Analysis
- max time kernel: 149s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 01/10/2024, 19:53
Behavioral task: behavioral1
- Sample: 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe
- Resource: win7-20240704-en
General
- Target: 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe
- Size: 255KB
- MD5: 07302e8a2533fd1b255a1e7ffa67e1f0
- SHA1: 1fc108bcfee2c334545241be97b7db200342437d
- SHA256: 4a58739beb97d2a3dc4d5d8c58157c16a80d486121292a96204beb72abbbaae6
- SHA512: 159a0b9fa62d37c6d3e789df679c44324333046d4f25883b82a1a4b20c59ad01f76bd82ef2f3717fd95c6ed89302d0bee50e5e62b06fdd0a16cb35f223e4cbf5
- SSDEEP: 3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJw:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIx
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoCs)
description | ioc | Process
- Set value (int) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | pmulnvyvco.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoCs)
description | ioc | Process
- Set value (int) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | pmulnvyvco.exe
Windows security bypass
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | pmulnvyvco.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | pmulnvyvco.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | pmulnvyvco.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | pmulnvyvco.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | pmulnvyvco.exe
Disables RegEdit via registry modification (1 IoCs)
description | ioc | Process
- Set value (int) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | pmulnvyvco.exe
Executes dropped EXE (5 IoCs)
pid | Process
- 1004 | pmulnvyvco.exe
- 2516 | zbmdcnvhtztycdj.exe
- 2268 | plshmjob.exe
- 804 | lasjdswuopdvs.exe
- 3036 | plshmjob.exe
Loads dropped DLL (5 IoCs)
pid | Process
- 1864 | 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe
- 1864 | 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe
- 1864 | 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe
- 1864 | 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe
- 1004 | pmulnvyvco.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | pmulnvyvco.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | pmulnvyvco.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | pmulnvyvco.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | pmulnvyvco.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | pmulnvyvco.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | pmulnvyvco.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | Process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\baahdirn = "zbmdcnvhtztycdj.exe" | zbmdcnvhtztycdj.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "lasjdswuopdvs.exe" | zbmdcnvhtztycdj.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xtilmnhc = "pmulnvyvco.exe" | zbmdcnvhtztycdj.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon (2 TTPs, 2 IoCs)
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | pmulnvyvco.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | pmulnvyvco.exe
AutoIT Executable (58 IoCs)
AutoIT scripts compiled to PE executables.
Drops file in System32 directory (9 IoCs)
description | ioc | Process
- File created | C:\Windows\SysWOW64\lasjdswuopdvs.exe | 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe
- File opened for modification | C:\Windows\SysWOW64\pmulnvyvco.exe | 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe
- File created | C:\Windows\SysWOW64\zbmdcnvhtztycdj.exe | 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe
- File opened for modification | C:\Windows\SysWOW64\zbmdcnvhtztycdj.exe | 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe
- File created | C:\Windows\SysWOW64\plshmjob.exe | 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe
- File opened for modification | C:\Windows\SysWOW64\plshmjob.exe | 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe
- File opened for modification | C:\Windows\SysWOW64\lasjdswuopdvs.exe | 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe
- File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | pmulnvyvco.exe
- File created | C:\Windows\SysWOW64\pmulnvyvco.exe | 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe
yara_rule: upx
Drops file in Program Files directory (18 IoCs)
description | ioc | Process
- File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | plshmjob.exe
- File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | plshmjob.exe
- File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | plshmjob.exe
- File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | plshmjob.exe
- File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | plshmjob.exe
- File opened for modification | \??\c:\Program Files\UnpublishCompress.doc.exe | plshmjob.exe
- File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | plshmjob.exe
- File opened for modification | C:\Program Files\UnpublishCompress.nal | plshmjob.exe
- File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | plshmjob.exe
- File opened for modification | C:\Program Files\UnpublishCompress.doc.exe | plshmjob.exe
- File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | plshmjob.exe
- File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | plshmjob.exe
- File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | plshmjob.exe
- File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | plshmjob.exe
- File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | plshmjob.exe
- File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | plshmjob.exe
- File created | \??\c:\Program Files\UnpublishCompress.doc.exe | plshmjob.exe
- File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | plshmjob.exe
Drops file in Windows directory (4 IoCs)
description | ioc | Process
- File opened for modification | C:\Windows\mydoc.rtf | 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe
- File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
- File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
- File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pmulnvyvco.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zbmdcnvhtztycdj.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | plshmjob.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | lasjdswuopdvs.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WINWORD.EXE
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | plshmjob.exe
Office loads VBA resources, possible macro or embedded object present
Modifies registry class (19 IoCs)
description | ioc | Process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E08668B1FE6D21ABD27DD0A08A0E9110" | 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1839C60915E3DAB3B8C07C92ECE734C7" | 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | pmulnvyvco.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | pmulnvyvco.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | pmulnvyvco.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32432C0C9D2C83536A3277D6772F2DD87DF664D6" | 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BBFFACDF960F1E283083B30819D3999B38B03FE4213024BE1CD429D08A0" | 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2ECBB15F449439EA53BABAA7329AD7C4" | 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFDFFF94F5A851B913CD65D7E92BC93E13D584767436241D6EE" | 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | pmulnvyvco.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | pmulnvyvco.exe
- Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | pmulnvyvco.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | pmulnvyvco.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | pmulnvyvco.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | pmulnvyvco.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | pmulnvyvco.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | pmulnvyvco.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | pmulnvyvco.exe
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
pid | Process
- 2960 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of FindShellTrayWindow (18 IoCs)
pid | Process
- 1864 | 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe
- 1864 | 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe
- 1864 | 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe
- 2516 | zbmdcnvhtztycdj.exe
- 1004 | pmulnvyvco.exe
- 804 | lasjdswuopdvs.exe
- 804 | lasjdswuopdvs.exe
- 1004 | pmulnvyvco.exe
- 804 | lasjdswuopdvs.exe
- 1004 | pmulnvyvco.exe
- 2516 | zbmdcnvhtztycdj.exe
- 2268 | plshmjob.exe
- 2516 | zbmdcnvhtztycdj.exe
- 2268 | plshmjob.exe
- 2268 | plshmjob.exe
- 3036 | plshmjob.exe
- 3036 | plshmjob.exe
- 3036 | plshmjob.exe
Suspicious use of SendNotifyMessage (18 IoCs)
pid | Process
- 1864 | 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe
- 1864 | 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe
- 1864 | 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe
- 2516 | zbmdcnvhtztycdj.exe
- 1004 | pmulnvyvco.exe
- 804 | lasjdswuopdvs.exe
- 804 | lasjdswuopdvs.exe
- 1004 | pmulnvyvco.exe
- 804 | lasjdswuopdvs.exe
- 1004 | pmulnvyvco.exe
- 2516 | zbmdcnvhtztycdj.exe
- 2268 | plshmjob.exe
- 2516 | zbmdcnvhtztycdj.exe
- 2268 | plshmjob.exe
- 2268 | plshmjob.exe
- 3036 | plshmjob.exe
- 3036 | plshmjob.exe
- 3036 | plshmjob.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
- 2960 | WINWORD.EXE
- 2960 | WINWORD.EXE
Suspicious use of WriteProcessMemory (28 IoCs)
description | pid | Process | procid_target
- PID 1864 wrote to memory of 1004 | 1864 | 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe | 30
- PID 1864 wrote to memory of 1004 | 1864 | 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe | 30
- PID 1864 wrote to memory of 1004 | 1864 | 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe | 30
- PID 1864 wrote to memory of 1004 | 1864 | 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe | 30
- PID 1864 wrote to memory of 2516 | 1864 | 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe | 31
- PID 1864 wrote to memory of 2516 | 1864 | 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe | 31
- PID 1864 wrote to memory of 2516 | 1864 | 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe | 31
- PID 1864 wrote to memory of 2516 | 1864 | 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe | 31
- PID 1864 wrote to memory of 2268 | 1864 | 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe | 32
- PID 1864 wrote to memory of 2268 | 1864 | 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe | 32
- PID 1864 wrote to memory of 2268 | 1864 | 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe | 32
- PID 1864 wrote to memory of 2268 | 1864 | 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe | 32
- PID 1864 wrote to memory of 804 | 1864 | 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe | 33
- PID 1864 wrote to memory of 804 | 1864 | 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe | 33
- PID 1864 wrote to memory of 804 | 1864 | 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe | 33
- PID 1864 wrote to memory of 804 | 1864 | 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe | 33
- PID 1864 wrote to memory of 2960 | 1864 | 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe | 34
- PID 1864 wrote to memory of 2960 | 1864 | 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe | 34
- PID 1864 wrote to memory of 2960 | 1864 | 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe | 34
- PID 1864 wrote to memory of 2960 | 1864 | 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe | 34
- PID 1004 wrote to memory of 3036 | 1004 | pmulnvyvco.exe | 36
- PID 1004 wrote to memory of 3036 | 1004 | pmulnvyvco.exe | 36
- PID 1004 wrote to memory of 3036 | 1004 | pmulnvyvco.exe | 36
- PID 1004 wrote to memory of 3036 | 1004 | pmulnvyvco.exe | 36
- PID 2960 wrote to memory of 1020 | 2960 | WINWORD.EXE | 38
- PID 2960 wrote to memory of 1020 | 2960 | WINWORD.EXE | 38
- PID 2960 wrote to memory of 1020 | 2960 | WINWORD.EXE | 38
- PID 2960 wrote to memory of 1020 | 2960 | WINWORD.EXE | 38
Processes
- C:\Users\Admin\AppData\Local\Temp\07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe (PID 1864)
  Command line: "C:\Users\Admin\AppData\Local\Temp\07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe"
  Signatures:
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\SysWOW64\pmulnvyvco.exe (PID 1004)
    Command line: pmulnvyvco.exe
    Signatures:
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\SysWOW64\plshmjob.exe (PID 3036)
      Command line: C:\Windows\system32\plshmjob.exe
      Signatures:
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\zbmdcnvhtztycdj.exe (PID 2516)
    Command line: zbmdcnvhtztycdj.exe
    Signatures:
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\plshmjob.exe (PID 2268)
    Command line: plshmjob.exe
    Signatures:
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\lasjdswuopdvs.exe (PID 804)
    Command line: lasjdswuopdvs.exe
    Signatures:
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (PID 2960)
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
    Signatures:
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\splwow64.exe (PID 1020)
      Command line: C:\Windows\splwow64.exe 12288
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads