Analysis
max time kernel: 150s
max time network: 19s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 25/09/2024, 20:25
Static task: static1
Behavioral task: behavioral1
Sample: f6cc0abffe9509e95744869f94c62d58_JaffaCakes118.exe
Resource: win7-20240903-en
General
Target: f6cc0abffe9509e95744869f94c62d58_JaffaCakes118.exe
Size: 512KB
MD5: f6cc0abffe9509e95744869f94c62d58
SHA1: 5dae7805c0ce770c81c92dcd350e8b86f918e82a
SHA256: 5ed8e02162abb4f4d6a79fc6379329c4af5e843fa66865d1155fe50b0c226e23
SHA512: ff9a61bc3753fe47c22f4bed9c43cd0c6a09ee5ade46e867ea4c2fa56285febcf3a8dd2138905c36b68be33101a92ecab09c5e3565ce137bbfbadd62b91710e5
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6H:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5i
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | rrtanurkry.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | rrtanurkry.exe
Windows security bypass (5 IoCs)
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | rrtanurkry.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | rrtanurkry.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | rrtanurkry.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | rrtanurkry.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | rrtanurkry.exe
Disables RegEdit via registry modification (1 IoC)
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | rrtanurkry.exe
Executes dropped EXE (5 IoCs)
pid | process
2780 | rrtanurkry.exe
2880 | ttooymyzurvlnel.exe
2656 | fmuzcmvdvhwyt.exe
2804 | tyhfwchu.exe
2696 | tyhfwchu.exe
Loads dropped DLL (5 IoCs)
pid | process
488 | f6cc0abffe9509e95744869f94c62d58_JaffaCakes118.exe (×4)
2780 | rrtanurkry.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification (6 IoCs)
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | rrtanurkry.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | rrtanurkry.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | rrtanurkry.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | rrtanurkry.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | rrtanurkry.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | rrtanurkry.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ldtmdkpv = "rrtanurkry.exe" | ttooymyzurvlnel.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qjrdiapd = "ttooymyzurvlnel.exe" | ttooymyzurvlnel.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "fmuzcmvdvhwyt.exe" | ttooymyzurvlnel.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | process
File opened (read-only) | \??\i: \??\l: \??\h: \??\n: \??\r: \??\s: \??\b: \??\v: \??\x: \??\y: \??\g: \??\k: \??\q: \??\u: \??\z: \??\p: \??\w: \??\e: \??\j: \??\a: \??\m: \??\o: \??\t: | rrtanurkry.exe (23 IoCs, listed in report order)
File opened (read-only) | \??\r: \??\t: \??\x: \??\e: \??\v: \??\y: \??\l: \??\v: \??\m: \??\n: \??\q: \??\r: \??\i: \??\m: \??\q: \??\s: \??\i: \??\a: \??\b: \??\w: \??\a: \??\g: \??\e: \??\u: \??\j: \??\b: \??\g: \??\p: \??\k: \??\p: \??\h: \??\z: \??\k: \??\y: \??\s: \??\t: \??\o: \??\x: \??\o: \??\w: \??\l: | tyhfwchu.exe (41 IoCs, listed in report order; repeated letters are repeated opens)
Modifies WinLogon (2 TTPs, 2 IoCs)
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | rrtanurkry.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | rrtanurkry.exe
AutoIT Executable (8 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/memory/488-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral1/files/0x000600000001870b-9.dat | autoit_exe
behavioral1/files/0x000a000000012233-17.dat | autoit_exe
behavioral1/files/0x0007000000018705-21.dat | autoit_exe
behavioral1/files/0x0006000000018710-36.dat | autoit_exe
behavioral1/files/0x0008000000018b3e-63.dat | autoit_exe
behavioral1/files/0x0008000000018b4d-66.dat | autoit_exe
behavioral1/files/0x0005000000018faa-71.dat | autoit_exe
Drops file in System32 directory (9 IoCs)
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | rrtanurkry.exe
File opened for modification | C:\Windows\SysWOW64\ttooymyzurvlnel.exe | f6cc0abffe9509e95744869f94c62d58_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\tyhfwchu.exe | f6cc0abffe9509e95744869f94c62d58_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\tyhfwchu.exe | f6cc0abffe9509e95744869f94c62d58_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\fmuzcmvdvhwyt.exe | f6cc0abffe9509e95744869f94c62d58_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\rrtanurkry.exe | f6cc0abffe9509e95744869f94c62d58_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\rrtanurkry.exe | f6cc0abffe9509e95744869f94c62d58_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\ttooymyzurvlnel.exe | f6cc0abffe9509e95744869f94c62d58_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\fmuzcmvdvhwyt.exe | f6cc0abffe9509e95744869f94c62d58_JaffaCakes118.exe
Drops file in Program Files directory (15 IoCs)
description | ioc | process
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | tyhfwchu.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | tyhfwchu.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | tyhfwchu.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | tyhfwchu.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | tyhfwchu.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | tyhfwchu.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | tyhfwchu.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | tyhfwchu.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | tyhfwchu.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | tyhfwchu.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | tyhfwchu.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | tyhfwchu.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | tyhfwchu.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | tyhfwchu.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | tyhfwchu.exe
Drops file in Windows directory (5 IoCs)
description | ioc | process
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
File opened for modification | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | C:\Windows\mydoc.rtf | f6cc0abffe9509e95744869f94c62d58_JaffaCakes118.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tyhfwchu.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tyhfwchu.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f6cc0abffe9509e95744869f94c62d58_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rrtanurkry.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ttooymyzurvlnel.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fmuzcmvdvhwyt.exe
Office loads VBA resources, possible macro or embedded object present
Modifies registry class (19 IoCs)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | rrtanurkry.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | f6cc0abffe9509e95744869f94c62d58_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BC8F9B0F962F19684793B3581EB3EE2B38A038F4215034CE1BF429E08A6" | f6cc0abffe9509e95744869f94c62d58_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB0B05847E6399D52C9BAD1329DD4B8" | f6cc0abffe9509e95744869f94c62d58_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | rrtanurkry.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32412D7A9D2D83276A3277D577242CAE7CF565AB" | f6cc0abffe9509e95744869f94c62d58_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | rrtanurkry.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | rrtanurkry.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | rrtanurkry.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | rrtanurkry.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | rrtanurkry.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | rrtanurkry.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | rrtanurkry.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E8CFF8A4F5C821B9142D72A7E93BD90E634593066406237D690" | f6cc0abffe9509e95744869f94c62d58_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7FD6BB1FF1B21ACD20FD0A58B799017" | f6cc0abffe9509e95744869f94c62d58_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1938C67B14E0DABFB8CD7CE5EC9E34CD" | f6cc0abffe9509e95744869f94c62d58_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | rrtanurkry.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | rrtanurkry.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | rrtanurkry.exe
Suspicious behavior: AddClipboardFormatListener (1 IoC)
pid | process
2824 | WINWORD.EXE

Suspicious behavior: EnumeratesProcesses (64 IoCs, totals per process)
pid | process
488 | f6cc0abffe9509e95744869f94c62d58_JaffaCakes118.exe (×8)
2780 | rrtanurkry.exe (×5)
2880 | ttooymyzurvlnel.exe (×17)
2656 | fmuzcmvdvhwyt.exe (×26)
2804 | tyhfwchu.exe (×4)
2696 | tyhfwchu.exe (×4)

Suspicious use of FindShellTrayWindow (18 IoCs, totals per process)
pid | process
488 | f6cc0abffe9509e95744869f94c62d58_JaffaCakes118.exe (×3)
2780 | rrtanurkry.exe (×3)
2880 | ttooymyzurvlnel.exe (×3)
2656 | fmuzcmvdvhwyt.exe (×3)
2804 | tyhfwchu.exe (×3)
2696 | tyhfwchu.exe (×3)

Suspicious use of SendNotifyMessage (18 IoCs, totals per process)
pid | process
488 | f6cc0abffe9509e95744869f94c62d58_JaffaCakes118.exe (×3)
2780 | rrtanurkry.exe (×3)
2880 | ttooymyzurvlnel.exe (×3)
2656 | fmuzcmvdvhwyt.exe (×3)
2804 | tyhfwchu.exe (×3)
2696 | tyhfwchu.exe (×3)

Suspicious use of SetWindowsHookEx (2 IoCs)
pid | process
2824 | WINWORD.EXE (×2)
Suspicious use of WriteProcessMemory (28 IoCs; each pair was recorded 4 times)
description | pid | process | procid_target
PID 488 wrote to memory of 2780 | 488 | f6cc0abffe9509e95744869f94c62d58_JaffaCakes118.exe | 29 (×4)
PID 488 wrote to memory of 2880 | 488 | f6cc0abffe9509e95744869f94c62d58_JaffaCakes118.exe | 30 (×4)
PID 488 wrote to memory of 2804 | 488 | f6cc0abffe9509e95744869f94c62d58_JaffaCakes118.exe | 31 (×4)
PID 488 wrote to memory of 2656 | 488 | f6cc0abffe9509e95744869f94c62d58_JaffaCakes118.exe | 32 (×4)
PID 488 wrote to memory of 2824 | 488 | f6cc0abffe9509e95744869f94c62d58_JaffaCakes118.exe | 33 (×4)
PID 2780 wrote to memory of 2696 | 2780 | rrtanurkry.exe | 34 (×4)
PID 2824 wrote to memory of 1764 | 2824 | WINWORD.EXE | 36 (×4)
Processes
C:\Users\Admin\AppData\Local\Temp\f6cc0abffe9509e95744869f94c62d58_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\f6cc0abffe9509e95744869f94c62d58_JaffaCakes118.exe"
  PID: 488
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rrtanurkry.exe
    command line: rrtanurkry.exe
    PID: 2780
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\tyhfwchu.exe
      command line: C:\Windows\system32\tyhfwchu.exe
      PID: 2696
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\ttooymyzurvlnel.exe
    command line: ttooymyzurvlnel.exe
    PID: 2880
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\tyhfwchu.exe
    command line: tyhfwchu.exe
    PID: 2804
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\fmuzcmvdvhwyt.exe
    command line: fmuzcmvdvhwyt.exe
    PID: 2656
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
    PID: 2824
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\splwow64.exe
      command line: C:\Windows\splwow64.exe 12288
      PID: 1764
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (6)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Downloads
Filesize: 512KB
MD5: cb2645292ccbd2c3a57774f182e89def
SHA1: a1762d16b8f770e9242c65d4c70076a0976fcdb2
SHA256: 6b5e2ef07e090f0652ff03c53f0f559b9610823f994b46a77a0b26b83fc9430a
SHA512: a90984bd486cf02a0bed022543244f7303770ed55f831fe131bc8eca68a95d23faabd3ab5df4fbb4f993b5770b3b179c2ce9f58c7da83886889dba4c3d769d84

Filesize: 512KB
MD5: b3ce36a6bb1052ecac8a24807dc8094b
SHA1: aae93fcdf5836727e98aa3e6d71c7e2b8634e21b
SHA256: 757b9d9f49ded7c904dce06cdbdd1df9c796a5faf5ec939409619bc5b95f28fc
SHA512: 8b16599e2efdb16c7a7f155bf72167e48b5d4b8c751aa87f0b30d5bf98b5d1303a762f35ea177356bd9dd6a70f5ed01560996e6bda7b87c711c9b3971fd7f0a1

Filesize: 19KB
MD5: c39b20438ea758bc7bd158bdd183ba15
SHA1: fce2b895b99d056a9cd86ac72ccfd9165c1a0c92
SHA256: 26600af91c5446ead9ccbb44d7d2ae8acf1f681ddafa13595ef8e138f4ed2691
SHA512: 4c473c754296f0e098b1141e64542c953f2273fd92f20a4564a4fc1dbdf4039fa42157ac01e935abc20205f046b22f7b0115a0590844066cb125fc25697ccb73

Filesize: 512KB
MD5: 5bb895e2c6c91f2ea0cdc1dfc8f31349
SHA1: d7e1cb8cc6a76e0ea5fdd807693565061c9381e4
SHA256: d0573c21c8c3074db27bd2ef693af99cd71d959f78e95035ad075f83d82bff8a
SHA512: dc5808aa50dd58871bb01f8236789a80b47a05c8074a4943b474e9e47a6abbf2814844e68a22a81d32f92438716c67b4816a9bb4f54ebd75acdf789087103fa2

Filesize: 512KB
MD5: f9212dec400cd9b884e5000b14b987a6
SHA1: d056f55d81d74921892ba4f4e04ad78bdc14f77b
SHA256: 63829943745dc129a30891f0345deee380c6c53b323698744d6f9418fb880581
SHA512: b32ec300e2410568015fc056100043cfa4567078bbdcffc69fe4375dd49bc2d640f2d0bc68177902d0f41c49cf2cd2e121d03ac4c63740a896a7595f6333817e

Filesize: 512KB
MD5: 3757508880053418304d3fc54ac7d4e7
SHA1: 57e248a8134196093145ab5eed42b5c439e407ef
SHA256: 2184e5ac3326725cc969daaa820077a7af194b6663b6d5d7df5786109c52c097
SHA512: 6cd5fc537a7e8e50e8b31d4890579042a1233fdb1b0a9d3eb850877f61899eec67160b589a87df9fb4f9fd3db97234cc6a4e490c88ecd2e4be79ef0aadf731d5

Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Filesize: 512KB
MD5: 35ebe464aa17dead24bb7c84d227b86e
SHA1: 6ff5027c7cd4bb62f30b8af06cbb9d99ccfa64e3
SHA256: 81ea825c73d7313ad67fb528d802b29d513f966831bb4f847bc822cc8675ae03
SHA512: 0a01b2df937d6a84d3523ab98d2ea8c9bee81cd220b3779fe14c614222fa49b5571a41c7984dc084caf6d90770270bce9bae79953d561263bb16e595e5a79d7e

Filesize: 512KB
MD5: c2a78c3bdc8a77438935e03cb616e58f
SHA1: 5f532515422a7bc547b0aa1a419536cffd9add8e
SHA256: aa1fc602ca0878b54ce5cda4e4bca30d1dbcf0ee0868d75e950403eee1682e24
SHA512: 7ce7622ccc742b84c6c7ca3a90f672c59b595c043ec6f0766ab94bdc1cfc4e738fc6bab85eca7d4e46f91d075497672db672a07d4070aaac538e17fb21ab1960