Analysis
max time kernel: 150s
max time network: 117s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 28-04-2024 06:32
Static task: static1
Behavioral task: behavioral1
Sample: 04938f57dbc1fe4d19ac4b7971536702_JaffaCakes118.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 04938f57dbc1fe4d19ac4b7971536702_JaffaCakes118.exe
Resource: win10v2004-20240426-en
General
Target: 04938f57dbc1fe4d19ac4b7971536702_JaffaCakes118.exe
Size: 512KB
MD5: 04938f57dbc1fe4d19ac4b7971536702
SHA1: d00573fc8d8f0ef0c76bbabc0af9cbe6d481e453
SHA256: d81ff74868745291b4314572093928de0ff2ea40dbd48081ca5209188b4601a3
SHA512: de559fba535fef507869c0ee7bf083e3eb66e5045f4e438f4a689b18a03802d04b20e2b22c41a8caf880cf9a2b17d18b1dfc0ef452c6607855ed6557b9ac1baf
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6Y:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5p
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
Processes: kzwwbkpnqo.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | kzwwbkpnqo.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes: kzwwbkpnqo.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | kzwwbkpnqo.exe
Windows security bypass
Processes: kzwwbkpnqo.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | kzwwbkpnqo.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | kzwwbkpnqo.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | kzwwbkpnqo.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | kzwwbkpnqo.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | kzwwbkpnqo.exe
Disables RegEdit via registry modification 1 IoCs
Processes: kzwwbkpnqo.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | kzwwbkpnqo.exe
Modifies Installed Components in the registry 2 TTPs 1 IoCs
Processes: explorer.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
Executes dropped EXE 5 IoCs
Processes: kzwwbkpnqo.exe, vkkbijbzfenlpfn.exe, lglzmqov.exe, gfflkuzbibvzp.exe, lglzmqov.exe
pid | process
2696 | kzwwbkpnqo.exe
2860 | vkkbijbzfenlpfn.exe
2412 | lglzmqov.exe
2492 | gfflkuzbibvzp.exe
1768 | lglzmqov.exe
Loads dropped DLL 5 IoCs
Processes: 04938f57dbc1fe4d19ac4b7971536702_JaffaCakes118.exe, kzwwbkpnqo.exe
pid | process
1728 | 04938f57dbc1fe4d19ac4b7971536702_JaffaCakes118.exe
1728 | 04938f57dbc1fe4d19ac4b7971536702_JaffaCakes118.exe
1728 | 04938f57dbc1fe4d19ac4b7971536702_JaffaCakes118.exe
1728 | 04938f57dbc1fe4d19ac4b7971536702_JaffaCakes118.exe
2696 | kzwwbkpnqo.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials, among other data.
-
Windows security modification
Processes: kzwwbkpnqo.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | kzwwbkpnqo.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | kzwwbkpnqo.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | kzwwbkpnqo.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | kzwwbkpnqo.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | kzwwbkpnqo.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | kzwwbkpnqo.exe
Adds Run key to start application 2 TTPs 3 IoCs
Processes: vkkbijbzfenlpfn.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\acbohzxd = "kzwwbkpnqo.exe" | vkkbijbzfenlpfn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\eyjojnyh = "vkkbijbzfenlpfn.exe" | vkkbijbzfenlpfn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "gfflkuzbibvzp.exe" | vkkbijbzfenlpfn.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: lglzmqov.exe, lglzmqov.exe, kzwwbkpnqo.exe
description | ioc | process
File opened (read-only) | \??\i: | lglzmqov.exe
File opened (read-only) | \??\i: | lglzmqov.exe
File opened (read-only) | \??\l: | lglzmqov.exe
File opened (read-only) | \??\a: | kzwwbkpnqo.exe
File opened (read-only) | \??\m: | lglzmqov.exe
File opened (read-only) | \??\q: | lglzmqov.exe
File opened (read-only) | \??\n: | lglzmqov.exe
File opened (read-only) | \??\l: | kzwwbkpnqo.exe
File opened (read-only) | \??\s: | kzwwbkpnqo.exe
File opened (read-only) | \??\q: | kzwwbkpnqo.exe
File opened (read-only) | \??\g: | lglzmqov.exe
File opened (read-only) | \??\z: | lglzmqov.exe
File opened (read-only) | \??\h: | kzwwbkpnqo.exe
File opened (read-only) | \??\p: | kzwwbkpnqo.exe
File opened (read-only) | \??\g: | lglzmqov.exe
File opened (read-only) | \??\r: | lglzmqov.exe
File opened (read-only) | \??\s: | lglzmqov.exe
File opened (read-only) | \??\x: | kzwwbkpnqo.exe
File opened (read-only) | \??\u: | lglzmqov.exe
File opened (read-only) | \??\y: | lglzmqov.exe
File opened (read-only) | \??\g: | kzwwbkpnqo.exe
File opened (read-only) | \??\b: | lglzmqov.exe
File opened (read-only) | \??\o: | kzwwbkpnqo.exe
File opened (read-only) | \??\b: | lglzmqov.exe
File opened (read-only) | \??\e: | lglzmqov.exe
File opened (read-only) | \??\t: | lglzmqov.exe
File opened (read-only) | \??\u: | lglzmqov.exe
File opened (read-only) | \??\x: | lglzmqov.exe
File opened (read-only) | \??\j: | lglzmqov.exe
File opened (read-only) | \??\k: | lglzmqov.exe
File opened (read-only) | \??\p: | lglzmqov.exe
File opened (read-only) | \??\y: | lglzmqov.exe
File opened (read-only) | \??\v: | lglzmqov.exe
File opened (read-only) | \??\e: | kzwwbkpnqo.exe
File opened (read-only) | \??\m: | lglzmqov.exe
File opened (read-only) | \??\z: | kzwwbkpnqo.exe
File opened (read-only) | \??\l: | lglzmqov.exe
File opened (read-only) | \??\k: | kzwwbkpnqo.exe
File opened (read-only) | \??\n: | lglzmqov.exe
File opened (read-only) | \??\w: | lglzmqov.exe
File opened (read-only) | \??\x: | lglzmqov.exe
File opened (read-only) | \??\u: | kzwwbkpnqo.exe
File opened (read-only) | \??\w: | kzwwbkpnqo.exe
File opened (read-only) | \??\h: | lglzmqov.exe
File opened (read-only) | \??\a: | lglzmqov.exe
File opened (read-only) | \??\h: | lglzmqov.exe
File opened (read-only) | \??\q: | lglzmqov.exe
File opened (read-only) | \??\s: | lglzmqov.exe
File opened (read-only) | \??\t: | lglzmqov.exe
File opened (read-only) | \??\a: | lglzmqov.exe
File opened (read-only) | \??\o: | lglzmqov.exe
File opened (read-only) | \??\v: | kzwwbkpnqo.exe
File opened (read-only) | \??\j: | lglzmqov.exe
File opened (read-only) | \??\r: | lglzmqov.exe
File opened (read-only) | \??\v: | lglzmqov.exe
File opened (read-only) | \??\z: | lglzmqov.exe
File opened (read-only) | \??\i: | kzwwbkpnqo.exe
File opened (read-only) | \??\r: | kzwwbkpnqo.exe
File opened (read-only) | \??\t: | kzwwbkpnqo.exe
File opened (read-only) | \??\e: | lglzmqov.exe
File opened (read-only) | \??\j: | kzwwbkpnqo.exe
File opened (read-only) | \??\m: | kzwwbkpnqo.exe
File opened (read-only) | \??\n: | kzwwbkpnqo.exe
File opened (read-only) | \??\y: | kzwwbkpnqo.exe
Modifies WinLogon 2 TTPs 2 IoCs
Processes: kzwwbkpnqo.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | kzwwbkpnqo.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | kzwwbkpnqo.exe
AutoIT Executable 7 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource | yara_rule
behavioral1/memory/1728-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
C:\Windows\SysWOW64\lglzmqov.exe | autoit_exe
\Windows\SysWOW64\kzwwbkpnqo.exe | autoit_exe
\Windows\SysWOW64\vkkbijbzfenlpfn.exe | autoit_exe
\Windows\SysWOW64\gfflkuzbibvzp.exe | autoit_exe
C:\Program Files\UndoPublish.doc.exe | autoit_exe
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | autoit_exe
Drops file in System32 directory 9 IoCs
Processes: 04938f57dbc1fe4d19ac4b7971536702_JaffaCakes118.exe, kzwwbkpnqo.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\lglzmqov.exe | 04938f57dbc1fe4d19ac4b7971536702_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\gfflkuzbibvzp.exe | 04938f57dbc1fe4d19ac4b7971536702_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\kzwwbkpnqo.exe | 04938f57dbc1fe4d19ac4b7971536702_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\kzwwbkpnqo.exe | 04938f57dbc1fe4d19ac4b7971536702_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\vkkbijbzfenlpfn.exe | 04938f57dbc1fe4d19ac4b7971536702_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\vkkbijbzfenlpfn.exe | 04938f57dbc1fe4d19ac4b7971536702_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\lglzmqov.exe | 04938f57dbc1fe4d19ac4b7971536702_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\gfflkuzbibvzp.exe | 04938f57dbc1fe4d19ac4b7971536702_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | kzwwbkpnqo.exe
Drops file in Program Files directory 21 IoCs
Processes: lglzmqov.exe, lglzmqov.exe
description | ioc | process
File opened for modification | \??\c:\Program Files\UndoPublish.doc.exe | lglzmqov.exe
File opened for modification | C:\Program Files\UndoPublish.doc.exe | lglzmqov.exe
File opened for modification | C:\Program Files\UndoPublish.nal | lglzmqov.exe
File opened for modification | \??\c:\Program Files\UndoPublish.doc.exe | lglzmqov.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | lglzmqov.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | lglzmqov.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | lglzmqov.exe
File opened for modification | C:\Program Files\UndoPublish.nal | lglzmqov.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | lglzmqov.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | lglzmqov.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | lglzmqov.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | lglzmqov.exe
File created | \??\c:\Program Files\UndoPublish.doc.exe | lglzmqov.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | lglzmqov.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | lglzmqov.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | lglzmqov.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | lglzmqov.exe
File opened for modification | C:\Program Files\UndoPublish.doc.exe | lglzmqov.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | lglzmqov.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | lglzmqov.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | lglzmqov.exe
Drops file in Windows directory 4 IoCs
Processes: 04938f57dbc1fe4d19ac4b7971536702_JaffaCakes118.exe, WINWORD.EXE
description | ioc | process
File opened for modification | C:\Windows\mydoc.rtf | 04938f57dbc1fe4d19ac4b7971536702_JaffaCakes118.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Office loads VBA resources, possible macro or embedded object present
-
Processes: WINWORD.EXE
description | ioc | process
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | WINWORD.EXE
Modifies registry class 64 IoCs
Processes: WINWORD.EXE, 04938f57dbc1fe4d19ac4b7971536702_JaffaCakes118.exe, kzwwbkpnqo.exe, explorer.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33332D0D9D5582586A3E76A277262CA97C8F64D6" | 04938f57dbc1fe4d19ac4b7971536702_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | kzwwbkpnqo.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | kzwwbkpnqo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | kzwwbkpnqo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | kzwwbkpnqo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1845C7781591DAB4B8CE7C93EC9734BA" | 04938f57dbc1fe4d19ac4b7971536702_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | kzwwbkpnqo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile | WINWORD.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes: WINWORD.EXE
pid | process
2964 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 04938f57dbc1fe4d19ac4b7971536702_JaffaCakes118.exe, kzwwbkpnqo.exe, vkkbijbzfenlpfn.exe, lglzmqov.exe, gfflkuzbibvzp.exe, lglzmqov.exe
pid | process
1728 | 04938f57dbc1fe4d19ac4b7971536702_JaffaCakes118.exe
1728 | 04938f57dbc1fe4d19ac4b7971536702_JaffaCakes118.exe
1728 | 04938f57dbc1fe4d19ac4b7971536702_JaffaCakes118.exe
1728 | 04938f57dbc1fe4d19ac4b7971536702_JaffaCakes118.exe
1728 | 04938f57dbc1fe4d19ac4b7971536702_JaffaCakes118.exe
1728 | 04938f57dbc1fe4d19ac4b7971536702_JaffaCakes118.exe
1728 | 04938f57dbc1fe4d19ac4b7971536702_JaffaCakes118.exe
2696 | kzwwbkpnqo.exe
2696 | kzwwbkpnqo.exe
2696 | kzwwbkpnqo.exe
2696 | kzwwbkpnqo.exe
2696 | kzwwbkpnqo.exe
1728 | 04938f57dbc1fe4d19ac4b7971536702_JaffaCakes118.exe
2860 | vkkbijbzfenlpfn.exe
2860 | vkkbijbzfenlpfn.exe
2860 | vkkbijbzfenlpfn.exe
2860 | vkkbijbzfenlpfn.exe
2860 | vkkbijbzfenlpfn.exe
2412 | lglzmqov.exe
2412 | lglzmqov.exe
2412 | lglzmqov.exe
2412 | lglzmqov.exe
2492 | gfflkuzbibvzp.exe
2492 | gfflkuzbibvzp.exe
2492 | gfflkuzbibvzp.exe
2492 | gfflkuzbibvzp.exe
2492 | gfflkuzbibvzp.exe
2492 | gfflkuzbibvzp.exe
2860 | vkkbijbzfenlpfn.exe
1768 | lglzmqov.exe
1768 | lglzmqov.exe
1768 | lglzmqov.exe
1768 | lglzmqov.exe
2860 | vkkbijbzfenlpfn.exe
2492 | gfflkuzbibvzp.exe
2492 | gfflkuzbibvzp.exe
2860 | vkkbijbzfenlpfn.exe
2492 | gfflkuzbibvzp.exe
2492 | gfflkuzbibvzp.exe
2860 | vkkbijbzfenlpfn.exe
2492 | gfflkuzbibvzp.exe
2492 | gfflkuzbibvzp.exe
2860 | vkkbijbzfenlpfn.exe
2492 | gfflkuzbibvzp.exe
2492 | gfflkuzbibvzp.exe
2860 | vkkbijbzfenlpfn.exe
2492 | gfflkuzbibvzp.exe
2492 | gfflkuzbibvzp.exe
2860 | vkkbijbzfenlpfn.exe
2492 | gfflkuzbibvzp.exe
2492 | gfflkuzbibvzp.exe
2860 | vkkbijbzfenlpfn.exe
2492 | gfflkuzbibvzp.exe
2492 | gfflkuzbibvzp.exe
2860 | vkkbijbzfenlpfn.exe
2492 | gfflkuzbibvzp.exe
2492 | gfflkuzbibvzp.exe
2860 | vkkbijbzfenlpfn.exe
2492 | gfflkuzbibvzp.exe
2492 | gfflkuzbibvzp.exe
2860 | vkkbijbzfenlpfn.exe
2492 | gfflkuzbibvzp.exe
2492 | gfflkuzbibvzp.exe
2860 | vkkbijbzfenlpfn.exe
Suspicious use of AdjustPrivilegeToken 12 IoCs
Processes: explorer.exe
description | pid | process
Token: SeShutdownPrivilege | 2780 | explorer.exe
Token: SeShutdownPrivilege | 2780 | explorer.exe
Token: SeShutdownPrivilege | 2780 | explorer.exe
Token: SeShutdownPrivilege | 2780 | explorer.exe
Token: SeShutdownPrivilege | 2780 | explorer.exe
Token: SeShutdownPrivilege | 2780 | explorer.exe
Token: SeShutdownPrivilege | 2780 | explorer.exe
Token: SeShutdownPrivilege | 2780 | explorer.exe
Token: SeShutdownPrivilege | 2780 | explorer.exe
Token: SeShutdownPrivilege | 2780 | explorer.exe
Token: SeShutdownPrivilege | 2780 | explorer.exe
Token: SeShutdownPrivilege | 2780 | explorer.exe
Suspicious use of FindShellTrayWindow 47 IoCs
Processes: 04938f57dbc1fe4d19ac4b7971536702_JaffaCakes118.exe, kzwwbkpnqo.exe, vkkbijbzfenlpfn.exe, lglzmqov.exe, gfflkuzbibvzp.exe, lglzmqov.exe, explorer.exe
pid | process
1728 | 04938f57dbc1fe4d19ac4b7971536702_JaffaCakes118.exe
1728 | 04938f57dbc1fe4d19ac4b7971536702_JaffaCakes118.exe
1728 | 04938f57dbc1fe4d19ac4b7971536702_JaffaCakes118.exe
2696 | kzwwbkpnqo.exe
2696 | kzwwbkpnqo.exe
2696 | kzwwbkpnqo.exe
2860 | vkkbijbzfenlpfn.exe
2860 | vkkbijbzfenlpfn.exe
2860 | vkkbijbzfenlpfn.exe
2412 | lglzmqov.exe
2412 | lglzmqov.exe
2412 | lglzmqov.exe
2492 | gfflkuzbibvzp.exe
2492 | gfflkuzbibvzp.exe
2492 | gfflkuzbibvzp.exe
1768 | lglzmqov.exe
1768 | lglzmqov.exe
1768 | lglzmqov.exe
2780 | explorer.exe
2780 | explorer.exe
2780 | explorer.exe
2780 | explorer.exe
2780 | explorer.exe
2780 | explorer.exe
2780 | explorer.exe
2780 | explorer.exe
2780 | explorer.exe
2780 | explorer.exe
2780 | explorer.exe
2780 | explorer.exe
2780 | explorer.exe
2780 | explorer.exe
2780 | explorer.exe
2780 | explorer.exe
2780 | explorer.exe
2780 | explorer.exe
2780 | explorer.exe
2780 | explorer.exe
2780 | explorer.exe
2780 | explorer.exe
2780 | explorer.exe
2780 | explorer.exe
2780 | explorer.exe
2780 | explorer.exe
2780 | explorer.exe
2780 | explorer.exe
2780 | explorer.exe
Suspicious use of SendNotifyMessage 34 IoCs
Processes: 04938f57dbc1fe4d19ac4b7971536702_JaffaCakes118.exe, kzwwbkpnqo.exe, vkkbijbzfenlpfn.exe, lglzmqov.exe, gfflkuzbibvzp.exe, explorer.exe
pid | process
1728 | 04938f57dbc1fe4d19ac4b7971536702_JaffaCakes118.exe
1728 | 04938f57dbc1fe4d19ac4b7971536702_JaffaCakes118.exe
1728 | 04938f57dbc1fe4d19ac4b7971536702_JaffaCakes118.exe
2696 | kzwwbkpnqo.exe
2696 | kzwwbkpnqo.exe
2696 | kzwwbkpnqo.exe
2860 | vkkbijbzfenlpfn.exe
2860 | vkkbijbzfenlpfn.exe
2860 | vkkbijbzfenlpfn.exe
2412 | lglzmqov.exe
2412 | lglzmqov.exe
2412 | lglzmqov.exe
2492 | gfflkuzbibvzp.exe
2492 | gfflkuzbibvzp.exe
2492 | gfflkuzbibvzp.exe
2780 | explorer.exe
2780 | explorer.exe
2780 | explorer.exe
2780 | explorer.exe
2780 | explorer.exe
2780 | explorer.exe
2780 | explorer.exe
2780 | explorer.exe
2780 | explorer.exe
2780 | explorer.exe
2780 | explorer.exe
2780 | explorer.exe
2780 | explorer.exe
2780 | explorer.exe
2780 | explorer.exe
2780 | explorer.exe
2780 | explorer.exe
2780 | explorer.exe
2780 | explorer.exe
Suspicious use of SetWindowsHookEx 2 IoCs
Processes: WINWORD.EXE
pid | process
2964 | WINWORD.EXE
2964 | WINWORD.EXE
Suspicious use of WriteProcessMemory 28 IoCs
Processes: 04938f57dbc1fe4d19ac4b7971536702_JaffaCakes118.exe, vkkbijbzfenlpfn.exe, kzwwbkpnqo.exe
description | pid | process | target process
PID 1728 wrote to memory of 2696 | 1728 | 04938f57dbc1fe4d19ac4b7971536702_JaffaCakes118.exe | kzwwbkpnqo.exe
PID 1728 wrote to memory of 2696 | 1728 | 04938f57dbc1fe4d19ac4b7971536702_JaffaCakes118.exe | kzwwbkpnqo.exe
PID 1728 wrote to memory of 2696 | 1728 | 04938f57dbc1fe4d19ac4b7971536702_JaffaCakes118.exe | kzwwbkpnqo.exe
PID 1728 wrote to memory of 2696 | 1728 | 04938f57dbc1fe4d19ac4b7971536702_JaffaCakes118.exe | kzwwbkpnqo.exe
PID 1728 wrote to memory of 2860 | 1728 | 04938f57dbc1fe4d19ac4b7971536702_JaffaCakes118.exe | vkkbijbzfenlpfn.exe
PID 1728 wrote to memory of 2860 | 1728 | 04938f57dbc1fe4d19ac4b7971536702_JaffaCakes118.exe | vkkbijbzfenlpfn.exe
PID 1728 wrote to memory of 2860 | 1728 | 04938f57dbc1fe4d19ac4b7971536702_JaffaCakes118.exe | vkkbijbzfenlpfn.exe
PID 1728 wrote to memory of 2860 | 1728 | 04938f57dbc1fe4d19ac4b7971536702_JaffaCakes118.exe | vkkbijbzfenlpfn.exe
PID 1728 wrote to memory of 2412 | 1728 | 04938f57dbc1fe4d19ac4b7971536702_JaffaCakes118.exe | lglzmqov.exe
PID 1728 wrote to memory of 2412 | 1728 | 04938f57dbc1fe4d19ac4b7971536702_JaffaCakes118.exe | lglzmqov.exe
PID 1728 wrote to memory of 2412 | 1728 | 04938f57dbc1fe4d19ac4b7971536702_JaffaCakes118.exe | lglzmqov.exe
PID 1728 wrote to memory of 2412 | 1728 | 04938f57dbc1fe4d19ac4b7971536702_JaffaCakes118.exe | lglzmqov.exe
PID 1728 wrote to memory of 2492 | 1728 | 04938f57dbc1fe4d19ac4b7971536702_JaffaCakes118.exe | gfflkuzbibvzp.exe
PID 1728 wrote to memory of 2492 | 1728 | 04938f57dbc1fe4d19ac4b7971536702_JaffaCakes118.exe | gfflkuzbibvzp.exe
PID 1728 wrote to memory of 2492 | 1728 | 04938f57dbc1fe4d19ac4b7971536702_JaffaCakes118.exe | gfflkuzbibvzp.exe
PID 1728 wrote to memory of 2492 | 1728 | 04938f57dbc1fe4d19ac4b7971536702_JaffaCakes118.exe | gfflkuzbibvzp.exe
PID 2860 wrote to memory of 2416 | 2860 | vkkbijbzfenlpfn.exe | cmd.exe
PID 2860 wrote to memory of 2416 | 2860 | vkkbijbzfenlpfn.exe | cmd.exe
PID 2860 wrote to memory of 2416 | 2860 | vkkbijbzfenlpfn.exe | cmd.exe
PID 2860 wrote to memory of 2416 | 2860 | vkkbijbzfenlpfn.exe | cmd.exe
PID 2696 wrote to memory of 1768 | 2696 | kzwwbkpnqo.exe | lglzmqov.exe
PID 2696 wrote to memory of 1768 | 2696 | kzwwbkpnqo.exe | lglzmqov.exe
PID 2696 wrote to memory of 1768 | 2696 | kzwwbkpnqo.exe | lglzmqov.exe
PID 2696 wrote to memory of 1768 | 2696 | kzwwbkpnqo.exe | lglzmqov.exe
PID 1728 wrote to memory of 2964 | 1728 | 04938f57dbc1fe4d19ac4b7971536702_JaffaCakes118.exe | WINWORD.EXE
PID 1728 wrote to memory of 2964 | 1728 | 04938f57dbc1fe4d19ac4b7971536702_JaffaCakes118.exe | WINWORD.EXE
PID 1728 wrote to memory of 2964 | 1728 | 04938f57dbc1fe4d19ac4b7971536702_JaffaCakes118.exe | WINWORD.EXE
PID 1728 wrote to memory of 2964 | 1728 | 04938f57dbc1fe4d19ac4b7971536702_JaffaCakes118.exe | WINWORD.EXE
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\04938f57dbc1fe4d19ac4b7971536702_JaffaCakes118.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\04938f57dbc1fe4d19ac4b7971536702_JaffaCakes118.exe"
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\kzwwbkpnqo.exe (level 2)
Command line: kzwwbkpnqo.exe
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\lglzmqov.exe (level 3)
Command line: C:\Windows\system32\lglzmqov.exe
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\vkkbijbzfenlpfn.exe (level 2)
Command line: vkkbijbzfenlpfn.exe
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe (level 3)
Command line: cmd.exe /c gfflkuzbibvzp.exe
-
C:\Windows\SysWOW64\lglzmqov.exe (level 2)
Command line: lglzmqov.exe
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\gfflkuzbibvzp.exe (level 2)
Command line: gfflkuzbibvzp.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (level 2)
Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exe (level 1)
Command line: explorer.exe
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution (3)
Registry Run Keys / Startup Folder (2)
Winlogon Helper DLL (1)
Privilege Escalation
Boot or Logon Autostart Execution (3)
Registry Run Keys / Startup Folder (2)
Winlogon Helper DLL (1)
Defense Evasion
Hide Artifacts (2)
Hidden Files and Directories (2)
Modify Registry (8)
Impair Defenses (2)
Disable or Modify Tools (2)
Downloads
-
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe (Filesize 512KB)
-
C:\Program Files\UndoPublish.doc.exe (Filesize 512KB)
-
C:\Windows\SysWOW64\lglzmqov.exe (Filesize 512KB)
-
C:\Windows\mydoc.rtf (Filesize 223B)
-
\Windows\SysWOW64\gfflkuzbibvzp.exe (Filesize 512KB)
-
\Windows\SysWOW64\kzwwbkpnqo.exe (Filesize 512KB)
-
\Windows\SysWOW64\vkkbijbzfenlpfn.exe (Filesize 512KB)
-
memory/1728-0-0x0000000000400000-0x0000000000496000-memory.dmp (Filesize 600KB)
-
memory/2780-84-0x0000000002990000-0x00000000029A0000-memory.dmp (Filesize 64KB)
-
memory/2964-45-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize 64KB)