Analysis
max time kernel: 150s
max time network: 125s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/09/2024, 13:26
Static task: static1
Behavioral task: behavioral1
Sample: fa7c328ed1155f461e2907e95e71888e_JaffaCakes118.exe
Resource: win7-20240903-en
General
Target: fa7c328ed1155f461e2907e95e71888e_JaffaCakes118.exe
Size: 512KB
MD5: fa7c328ed1155f461e2907e95e71888e
SHA1: f62a47454d0705212e9c84681bb68da2e8547ea4
SHA256: b71dba1e942d77326b3aab54a73fdafe2e195a6e22fa73eb9ab023dfc4544b3a
SHA512: 30d2a24208a5bce51226f559ca4470e2bb01ca5e6360815b6243307fefddba4ef96cdc80d9d372099e2138a266b052533a71d75f4b294ae1ef7ec7a8229288cc
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj66:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm57
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
- Set value (int) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (ycslkabysa.exe)
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
- Set value (int) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (ycslkabysa.exe)
Windows security bypass
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (ycslkabysa.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (ycslkabysa.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (ycslkabysa.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (ycslkabysa.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (ycslkabysa.exe)
Disables RegEdit via registry modification (1 IoC)
- Set value (int) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (ycslkabysa.exe)
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
- Key value queried \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation (fa7c328ed1155f461e2907e95e71888e_JaffaCakes118.exe)
Executes dropped EXE (5 IoCs)
- PID 4360 ycslkabysa.exe
- PID 3612 dvnzwpajkvpqfoy.exe
- PID 4788 bipunwae.exe
- PID 1576 hxgrrdcixkwbz.exe
- PID 916 bipunwae.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (ycslkabysa.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (ycslkabysa.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (ycslkabysa.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (ycslkabysa.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" (ycslkabysa.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (ycslkabysa.exe)
Adds Run key to start application (2 TTPs, 3 IoCs)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "hxgrrdcixkwbz.exe" (dvnzwpajkvpqfoy.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\hnzuejhi = "ycslkabysa.exe" (dvnzwpajkvpqfoy.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\btyrfvxs = "dvnzwpajkvpqfoy.exe" (dvnzwpajkvpqfoy.exe)
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
All 64 entries are "File opened (read-only)" on a drive root, listed per process in the order recorded:
- ycslkabysa.exe (22 opens): \??\a:, \??\u:, \??\p:, \??\q:, \??\g:, \??\j:, \??\k:, \??\o:, \??\t:, \??\z:, \??\m:, \??\s:, \??\n:, \??\v:, \??\h:, \??\r:, \??\x:, \??\i:, \??\w:, \??\y:, \??\b:, \??\l:
- bipunwae.exe (42 opens): \??\y:, \??\q:, \??\t:, \??\y:, \??\i:, \??\x:, \??\h:, \??\l:, \??\m:, \??\e:, \??\w:, \??\b:, \??\h:, \??\i:, \??\o:, \??\t:, \??\z:, \??\x:, \??\p:, \??\u:, \??\e:, \??\j:, \??\n:, \??\s:, \??\a:, \??\g:, \??\o:, \??\s:, \??\v:, \??\v:, \??\k:, \??\p:, \??\g:, \??\b:, \??\n:, \??\u:, \??\a:, \??\l:, \??\r:, \??\k:, \??\q:, \??\r:
Modifies WinLogon (2 TTPs, 2 IoCs)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" (ycslkabysa.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" (ycslkabysa.exe)
AutoIT Executable (9 IoCs)
AutoIT scripts compiled to PE executables.
Resources matching the autoit_exe YARA rule:
- behavioral2/memory/4816-0-0x0000000000400000-0x0000000000496000-memory.dmp
- behavioral2/files/0x000700000002343e-5.dat
- behavioral2/files/0x000b000000023431-19.dat
- behavioral2/files/0x000700000002343f-26.dat
- behavioral2/files/0x0007000000023440-32.dat
- behavioral2/files/0x0008000000023427-66.dat
- behavioral2/files/0x000700000002344c-71.dat
- behavioral2/files/0x0007000000023458-89.dat
- behavioral2/files/0x0007000000023458-92.dat
Drops file in System32 directory (12 IoCs)
- File opened for modification C:\Windows\SysWOW64\dvnzwpajkvpqfoy.exe (fa7c328ed1155f461e2907e95e71888e_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\bipunwae.exe (fa7c328ed1155f461e2907e95e71888e_JaffaCakes118.exe)
- File created C:\Windows\SysWOW64\hxgrrdcixkwbz.exe (fa7c328ed1155f461e2907e95e71888e_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\msvbvm60.dll (ycslkabysa.exe)
- File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (bipunwae.exe)
- File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (bipunwae.exe)
- File created C:\Windows\SysWOW64\ycslkabysa.exe (fa7c328ed1155f461e2907e95e71888e_JaffaCakes118.exe)
- File created C:\Windows\SysWOW64\dvnzwpajkvpqfoy.exe (fa7c328ed1155f461e2907e95e71888e_JaffaCakes118.exe)
- File created C:\Windows\SysWOW64\bipunwae.exe (fa7c328ed1155f461e2907e95e71888e_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\hxgrrdcixkwbz.exe (fa7c328ed1155f461e2907e95e71888e_JaffaCakes118.exe)
- File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (bipunwae.exe)
- File opened for modification C:\Windows\SysWOW64\ycslkabysa.exe (fa7c328ed1155f461e2907e95e71888e_JaffaCakes118.exe)
Drops file in Program Files directory (15 IoCs)
All entries by bipunwae.exe:
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal
- File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal
- File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal
Drops file in Windows directory (19 IoCs)
- File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (bipunwae.exe)
- File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (bipunwae.exe)
- File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (bipunwae.exe)
- File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (bipunwae.exe)
- File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (bipunwae.exe)
- File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (bipunwae.exe)
- File opened for modification C:\Windows\mydoc.rtf (WINWORD.EXE)
- File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (bipunwae.exe)
- File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (bipunwae.exe)
- File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (bipunwae.exe)
- File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (bipunwae.exe)
- File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (bipunwae.exe)
- File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (bipunwae.exe)
- File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (bipunwae.exe)
- File opened for modification C:\Windows\mydoc.rtf (fa7c328ed1155f461e2907e95e71888e_JaffaCakes118.exe)
- File created C:\Windows\~$mydoc.rtf (WINWORD.EXE)
- File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (bipunwae.exe)
- File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (bipunwae.exe)
- File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (bipunwae.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (dvnzwpajkvpqfoy.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (bipunwae.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (hxgrrdcixkwbz.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (bipunwae.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (fa7c328ed1155f461e2907e95e71888e_JaffaCakes118.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (ycslkabysa.exe)
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)
Enumerates system info in registry (2 TTPs, 3 IoCs)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
Modifies registry class (20 IoCs)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" (ycslkabysa.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg (ycslkabysa.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" (ycslkabysa.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF9FC8F482782139041D7587D96BDE4E643593566406345D69E" (fa7c328ed1155f461e2907e95e71888e_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1839C7751490DBC0B8B97FE2EC9637CA" (fa7c328ed1155f461e2907e95e71888e_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" (ycslkabysa.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh (ycslkabysa.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AC8F9C9F963F293840C3A41869A39E2B0FB038B42680238E1C842EF09A3" (fa7c328ed1155f461e2907e95e71888e_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB2B15844EE389853BFB9D532EDD7B8" (fa7c328ed1155f461e2907e95e71888e_JaffaCakes118.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc (ycslkabysa.exe)
- Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings (fa7c328ed1155f461e2907e95e71888e_JaffaCakes118.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf (ycslkabysa.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" (ycslkabysa.exe)
- Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes (fa7c328ed1155f461e2907e95e71888e_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7866BC2FF6E22DDD20CD0A48A0E9163" (fa7c328ed1155f461e2907e95e71888e_JaffaCakes118.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat (ycslkabysa.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" (ycslkabysa.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32352C7B9D5183536A3776D170242DD77CF664D8" (fa7c328ed1155f461e2907e95e71888e_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" (ycslkabysa.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs (ycslkabysa.exe)
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
- PID 3004 WINWORD.EXE (2 events)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 4816 fa7c328ed1155f461e2907e95e71888e_JaffaCakes118.exe (16 events)
- PID 4360 ycslkabysa.exe (10 events)
- PID 3612 dvnzwpajkvpqfoy.exe (10 events)
- PID 1576 hxgrrdcixkwbz.exe (12 events)
- PID 4788 bipunwae.exe (8 events)
- PID 916 bipunwae.exe (8 events)
Suspicious use of FindShellTrayWindow (18 IoCs)
- PID 4816 fa7c328ed1155f461e2907e95e71888e_JaffaCakes118.exe (3 events)
- PID 4360 ycslkabysa.exe (3 events)
- PID 3612 dvnzwpajkvpqfoy.exe (3 events)
- PID 1576 hxgrrdcixkwbz.exe (3 events)
- PID 4788 bipunwae.exe (3 events)
- PID 916 bipunwae.exe (3 events)
Suspicious use of SendNotifyMessage (18 IoCs)
- PID 4816 fa7c328ed1155f461e2907e95e71888e_JaffaCakes118.exe (3 events)
- PID 4360 ycslkabysa.exe (3 events)
- PID 3612 dvnzwpajkvpqfoy.exe (3 events)
- PID 1576 hxgrrdcixkwbz.exe (3 events)
- PID 4788 bipunwae.exe (3 events)
- PID 916 bipunwae.exe (3 events)
Suspicious use of SetWindowsHookEx (7 IoCs)
- PID 3004 WINWORD.EXE (7 events)
Suspicious use of WriteProcessMemory (17 IoCs)
Each entry gives the writing PID, the target PID, the writing process and the procid_target index:
- PID 4816 wrote to memory of 4360, fa7c328ed1155f461e2907e95e71888e_JaffaCakes118.exe, procid_target 82 (3 events)
- PID 4816 wrote to memory of 3612, fa7c328ed1155f461e2907e95e71888e_JaffaCakes118.exe, procid_target 83 (3 events)
- PID 4816 wrote to memory of 4788, fa7c328ed1155f461e2907e95e71888e_JaffaCakes118.exe, procid_target 84 (3 events)
- PID 4816 wrote to memory of 1576, fa7c328ed1155f461e2907e95e71888e_JaffaCakes118.exe, procid_target 85 (3 events)
- PID 4360 wrote to memory of 916, ycslkabysa.exe, procid_target 86 (3 events)
- PID 4816 wrote to memory of 3004, fa7c328ed1155f461e2907e95e71888e_JaffaCakes118.exe, procid_target 87 (2 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\fa7c328ed1155f461e2907e95e71888e_JaffaCakes118.exe (PID 4816)
  Command line: "C:\Users\Admin\AppData\Local\Temp\fa7c328ed1155f461e2907e95e71888e_JaffaCakes118.exe"
  Signatures:
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\ycslkabysa.exe (PID 4360)
    Command line: ycslkabysa.exe
    Signatures:
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\bipunwae.exe (PID 916)
      Command line: C:\Windows\system32\bipunwae.exe
      Signatures:
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\dvnzwpajkvpqfoy.exe (PID 3612)
    Command line: dvnzwpajkvpqfoy.exe
    Signatures:
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\bipunwae.exe (PID 4788)
    Command line: bipunwae.exe
    Signatures:
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\hxgrrdcixkwbz.exe (PID 1576)
    Command line: hxgrrdcixkwbz.exe
    Signatures:
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 3004)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    Signatures:
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads