Analysis
max time kernel: 150s
max time network: 123s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 28/09/2024, 00:52
Static task: static1
Behavioral task: behavioral1
Sample: fb3404e91682666191ca2521075cdf8c_JaffaCakes118.exe
Resource: win7-20240903-en
General
-
Target
fb3404e91682666191ca2521075cdf8c_JaffaCakes118.exe
-
Size
512KB
-
MD5
fb3404e91682666191ca2521075cdf8c
-
SHA1
f7b0d536ab155235c4edf528035d1a1a4d48702c
-
SHA256
351124adf2040c41417cc0eae67a53125c5c6f6ada75087425890ed36deeaace
-
SHA512
ff86934a229e4de766addcfdb9ebe46ec89ac2281afbac53af7d612dceefe4c6384702dcecb311e5ddc7ed2b4203e7bc2acd493a3a25eec7765f0f5fc9a5ae57
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6k:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5r
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | bnqulipakh.exe

Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | bnqulipakh.exe

Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | bnqulipakh.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | bnqulipakh.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | bnqulipakh.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | bnqulipakh.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | bnqulipakh.exe
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe

Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | bnqulipakh.exe

Executes dropped EXE 5 IoCs
pid | Process
2352 | bnqulipakh.exe
2852 | ukjcwmzvrtvufhk.exe
2704 | bomkishv.exe
2812 | fklsqhagzwojq.exe
2840 | bomkishv.exe

Loads dropped DLL 5 IoCs
pid | Process
276 | fb3404e91682666191ca2521075cdf8c_JaffaCakes118.exe
276 | fb3404e91682666191ca2521075cdf8c_JaffaCakes118.exe
276 | fb3404e91682666191ca2521075cdf8c_JaffaCakes118.exe
276 | fb3404e91682666191ca2521075cdf8c_JaffaCakes118.exe
2352 | bnqulipakh.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | bnqulipakh.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | bnqulipakh.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | bnqulipakh.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | bnqulipakh.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | bnqulipakh.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | bnqulipakh.exe

Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wagsthrc = "bnqulipakh.exe" | ukjcwmzvrtvufhk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\tyelgbre = "ukjcwmzvrtvufhk.exe" | ukjcwmzvrtvufhk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "fklsqhagzwojq.exe" | ukjcwmzvrtvufhk.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | bnqulipakh.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | bnqulipakh.exe

AutoIT Executable 8 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/memory/276-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral1/files/0x0008000000015fa6-5.dat | autoit_exe
behavioral1/files/0x000d000000012272-17.dat | autoit_exe
behavioral1/files/0x00070000000160da-27.dat | autoit_exe
behavioral1/files/0x0007000000016141-39.dat | autoit_exe
behavioral1/files/0x0002000000003d25-62.dat | autoit_exe
behavioral1/files/0x0002000000003d26-68.dat | autoit_exe
behavioral1/files/0x000900000001660e-78.dat | autoit_exe

Drops file in System32 directory 9 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\bomkishv.exe | fb3404e91682666191ca2521075cdf8c_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | bnqulipakh.exe
File created | C:\Windows\SysWOW64\bnqulipakh.exe | fb3404e91682666191ca2521075cdf8c_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\bnqulipakh.exe | fb3404e91682666191ca2521075cdf8c_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\ukjcwmzvrtvufhk.exe | fb3404e91682666191ca2521075cdf8c_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\fklsqhagzwojq.exe | fb3404e91682666191ca2521075cdf8c_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\ukjcwmzvrtvufhk.exe | fb3404e91682666191ca2521075cdf8c_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\bomkishv.exe | fb3404e91682666191ca2521075cdf8c_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\fklsqhagzwojq.exe | fb3404e91682666191ca2521075cdf8c_JaffaCakes118.exe

Drops file in Program Files directory 14 IoCs
description | ioc | Process
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | bomkishv.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | bomkishv.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | bomkishv.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | bomkishv.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | bomkishv.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | bomkishv.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | bomkishv.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | bomkishv.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | bomkishv.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | bomkishv.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | bomkishv.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | bomkishv.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | bomkishv.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | bomkishv.exe

Drops file in Windows directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Windows\mydoc.rtf | fb3404e91682666191ca2521075cdf8c_JaffaCakes118.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fklsqhagzwojq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bomkishv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fb3404e91682666191ca2521075cdf8c_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bnqulipakh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ukjcwmzvrtvufhk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bomkishv.exe

Office loads VBA resources, possible macro or embedded object present
Modifies registry class 24 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | fb3404e91682666191ca2521075cdf8c_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCFFABFF967F1E3840C3B3581EA3E97B38D03F04215023CE1C842E808A1" | fb3404e91682666191ca2521075cdf8c_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E8CFF8C482C82129040D72F7D94BD95E641584067316334D6EC" | fb3404e91682666191ca2521075cdf8c_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | bnqulipakh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | bnqulipakh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | bnqulipakh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB2B15A47E339E953BEB9D1329DD4B9" | fb3404e91682666191ca2521075cdf8c_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1944C77815E7DAB7B8BA7CE6ECE734CC" | fb3404e91682666191ca2521075cdf8c_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | bnqulipakh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | bnqulipakh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | bnqulipakh.exe
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_Classes\Local Settings | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | bnqulipakh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | bnqulipakh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | bnqulipakh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | bnqulipakh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33412C769D5782236A3076A077262CDF7D8564A8" | fb3404e91682666191ca2521075cdf8c_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F66BB4FE1A22DBD10FD0A68B7B9110" | fb3404e91682666191ca2521075cdf8c_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | bnqulipakh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | bnqulipakh.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
2592 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 12 IoCs
Suspicious use of FindShellTrayWindow 47 IoCs
Suspicious use of SendNotifyMessage 36 IoCs
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
2592 | WINWORD.EXE
2592 | WINWORD.EXE
Suspicious use of WriteProcessMemory 28 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\fb3404e91682666191ca2521075cdf8c_JaffaCakes118.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\fb3404e91682666191ca2521075cdf8c_JaffaCakes118.exe"
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 276

  C:\Windows\SysWOW64\bnqulipakh.exe (level 2)
  Command line: bnqulipakh.exe
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 2352

    C:\Windows\SysWOW64\bomkishv.exe (level 3)
    Command line: C:\Windows\system32\bomkishv.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 2840

  C:\Windows\SysWOW64\ukjcwmzvrtvufhk.exe (level 2)
  Command line: ukjcwmzvrtvufhk.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 2852

  C:\Windows\SysWOW64\bomkishv.exe (level 2)
  Command line: bomkishv.exe
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 2704

  C:\Windows\SysWOW64\fklsqhagzwojq.exe (level 2)
  Command line: fklsqhagzwojq.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 2812

  C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (level 2)
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2592

    C:\Windows\splwow64.exe (level 3)
    Command line: C:\Windows\splwow64.exe 12288
    PID: 2908

C:\Windows\explorer.exe (level 1)
Command line: explorer.exe
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 2648
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution: 3
  - Active Setup: 1
  - Registry Run Keys / Startup Folder: 1
  - Winlogon Helper DLL: 1

Privilege Escalation
- Boot or Logon Autostart Execution: 3
  - Active Setup: 1
  - Registry Run Keys / Startup Folder: 1
  - Winlogon Helper DLL: 1

Defense Evasion
- Hide Artifacts: 2
  - Hidden Files and Directories: 2
- Impair Defenses: 2
  - Disable or Modify Tools: 2
- Modify Registry: 7

Credential Access
- Credentials from Password Stores: 1
  - Credentials from Web Browsers: 1
- Unsecured Credentials: 1
  - Credentials In Files: 1
Downloads