527b8

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize 1KB
MD5 cae2b356ad138ef19af5cb74927a86b3
SHA1 4442d0f4bec0fe01523eba5ec8d1dc6a54381ac6
SHA256 9365dbe71b52f4de3692da137791e9120f51ee4815bb9f5d7e3aa79d9bbd6f04
SHA512 296176f03087d4253605ba2ec8bedcfa81aaad3952c747080f6328808e7a028d00aff24f54666fd9f3da746d3144c601de22dd619f84fcf3c4f44f475418151d

Filesize 512KB
MD5 f017de5768080bcf7c5ff00c805d2de3
SHA1 703675593855ee885e3e3226c9ff14d9a37966bb
SHA256 c2771b9a64916aa1076dae3a3ce505d8664136542a0bb71d4962ad096595d2b0
SHA512 beafc4843049a0961502877735f9e23ec0564d173b8186eb1050d129d33ae6ac9ef951a71b6b3e5ab2a3472751472d352f635e003750e99574b7a2d4193ab03f

Filesize 512KB
MD5 7ae11fde6408298dae784f6c54a80dee
SHA1 70f060f53ec10a1e1d180712e771f858e0789460
SHA256 d70e4358e080e608f9d988acf6cd15f0cf2bdae92dc80c0aeeb23f4e58e4caa8
SHA512 f17a0c9eb446619b3d5389d81f29056bf2eaa01f7d8713f129f601b488f3b613783813e2c148c7af418e64f37c7b83e118610e61f6fdab390504f458128c40e2

Filesize 512KB
MD5 9d1e7e0f3d0d7378b8623b4e90b83914
SHA1 19a24ce927bdcea8a3f7e901d1a6a54ea0c5a2e1
SHA256 ec6a6832e90fa88bb7489a2e3800e9419fc7793801b1c7450c4a294c1fcc04d4
SHA512 3a7082dc72a2b9dfa9190da0672846a7f9df10640404f4f4236553a990169e790925bd3ad48fbfacf0b6833aa2fffbd7a13774748c692fc572ebbf6ce71f37c7

Filesize 512KB
MD5 cce17ae2fa1ce2cb9fb38c74852e6f0d
SHA1 d41a6397fcca728b233c3b1e47f41951f2dd68d6
SHA256 95100a0dd3ee3cf90d15885a23df3c33fc3a6859cd44adbf81b99a388b289447
SHA512 fdff171898cc5cb01793b625da9e4b5dc657852834acbc5ae7277b800f8a288dd298c69b14b6bf704b9b8e6ccf35e5fa8a2c609da8c6e9a7a97c87be8136d3a2

Filesize 512KB
MD5 a0ddddf78462274c42e75d4ae05377fc
SHA1 ad360ef40b75e7ae6d863bbe77776ffc57b4c6a1
SHA256 08b05072d19f640df1db8822a166b60e53d2a718ffb05378c22d3e46b2efd85c
SHA512 4c131eee30d0ce01233aa13555386dea16c31770473b1c4e7977f41d7f8755311ac9a16622b5d7ea408b22469d8e352b8706938dbc55c8d679011dc78a245d1a

Filesize 223B
MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Filesize 512KB
MD5 ec3ff09f13e0e9547c9ed749528f48a0
SHA1 ce4a97d13565c3c60883ed6b40695e86dfaee6c7
SHA256 9c1176af78ca29a9b0455e60d0295b0f4fef6e050d38bebc9c2e131c9655965c
SHA512 d391184cc90923e8114e6afaa328dffaa8d35979d141678f5be8a68e3ec24f3752ed5e1999cfdbcd220c80b04b42e01c94b4aa3e17380fefd4361679f494cd66

Every 512KB file captured here carries a different hash from the submitted sample and from each other, so blocking on the submitted sample's hashes alone will not catch the dropped copies; the file names, paths and registry values listed under Signatures are the more durable indicators.