Analysis

max time kernel: 150s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted: 29/09/2024, 09:27

Static task: static1
Behavioral task: behavioral1
Sample: fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe
Resource: win7-20240903-en

General

Target: fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe
Size: 512KB
MD5: fe3d7d637b2b8f9a2c0ac50faeaf42af
SHA1: 1808d6a66841243fdb04b750738bf5d388a4b681
SHA256: b16ba024debae38dd2dfb0d258cf6016f676c16323b76e22ad0fa5650e63d3cc
SHA512: 4a8d1f897e871e8182709ae0f8dc205ce834cfc7d0643af7ecf7f57f9e18b54ef70ad1253e8f910a7de1eeddb38c75a8a5d27ed4678fb416306300c71c4df883
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6N:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5E
Malware Config

Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | fdrgbqstel.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | fdrgbqstel.exe
Windows security bypass 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | fdrgbqstel.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | fdrgbqstel.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | fdrgbqstel.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | fdrgbqstel.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | fdrgbqstel.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | fdrgbqstel.exe
Executes dropped EXE 5 IoCs
pid | Process
2380 | fdrgbqstel.exe
1916 | rmnqmnsdthgagbn.exe
2748 | ruynfytj.exe
2284 | zwbcpvqdfqcyg.exe
2908 | ruynfytj.exe
Loads dropped DLL 5 IoCs
pid | Process
2508 | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe
2508 | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe
2508 | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe
2508 | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe
2380 | fdrgbqstel.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | fdrgbqstel.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | fdrgbqstel.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | fdrgbqstel.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | fdrgbqstel.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | fdrgbqstel.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | fdrgbqstel.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "zwbcpvqdfqcyg.exe" | rmnqmnsdthgagbn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfoxvle = "fdrgbqstel.exe" | rmnqmnsdthgagbn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\pehibcgc = "rmnqmnsdthgagbn.exe" | rmnqmnsdthgagbn.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\g: | ruynfytj.exe
File opened (read-only) | \??\z: | ruynfytj.exe
File opened (read-only) | \??\g: | ruynfytj.exe
File opened (read-only) | \??\a: | ruynfytj.exe
File opened (read-only) | \??\y: | fdrgbqstel.exe
File opened (read-only) | \??\n: | ruynfytj.exe
File opened (read-only) | \??\a: | ruynfytj.exe
File opened (read-only) | \??\k: | ruynfytj.exe
File opened (read-only) | \??\k: | ruynfytj.exe
File opened (read-only) | \??\t: | ruynfytj.exe
File opened (read-only) | \??\v: | ruynfytj.exe
File opened (read-only) | \??\w: | fdrgbqstel.exe
File opened (read-only) | \??\b: | ruynfytj.exe
File opened (read-only) | \??\p: | ruynfytj.exe
File opened (read-only) | \??\w: | ruynfytj.exe
File opened (read-only) | \??\j: | fdrgbqstel.exe
File opened (read-only) | \??\h: | fdrgbqstel.exe
File opened (read-only) | \??\m: | fdrgbqstel.exe
File opened (read-only) | \??\h: | ruynfytj.exe
File opened (read-only) | \??\m: | ruynfytj.exe
File opened (read-only) | \??\b: | ruynfytj.exe
File opened (read-only) | \??\g: | fdrgbqstel.exe
File opened (read-only) | \??\j: | ruynfytj.exe
File opened (read-only) | \??\a: | fdrgbqstel.exe
File opened (read-only) | \??\e: | fdrgbqstel.exe
File opened (read-only) | \??\u: | ruynfytj.exe
File opened (read-only) | \??\y: | ruynfytj.exe
File opened (read-only) | \??\w: | ruynfytj.exe
File opened (read-only) | \??\q: | ruynfytj.exe
File opened (read-only) | \??\i: | ruynfytj.exe
File opened (read-only) | \??\o: | ruynfytj.exe
File opened (read-only) | \??\p: | ruynfytj.exe
File opened (read-only) | \??\n: | fdrgbqstel.exe
File opened (read-only) | \??\i: | ruynfytj.exe
File opened (read-only) | \??\j: | ruynfytj.exe
File opened (read-only) | \??\r: | ruynfytj.exe
File opened (read-only) | \??\q: | fdrgbqstel.exe
File opened (read-only) | \??\e: | ruynfytj.exe
File opened (read-only) | \??\t: | ruynfytj.exe
File opened (read-only) | \??\u: | ruynfytj.exe
File opened (read-only) | \??\e: | ruynfytj.exe
File opened (read-only) | \??\n: | ruynfytj.exe
File opened (read-only) | \??\q: | ruynfytj.exe
File opened (read-only) | \??\r: | fdrgbqstel.exe
File opened (read-only) | \??\l: | ruynfytj.exe
File opened (read-only) | \??\x: | fdrgbqstel.exe
File opened (read-only) | \??\r: | ruynfytj.exe
File opened (read-only) | \??\x: | ruynfytj.exe
File opened (read-only) | \??\s: | fdrgbqstel.exe
File opened (read-only) | \??\u: | fdrgbqstel.exe
File opened (read-only) | \??\v: | ruynfytj.exe
File opened (read-only) | \??\i: | fdrgbqstel.exe
File opened (read-only) | \??\t: | fdrgbqstel.exe
File opened (read-only) | \??\x: | ruynfytj.exe
File opened (read-only) | \??\k: | fdrgbqstel.exe
File opened (read-only) | \??\o: | fdrgbqstel.exe
File opened (read-only) | \??\v: | fdrgbqstel.exe
File opened (read-only) | \??\s: | ruynfytj.exe
File opened (read-only) | \??\h: | ruynfytj.exe
File opened (read-only) | \??\l: | ruynfytj.exe
File opened (read-only) | \??\l: | fdrgbqstel.exe
File opened (read-only) | \??\z: | ruynfytj.exe
File opened (read-only) | \??\b: | fdrgbqstel.exe
File opened (read-only) | \??\p: | fdrgbqstel.exe
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | fdrgbqstel.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | fdrgbqstel.exe
AutoIT Executable 8 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/memory/2508-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral1/files/0x000f000000018662-5.dat | autoit_exe
behavioral1/files/0x0008000000012102-17.dat | autoit_exe
behavioral1/files/0x00060000000186c8-28.dat | autoit_exe
behavioral1/files/0x000600000001878d-39.dat | autoit_exe
behavioral1/files/0x00020000000001bf-49.dat | autoit_exe
behavioral1/files/0x0002000000003d1f-56.dat | autoit_exe
behavioral1/files/0x00070000000193b7-75.dat | autoit_exe
Drops file in System32 directory 9 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\rmnqmnsdthgagbn.exe | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\zwbcpvqdfqcyg.exe | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\rmnqmnsdthgagbn.exe | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\ruynfytj.exe | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\ruynfytj.exe | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\zwbcpvqdfqcyg.exe | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | fdrgbqstel.exe
File created | C:\Windows\SysWOW64\fdrgbqstel.exe | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\fdrgbqstel.exe | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe
Drops file in Program Files directory 28 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\ExitRequest.nal | ruynfytj.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | ruynfytj.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | ruynfytj.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | ruynfytj.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | ruynfytj.exe
File created | \??\c:\Program Files\CompareHide.doc.exe | ruynfytj.exe
File opened for modification | \??\c:\Program Files\ExitRequest.doc.exe | ruynfytj.exe
File opened for modification | C:\Program Files\ExitRequest.doc.exe | ruynfytj.exe
File opened for modification | \??\c:\Program Files\ExitRequest.doc.exe | ruynfytj.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | ruynfytj.exe
File opened for modification | C:\Program Files\CompareHide.nal | ruynfytj.exe
File opened for modification | C:\Program Files\CompareHide.nal | ruynfytj.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | ruynfytj.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | ruynfytj.exe
File opened for modification | C:\Program Files\ExitRequest.nal | ruynfytj.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | ruynfytj.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | ruynfytj.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | ruynfytj.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | ruynfytj.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | ruynfytj.exe
File opened for modification | \??\c:\Program Files\CompareHide.doc.exe | ruynfytj.exe
File opened for modification | C:\Program Files\ExitRequest.doc.exe | ruynfytj.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | ruynfytj.exe
File opened for modification | C:\Program Files\CompareHide.doc.exe | ruynfytj.exe
File opened for modification | C:\Program Files\CompareHide.doc.exe | ruynfytj.exe
File opened for modification | \??\c:\Program Files\CompareHide.doc.exe | ruynfytj.exe
File created | \??\c:\Program Files\ExitRequest.doc.exe | ruynfytj.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | ruynfytj.exe
Drops file in Windows directory 5 IoCs
description | ioc | Process
File opened for modification | C:\Windows\mydoc.rtf | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
File opened for modification | C:\Windows\~$mydoc.rtf | WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ruynfytj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fdrgbqstel.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rmnqmnsdthgagbn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ruynfytj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zwbcpvqdfqcyg.exe
Office loads VBA resources, possible macro or embedded object present
Modifies registry class 19 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FFBFCFB485D85129047D6217E94BD90E134584667446237D7EA" | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | fdrgbqstel.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | fdrgbqstel.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | fdrgbqstel.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33452C7C9D5283586A3E77D177252DDA7DF464AC" | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCEFAB9F963F298837D3B3081983995B38B02FC43160338E1C9429B08A4" | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F268B1FE1D21AED178D1A88A759116" | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | fdrgbqstel.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | fdrgbqstel.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB2B02F44E739EC53C8B9A233EAD7CC" | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | fdrgbqstel.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | fdrgbqstel.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | fdrgbqstel.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | fdrgbqstel.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193FC6741593DAB2B8BD7CE7EDE034CA" | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | fdrgbqstel.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | fdrgbqstel.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | fdrgbqstel.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
2412 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2508 | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe
2508 | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe
2508 | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe
2508 | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe
2508 | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe
2508 | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe
2508 | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe
2508 | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe
2380 | fdrgbqstel.exe
2380 | fdrgbqstel.exe
2380 | fdrgbqstel.exe
2380 | fdrgbqstel.exe
2380 | fdrgbqstel.exe
2748 | ruynfytj.exe
2748 | ruynfytj.exe
2748 | ruynfytj.exe
2748 | ruynfytj.exe
1916 | rmnqmnsdthgagbn.exe
1916 | rmnqmnsdthgagbn.exe
1916 | rmnqmnsdthgagbn.exe
1916 | rmnqmnsdthgagbn.exe
1916 | rmnqmnsdthgagbn.exe
2284 | zwbcpvqdfqcyg.exe
2284 | zwbcpvqdfqcyg.exe
2284 | zwbcpvqdfqcyg.exe
2284 | zwbcpvqdfqcyg.exe
2284 | zwbcpvqdfqcyg.exe
2284 | zwbcpvqdfqcyg.exe
2908 | ruynfytj.exe
2908 | ruynfytj.exe
2908 | ruynfytj.exe
2908 | ruynfytj.exe
1916 | rmnqmnsdthgagbn.exe
2284 | zwbcpvqdfqcyg.exe
2284 | zwbcpvqdfqcyg.exe
1916 | rmnqmnsdthgagbn.exe
1916 | rmnqmnsdthgagbn.exe
2284 | zwbcpvqdfqcyg.exe
2284 | zwbcpvqdfqcyg.exe
1916 | rmnqmnsdthgagbn.exe
2284 | zwbcpvqdfqcyg.exe
2284 | zwbcpvqdfqcyg.exe
1916 | rmnqmnsdthgagbn.exe
2284 | zwbcpvqdfqcyg.exe
2284 | zwbcpvqdfqcyg.exe
1916 | rmnqmnsdthgagbn.exe
2284 | zwbcpvqdfqcyg.exe
2284 | zwbcpvqdfqcyg.exe
1916 | rmnqmnsdthgagbn.exe
2284 | zwbcpvqdfqcyg.exe
2284 | zwbcpvqdfqcyg.exe
1916 | rmnqmnsdthgagbn.exe
2284 | zwbcpvqdfqcyg.exe
2284 | zwbcpvqdfqcyg.exe
1916 | rmnqmnsdthgagbn.exe
2284 | zwbcpvqdfqcyg.exe
2284 | zwbcpvqdfqcyg.exe
1916 | rmnqmnsdthgagbn.exe
2284 | zwbcpvqdfqcyg.exe
2284 | zwbcpvqdfqcyg.exe
1916 | rmnqmnsdthgagbn.exe
2284 | zwbcpvqdfqcyg.exe
2284 | zwbcpvqdfqcyg.exe
1916 | rmnqmnsdthgagbn.exe
Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process
2508 | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe
2508 | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe
2508 | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe
2380 | fdrgbqstel.exe
2380 | fdrgbqstel.exe
2380 | fdrgbqstel.exe
2748 | ruynfytj.exe
2748 | ruynfytj.exe
2748 | ruynfytj.exe
1916 | rmnqmnsdthgagbn.exe
1916 | rmnqmnsdthgagbn.exe
1916 | rmnqmnsdthgagbn.exe
2284 | zwbcpvqdfqcyg.exe
2284 | zwbcpvqdfqcyg.exe
2284 | zwbcpvqdfqcyg.exe
2908 | ruynfytj.exe
2908 | ruynfytj.exe
2908 | ruynfytj.exe
Suspicious use of SendNotifyMessage 18 IoCs
pid | Process
2508 | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe
2508 | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe
2508 | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe
2380 | fdrgbqstel.exe
2380 | fdrgbqstel.exe
2380 | fdrgbqstel.exe
2748 | ruynfytj.exe
2748 | ruynfytj.exe
2748 | ruynfytj.exe
1916 | rmnqmnsdthgagbn.exe
1916 | rmnqmnsdthgagbn.exe
1916 | rmnqmnsdthgagbn.exe
2284 | zwbcpvqdfqcyg.exe
2284 | zwbcpvqdfqcyg.exe
2284 | zwbcpvqdfqcyg.exe
2908 | ruynfytj.exe
2908 | ruynfytj.exe
2908 | ruynfytj.exe
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
2412 | WINWORD.EXE
2412 | WINWORD.EXE
Suspicious use of WriteProcessMemory 28 IoCs
description | pid | Process | procid_target
PID 2508 wrote to memory of 2380 | 2508 | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe | 30
PID 2508 wrote to memory of 2380 | 2508 | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe | 30
PID 2508 wrote to memory of 2380 | 2508 | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe | 30
PID 2508 wrote to memory of 2380 | 2508 | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe | 30
PID 2508 wrote to memory of 1916 | 2508 | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe | 31
PID 2508 wrote to memory of 1916 | 2508 | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe | 31
PID 2508 wrote to memory of 1916 | 2508 | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe | 31
PID 2508 wrote to memory of 1916 | 2508 | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe | 31
PID 2508 wrote to memory of 2748 | 2508 | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe | 32
PID 2508 wrote to memory of 2748 | 2508 | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe | 32
PID 2508 wrote to memory of 2748 | 2508 | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe | 32
PID 2508 wrote to memory of 2748 | 2508 | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe | 32
PID 2508 wrote to memory of 2284 | 2508 | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe | 33
PID 2508 wrote to memory of 2284 | 2508 | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe | 33
PID 2508 wrote to memory of 2284 | 2508 | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe | 33
PID 2508 wrote to memory of 2284 | 2508 | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe | 33
PID 2380 wrote to memory of 2908 | 2380 | fdrgbqstel.exe | 34
PID 2380 wrote to memory of 2908 | 2380 | fdrgbqstel.exe | 34
PID 2380 wrote to memory of 2908 | 2380 | fdrgbqstel.exe | 34
PID 2380 wrote to memory of 2908 | 2380 | fdrgbqstel.exe | 34
PID 2508 wrote to memory of 2412 | 2508 | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe | 35
PID 2508 wrote to memory of 2412 | 2508 | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe | 35
PID 2508 wrote to memory of 2412 | 2508 | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe | 35
PID 2508 wrote to memory of 2412 | 2508 | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe | 35
PID 2412 wrote to memory of 536 | 2412 | WINWORD.EXE | 38
PID 2412 wrote to memory of 536 | 2412 | WINWORD.EXE | 38
PID 2412 wrote to memory of 536 | 2412 | WINWORD.EXE | 38
PID 2412 wrote to memory of 536 | 2412 | WINWORD.EXE | 38
Processes

C:\Users\Admin\AppData\Local\Temp\fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe (depth 1, PID 2508)
  Command line: "C:\Users\Admin\AppData\Local\Temp\fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\fdrgbqstel.exe (depth 2, PID 2380)
    Command line: fdrgbqstel.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\ruynfytj.exe (depth 3, PID 2908)
      Command line: C:\Windows\system32\ruynfytj.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\rmnqmnsdthgagbn.exe (depth 2, PID 1916)
    Command line: rmnqmnsdthgagbn.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\ruynfytj.exe (depth 2, PID 2748)
    Command line: ruynfytj.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\zwbcpvqdfqcyg.exe (depth 2, PID 2284)
    Command line: zwbcpvqdfqcyg.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (depth 2, PID 2412)
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\splwow64.exe (depth 3, PID 536)
      Command line: C:\Windows\splwow64.exe 12288

Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (6)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Downloads

Filesize: 512KB
MD5: 9d8c45b82f9a983d66907668d2d8d600
SHA1: 0b98c32b73d0baac2b3b50fe7206b3270b2f8071
SHA256: c94dad64cd1db3a1deb1a5a8de694ead74e56890a84c44eef450404340de0306
SHA512: ad2a39495930abdf2f92bc8b49bd92d3b965b29a07d4afc52321cb44925b7cf2ff50a6a576730fbe8506b687f881bc954321793896ef384c2256c39f6ae99717

Filesize: 512KB
MD5: 457cbd473798d962c04ce74489710cb8
SHA1: 902e30cbfddb7916a80a91017623f5adf81f6fad
SHA256: c8acba98a6422af6f9d582df1c2b377863d7ef8d4fe4da85476e6cc4fd523e53
SHA512: 490ffa2b75812ec21ded48fc1a926b38251a9fb7b1138c4c20977458ff9fb3cd203c82930163e760c340d4038b9c3ea7d73f3996c8b153ebf7f7b80b8e470aac

Filesize: 512KB
MD5: 0783a4f59e45522defaa667fcd0c892e
SHA1: 66821fd62a3f3e7a451257bb7d635ca529fc472b
SHA256: 858a0bb0a8611db105b4b62a69a65bd0f5057bba76eb63fa84169b1b0c8bca22
SHA512: fe3ce2913688b0fc6d7ef8cc51abf7f326c567d626c25da5c86f98207fade0ba201d2d5e4cea2d5d34d89e75ebde378945ad27395d51b4ce40001b7e771984b0

Filesize: 19KB
MD5: 5859e4318be5815045f74a8ab29c93eb
SHA1: a2929dfd61fd0ee2464ebbcf4ff5198862ca3abf
SHA256: 5ca1b37b6933b0e54fce43acd21bc5bc50dd4b88ed5a0e0f328abcd13c82d4a4
SHA512: b63778a95f1a7fb918310651bf189439f6f2c850a8429547a9239d923bbf015f7895e35648856078f68cdb54dfe371e36be67842b8113565f1e06205ffd09fd2

Filesize: 512KB
MD5: 0b2e1048da524c5bf806cb69562b561a
SHA1: a5c3d2c8552312a768755963c16d5cdd6ca0ac99
SHA256: cb7d681887d6e7101153a84aa4816c6deff1dccaf17528d18fc3250fbf268daa
SHA512: 0bc05162b7772e04f19af0c0d0ac019d17d88d519a96ccad52e49ef587b1f5e66667eaa5930318e37159d8ea45760673be439d53cc155153dc1975657266ce77

Filesize: 512KB
MD5: 401e96d5a92c37fb94e9cdd13c0a86eb
SHA1: 7f79e7f9504a72c0b7d5ea29ae499af99beba315
SHA256: 1108cf06f86b27ccad346cd76e6f9b7dbc8afc29bdb8c23c9710d4f0b0942d11
SHA512: ccbd791318be2b357b0868ad4799a5d2d64965b66a7c2c608a5998d26f71dc41cf01611e376dda82377798356612f46689bbb677e88f164202e1bf99cccff56c

Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Filesize: 512KB
MD5: 84eff3a66a57127123a47b2b832bd9d9
SHA1: f5a4ab681dad105d1a06e7e6f20aa7399c0fc655
SHA256: b42e2ddf559eae1e605a3e0780a7d202d10a5a0a97472afa70d47214bfb356aa
SHA512: 01548c5c84b2ba1ef52429eb73db027d9b387f69779de0b4fa1937f279eba82058fe215b37b1e58602e1615c34f4e8671c6467e6fdc9b77230d94bc59836983a

Filesize: 512KB
MD5: 2a908a44b1a7e4df1951de56e598fcc6
SHA1: ede45116d86ff63e5145145da95c9490add49ca2
SHA256: 9be5a622aa1f0763e96fd998228963669a976e1f22376588c0b627683613f991
SHA512: d2c3e46f27bc2c9b029ded774cadc1abc2adbeb3213a1e845c6451002345d5210bd88c9aa71ba1bb94e48544c7d22b6c8464b0aef0fc2bfaefbdeab9996e8d31