Analysis
max time kernel: 149s
max time network: 124s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/09/2024, 16:06
Static task: static1
Behavioral task: behavioral1
Sample: f65eb219b3f600691f3d107086f69a64_JaffaCakes118.exe
Resource: win7-20240903-en
General
Target: f65eb219b3f600691f3d107086f69a64_JaffaCakes118.exe
Size: 512KB
MD5: f65eb219b3f600691f3d107086f69a64
SHA1: 9e1df9b4b85cd00867a617e8667fd963d37588af
SHA256: 38f07c6c853142e95b203761f4eaf66f97b032106466b4269c094fe0bffbdc26
SHA512: f17a4c862f4cb148d9c9765778200943d918910d0e98102c955c0cb1c4f991ed03e80b9fdc2dbce07c729ba87c41716543b20bd9978307406bb8e442d7687bea
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6r:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5w
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | rkniowlqaj.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | rkniowlqaj.exe
Windows security bypass 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | rkniowlqaj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | rkniowlqaj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | rkniowlqaj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | rkniowlqaj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | rkniowlqaj.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | rkniowlqaj.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | f65eb219b3f600691f3d107086f69a64_JaffaCakes118.exe
Executes dropped EXE 5 IoCs
pid | Process
3848 | rkniowlqaj.exe
3844 | yxydkefnavowhfj.exe
1488 | mpcqgnuh.exe
1936 | lddsrfkxxpfyf.exe
2016 | mpcqgnuh.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.
Windows security modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | rkniowlqaj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | rkniowlqaj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | rkniowlqaj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | rkniowlqaj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | rkniowlqaj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | rkniowlqaj.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\zjxmqlzt = "rkniowlqaj.exe" | yxydkefnavowhfj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mfqmvkdo = "yxydkefnavowhfj.exe" | yxydkefnavowhfj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "lddsrfkxxpfyf.exe" | yxydkefnavowhfj.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\e: | mpcqgnuh.exe
File opened (read-only) | \??\r: | mpcqgnuh.exe
File opened (read-only) | \??\t: | mpcqgnuh.exe
File opened (read-only) | \??\i: | mpcqgnuh.exe
File opened (read-only) | \??\j: | mpcqgnuh.exe
File opened (read-only) | \??\v: | mpcqgnuh.exe
File opened (read-only) | \??\y: | mpcqgnuh.exe
File opened (read-only) | \??\k: | mpcqgnuh.exe
File opened (read-only) | \??\x: | mpcqgnuh.exe
File opened (read-only) | \??\e: | rkniowlqaj.exe
File opened (read-only) | \??\o: | rkniowlqaj.exe
File opened (read-only) | \??\s: | rkniowlqaj.exe
File opened (read-only) | \??\h: | mpcqgnuh.exe
File opened (read-only) | \??\q: | mpcqgnuh.exe
File opened (read-only) | \??\l: | mpcqgnuh.exe
File opened (read-only) | \??\z: | mpcqgnuh.exe
File opened (read-only) | \??\b: | mpcqgnuh.exe
File opened (read-only) | \??\h: | mpcqgnuh.exe
File opened (read-only) | \??\j: | rkniowlqaj.exe
File opened (read-only) | \??\l: | rkniowlqaj.exe
File opened (read-only) | \??\a: | mpcqgnuh.exe
File opened (read-only) | \??\x: | mpcqgnuh.exe
File opened (read-only) | \??\q: | rkniowlqaj.exe
File opened (read-only) | \??\w: | mpcqgnuh.exe
File opened (read-only) | \??\s: | mpcqgnuh.exe
File opened (read-only) | \??\b: | rkniowlqaj.exe
File opened (read-only) | \??\k: | rkniowlqaj.exe
File opened (read-only) | \??\m: | mpcqgnuh.exe
File opened (read-only) | \??\p: | rkniowlqaj.exe
File opened (read-only) | \??\v: | rkniowlqaj.exe
File opened (read-only) | \??\z: | rkniowlqaj.exe
File opened (read-only) | \??\n: | mpcqgnuh.exe
File opened (read-only) | \??\q: | mpcqgnuh.exe
File opened (read-only) | \??\g: | rkniowlqaj.exe
File opened (read-only) | \??\i: | rkniowlqaj.exe
File opened (read-only) | \??\r: | rkniowlqaj.exe
File opened (read-only) | \??\p: | mpcqgnuh.exe
File opened (read-only) | \??\v: | mpcqgnuh.exe
File opened (read-only) | \??\e: | mpcqgnuh.exe
File opened (read-only) | \??\w: | mpcqgnuh.exe
File opened (read-only) | \??\u: | rkniowlqaj.exe
File opened (read-only) | \??\j: | mpcqgnuh.exe
File opened (read-only) | \??\m: | mpcqgnuh.exe
File opened (read-only) | \??\o: | mpcqgnuh.exe
File opened (read-only) | \??\y: | mpcqgnuh.exe
File opened (read-only) | \??\a: | mpcqgnuh.exe
File opened (read-only) | \??\g: | mpcqgnuh.exe
File opened (read-only) | \??\o: | mpcqgnuh.exe
File opened (read-only) | \??\p: | mpcqgnuh.exe
File opened (read-only) | \??\b: | mpcqgnuh.exe
File opened (read-only) | \??\k: | mpcqgnuh.exe
File opened (read-only) | \??\r: | mpcqgnuh.exe
File opened (read-only) | \??\h: | rkniowlqaj.exe
File opened (read-only) | \??\t: | rkniowlqaj.exe
File opened (read-only) | \??\u: | mpcqgnuh.exe
File opened (read-only) | \??\z: | mpcqgnuh.exe
File opened (read-only) | \??\u: | mpcqgnuh.exe
File opened (read-only) | \??\x: | rkniowlqaj.exe
File opened (read-only) | \??\i: | mpcqgnuh.exe
File opened (read-only) | \??\l: | mpcqgnuh.exe
File opened (read-only) | \??\s: | mpcqgnuh.exe
File opened (read-only) | \??\n: | mpcqgnuh.exe
File opened (read-only) | \??\a: | rkniowlqaj.exe
File opened (read-only) | \??\n: | rkniowlqaj.exe
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | rkniowlqaj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | rkniowlqaj.exe
AutoIT Executable 9 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/1740-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x0008000000023461-5.dat | autoit_exe
behavioral2/files/0x0009000000023401-19.dat | autoit_exe
behavioral2/files/0x0007000000023466-31.dat | autoit_exe
behavioral2/files/0x0007000000023465-29.dat | autoit_exe
behavioral2/files/0x0008000000023448-66.dat | autoit_exe
behavioral2/files/0x0007000000023473-72.dat | autoit_exe
behavioral2/files/0x0007000000023486-96.dat | autoit_exe
behavioral2/files/0x0007000000023486-99.dat | autoit_exe
Drops file in System32 directory 12 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\mpcqgnuh.exe | f65eb219b3f600691f3d107086f69a64_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\lddsrfkxxpfyf.exe | f65eb219b3f600691f3d107086f69a64_JaffaCakes118.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | mpcqgnuh.exe
File created | C:\Windows\SysWOW64\rkniowlqaj.exe | f65eb219b3f600691f3d107086f69a64_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\yxydkefnavowhfj.exe | f65eb219b3f600691f3d107086f69a64_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\yxydkefnavowhfj.exe | f65eb219b3f600691f3d107086f69a64_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\mpcqgnuh.exe | f65eb219b3f600691f3d107086f69a64_JaffaCakes118.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | mpcqgnuh.exe
File opened for modification | C:\Windows\SysWOW64\rkniowlqaj.exe | f65eb219b3f600691f3d107086f69a64_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\lddsrfkxxpfyf.exe | f65eb219b3f600691f3d107086f69a64_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | rkniowlqaj.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | mpcqgnuh.exe
Drops file in Program Files directory 15 IoCs
description | ioc | Process
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | mpcqgnuh.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | mpcqgnuh.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | mpcqgnuh.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | mpcqgnuh.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | mpcqgnuh.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | mpcqgnuh.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | mpcqgnuh.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | mpcqgnuh.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | mpcqgnuh.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | mpcqgnuh.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | mpcqgnuh.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | mpcqgnuh.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | mpcqgnuh.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | mpcqgnuh.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | mpcqgnuh.exe
Drops file in Windows directory 19 IoCs
description | ioc | Process
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | mpcqgnuh.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | mpcqgnuh.exe
File opened for modification | C:\Windows\mydoc.rtf | f65eb219b3f600691f3d107086f69a64_JaffaCakes118.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | mpcqgnuh.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | mpcqgnuh.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | mpcqgnuh.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | mpcqgnuh.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | mpcqgnuh.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | mpcqgnuh.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | mpcqgnuh.exe
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | mpcqgnuh.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | mpcqgnuh.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | mpcqgnuh.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | mpcqgnuh.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | mpcqgnuh.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | mpcqgnuh.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | mpcqgnuh.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mpcqgnuh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | lddsrfkxxpfyf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mpcqgnuh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f65eb219b3f600691f3d107086f69a64_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rkniowlqaj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | yxydkefnavowhfj.exe
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class 20 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings | f65eb219b3f600691f3d107086f69a64_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | rkniowlqaj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | rkniowlqaj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | rkniowlqaj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | rkniowlqaj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | rkniowlqaj.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | f65eb219b3f600691f3d107086f69a64_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BBCF9BCFE64F1E2837B3B44869D39E6B08E038B4367023EE1BD42E608A0" | f65eb219b3f600691f3d107086f69a64_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC6B02A479438E353C9BADC33E9D7CE" | f65eb219b3f600691f3d107086f69a64_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184DC60C14E3DAB6B9B97C94EDE534C6" | f65eb219b3f600691f3d107086f69a64_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | rkniowlqaj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | rkniowlqaj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | rkniowlqaj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32412C0A9C2783566A3377D770532DDF7D8F64AA" | f65eb219b3f600691f3d107086f69a64_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFDFF83485F82129041D7217DE5BCE5E643584767416237D7E9" | f65eb219b3f600691f3d107086f69a64_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0806BC6FF6C21ACD108D0A28B089011" | f65eb219b3f600691f3d107086f69a64_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | rkniowlqaj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | rkniowlqaj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | rkniowlqaj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | rkniowlqaj.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
4292 | WINWORD.EXE
4292 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
1740 | f65eb219b3f600691f3d107086f69a64_JaffaCakes118.exe
1740 | f65eb219b3f600691f3d107086f69a64_JaffaCakes118.exe
1740 | f65eb219b3f600691f3d107086f69a64_JaffaCakes118.exe
1740 | f65eb219b3f600691f3d107086f69a64_JaffaCakes118.exe
1740 | f65eb219b3f600691f3d107086f69a64_JaffaCakes118.exe
1740 | f65eb219b3f600691f3d107086f69a64_JaffaCakes118.exe
1740 | f65eb219b3f600691f3d107086f69a64_JaffaCakes118.exe
1740 | f65eb219b3f600691f3d107086f69a64_JaffaCakes118.exe
1740 | f65eb219b3f600691f3d107086f69a64_JaffaCakes118.exe
1740 | f65eb219b3f600691f3d107086f69a64_JaffaCakes118.exe
1740 | f65eb219b3f600691f3d107086f69a64_JaffaCakes118.exe
1740 | f65eb219b3f600691f3d107086f69a64_JaffaCakes118.exe
1740 | f65eb219b3f600691f3d107086f69a64_JaffaCakes118.exe
1740 | f65eb219b3f600691f3d107086f69a64_JaffaCakes118.exe
1740 | f65eb219b3f600691f3d107086f69a64_JaffaCakes118.exe
1740 | f65eb219b3f600691f3d107086f69a64_JaffaCakes118.exe
3844 | yxydkefnavowhfj.exe
3844 | yxydkefnavowhfj.exe
3844 | yxydkefnavowhfj.exe
3844 | yxydkefnavowhfj.exe
3844 | yxydkefnavowhfj.exe
3844 | yxydkefnavowhfj.exe
3844 | yxydkefnavowhfj.exe
3844 | yxydkefnavowhfj.exe
3844 | yxydkefnavowhfj.exe
3844 | yxydkefnavowhfj.exe
3848 | rkniowlqaj.exe
3848 | rkniowlqaj.exe
3848 | rkniowlqaj.exe
3848 | rkniowlqaj.exe
3848 | rkniowlqaj.exe
3848 | rkniowlqaj.exe
3848 | rkniowlqaj.exe
3848 | rkniowlqaj.exe
3848 | rkniowlqaj.exe
3848 | rkniowlqaj.exe
1488 | mpcqgnuh.exe
1488 | mpcqgnuh.exe
1488 | mpcqgnuh.exe
1488 | mpcqgnuh.exe
1488 | mpcqgnuh.exe
1488 | mpcqgnuh.exe
1488 | mpcqgnuh.exe
1488 | mpcqgnuh.exe
1936 | lddsrfkxxpfyf.exe
1936 | lddsrfkxxpfyf.exe
1936 | lddsrfkxxpfyf.exe
1936 | lddsrfkxxpfyf.exe
1936 | lddsrfkxxpfyf.exe
1936 | lddsrfkxxpfyf.exe
1936 | lddsrfkxxpfyf.exe
1936 | lddsrfkxxpfyf.exe
1936 | lddsrfkxxpfyf.exe
1936 | lddsrfkxxpfyf.exe
1936 | lddsrfkxxpfyf.exe
1936 | lddsrfkxxpfyf.exe
3844 | yxydkefnavowhfj.exe
3844 | yxydkefnavowhfj.exe
1936 | lddsrfkxxpfyf.exe
1936 | lddsrfkxxpfyf.exe
1936 | lddsrfkxxpfyf.exe
1936 | lddsrfkxxpfyf.exe
3844 | yxydkefnavowhfj.exe
3844 | yxydkefnavowhfj.exe
Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process
1740 | f65eb219b3f600691f3d107086f69a64_JaffaCakes118.exe
1740 | f65eb219b3f600691f3d107086f69a64_JaffaCakes118.exe
1740 | f65eb219b3f600691f3d107086f69a64_JaffaCakes118.exe
3844 | yxydkefnavowhfj.exe
3844 | yxydkefnavowhfj.exe
3844 | yxydkefnavowhfj.exe
3848 | rkniowlqaj.exe
3848 | rkniowlqaj.exe
3848 | rkniowlqaj.exe
1488 | mpcqgnuh.exe
1488 | mpcqgnuh.exe
1488 | mpcqgnuh.exe
1936 | lddsrfkxxpfyf.exe
1936 | lddsrfkxxpfyf.exe
1936 | lddsrfkxxpfyf.exe
2016 | mpcqgnuh.exe
2016 | mpcqgnuh.exe
2016 | mpcqgnuh.exe
Suspicious use of SendNotifyMessage 18 IoCs
pid | Process
1740 | f65eb219b3f600691f3d107086f69a64_JaffaCakes118.exe
1740 | f65eb219b3f600691f3d107086f69a64_JaffaCakes118.exe
1740 | f65eb219b3f600691f3d107086f69a64_JaffaCakes118.exe
3844 | yxydkefnavowhfj.exe
3844 | yxydkefnavowhfj.exe
3844 | yxydkefnavowhfj.exe
3848 | rkniowlqaj.exe
3848 | rkniowlqaj.exe
3848 | rkniowlqaj.exe
1488 | mpcqgnuh.exe
1488 | mpcqgnuh.exe
1488 | mpcqgnuh.exe
1936 | lddsrfkxxpfyf.exe
1936 | lddsrfkxxpfyf.exe
1936 | lddsrfkxxpfyf.exe
2016 | mpcqgnuh.exe
2016 | mpcqgnuh.exe
2016 | mpcqgnuh.exe
Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process
4292 | WINWORD.EXE
4292 | WINWORD.EXE
4292 | WINWORD.EXE
4292 | WINWORD.EXE
4292 | WINWORD.EXE
4292 | WINWORD.EXE
4292 | WINWORD.EXE
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 1740 wrote to memory of 3848 | 1740 | f65eb219b3f600691f3d107086f69a64_JaffaCakes118.exe | 82
PID 1740 wrote to memory of 3848 | 1740 | f65eb219b3f600691f3d107086f69a64_JaffaCakes118.exe | 82
PID 1740 wrote to memory of 3848 | 1740 | f65eb219b3f600691f3d107086f69a64_JaffaCakes118.exe | 82
PID 1740 wrote to memory of 3844 | 1740 | f65eb219b3f600691f3d107086f69a64_JaffaCakes118.exe | 83
PID 1740 wrote to memory of 3844 | 1740 | f65eb219b3f600691f3d107086f69a64_JaffaCakes118.exe | 83
PID 1740 wrote to memory of 3844 | 1740 | f65eb219b3f600691f3d107086f69a64_JaffaCakes118.exe | 83
PID 1740 wrote to memory of 1488 | 1740 | f65eb219b3f600691f3d107086f69a64_JaffaCakes118.exe | 84
PID 1740 wrote to memory of 1488 | 1740 | f65eb219b3f600691f3d107086f69a64_JaffaCakes118.exe | 84
PID 1740 wrote to memory of 1488 | 1740 | f65eb219b3f600691f3d107086f69a64_JaffaCakes118.exe | 84
PID 1740 wrote to memory of 1936 | 1740 | f65eb219b3f600691f3d107086f69a64_JaffaCakes118.exe | 85
PID 1740 wrote to memory of 1936 | 1740 | f65eb219b3f600691f3d107086f69a64_JaffaCakes118.exe | 85
PID 1740 wrote to memory of 1936 | 1740 | f65eb219b3f600691f3d107086f69a64_JaffaCakes118.exe | 85
PID 1740 wrote to memory of 4292 | 1740 | f65eb219b3f600691f3d107086f69a64_JaffaCakes118.exe | 86
PID 1740 wrote to memory of 4292 | 1740 | f65eb219b3f600691f3d107086f69a64_JaffaCakes118.exe | 86
PID 3848 wrote to memory of 2016 | 3848 | rkniowlqaj.exe | 88
PID 3848 wrote to memory of 2016 | 3848 | rkniowlqaj.exe | 88
PID 3848 wrote to memory of 2016 | 3848 | rkniowlqaj.exe | 88
Processes
[1] C:\Users\Admin\AppData\Local\Temp\f65eb219b3f600691f3d107086f69a64_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\f65eb219b3f600691f3d107086f69a64_JaffaCakes118.exe"
    - Checks computer location settings
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID: 1740
    [2] C:\Windows\SysWOW64\rkniowlqaj.exe
        Command line: rkniowlqaj.exe
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - Windows security bypass
        - Disables RegEdit via registry modification
        - Executes dropped EXE
        - Windows security modification
        - Enumerates connected drives
        - Modifies WinLogon
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
        PID: 3848
        [3] C:\Windows\SysWOW64\mpcqgnuh.exe
            Command line: C:\Windows\system32\mpcqgnuh.exe
            - Executes dropped EXE
            - Enumerates connected drives
            - Drops file in System32 directory
            - Drops file in Program Files directory
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            PID: 2016
    [2] C:\Windows\SysWOW64\yxydkefnavowhfj.exe
        Command line: yxydkefnavowhfj.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        PID: 3844
    [2] C:\Windows\SysWOW64\mpcqgnuh.exe
        Command line: mpcqgnuh.exe
        - Executes dropped EXE
        - Enumerates connected drives
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        PID: 1488
    [2] C:\Windows\SysWOW64\lddsrfkxxpfyf.exe
        Command line: lddsrfkxxpfyf.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        PID: 1936
    [2] C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
        Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
        - Drops file in Windows directory
        - Checks processor information in registry
        - Enumerates system info in registry
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious use of SetWindowsHookEx
        PID: 4292
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads