Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system -
submitted
27/09/2024, 14:11
Static task
static1
Behavioral task
behavioral1
Sample
fa8cd8394aa27c9b22fa8bd7d7b5a51c_JaffaCakes118.exe
Resource
win7-20240729-en
General
-
Target
fa8cd8394aa27c9b22fa8bd7d7b5a51c_JaffaCakes118.exe
-
Size
512KB
-
MD5
fa8cd8394aa27c9b22fa8bd7d7b5a51c
-
SHA1
93205ba789a795d333a5beb6441ebd3eadeeae27
-
SHA256
c3762ac4dcd225bb4afbd6f12a41877065cb23f0e10cb1eef6ffdaa7c2eb620e
-
SHA512
8a3b47b9e58f36eacef4c91f24b47a2d973a070bd5196de35f755c4840781ac36606e52504a2c30d0256f032abeb8180aa1fe915cf03368982921616389f0126
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6r:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5c
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | admvtgopfw.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | admvtgopfw.exe
Windows security bypass 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | admvtgopfw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | admvtgopfw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | admvtgopfw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | admvtgopfw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | admvtgopfw.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | admvtgopfw.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation | fa8cd8394aa27c9b22fa8bd7d7b5a51c_JaffaCakes118.exe
Executes dropped EXE 5 IoCs
pid | Process
624 | admvtgopfw.exe
1592 | uqjmooubmnaqfpc.exe
3804 | hyftsckh.exe
3080 | wdfuhujvoojvr.exe
2024 | hyftsckh.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | admvtgopfw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | admvtgopfw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | admvtgopfw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | admvtgopfw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | admvtgopfw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | admvtgopfw.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ucnbtoxi = "admvtgopfw.exe" | uqjmooubmnaqfpc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cwsgvonb = "uqjmooubmnaqfpc.exe" | uqjmooubmnaqfpc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "wdfuhujvoojvr.exe" | uqjmooubmnaqfpc.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | admvtgopfw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | admvtgopfw.exe
AutoIT Executable 13 IoCs
AutoIT scripts compiled to PE executables.
Drops file in System32 directory 13 IoCs
description | ioc | Process
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | hyftsckh.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | hyftsckh.exe
File opened for modification | C:\Windows\SysWOW64\uqjmooubmnaqfpc.exe | fa8cd8394aa27c9b22fa8bd7d7b5a51c_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\hyftsckh.exe | fa8cd8394aa27c9b22fa8bd7d7b5a51c_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\hyftsckh.exe | fa8cd8394aa27c9b22fa8bd7d7b5a51c_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\wdfuhujvoojvr.exe | fa8cd8394aa27c9b22fa8bd7d7b5a51c_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | admvtgopfw.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | hyftsckh.exe
File created | C:\Windows\SysWOW64\admvtgopfw.exe | fa8cd8394aa27c9b22fa8bd7d7b5a51c_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\admvtgopfw.exe | fa8cd8394aa27c9b22fa8bd7d7b5a51c_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\uqjmooubmnaqfpc.exe | fa8cd8394aa27c9b22fa8bd7d7b5a51c_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\wdfuhujvoojvr.exe | fa8cd8394aa27c9b22fa8bd7d7b5a51c_JaffaCakes118.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | hyftsckh.exe
Drops file in Program Files directory 22 IoCs
description | ioc | Process
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | hyftsckh.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | hyftsckh.exe
File opened for modification | C:\Program Files\PingConfirm.doc.exe | hyftsckh.exe
File opened for modification | C:\Program Files\PingConfirm.doc.exe | hyftsckh.exe
File opened for modification | C:\Program Files\PingConfirm.nal | hyftsckh.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | hyftsckh.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | hyftsckh.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | hyftsckh.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | hyftsckh.exe
File opened for modification | C:\Program Files\PingConfirm.nal | hyftsckh.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | hyftsckh.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | hyftsckh.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | hyftsckh.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | hyftsckh.exe
File opened for modification | \??\c:\Program Files\PingConfirm.doc.exe | hyftsckh.exe
File opened for modification | \??\c:\Program Files\PingConfirm.doc.exe | hyftsckh.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | hyftsckh.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | hyftsckh.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | hyftsckh.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | hyftsckh.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | hyftsckh.exe
File created | \??\c:\Program Files\PingConfirm.doc.exe | hyftsckh.exe
Drops file in Windows directory 19 IoCs
description | ioc | Process
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | hyftsckh.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | hyftsckh.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | hyftsckh.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | hyftsckh.exe
File opened for modification | C:\Windows\mydoc.rtf | fa8cd8394aa27c9b22fa8bd7d7b5a51c_JaffaCakes118.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | hyftsckh.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | hyftsckh.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | hyftsckh.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | hyftsckh.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | hyftsckh.exe
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | hyftsckh.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | hyftsckh.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | hyftsckh.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | hyftsckh.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | hyftsckh.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | hyftsckh.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | hyftsckh.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | hyftsckh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fa8cd8394aa27c9b22fa8bd7d7b5a51c_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | admvtgopfw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | uqjmooubmnaqfpc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | hyftsckh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wdfuhujvoojvr.exe
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class 20 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33422C7C9C2482596D4176D770522DDE7DF165DE" | fa8cd8394aa27c9b22fa8bd7d7b5a51c_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | admvtgopfw.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | admvtgopfw.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | admvtgopfw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | admvtgopfw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCFF9CCF967F194837F3B37819E3993B0F902FA43690238E1C8459908A9" | fa8cd8394aa27c9b22fa8bd7d7b5a51c_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8FFF834826826D9130D65B7DE6BC92E13D593167366241D6ED" | fa8cd8394aa27c9b22fa8bd7d7b5a51c_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F46BB6FE6A21DAD10FD0A18B0E9163" | fa8cd8394aa27c9b22fa8bd7d7b5a51c_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | admvtgopfw.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | fa8cd8394aa27c9b22fa8bd7d7b5a51c_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | admvtgopfw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | admvtgopfw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | admvtgopfw.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | admvtgopfw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | admvtgopfw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC3B0584793389F52CDBAD1329ED7CE" | fa8cd8394aa27c9b22fa8bd7d7b5a51c_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "183AC70F14E1DAC7B9B97C90ED9034CB" | fa8cd8394aa27c9b22fa8bd7d7b5a51c_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | admvtgopfw.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | admvtgopfw.exe
Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings | fa8cd8394aa27c9b22fa8bd7d7b5a51c_JaffaCakes118.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
2640 | WINWORD.EXE
2640 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of FindShellTrayWindow 18 IoCs
Suspicious use of SendNotifyMessage 18 IoCs
Suspicious use of SetWindowsHookEx 7 IoCs
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\fa8cd8394aa27c9b22fa8bd7d7b5a51c_JaffaCakes118.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\fa8cd8394aa27c9b22fa8bd7d7b5a51c_JaffaCakes118.exe"
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 4624

  C:\Windows\SysWOW64\admvtgopfw.exe (level 2)
  Command line: admvtgopfw.exe
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 624

    C:\Windows\SysWOW64\hyftsckh.exe (level 3)
    Command line: C:\Windows\system32\hyftsckh.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 2024

  C:\Windows\SysWOW64\uqjmooubmnaqfpc.exe (level 2)
  Command line: uqjmooubmnaqfpc.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 1592

  C:\Windows\SysWOW64\hyftsckh.exe (level 2)
  Command line: hyftsckh.exe
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 3804

  C:\Windows\SysWOW64\wdfuhujvoojvr.exe (level 2)
  Command line: wdfuhujvoojvr.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 3080

  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (level 2)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
  - Drops file in Windows directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID: 2640
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution 2
Registry Run Keys / Startup Folder 1
Winlogon Helper DLL 1
Privilege Escalation
Boot or Logon Autostart Execution 2
Registry Run Keys / Startup Folder 1
Winlogon Helper DLL 1
Defense Evasion
Hide Artifacts 2
Hidden Files and Directories 2
Impair Defenses 2
Disable or Modify Tools 2
Modify Registry 6
Credential Access
Credentials from Password Stores 1
Credentials from Web Browsers 1
Unsecured Credentials 1
Credentials In Files 1
Downloads