Analysis

Max time kernel: 150s
Max time network: 122s
Platform: windows7_x64
Resource: win7-20231129-en
Resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
Submitted: 28-04-2024 09:54

Static task: static1

Behavioral task: behavioral1
Sample: 04ed51cbe1459f77b58a943ff3c3d29a_JaffaCakes118.exe
Resource: win7-20231129-en

Behavioral task: behavioral2
Sample: 04ed51cbe1459f77b58a943ff3c3d29a_JaffaCakes118.exe
Resource: win10v2004-20240419-en
General

Target: 04ed51cbe1459f77b58a943ff3c3d29a_JaffaCakes118.exe
Size: 512KB
MD5: 04ed51cbe1459f77b58a943ff3c3d29a
SHA1: 861ee131f85817baaff034251cd3241843131265
SHA256: 0f4cbeaeb904a1dcf09d12018ab867d52ef6a9f3c5a45cd72362479b3f39d446
SHA512: 994e07bad6535762ae9f9c21abbb8772f0921261814f4d19c44d65a0aa4372b400fb9078efeb19e3d56fbc1460733f2a2ec651851df4986ecefb37d048a9c959
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj69:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5w
Malware Config

Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
Processes:
- Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (tvryxhiunb.exe)
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
Processes:
- Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (tvryxhiunb.exe)
Windows security bypass
Processes:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (tvryxhiunb.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (tvryxhiunb.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (tvryxhiunb.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (tvryxhiunb.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (tvryxhiunb.exe)
Disables RegEdit via registry modification (1 IoC)
Processes:
- Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (tvryxhiunb.exe)
Modifies Installed Components in the registry (2 TTPs, 1 IoC)
Processes:
- Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Active Setup\Installed Components (explorer.exe)
Executes dropped EXE (5 IoCs)
Processes:
- PID 2196 tvryxhiunb.exe
- PID 2900 uuwnhepwgtnajwp.exe
- PID 2564 xcmwahuy.exe
- PID 2744 xgqbwwlptqbwu.exe
- PID 2792 xcmwahuy.exe
Loads dropped DLL (5 IoCs)
Processes:
- PID 2136 04ed51cbe1459f77b58a943ff3c3d29a_JaffaCakes118.exe
- PID 2136 04ed51cbe1459f77b58a943ff3c3d29a_JaffaCakes118.exe
- PID 2136 04ed51cbe1459f77b58a943ff3c3d29a_JaffaCakes118.exe
- PID 2136 04ed51cbe1459f77b58a943ff3c3d29a_JaffaCakes118.exe
- PID 2196 tvryxhiunb.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
Processes:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (tvryxhiunb.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" (tvryxhiunb.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (tvryxhiunb.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (tvryxhiunb.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (tvryxhiunb.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (tvryxhiunb.exe)
Adds Run key to start application (2 TTPs, 3 IoCs)
Processes:
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\rbcqkmhq = "tvryxhiunb.exe" (uuwnhepwgtnajwp.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\bsnyddkf = "uuwnhepwgtnajwp.exe" (uuwnhepwgtnajwp.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "xgqbwwlptqbwu.exe" (uuwnhepwgtnajwp.exe)
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon (2 TTPs, 2 IoCs)
Processes:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" (tvryxhiunb.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" (tvryxhiunb.exe)
AutoIT Executable (6 IoCs)
AutoIT scripts compiled to PE executables.
Resources matching yara rule autoit_exe:
- behavioral1/memory/2136-0-0x0000000000400000-0x0000000000496000-memory.dmp
- C:\Windows\SysWOW64\uuwnhepwgtnajwp.exe
- \Windows\SysWOW64\tvryxhiunb.exe
- \Windows\SysWOW64\xcmwahuy.exe
- \Windows\SysWOW64\xgqbwwlptqbwu.exe
- C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
Drops file in System32 directory (9 IoCs)
Processes:
- File created C:\Windows\SysWOW64\tvryxhiunb.exe (04ed51cbe1459f77b58a943ff3c3d29a_JaffaCakes118.exe)
- File created C:\Windows\SysWOW64\xcmwahuy.exe (04ed51cbe1459f77b58a943ff3c3d29a_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\xcmwahuy.exe (04ed51cbe1459f77b58a943ff3c3d29a_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\tvryxhiunb.exe (04ed51cbe1459f77b58a943ff3c3d29a_JaffaCakes118.exe)
- File created C:\Windows\SysWOW64\uuwnhepwgtnajwp.exe (04ed51cbe1459f77b58a943ff3c3d29a_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\uuwnhepwgtnajwp.exe (04ed51cbe1459f77b58a943ff3c3d29a_JaffaCakes118.exe)
- File created C:\Windows\SysWOW64\xgqbwwlptqbwu.exe (04ed51cbe1459f77b58a943ff3c3d29a_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\xgqbwwlptqbwu.exe (04ed51cbe1459f77b58a943ff3c3d29a_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\msvbvm60.dll (tvryxhiunb.exe)
Drops file in Program Files directory (14 IoCs)
Processes:
- File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe (xcmwahuy.exe)
- File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe (xcmwahuy.exe)
- File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe (xcmwahuy.exe)
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal (xcmwahuy.exe)
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe (xcmwahuy.exe)
- File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe (xcmwahuy.exe)
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe (xcmwahuy.exe)
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe (xcmwahuy.exe)
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal (xcmwahuy.exe)
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe (xcmwahuy.exe)
- File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe (xcmwahuy.exe)
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal (xcmwahuy.exe)
- File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe (xcmwahuy.exe)
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal (xcmwahuy.exe)
Drops file in Windows directory (4 IoCs)
Processes:
- File opened for modification C:\Windows\Debug\WIA\wiatrace.log (WINWORD.EXE)
- File opened for modification C:\Windows\mydoc.rtf (04ed51cbe1459f77b58a943ff3c3d29a_JaffaCakes118.exe)
- File opened for modification C:\Windows\mydoc.rtf (WINWORD.EXE)
- File created C:\Windows\~$mydoc.rtf (WINWORD.EXE)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Office loads VBA resources, possible macro or embedded object present
Modifies registry class (64 IoCs)
Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes:
- PID 2596 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of AdjustPrivilegeToken (12 IoCs)
Suspicious use of FindShellTrayWindow (47 IoCs)
Suspicious use of SendNotifyMessage (34 IoCs)
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
- PID 2596 WINWORD.EXE
- PID 2596 WINWORD.EXE
Suspicious use of WriteProcessMemory 24 IoCs
Processes:
description pid process target process
- PID 2136 wrote to memory of 2196 (4 events): 2136 04ed51cbe1459f77b58a943ff3c3d29a_JaffaCakes118.exe -> tvryxhiunb.exe
- PID 2136 wrote to memory of 2900 (4 events): 2136 04ed51cbe1459f77b58a943ff3c3d29a_JaffaCakes118.exe -> uuwnhepwgtnajwp.exe
- PID 2136 wrote to memory of 2564 (4 events): 2136 04ed51cbe1459f77b58a943ff3c3d29a_JaffaCakes118.exe -> xcmwahuy.exe
- PID 2136 wrote to memory of 2744 (4 events): 2136 04ed51cbe1459f77b58a943ff3c3d29a_JaffaCakes118.exe -> xgqbwwlptqbwu.exe
- PID 2196 wrote to memory of 2792 (4 events): 2196 tvryxhiunb.exe -> xcmwahuy.exe
- PID 2136 wrote to memory of 2596 (4 events): 2136 04ed51cbe1459f77b58a943ff3c3d29a_JaffaCakes118.exe -> WINWORD.EXE
-
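The event list above is easier to reason about as a graph. The following Python is an added example, not part of the sandbox report or the sandbox's own tooling: it parses the run-together "wrote to memory" rows as the extraction presents them, collapses the repeated events, and answers the questions an analyst asks first about WriteProcessMemory activity: which process is the root writer, whether any target is written by more than one process, and which targets are well-known images rather than the sample's own dropped copies. The event text is copied from the report; the `LEGIT_IMAGES` set and the `WriteEdge` naming are illustrative assumptions.

```python
"""Build a cross-process write graph from a sandbox report's flattened
WriteProcessMemory event list.

Added example for this page; not code from the report or its tooling.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

SAMPLE = "04ed51cbe1459f77b58a943ff3c3d29a_JaffaCakes118.exe"

# Constructed input: the six distinct rows from the report above, in the
# report's order.  Each row appears four times there, which is reproduced
# below, as is the line break the extraction put after one "PID 2196 ".
ROWS = [
    f"PID 2136 wrote to memory of 2196 2136 {SAMPLE} tvryxhiunb.exe",
    f"PID 2136 wrote to memory of 2900 2136 {SAMPLE} uuwnhepwgtnajwp.exe",
    f"PID 2136 wrote to memory of 2564 2136 {SAMPLE} xcmwahuy.exe",
    f"PID 2136 wrote to memory of 2744 2136 {SAMPLE} xgqbwwlptqbwu.exe",
    "PID 2196 wrote to memory of 2792 2196 tvryxhiunb.exe xcmwahuy.exe",
    f"PID 2136 wrote to memory of 2596 2136 {SAMPLE} WINWORD.EXE",
]
RAW_EVENTS = " ".join(r for r in ROWS for _ in range(4)).replace(
    "PID 2196 wrote", "PID 2196 \nwrote", 1
)

# Assumption for illustration: images that are legitimate Windows/Office
# binaries, so a write into them is not a write into a dropped copy.
LEGIT_IMAGES = {"WINWORD.EXE", "explorer.exe"}

# Row layout: "PID <src> wrote to memory of <dst> <src> <src image> <dst image>"
EVENT_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) "
    r"(?P<src2>\d+) (?P<src_image>\S+) (?P<dst_image>\S+)"
)


@dataclass(frozen=True)
class WriteEdge:
    src_pid: int
    src_image: str
    dst_pid: int
    dst_image: str


def parse_events(text):
    """Return one WriteEdge per event, in report order.

    The extraction runs all rows together and may split a row across a
    line, so whitespace is normalised before matching.  The pid column is
    repeated in each row; a mismatch means the row was mangled.
    """
    flat = " ".join(text.split())
    edges = []
    for m in EVENT_RE.finditer(flat):
        if m["src"] != m["src2"]:
            raise ValueError(f"malformed event row: {m.group(0)!r}")
        edges.append(WriteEdge(int(m["src"]), m["src_image"],
                               int(m["dst"]), m["dst_image"]))
    return edges


def write_graph(edges):
    """Collapse repeated events into a mapping edge -> event count."""
    return Counter(edges)


def roots(graph):
    """Writers that are never themselves written to: the top of the chain."""
    writers = {e.src_pid for e in graph}
    targets = {e.dst_pid for e in graph}
    return writers - targets


def multi_writer_targets(graph):
    """Target pids written by more than one distinct process."""
    writers_by_target = defaultdict(set)
    for e in graph:
        writers_by_target[e.dst_pid].add(e.src_pid)
    return {pid for pid, w in writers_by_target.items() if len(w) > 1}


def writes_into_known_images(graph, known_images):
    """Edges whose target image is a known legitimate binary."""
    known = {n.lower() for n in known_images}
    return [e for e in graph if e.dst_image.lower() in known]


if __name__ == "__main__":
    g = write_graph(parse_events(RAW_EVENTS))
    for edge, n in g.items():
        print(f"{edge.src_pid} {edge.src_image} -> {edge.dst_pid} {edge.dst_image} x{n}")
    print("root writers:", roots(g))
    print("targets with several writers:", multi_writer_targets(g))
    print("writes into known images:", writes_into_known_images(g, LEGIT_IMAGES))
```

For this report the graph has a single root (2136, the sample), every target is written exactly four times by one writer, and the only write into a well-known image is the WINWORD.EXE instance the sample itself launched with the decoy document. A parent also writes into a child it has just created as part of ordinary process creation, so the parent-child relationship and the event count carry more weight than the bare WriteProcessMemory signature; a target with several writers, or a target the writer did not spawn, would be the stronger injection signal.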
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\04ed51cbe1459f77b58a943ff3c3d29a_JaffaCakes118.exe (depth 1)
command line: "C:\Users\Admin\AppData\Local\Temp\04ed51cbe1459f77b58a943ff3c3d29a_JaffaCakes118.exe"
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\tvryxhiunb.exe (depth 2)
command line: tvryxhiunb.exe
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\xcmwahuy.exe (depth 3)
command line: C:\Windows\system32\xcmwahuy.exe (a 32-bit process; System32 is redirected to SysWOW64 by WOW64)
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\uuwnhepwgtnajwp.exe (depth 2)
command line: uuwnhepwgtnajwp.exe
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\xcmwahuy.exe (depth 2)
command line: xcmwahuy.exe
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\xgqbwwlptqbwu.exe (depth 2)
command line: xgqbwwlptqbwu.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (depth 2)
command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exe (depth 1)
command line: explorer.exe
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution (T1547): 3
  - Registry Run Keys / Startup Folder (T1547.001): 2
  - Winlogon Helper DLL (T1547.004): 1
Privilege Escalation
- Boot or Logon Autostart Execution (T1547): 3
  - Registry Run Keys / Startup Folder (T1547.001): 2
  - Winlogon Helper DLL (T1547.004): 1
Defense Evasion
- Hide Artifacts (T1564): 2
  - Hidden Files and Directories (T1564.001): 2
- Modify Registry (T1112): 8
- Impair Defenses (T1562): 2
  - Disable or Modify Tools (T1562.001): 2
Downloads
-
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
Filesize: 512KB
MD5: 5022b2d184c225201be58871f03ce7df
SHA1: 89f71a64f2c0045d42d787aeefdab0ebe0216782
SHA256: b6861b707e4a1b26c8142589fcda1a21b6246f78c8049f81317dd6b46ef5dfa6
SHA512: 16a301bedb03204bb054eb87eff13390eec077eef44497c68b514353e9a59016b0af3683b8e2acb293b4cfce598d62e596920930e83d7dd62ec9fc2d80093a86
-
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Filesize: 68B
MD5: a7a27f88ffa7ba40afd17e042b065a4d
SHA1: d028c90587d6fac87f178763ee5e5b6f9ccca6a8
SHA256: 0977b07b4ed91356dbf3196df19840611ba6d8cdef7c294bf74bcb03c45f406d
SHA512: fb003649d7261005b8d2315d022e44b9377d17409183471718da3b05853714f0ce569de8d595a85ef7879a6ebbdaeded8e813d5cb486e3f411168f25b717d9dd
-
C:\Windows\SysWOW64\uuwnhepwgtnajwp.exe
Filesize: 512KB
MD5: c3d99ce69cd84ea01dfbdd94ae450d7e
SHA1: b3c7d3bc0c77f71548ee2e70b23902f266a420c8
SHA256: 4e3b1ec26ab300890ccd822a9992a02b93d8861bb16414286d45a52108257993
SHA512: fa73f5069efebf7131042d12c7c85c08548dd16426072f76cf9222b0381092fdd5ed99a31afc57e06bde699914dc8f82bcc85c480c82634fc207e18a0fda6d59
-
C:\Windows\mydoc.rtf
Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
\Windows\SysWOW64\tvryxhiunb.exe
Filesize: 512KB
MD5: 6c8542b7c12fa79cd972fa65910607ab
SHA1: 03d9e666bd6c9b10982972479ae3dc2da0ccf493
SHA256: 1fb9e642b0af5e21a70bb231d5efdeea08752d4df8338fae765d4aabb2d5b1f3
SHA512: abb2fc008bd37260ea50d591a777ae0690f0212c4c211ef15caaf3af89bc724f197c0a0b04acaea44f6d050b715d86f32fdae0877305f8ccf02305e60c651fbe
-
\Windows\SysWOW64\xcmwahuy.exe
Filesize: 512KB
MD5: 6c26a46aff4330526cd97f8630cb9b13
SHA1: d76e3358a97aaa6b1aa68a21366e4412bdfa47b8
SHA256: 399617fc7fc4b65e83ccaf9dab1ce739bb6d47bbd8e51d013f037d26691a5273
SHA512: 29bba6035e5dbe9837d9285674aa852c9ac4656d38831a7ac7a23ff118cdcde09790c8fb668e34ef4473fa06d72ae888a1f126c05f695898cee7bee0c28e9232
-
\Windows\SysWOW64\xgqbwwlptqbwu.exe
Filesize: 512KB
MD5: c8edb97e6de39edd869e69ca3cb41792
SHA1: a0046635c001f1d6275f93d210002f73765dbad9
SHA256: bce11b44d9ae7e7c8bfd586fbae7fd921f35c1859e144d92c01b7f9e353bb6d5
SHA512: faa0f37755fccbdf178e91100dbc80ea8d5d89172188357ee7e4f59f41f76a051b354d111c1d4fd55bad99de161bced3aaf8c8dcd78d3809db4baeb222c3133a
-
memory/1844-79-0x0000000002980000-0x0000000002990000-memory.dmp
Filesize: 64KB
-
memory/2136-0-0x0000000000400000-0x0000000000496000-memory.dmp
Filesize: 600KB
-
memory/2596-45-0x000000005FFF0000-0x0000000060000000-memory.dmp
Filesize: 64KB