0f4cbeaeb904a1dcf09d12018ab867d52ef6a9f3c5a45cd72362479b3f39d446

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
28-04-2024 09:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04ed51cbe1459f77b58a943ff3c3d29a_JaffaCakes118.exe
Size

512KB
MD5

04ed51cbe1459f77b58a943ff3c3d29a
SHA1

861ee131f85817baaff034251cd3241843131265
SHA256

0f4cbeaeb904a1dcf09d12018ab867d52ef6a9f3c5a45cd72362479b3f39d446
SHA512

994e07bad6535762ae9f9c21abbb8772f0921261814f4d19c44d65a0aa4372b400fb9078efeb19e3d56fbc1460733f2a2ec651851df4986ecefb37d048a9c959
SSDEEP

6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj69:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5w

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

tvryxhiunb.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	tvryxhiunb.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

tvryxhiunb.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	tvryxhiunb.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

tvryxhiunb.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	tvryxhiunb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	tvryxhiunb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	tvryxhiunb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	tvryxhiunb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	tvryxhiunb.exe

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

tvryxhiunb.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	tvryxhiunb.exe

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 5 IoCs

Processes:

tvryxhiunb.exeuuwnhepwgtnajwp.exexcmwahuy.exexgqbwwlptqbwu.exexcmwahuy.exe

pid process

2196 tvryxhiunb.exe
2900 uuwnhepwgtnajwp.exe
2564 xcmwahuy.exe
2744 xgqbwwlptqbwu.exe
2792 xcmwahuy.exe

pid	process
2196	tvryxhiunb.exe
2900	uuwnhepwgtnajwp.exe
2564	xcmwahuy.exe
2744	xgqbwwlptqbwu.exe
2792	xcmwahuy.exe

Loads dropped DLL 5 IoCs

Processes:

04ed51cbe1459f77b58a943ff3c3d29a_JaffaCakes118.exetvryxhiunb.exe

pid	process
2136	04ed51cbe1459f77b58a943ff3c3d29a_JaffaCakes118.exe
2136	04ed51cbe1459f77b58a943ff3c3d29a_JaffaCakes118.exe
2136	04ed51cbe1459f77b58a943ff3c3d29a_JaffaCakes118.exe
2136	04ed51cbe1459f77b58a943ff3c3d29a_JaffaCakes118.exe
2196	tvryxhiunb.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

tvryxhiunb.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	tvryxhiunb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"	tvryxhiunb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	tvryxhiunb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	tvryxhiunb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	tvryxhiunb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	tvryxhiunb.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

uuwnhepwgtnajwp.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\rbcqkmhq = "tvryxhiunb.exe"	uuwnhepwgtnajwp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\bsnyddkf = "uuwnhepwgtnajwp.exe"	uuwnhepwgtnajwp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "xgqbwwlptqbwu.exe"	uuwnhepwgtnajwp.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

xcmwahuy.exetvryxhiunb.exexcmwahuy.exe

description	ioc	process
File opened (read-only)	\??\n:	xcmwahuy.exe
File opened (read-only)	\??\p:	tvryxhiunb.exe
File opened (read-only)	\??\r:	tvryxhiunb.exe
File opened (read-only)	\??\v:	tvryxhiunb.exe
File opened (read-only)	\??\m:	xcmwahuy.exe
File opened (read-only)	\??\l:	xcmwahuy.exe
File opened (read-only)	\??\z:	xcmwahuy.exe
File opened (read-only)	\??\r:	xcmwahuy.exe
File opened (read-only)	\??\n:	xcmwahuy.exe
File opened (read-only)	\??\o:	xcmwahuy.exe
File opened (read-only)	\??\v:	xcmwahuy.exe
File opened (read-only)	\??\j:	xcmwahuy.exe
File opened (read-only)	\??\x:	xcmwahuy.exe
File opened (read-only)	\??\p:	xcmwahuy.exe
File opened (read-only)	\??\q:	xcmwahuy.exe
File opened (read-only)	\??\k:	tvryxhiunb.exe
File opened (read-only)	\??\l:	tvryxhiunb.exe
File opened (read-only)	\??\m:	tvryxhiunb.exe
File opened (read-only)	\??\i:	xcmwahuy.exe
File opened (read-only)	\??\e:	xcmwahuy.exe
File opened (read-only)	\??\m:	xcmwahuy.exe
File opened (read-only)	\??\s:	xcmwahuy.exe
File opened (read-only)	\??\x:	xcmwahuy.exe
File opened (read-only)	\??\t:	tvryxhiunb.exe
File opened (read-only)	\??\l:	xcmwahuy.exe
File opened (read-only)	\??\a:	xcmwahuy.exe
File opened (read-only)	\??\k:	xcmwahuy.exe
File opened (read-only)	\??\y:	xcmwahuy.exe
File opened (read-only)	\??\g:	tvryxhiunb.exe
File opened (read-only)	\??\h:	tvryxhiunb.exe
File opened (read-only)	\??\a:	xcmwahuy.exe
File opened (read-only)	\??\w:	xcmwahuy.exe
File opened (read-only)	\??\z:	xcmwahuy.exe
File opened (read-only)	\??\b:	xcmwahuy.exe
File opened (read-only)	\??\o:	xcmwahuy.exe
File opened (read-only)	\??\e:	xcmwahuy.exe
File opened (read-only)	\??\k:	xcmwahuy.exe
File opened (read-only)	\??\s:	tvryxhiunb.exe
File opened (read-only)	\??\u:	tvryxhiunb.exe
File opened (read-only)	\??\i:	xcmwahuy.exe
File opened (read-only)	\??\j:	xcmwahuy.exe
File opened (read-only)	\??\b:	tvryxhiunb.exe
File opened (read-only)	\??\e:	tvryxhiunb.exe
File opened (read-only)	\??\i:	tvryxhiunb.exe
File opened (read-only)	\??\q:	tvryxhiunb.exe
File opened (read-only)	\??\y:	xcmwahuy.exe
File opened (read-only)	\??\g:	xcmwahuy.exe
File opened (read-only)	\??\v:	xcmwahuy.exe
File opened (read-only)	\??\w:	tvryxhiunb.exe
File opened (read-only)	\??\g:	xcmwahuy.exe
File opened (read-only)	\??\s:	xcmwahuy.exe
File opened (read-only)	\??\u:	xcmwahuy.exe
File opened (read-only)	\??\h:	xcmwahuy.exe
File opened (read-only)	\??\o:	tvryxhiunb.exe
File opened (read-only)	\??\h:	xcmwahuy.exe
File opened (read-only)	\??\p:	xcmwahuy.exe
File opened (read-only)	\??\w:	xcmwahuy.exe
File opened (read-only)	\??\a:	tvryxhiunb.exe
File opened (read-only)	\??\j:	tvryxhiunb.exe
File opened (read-only)	\??\y:	tvryxhiunb.exe
File opened (read-only)	\??\z:	tvryxhiunb.exe
File opened (read-only)	\??\r:	xcmwahuy.exe
File opened (read-only)	\??\t:	xcmwahuy.exe
File opened (read-only)	\??\x:	tvryxhiunb.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

tvryxhiunb.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"	tvryxhiunb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	tvryxhiunb.exe

AutoIT Executable 6 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/2136-0-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe
C:\Windows\SysWOW64\uuwnhepwgtnajwp.exe	autoit_exe
\Windows\SysWOW64\tvryxhiunb.exe	autoit_exe
\Windows\SysWOW64\xcmwahuy.exe	autoit_exe
\Windows\SysWOW64\xgqbwwlptqbwu.exe	autoit_exe
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	autoit_exe

Drops file in System32 directory 9 IoCs

Processes:

04ed51cbe1459f77b58a943ff3c3d29a_JaffaCakes118.exetvryxhiunb.exe

description	ioc	process
File created	C:\Windows\SysWOW64\tvryxhiunb.exe	04ed51cbe1459f77b58a943ff3c3d29a_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xcmwahuy.exe	04ed51cbe1459f77b58a943ff3c3d29a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\xcmwahuy.exe	04ed51cbe1459f77b58a943ff3c3d29a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\tvryxhiunb.exe	04ed51cbe1459f77b58a943ff3c3d29a_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\uuwnhepwgtnajwp.exe	04ed51cbe1459f77b58a943ff3c3d29a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\uuwnhepwgtnajwp.exe	04ed51cbe1459f77b58a943ff3c3d29a_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xgqbwwlptqbwu.exe	04ed51cbe1459f77b58a943ff3c3d29a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\xgqbwwlptqbwu.exe	04ed51cbe1459f77b58a943ff3c3d29a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	tvryxhiunb.exe

Drops file in Program Files directory 14 IoCs

Processes:

xcmwahuy.exexcmwahuy.exe

description	ioc	process
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	xcmwahuy.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	xcmwahuy.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	xcmwahuy.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	xcmwahuy.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	xcmwahuy.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	xcmwahuy.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	xcmwahuy.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	xcmwahuy.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	xcmwahuy.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	xcmwahuy.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	xcmwahuy.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	xcmwahuy.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	xcmwahuy.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	xcmwahuy.exe

Drops file in Windows directory 4 IoCs

Processes:

WINWORD.EXE04ed51cbe1459f77b58a943ff3c3d29a_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE
File opened for modification	C:\Windows\mydoc.rtf	04ed51cbe1459f77b58a943ff3c3d29a_JaffaCakes118.exe
File opened for modification	C:\Windows\mydoc.rtf	WINWORD.EXE
File created	C:\Windows\~$mydoc.rtf	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

explorer.exeWINWORD.EXE04ed51cbe1459f77b58a943ff3c3d29a_JaffaCakes118.exetvryxhiunb.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FF9FFFB4F5885139046D6207DE0BC94E636584667456242D691"	04ed51cbe1459f77b58a943ff3c3d29a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\CLV.Classes	04ed51cbe1459f77b58a943ff3c3d29a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile"	tvryxhiunb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs	tvryxhiunb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsc	tvryxhiunb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"	tvryxhiunb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsf	tvryxhiunb.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

2596 WINWORD.EXE

pid	process
2596	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

04ed51cbe1459f77b58a943ff3c3d29a_JaffaCakes118.exetvryxhiunb.exeuuwnhepwgtnajwp.exexcmwahuy.exexgqbwwlptqbwu.exexcmwahuy.exe

pid	process
2136	04ed51cbe1459f77b58a943ff3c3d29a_JaffaCakes118.exe
2136	04ed51cbe1459f77b58a943ff3c3d29a_JaffaCakes118.exe
2136	04ed51cbe1459f77b58a943ff3c3d29a_JaffaCakes118.exe
2136	04ed51cbe1459f77b58a943ff3c3d29a_JaffaCakes118.exe
2136	04ed51cbe1459f77b58a943ff3c3d29a_JaffaCakes118.exe
2136	04ed51cbe1459f77b58a943ff3c3d29a_JaffaCakes118.exe
2136	04ed51cbe1459f77b58a943ff3c3d29a_JaffaCakes118.exe
2136	04ed51cbe1459f77b58a943ff3c3d29a_JaffaCakes118.exe
2196	tvryxhiunb.exe
2196	tvryxhiunb.exe
2196	tvryxhiunb.exe
2196	tvryxhiunb.exe
2196	tvryxhiunb.exe
2900	uuwnhepwgtnajwp.exe
2900	uuwnhepwgtnajwp.exe
2900	uuwnhepwgtnajwp.exe
2900	uuwnhepwgtnajwp.exe
2900	uuwnhepwgtnajwp.exe
2564	xcmwahuy.exe
2564	xcmwahuy.exe
2564	xcmwahuy.exe
2564	xcmwahuy.exe
2744	xgqbwwlptqbwu.exe
2744	xgqbwwlptqbwu.exe
2744	xgqbwwlptqbwu.exe
2744	xgqbwwlptqbwu.exe
2744	xgqbwwlptqbwu.exe
2744	xgqbwwlptqbwu.exe
2792	xcmwahuy.exe
2792	xcmwahuy.exe
2792	xcmwahuy.exe
2792	xcmwahuy.exe
2900	uuwnhepwgtnajwp.exe
2744	xgqbwwlptqbwu.exe
2744	xgqbwwlptqbwu.exe
2900	uuwnhepwgtnajwp.exe
2900	uuwnhepwgtnajwp.exe
2744	xgqbwwlptqbwu.exe
2744	xgqbwwlptqbwu.exe
2900	uuwnhepwgtnajwp.exe
2744	xgqbwwlptqbwu.exe
2744	xgqbwwlptqbwu.exe
2900	uuwnhepwgtnajwp.exe
2744	xgqbwwlptqbwu.exe
2744	xgqbwwlptqbwu.exe
2900	uuwnhepwgtnajwp.exe
2744	xgqbwwlptqbwu.exe
2744	xgqbwwlptqbwu.exe
2900	uuwnhepwgtnajwp.exe
2744	xgqbwwlptqbwu.exe
2744	xgqbwwlptqbwu.exe
2900	uuwnhepwgtnajwp.exe
2744	xgqbwwlptqbwu.exe
2744	xgqbwwlptqbwu.exe
2900	uuwnhepwgtnajwp.exe
2744	xgqbwwlptqbwu.exe
2744	xgqbwwlptqbwu.exe
2900	uuwnhepwgtnajwp.exe
2744	xgqbwwlptqbwu.exe
2744	xgqbwwlptqbwu.exe
2900	uuwnhepwgtnajwp.exe
2744	xgqbwwlptqbwu.exe
2744	xgqbwwlptqbwu.exe
2900	uuwnhepwgtnajwp.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

explorer.exe

description	pid	process
Token: SeShutdownPrivilege	1844	explorer.exe
Token: SeShutdownPrivilege	1844	explorer.exe
Token: SeShutdownPrivilege	1844	explorer.exe
Token: SeShutdownPrivilege	1844	explorer.exe
Token: SeShutdownPrivilege	1844	explorer.exe
Token: SeShutdownPrivilege	1844	explorer.exe
Token: SeShutdownPrivilege	1844	explorer.exe
Token: SeShutdownPrivilege	1844	explorer.exe
Token: SeShutdownPrivilege	1844	explorer.exe
Token: SeShutdownPrivilege	1844	explorer.exe
Token: SeShutdownPrivilege	1844	explorer.exe
Token: SeShutdownPrivilege	1844	explorer.exe

Suspicious use of FindShellTrayWindow 47 IoCs

Processes:

04ed51cbe1459f77b58a943ff3c3d29a_JaffaCakes118.exetvryxhiunb.exeuuwnhepwgtnajwp.exexcmwahuy.exexgqbwwlptqbwu.exexcmwahuy.exeexplorer.exe

pid	process
2136	04ed51cbe1459f77b58a943ff3c3d29a_JaffaCakes118.exe
2136	04ed51cbe1459f77b58a943ff3c3d29a_JaffaCakes118.exe
2136	04ed51cbe1459f77b58a943ff3c3d29a_JaffaCakes118.exe
2196	tvryxhiunb.exe
2196	tvryxhiunb.exe
2196	tvryxhiunb.exe
2900	uuwnhepwgtnajwp.exe
2900	uuwnhepwgtnajwp.exe
2900	uuwnhepwgtnajwp.exe
2564	xcmwahuy.exe
2564	xcmwahuy.exe
2564	xcmwahuy.exe
2744	xgqbwwlptqbwu.exe
2744	xgqbwwlptqbwu.exe
2744	xgqbwwlptqbwu.exe
2792	xcmwahuy.exe
2792	xcmwahuy.exe
2792	xcmwahuy.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe

Suspicious use of SendNotifyMessage 34 IoCs

Processes:

04ed51cbe1459f77b58a943ff3c3d29a_JaffaCakes118.exetvryxhiunb.exeuuwnhepwgtnajwp.exexcmwahuy.exexgqbwwlptqbwu.exeexplorer.exe

pid	process
2136	04ed51cbe1459f77b58a943ff3c3d29a_JaffaCakes118.exe
2136	04ed51cbe1459f77b58a943ff3c3d29a_JaffaCakes118.exe
2136	04ed51cbe1459f77b58a943ff3c3d29a_JaffaCakes118.exe
2196	tvryxhiunb.exe
2196	tvryxhiunb.exe
2196	tvryxhiunb.exe
2900	uuwnhepwgtnajwp.exe
2900	uuwnhepwgtnajwp.exe
2900	uuwnhepwgtnajwp.exe
2564	xcmwahuy.exe
2564	xcmwahuy.exe
2564	xcmwahuy.exe
2744	xgqbwwlptqbwu.exe
2744	xgqbwwlptqbwu.exe
2744	xgqbwwlptqbwu.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

2596 WINWORD.EXE
2596 WINWORD.EXE

pid	process
2596	WINWORD.EXE
2596	WINWORD.EXE

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

04ed51cbe1459f77b58a943ff3c3d29a_JaffaCakes118.exetvryxhiunb.exe

description	pid	process	target process
PID 2136 wrote to memory of 2196	2136	04ed51cbe1459f77b58a943ff3c3d29a_JaffaCakes118.exe	tvryxhiunb.exe
PID 2136 wrote to memory of 2196	2136	04ed51cbe1459f77b58a943ff3c3d29a_JaffaCakes118.exe	tvryxhiunb.exe
PID 2136 wrote to memory of 2196	2136	04ed51cbe1459f77b58a943ff3c3d29a_JaffaCakes118.exe	tvryxhiunb.exe
PID 2136 wrote to memory of 2196	2136	04ed51cbe1459f77b58a943ff3c3d29a_JaffaCakes118.exe	tvryxhiunb.exe
PID 2136 wrote to memory of 2900	2136	04ed51cbe1459f77b58a943ff3c3d29a_JaffaCakes118.exe	uuwnhepwgtnajwp.exe
PID 2136 wrote to memory of 2900	2136	04ed51cbe1459f77b58a943ff3c3d29a_JaffaCakes118.exe	uuwnhepwgtnajwp.exe
PID 2136 wrote to memory of 2900	2136	04ed51cbe1459f77b58a943ff3c3d29a_JaffaCakes118.exe	uuwnhepwgtnajwp.exe
PID 2136 wrote to memory of 2900	2136	04ed51cbe1459f77b58a943ff3c3d29a_JaffaCakes118.exe	uuwnhepwgtnajwp.exe
PID 2136 wrote to memory of 2564	2136	04ed51cbe1459f77b58a943ff3c3d29a_JaffaCakes118.exe	xcmwahuy.exe
PID 2136 wrote to memory of 2564	2136	04ed51cbe1459f77b58a943ff3c3d29a_JaffaCakes118.exe	xcmwahuy.exe
PID 2136 wrote to memory of 2564	2136	04ed51cbe1459f77b58a943ff3c3d29a_JaffaCakes118.exe	xcmwahuy.exe
PID 2136 wrote to memory of 2564	2136	04ed51cbe1459f77b58a943ff3c3d29a_JaffaCakes118.exe	xcmwahuy.exe
PID 2136 wrote to memory of 2744	2136	04ed51cbe1459f77b58a943ff3c3d29a_JaffaCakes118.exe	xgqbwwlptqbwu.exe
PID 2136 wrote to memory of 2744	2136	04ed51cbe1459f77b58a943ff3c3d29a_JaffaCakes118.exe	xgqbwwlptqbwu.exe
PID 2136 wrote to memory of 2744	2136	04ed51cbe1459f77b58a943ff3c3d29a_JaffaCakes118.exe	xgqbwwlptqbwu.exe
PID 2136 wrote to memory of 2744	2136	04ed51cbe1459f77b58a943ff3c3d29a_JaffaCakes118.exe	xgqbwwlptqbwu.exe
PID 2196 wrote to memory of 2792	2196	tvryxhiunb.exe	xcmwahuy.exe
PID 2196 wrote to memory of 2792	2196	tvryxhiunb.exe	xcmwahuy.exe
PID 2196 wrote to memory of 2792	2196	tvryxhiunb.exe	xcmwahuy.exe
PID 2196 wrote to memory of 2792	2196	tvryxhiunb.exe	xcmwahuy.exe
PID 2136 wrote to memory of 2596	2136	04ed51cbe1459f77b58a943ff3c3d29a_JaffaCakes118.exe	WINWORD.EXE
PID 2136 wrote to memory of 2596	2136	04ed51cbe1459f77b58a943ff3c3d29a_JaffaCakes118.exe	WINWORD.EXE
PID 2136 wrote to memory of 2596	2136	04ed51cbe1459f77b58a943ff3c3d29a_JaffaCakes118.exe	WINWORD.EXE
PID 2136 wrote to memory of 2596	2136	04ed51cbe1459f77b58a943ff3c3d29a_JaffaCakes118.exe	WINWORD.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\04ed51cbe1459f77b58a943ff3c3d29a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\04ed51cbe1459f77b58a943ff3c3d29a_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2136

C:\Windows\SysWOW64\tvryxhiunb.exe
tvryxhiunb.exe
2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2196

C:\Windows\SysWOW64\xcmwahuy.exe
C:\Windows\system32\xcmwahuy.exe
3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2792

C:\Windows\SysWOW64\uuwnhepwgtnajwp.exe
uuwnhepwgtnajwp.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2900

C:\Windows\SysWOW64\xcmwahuy.exe
xcmwahuy.exe
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2564

C:\Windows\SysWOW64\xgqbwwlptqbwu.exe
xgqbwwlptqbwu.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2744

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2596

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1844

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
Filesize
512KB

MD5
5022b2d184c225201be58871f03ce7df

SHA1
89f71a64f2c0045d42d787aeefdab0ebe0216782

SHA256
b6861b707e4a1b26c8142589fcda1a21b6246f78c8049f81317dd6b46ef5dfa6

SHA512
16a301bedb03204bb054eb87eff13390eec077eef44497c68b514353e9a59016b0af3683b8e2acb293b4cfce598d62e596920930e83d7dd62ec9fc2d80093a86

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Filesize
68B

MD5
a7a27f88ffa7ba40afd17e042b065a4d

SHA1
d028c90587d6fac87f178763ee5e5b6f9ccca6a8

SHA256
0977b07b4ed91356dbf3196df19840611ba6d8cdef7c294bf74bcb03c45f406d

SHA512
fb003649d7261005b8d2315d022e44b9377d17409183471718da3b05853714f0ce569de8d595a85ef7879a6ebbdaeded8e813d5cb486e3f411168f25b717d9dd

Download Submit
C:\Windows\SysWOW64\uuwnhepwgtnajwp.exe
Filesize
512KB

MD5
c3d99ce69cd84ea01dfbdd94ae450d7e

SHA1
b3c7d3bc0c77f71548ee2e70b23902f266a420c8

SHA256
4e3b1ec26ab300890ccd822a9992a02b93d8861bb16414286d45a52108257993

SHA512
fa73f5069efebf7131042d12c7c85c08548dd16426072f76cf9222b0381092fdd5ed99a31afc57e06bde699914dc8f82bcc85c480c82634fc207e18a0fda6d59

Download Submit
C:\Windows\mydoc.rtf
Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\Windows\SysWOW64\tvryxhiunb.exe
Filesize
512KB

MD5
6c8542b7c12fa79cd972fa65910607ab

SHA1
03d9e666bd6c9b10982972479ae3dc2da0ccf493

SHA256
1fb9e642b0af5e21a70bb231d5efdeea08752d4df8338fae765d4aabb2d5b1f3

SHA512
abb2fc008bd37260ea50d591a777ae0690f0212c4c211ef15caaf3af89bc724f197c0a0b04acaea44f6d050b715d86f32fdae0877305f8ccf02305e60c651fbe

Download Submit
\Windows\SysWOW64\xcmwahuy.exe
Filesize
512KB

MD5
6c26a46aff4330526cd97f8630cb9b13

SHA1
d76e3358a97aaa6b1aa68a21366e4412bdfa47b8

SHA256
399617fc7fc4b65e83ccaf9dab1ce739bb6d47bbd8e51d013f037d26691a5273

SHA512
29bba6035e5dbe9837d9285674aa852c9ac4656d38831a7ac7a23ff118cdcde09790c8fb668e34ef4473fa06d72ae888a1f126c05f695898cee7bee0c28e9232

Download Submit
\Windows\SysWOW64\xgqbwwlptqbwu.exe
Filesize
512KB

MD5
c8edb97e6de39edd869e69ca3cb41792

SHA1
a0046635c001f1d6275f93d210002f73765dbad9

SHA256
bce11b44d9ae7e7c8bfd586fbae7fd921f35c1859e144d92c01b7f9e353bb6d5

SHA512
faa0f37755fccbdf178e91100dbc80ea8d5d89172188357ee7e4f59f41f76a051b354d111c1d4fd55bad99de161bced3aaf8c8dcd78d3809db4baeb222c3133a

Download Submit
memory/1844-79-0x0000000002980000-0x0000000002990000-memory.dmp

Filesize
64KB

Download
memory/2136-0-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2596-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads