Analysis

  max time kernel:  150s
  max time network: 124s
  platform:         windows10-2004_x64
  resource:         win10v2004-20240802-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        29/09/2024, 09:27

Static task: static1

Behavioral task: behavioral1
  Sample:   fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe
  Resource: win7-20240903-en
General

  Target: fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe
  Size:   512KB
  MD5:    fe3d7d637b2b8f9a2c0ac50faeaf42af
  SHA1:   1808d6a66841243fdb04b750738bf5d388a4b681
  SHA256: b16ba024debae38dd2dfb0d258cf6016f676c16323b76e22ad0fa5650e63d3cc
  SHA512: 4a8d1f897e871e8182709ae0f8dc205ce834cfc7d0643af7ecf7f57f9e18b54ef70ad1253e8f910a7de1eeddb38c75a8a5d27ed4678fb416306300c71c4df883
  SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6N:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5E
Malware Config

Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | fdrgbqstel.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | fdrgbqstel.exe

Windows security bypass
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | fdrgbqstel.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | fdrgbqstel.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | fdrgbqstel.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | fdrgbqstel.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | fdrgbqstel.exe
Disables RegEdit via registry modification (1 IoC)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | fdrgbqstel.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe
Executes dropped EXE (5 IoCs)
  pid | Process
  2452 | fdrgbqstel.exe
  3200 | rmnqmnsdthgagbn.exe
  2636 | ruynfytj.exe
  4196 | zwbcpvqdfqcyg.exe
  3860 | ruynfytj.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.

Windows security modification
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | fdrgbqstel.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | fdrgbqstel.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | fdrgbqstel.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | fdrgbqstel.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | fdrgbqstel.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | fdrgbqstel.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pehibcgc = "rmnqmnsdthgagbn.exe" | rmnqmnsdthgagbn.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "zwbcpvqdfqcyg.exe" | rmnqmnsdthgagbn.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfoxvle = "fdrgbqstel.exe" | rmnqmnsdthgagbn.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\p: | ruynfytj.exe
  File opened (read-only) | \??\z: | ruynfytj.exe
  File opened (read-only) | \??\g: | fdrgbqstel.exe
  File opened (read-only) | \??\t: | fdrgbqstel.exe
  File opened (read-only) | \??\x: | fdrgbqstel.exe
  File opened (read-only) | \??\a: | ruynfytj.exe
  File opened (read-only) | \??\l: | ruynfytj.exe
  File opened (read-only) | \??\m: | ruynfytj.exe
  File opened (read-only) | \??\s: | ruynfytj.exe
  File opened (read-only) | \??\n: | fdrgbqstel.exe
  File opened (read-only) | \??\x: | ruynfytj.exe
  File opened (read-only) | \??\i: | ruynfytj.exe
  File opened (read-only) | \??\t: | ruynfytj.exe
  File opened (read-only) | \??\y: | ruynfytj.exe
  File opened (read-only) | \??\i: | fdrgbqstel.exe
  File opened (read-only) | \??\v: | ruynfytj.exe
  File opened (read-only) | \??\k: | fdrgbqstel.exe
  File opened (read-only) | \??\o: | fdrgbqstel.exe
  File opened (read-only) | \??\z: | fdrgbqstel.exe
  File opened (read-only) | \??\z: | ruynfytj.exe
  File opened (read-only) | \??\v: | fdrgbqstel.exe
  File opened (read-only) | \??\e: | ruynfytj.exe
  File opened (read-only) | \??\t: | ruynfytj.exe
  File opened (read-only) | \??\r: | ruynfytj.exe
  File opened (read-only) | \??\h: | ruynfytj.exe
  File opened (read-only) | \??\w: | ruynfytj.exe
  File opened (read-only) | \??\v: | ruynfytj.exe
  File opened (read-only) | \??\w: | ruynfytj.exe
  File opened (read-only) | \??\m: | fdrgbqstel.exe
  File opened (read-only) | \??\p: | fdrgbqstel.exe
  File opened (read-only) | \??\e: | ruynfytj.exe
  File opened (read-only) | \??\g: | ruynfytj.exe
  File opened (read-only) | \??\k: | ruynfytj.exe
  File opened (read-only) | \??\q: | ruynfytj.exe
  File opened (read-only) | \??\l: | fdrgbqstel.exe
  File opened (read-only) | \??\i: | ruynfytj.exe
  File opened (read-only) | \??\x: | ruynfytj.exe
  File opened (read-only) | \??\a: | fdrgbqstel.exe
  File opened (read-only) | \??\r: | fdrgbqstel.exe
  File opened (read-only) | \??\n: | ruynfytj.exe
  File opened (read-only) | \??\o: | ruynfytj.exe
  File opened (read-only) | \??\u: | ruynfytj.exe
  File opened (read-only) | \??\u: | fdrgbqstel.exe
  File opened (read-only) | \??\b: | ruynfytj.exe
  File opened (read-only) | \??\r: | ruynfytj.exe
  File opened (read-only) | \??\h: | ruynfytj.exe
  File opened (read-only) | \??\e: | fdrgbqstel.exe
  File opened (read-only) | \??\s: | fdrgbqstel.exe
  File opened (read-only) | \??\b: | ruynfytj.exe
  File opened (read-only) | \??\n: | ruynfytj.exe
  File opened (read-only) | \??\h: | fdrgbqstel.exe
  File opened (read-only) | \??\q: | fdrgbqstel.exe
  File opened (read-only) | \??\j: | ruynfytj.exe
  File opened (read-only) | \??\a: | ruynfytj.exe
  File opened (read-only) | \??\g: | ruynfytj.exe
  File opened (read-only) | \??\j: | ruynfytj.exe
  File opened (read-only) | \??\k: | ruynfytj.exe
  File opened (read-only) | \??\b: | fdrgbqstel.exe
  File opened (read-only) | \??\j: | fdrgbqstel.exe
  File opened (read-only) | \??\y: | fdrgbqstel.exe
  File opened (read-only) | \??\m: | ruynfytj.exe
  File opened (read-only) | \??\y: | ruynfytj.exe
  File opened (read-only) | \??\l: | ruynfytj.exe
  File opened (read-only) | \??\o: | ruynfytj.exe
Modifies WinLogon (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | fdrgbqstel.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | fdrgbqstel.exe
AutoIT Executable (10 IoCs)
AutoIT scripts compiled to PE executables.
  resource | yara_rule
  behavioral2/memory/436-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
  behavioral2/files/0x00070000000234a0-5.dat | autoit_exe
  behavioral2/files/0x000900000002343c-18.dat | autoit_exe
  behavioral2/files/0x00070000000234a2-31.dat | autoit_exe
  behavioral2/files/0x00070000000234a1-29.dat | autoit_exe
  behavioral2/files/0x0008000000023482-66.dat | autoit_exe
  behavioral2/files/0x00070000000234ae-72.dat | autoit_exe
  behavioral2/files/0x00070000000234ba-81.dat | autoit_exe
  behavioral2/files/0x00070000000234bd-103.dat | autoit_exe
  behavioral2/files/0x00070000000234bd-360.dat | autoit_exe
Drops file in System32 directory (13 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\rmnqmnsdthgagbn.exe | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\rmnqmnsdthgagbn.exe | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\zwbcpvqdfqcyg.exe | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | fdrgbqstel.exe
  File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | ruynfytj.exe
  File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | ruynfytj.exe
  File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | ruynfytj.exe
  File created | C:\Windows\SysWOW64\fdrgbqstel.exe | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\fdrgbqstel.exe | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe
  File created | C:\Windows\SysWOW64\ruynfytj.exe | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\ruynfytj.exe | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe
  File created | C:\Windows\SysWOW64\zwbcpvqdfqcyg.exe | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe
  File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | ruynfytj.exe
Drops file in Program Files directory (15 IoCs)
  description | ioc | Process
  File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ruynfytj.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | ruynfytj.exe
  File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ruynfytj.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ruynfytj.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | ruynfytj.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ruynfytj.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | ruynfytj.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | ruynfytj.exe
  File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ruynfytj.exe
  File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ruynfytj.exe
  File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ruynfytj.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ruynfytj.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ruynfytj.exe
  File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ruynfytj.exe
  File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ruynfytj.exe
Drops file in Windows directory (19 IoCs)
  description | ioc | Process
  File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | ruynfytj.exe
  File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | ruynfytj.exe
  File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | ruynfytj.exe
  File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | ruynfytj.exe
  File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | ruynfytj.exe
  File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
  File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | ruynfytj.exe
  File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | ruynfytj.exe
  File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | ruynfytj.exe
  File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | ruynfytj.exe
  File opened for modification | C:\Windows\mydoc.rtf | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe
  File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
  File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | ruynfytj.exe
  File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | ruynfytj.exe
  File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | ruynfytj.exe
  File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | ruynfytj.exe
  File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | ruynfytj.exe
  File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | ruynfytj.exe
  File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | ruynfytj.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zwbcpvqdfqcyg.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ruynfytj.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fdrgbqstel.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rmnqmnsdthgagbn.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ruynfytj.exe
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class (20 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | fdrgbqstel.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | fdrgbqstel.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | fdrgbqstel.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | fdrgbqstel.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | fdrgbqstel.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | fdrgbqstel.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCEFAB9F963F298837D3B3081983995B38B02FC43160338E1C9429B08A4" | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FFBFCFB485D85129047D6217E94BD90E134584667446237D7EA" | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | fdrgbqstel.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | fdrgbqstel.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB2B02F44E739EC53C8B9A233EAD7CC" | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | fdrgbqstel.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | fdrgbqstel.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | fdrgbqstel.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | fdrgbqstel.exe
  Key created | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33452C7C9D5283586A3E77D177252DDA7DF464AC" | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F268B1FE1D21AED178D1A88A759116" | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193FC6741593DAB2B8BD7CE7EDE034CA" | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  pid | Process
  4008 | WINWORD.EXE
  4008 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  436 | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe
  436 | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe
  436 | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe
  436 | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe
  436 | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe
  436 | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe
  436 | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe
  436 | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe
  436 | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe
  436 | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe
  436 | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe
  436 | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe
  436 | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe
  436 | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe
  436 | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe
  436 | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe
  2452 | fdrgbqstel.exe
  2452 | fdrgbqstel.exe
  2452 | fdrgbqstel.exe
  2452 | fdrgbqstel.exe
  2452 | fdrgbqstel.exe
  2452 | fdrgbqstel.exe
  2452 | fdrgbqstel.exe
  2452 | fdrgbqstel.exe
  2452 | fdrgbqstel.exe
  2452 | fdrgbqstel.exe
  3200 | rmnqmnsdthgagbn.exe
  3200 | rmnqmnsdthgagbn.exe
  3200 | rmnqmnsdthgagbn.exe
  3200 | rmnqmnsdthgagbn.exe
  3200 | rmnqmnsdthgagbn.exe
  3200 | rmnqmnsdthgagbn.exe
  3200 | rmnqmnsdthgagbn.exe
  3200 | rmnqmnsdthgagbn.exe
  2636 | ruynfytj.exe
  2636 | ruynfytj.exe
  2636 | ruynfytj.exe
  2636 | ruynfytj.exe
  2636 | ruynfytj.exe
  2636 | ruynfytj.exe
  2636 | ruynfytj.exe
  2636 | ruynfytj.exe
  3200 | rmnqmnsdthgagbn.exe
  3200 | rmnqmnsdthgagbn.exe
  3200 | rmnqmnsdthgagbn.exe
  3200 | rmnqmnsdthgagbn.exe
  4196 | zwbcpvqdfqcyg.exe
  4196 | zwbcpvqdfqcyg.exe
  4196 | zwbcpvqdfqcyg.exe
  4196 | zwbcpvqdfqcyg.exe
  4196 | zwbcpvqdfqcyg.exe
  4196 | zwbcpvqdfqcyg.exe
  4196 | zwbcpvqdfqcyg.exe
  4196 | zwbcpvqdfqcyg.exe
  4196 | zwbcpvqdfqcyg.exe
  4196 | zwbcpvqdfqcyg.exe
  4196 | zwbcpvqdfqcyg.exe
  4196 | zwbcpvqdfqcyg.exe
  3860 | ruynfytj.exe
  3860 | ruynfytj.exe
  3860 | ruynfytj.exe
  3860 | ruynfytj.exe
  3860 | ruynfytj.exe
  3860 | ruynfytj.exe
Suspicious use of FindShellTrayWindow (18 IoCs)
  pid | Process
  436 | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe
  436 | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe
  436 | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe
  3200 | rmnqmnsdthgagbn.exe
  2452 | fdrgbqstel.exe
  3200 | rmnqmnsdthgagbn.exe
  2452 | fdrgbqstel.exe
  2452 | fdrgbqstel.exe
  3200 | rmnqmnsdthgagbn.exe
  2636 | ruynfytj.exe
  2636 | ruynfytj.exe
  2636 | ruynfytj.exe
  4196 | zwbcpvqdfqcyg.exe
  4196 | zwbcpvqdfqcyg.exe
  4196 | zwbcpvqdfqcyg.exe
  3860 | ruynfytj.exe
  3860 | ruynfytj.exe
  3860 | ruynfytj.exe
Suspicious use of SendNotifyMessage (18 IoCs)
  pid | Process
  436 | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe
  436 | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe
  436 | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe
  3200 | rmnqmnsdthgagbn.exe
  2452 | fdrgbqstel.exe
  3200 | rmnqmnsdthgagbn.exe
  2452 | fdrgbqstel.exe
  2452 | fdrgbqstel.exe
  3200 | rmnqmnsdthgagbn.exe
  2636 | ruynfytj.exe
  2636 | ruynfytj.exe
  2636 | ruynfytj.exe
  4196 | zwbcpvqdfqcyg.exe
  4196 | zwbcpvqdfqcyg.exe
  4196 | zwbcpvqdfqcyg.exe
  3860 | ruynfytj.exe
  3860 | ruynfytj.exe
  3860 | ruynfytj.exe
Suspicious use of SetWindowsHookEx (7 IoCs)
  pid | Process
  4008 | WINWORD.EXE
  4008 | WINWORD.EXE
  4008 | WINWORD.EXE
  4008 | WINWORD.EXE
  4008 | WINWORD.EXE
  4008 | WINWORD.EXE
  4008 | WINWORD.EXE
Suspicious use of WriteProcessMemory (17 IoCs)
  description | pid | Process | procid_target
  PID 436 wrote to memory of 2452 | 436 | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe | 82
  PID 436 wrote to memory of 2452 | 436 | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe | 82
  PID 436 wrote to memory of 2452 | 436 | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe | 82
  PID 436 wrote to memory of 3200 | 436 | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe | 83
  PID 436 wrote to memory of 3200 | 436 | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe | 83
  PID 436 wrote to memory of 3200 | 436 | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe | 83
  PID 436 wrote to memory of 2636 | 436 | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe | 84
  PID 436 wrote to memory of 2636 | 436 | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe | 84
  PID 436 wrote to memory of 2636 | 436 | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe | 84
  PID 436 wrote to memory of 4196 | 436 | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe | 85
  PID 436 wrote to memory of 4196 | 436 | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe | 85
  PID 436 wrote to memory of 4196 | 436 | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe | 85
  PID 2452 wrote to memory of 3860 | 2452 | fdrgbqstel.exe | 86
  PID 2452 wrote to memory of 3860 | 2452 | fdrgbqstel.exe | 86
  PID 2452 wrote to memory of 3860 | 2452 | fdrgbqstel.exe | 86
  PID 436 wrote to memory of 4008 | 436 | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe | 87
  PID 436 wrote to memory of 4008 | 436 | fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe | 87
Processes

  C:\Users\Admin\AppData\Local\Temp\fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe  (PID 436, depth 1)
    command line: "C:\Users\Admin\AppData\Local\Temp\fe3d7d637b2b8f9a2c0ac50faeaf42af_JaffaCakes118.exe"
    - Checks computer location settings
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\fdrgbqstel.exe  (PID 2452, depth 2)
      command line: fdrgbqstel.exe
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Windows security bypass
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Windows security modification
      - Enumerates connected drives
      - Modifies WinLogon
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\ruynfytj.exe  (PID 3860, depth 3)
        command line: C:\Windows\system32\ruynfytj.exe
        - Executes dropped EXE
        - Enumerates connected drives
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage

    C:\Windows\SysWOW64\rmnqmnsdthgagbn.exe  (PID 3200, depth 2)
      command line: rmnqmnsdthgagbn.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

    C:\Windows\SysWOW64\ruynfytj.exe  (PID 2636, depth 2)
      command line: ruynfytj.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

    C:\Windows\SysWOW64\zwbcpvqdfqcyg.exe  (PID 4196, depth 2)
      command line: zwbcpvqdfqcyg.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

    C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE  (PID 4008, depth 2)
      command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      - Drops file in Windows directory
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15

  Persistence
    Boot or Logon Autostart Execution (2)
      Registry Run Keys / Startup Folder (1)
      Winlogon Helper DLL (1)
  Privilege Escalation
    Boot or Logon Autostart Execution (2)
      Registry Run Keys / Startup Folder (1)
      Winlogon Helper DLL (1)
  Defense Evasion
    Hide Artifacts (2)
      Hidden Files and Directories (2)
    Impair Defenses (2)
      Disable or Modify Tools (2)
    Modify Registry (6)
  Credential Access
    Credentials from Password Stores (1)
      Credentials from Web Browsers (1)
    Unsecured Credentials (1)
      Credentials In Files (1)
Downloads

  Filesize: 512KB
  MD5:      c7573d7fa3da95518f4bd3b558ad8642
  SHA1:     224bf0b25c6821bc53363351ffc8d02112b73608
  SHA256:   9130f74ce6a09b2d5b3b2c26976ecb0d39a7cd46179a4f06badf30c0b46bf464
  SHA512:   cf499f67af4e3cc3918e4f4bf4a19a6d2d0593ac8aefdc89ac0c5b5c32dc1f4f176bf95e05123041fed919bdd67310224a1cde5bbf395d7fab890572b854dbc9

  Filesize: 512KB
  MD5:      a7c905cadadb9c8ce434c21cc371ccc3
  SHA1:     701f1f2dbdf8c575cab6ae1b4561c8780815e300
  SHA256:   9d217813ad6b4f1cadd3a1d999b32cd1ed281a6e9a699c9a626fea43c7cef954
  SHA512:   7d37e35e237a0899d1b082df70901a0aa4e682e9ea93d7f7dd59d9b71e961e96cecdea88894b4dc04c0a66f19ec391db35f806a52335ab5e4a6af9d580e645bc

  Filesize: 263KB
  MD5:      ff0e07eff1333cdf9fc2523d323dd654
  SHA1:     77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
  SHA256:   3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
  SHA512:   b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

  Filesize: 423B
  MD5:      505ce61a856e175a4d7f9ca1dcb1eb09
  SHA1:     7bac553c32587fad729b783516f49be2db3b4fd1
  SHA256:   c9a6130c43afb8a99fac3a0b9dbb063b17d78d32306331d017a95336fb58d29b
  SHA512:   c12df2a6f5d92e4feba18f060a923a76079a34470ffa0ea64732c5a1955d9d591a826093e46f80beed5c26dba56d21766743eeecfaf696459dfde28960f7b44b

  Filesize: 16B
  MD5:      d29962abc88624befc0135579ae485ec
  SHA1:     e40a6458296ec6a2427bcb280572d023a9862b31
  SHA256:   a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866
  SHA512:   4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 3KB
  MD5:      70d2156500e498dbe4e511910ac0decd
  SHA1:     0f9939da3f2ecda14e83603c2f55206a8e515ecd
  SHA256:   4768008ac83c8c47f1f8aba277d5dedfa8891df62f4ce065e2778535851c06b4
  SHA512:   c25e8845df958b9bbd3a1e441451b913157e0302f5b235ef0edab11de8df3abc38f0a8c34809abd32889c6055db703902bff79d26bc1781494a2c5e62feefc6b

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 3KB
  MD5:      cd9238fbac53a4d4ee958c315a3eb510
  SHA1:     8ed0a168fa52dacf2a23843d5110393f16a08445
  SHA256:   a64728654d889504369ff28471b2258c59eabb5a7ba29c8936c384bb33aac74c
  SHA512:   5d019d84929509fa434bdacf93b5bd8e92c42404564fc509656596d9ebbd24d64ed455296d58c9f56092f845ae161753d6eaf417c2ab43be331891a807cad707

  Filesize: 512KB
  MD5:      ab055aef4272caa64f8acc74bb7e8c25
  SHA1:     33ab1dea5dd476ad9050bf17bbc21febe2310dea
  SHA256:   fbdac64d40125d5218fe05a55e88c65a8f58b50d3c66f589d860900ea7dda511
  SHA512:   2a4bdfe26fc4f89819b972088ec7d168ffc60e08e30f0bc409fae3b65589bdfd8eacc6550210f0dbfd5d233ce8401b06616a70133e0839a21e5645fe41db28cc

  Filesize: 512KB
  MD5:      05687b3cbc3006acaa991cc178353684
  SHA1:     833c47c75ee9475f5fd7d812a1a7ff27a5dcea8f
  SHA256:   ab97e1dc8b2d6be65027324ac9a364894dc0d56b9eaac89f1a11781eac0abaae
  SHA512:   702db16fbdad3a8d45637979897bdef7d24b0a21835b51fd9a2d937bef8e267cd4ec928d3b22c1b54aeedc18c2e489e5cbb5f3b01c7198644a1535f4f2c0358f

  Filesize: 512KB
  MD5:      d4f08d9bdd0ca6ccbd66b7385a49b68f
  SHA1:     9b6a7a074527cca029056467bed7c0f98e660f6c
  SHA256:   a7ff7ff49daebda0975f16a5c3abe4c9744acbd16785d34341864f70ce481c44
  SHA512:   2fb2aad14dc5a6d7e463a819158c35e1a3b08c1227d2d9480b811a82374a7dfbba5aee2965d41c0b3ccebf32bfa188335d52e401583b9373ead1e2f125336ce6

  Filesize: 512KB
  MD5:      8b5d57270ff98af1beed6eff40a6b5f5
  SHA1:     fd1c4bc324015d97b530dbe572cfa434770519cc
  SHA256:   59673daa71153c9e6a7f4d81ffeecb4800a9e89148d70759a314972fa41baac3
  SHA512:   d54fa4409deb46a4bc73c1678d32dfdc75d64f99ae160900971c9c0771f45083dba814cc6ef39d2e77a66278fd260af8b3b7e82dac65447cf80a1c75ecb106ab

  Filesize: 512KB
  MD5:      02a180d77d0c11e31acef7d10cc01738
  SHA1:     03314b84c184ba618ffa38fe7a74f9edc8d96241
  SHA256:   487eac463a8521a9139fe3c4b3da8e9cc60fd4985950885f375c8dd0beafc063
  SHA512:   f9015ada9ef4c268b07c7fd5fea38e194289d7a722fdf35be166e69bd6286902713ea66e77f9397b7b1062019a853bc15b126bf372466a3c34fda204f41af922

  Filesize: 223B
  MD5:      06604e5941c126e2e7be02c5cd9f62ec
  SHA1:     4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
  SHA256:   85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
  SHA512:   803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

  Filesize: 512KB
  MD5:      ba1777b0ed17af050c0ae1f2dc5a94d4
  SHA1:     8d3437904567f32a26f89d2f5066f521d39e58b4
  SHA256:   4e443bcd8445e940b433153b85cdfad5a87b5ac8eb883bcf944c2b079e2439de
  SHA512:   f0bc35d18f3e308da0f7394c97f5fef1ca95149209b3b874e72ff2af1d16b01f005c8a137972785ad6b43114f8aa61eede5ee537e5203738e0c31888d9a92899

  Filesize: 512KB
  MD5:      60078011bca606268eb5e9746c9a6fda
  SHA1:     3deb4f098643eca279b950725c17088316183820
  SHA256:   66ce4c7e82a16b74943da39f930675e81c38a1c17b86905b21fddbc029ff8c02
  SHA512:   abdee5c50e9bba9becd4b65e216f8651d13f1781c3fc8638146a6d7b6b9ab3a29a98f5103033fe42006f0a31386e27e48a087a140df9b5d2188a745444156c5d