Analysis
-
max time kernel
154s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
07-04-2024 20:17
Static task
static1
Behavioral task
behavioral1
Sample
e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe
Resource
win10v2004-20240226-en
General
-
Target
e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe
-
Size
512KB
-
MD5
e5c5edde770bc5b229112f11f43f5019
-
SHA1
d6d44d7f15069d4cfac2ab87b868ad0c63ce5644
-
SHA256
42bfaa077ffeb81706e21042ac4f55b206b9409be8f0c907b1d34e256652f080
-
SHA512
a3301dbcfff1b7be416a333050379b70cd1d6c6032155e0e118d582e2f8563235eb47f0903e915ce8a9a5d5eb587c642f000c7a192336f111ece26a2cfa019cc
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6n:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm56
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
Processes:
uycmgagtlh.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" uycmgagtlh.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes:
uycmgagtlh.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" uycmgagtlh.exe -
Processes:
uycmgagtlh.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" uycmgagtlh.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" uycmgagtlh.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" uycmgagtlh.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" uycmgagtlh.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" uycmgagtlh.exe -
Disables RegEdit via registry modification 1 IoCs
Processes:
uycmgagtlh.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" uycmgagtlh.exe -
Executes dropped EXE 5 IoCs
Processes:
uycmgagtlh.exejbclzoujlwqpavc.exehoxhqqot.exeucsbjfwwmwipd.exehoxhqqot.exepid process 1916 uycmgagtlh.exe 2184 jbclzoujlwqpavc.exe 2596 hoxhqqot.exe 2668 ucsbjfwwmwipd.exe 2488 hoxhqqot.exe -
Loads dropped DLL 5 IoCs
Processes:
e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exeuycmgagtlh.exepid process 2272 e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe 2272 e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe 2272 e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe 2272 e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe 1916 uycmgagtlh.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
uycmgagtlh.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" uycmgagtlh.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" uycmgagtlh.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" uycmgagtlh.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" uycmgagtlh.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" uycmgagtlh.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" uycmgagtlh.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
hoxhqqot.exeuycmgagtlh.exehoxhqqot.exedescription ioc process File opened (read-only) \??\e: hoxhqqot.exe File opened (read-only) \??\z: hoxhqqot.exe File opened (read-only) \??\m: hoxhqqot.exe File opened (read-only) \??\m: uycmgagtlh.exe File opened (read-only) \??\o: uycmgagtlh.exe File opened (read-only) \??\z: uycmgagtlh.exe File opened (read-only) \??\l: hoxhqqot.exe File opened (read-only) \??\t: uycmgagtlh.exe File opened (read-only) \??\r: hoxhqqot.exe File opened (read-only) \??\s: hoxhqqot.exe File opened (read-only) \??\w: hoxhqqot.exe File opened (read-only) \??\g: hoxhqqot.exe File opened (read-only) \??\w: hoxhqqot.exe File opened (read-only) \??\h: uycmgagtlh.exe File opened (read-only) \??\j: uycmgagtlh.exe File opened (read-only) \??\a: hoxhqqot.exe File opened (read-only) \??\i: hoxhqqot.exe File opened (read-only) \??\k: hoxhqqot.exe File opened (read-only) \??\a: uycmgagtlh.exe File opened (read-only) \??\s: uycmgagtlh.exe File opened (read-only) \??\v: uycmgagtlh.exe File opened (read-only) \??\h: hoxhqqot.exe File opened (read-only) \??\p: hoxhqqot.exe File opened (read-only) \??\h: hoxhqqot.exe File opened (read-only) \??\s: hoxhqqot.exe File opened (read-only) \??\b: uycmgagtlh.exe File opened (read-only) \??\v: hoxhqqot.exe File opened (read-only) \??\o: hoxhqqot.exe File opened (read-only) \??\q: hoxhqqot.exe File opened (read-only) \??\j: hoxhqqot.exe File opened (read-only) \??\n: hoxhqqot.exe File opened (read-only) \??\o: hoxhqqot.exe File opened (read-only) \??\x: uycmgagtlh.exe File opened (read-only) \??\g: hoxhqqot.exe File opened (read-only) \??\x: hoxhqqot.exe File opened (read-only) \??\y: uycmgagtlh.exe File opened (read-only) \??\k: hoxhqqot.exe File opened (read-only) \??\m: hoxhqqot.exe File opened (read-only) \??\n: hoxhqqot.exe File opened (read-only) \??\u: hoxhqqot.exe File opened (read-only) \??\v: hoxhqqot.exe File opened (read-only) \??\e: uycmgagtlh.exe File opened (read-only) \??\l: uycmgagtlh.exe File opened (read-only) \??\u: uycmgagtlh.exe File opened (read-only) \??\x: hoxhqqot.exe File opened (read-only) \??\y: hoxhqqot.exe File opened (read-only) \??\b: hoxhqqot.exe File opened (read-only) \??\p: hoxhqqot.exe File opened (read-only) \??\r: hoxhqqot.exe File opened (read-only) \??\n: uycmgagtlh.exe File opened (read-only) \??\t: hoxhqqot.exe File opened (read-only) \??\q: hoxhqqot.exe File opened (read-only) \??\i: uycmgagtlh.exe File opened (read-only) \??\r: uycmgagtlh.exe File opened (read-only) \??\e: hoxhqqot.exe File opened (read-only) \??\l: hoxhqqot.exe File opened (read-only) \??\p: uycmgagtlh.exe File opened (read-only) \??\q: uycmgagtlh.exe File opened (read-only) \??\j: hoxhqqot.exe File opened (read-only) \??\u: hoxhqqot.exe File opened (read-only) \??\y: hoxhqqot.exe File opened (read-only) \??\t: hoxhqqot.exe File opened (read-only) \??\g: uycmgagtlh.exe File opened (read-only) \??\k: uycmgagtlh.exe -
Modifies WinLogon 2 TTPs 2 IoCs
Processes:
uycmgagtlh.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" uycmgagtlh.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" uycmgagtlh.exe -
AutoIT Executable 6 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource yara_rule behavioral1/memory/2272-0-0x0000000000400000-0x0000000000496000-memory.dmp autoit_exe C:\Windows\SysWOW64\jbclzoujlwqpavc.exe autoit_exe \Windows\SysWOW64\uycmgagtlh.exe autoit_exe \Windows\SysWOW64\hoxhqqot.exe autoit_exe \Windows\SysWOW64\ucsbjfwwmwipd.exe autoit_exe C:\Users\Admin\Documents\UseMerge.doc.exe autoit_exe -
Drops file in System32 directory 9 IoCs
Processes:
e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exeuycmgagtlh.exedescription ioc process File created C:\Windows\SysWOW64\hoxhqqot.exe e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\ucsbjfwwmwipd.exe e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll uycmgagtlh.exe File created C:\Windows\SysWOW64\jbclzoujlwqpavc.exe e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\jbclzoujlwqpavc.exe e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\hoxhqqot.exe e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe File created C:\Windows\SysWOW64\ucsbjfwwmwipd.exe e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe File created C:\Windows\SysWOW64\uycmgagtlh.exe e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\uycmgagtlh.exe e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe -
Drops file in Program Files directory 14 IoCs
Processes:
hoxhqqot.exehoxhqqot.exedescription ioc process File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe hoxhqqot.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe hoxhqqot.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe hoxhqqot.exe File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe hoxhqqot.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal hoxhqqot.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe hoxhqqot.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal hoxhqqot.exe File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe hoxhqqot.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe hoxhqqot.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe hoxhqqot.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal hoxhqqot.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe hoxhqqot.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe hoxhqqot.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal hoxhqqot.exe -
Drops file in Windows directory 5 IoCs
Processes:
WINWORD.EXEe5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exedescription ioc process File created C:\Windows\~$mydoc.rtf WINWORD.EXE File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE File opened for modification C:\Windows\~$mydoc.rtf WINWORD.EXE File opened for modification C:\Windows\mydoc.rtf e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Office loads VBA resources, possible macro or embedded object present
-
Processes:
WINWORD.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE -
Modifies registry class 64 IoCs
Processes:
WINWORD.EXEe5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exeuycmgagtlh.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184AC60F15E4DAC3B8BA7F97EDE734C6" e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" uycmgagtlh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32462D089C5183526A4476D170212DDA7D8264A8" e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" uycmgagtlh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FF4FFFF4F5A85139132D7217E92BC95E1445840674E623ED790" e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0866BB0FF6E21ABD27CD0A48B0E9162" e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" uycmgagtlh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 2588 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exeuycmgagtlh.exehoxhqqot.exeucsbjfwwmwipd.exehoxhqqot.exepid process 2272 e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe 2272 e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe 2272 e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe 2272 e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe 2272 e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe 2272 e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe 2272 e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe 1916 uycmgagtlh.exe 1916 uycmgagtlh.exe 1916 uycmgagtlh.exe 1916 uycmgagtlh.exe 1916 uycmgagtlh.exe 2272 e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe 2596 hoxhqqot.exe 2596 hoxhqqot.exe 2596 hoxhqqot.exe 2596 hoxhqqot.exe 2668 ucsbjfwwmwipd.exe 2668 ucsbjfwwmwipd.exe 2668 ucsbjfwwmwipd.exe 2668 ucsbjfwwmwipd.exe 2668 ucsbjfwwmwipd.exe 2668 ucsbjfwwmwipd.exe 2668 ucsbjfwwmwipd.exe 2668 ucsbjfwwmwipd.exe 2488 hoxhqqot.exe 2488 hoxhqqot.exe 2488 hoxhqqot.exe 2488 hoxhqqot.exe 2668 ucsbjfwwmwipd.exe 2668 ucsbjfwwmwipd.exe 2668 ucsbjfwwmwipd.exe 2668 ucsbjfwwmwipd.exe 2668 ucsbjfwwmwipd.exe 2668 ucsbjfwwmwipd.exe 2668 ucsbjfwwmwipd.exe 2668 ucsbjfwwmwipd.exe 2668 ucsbjfwwmwipd.exe 2668 ucsbjfwwmwipd.exe 2668 ucsbjfwwmwipd.exe 2668 ucsbjfwwmwipd.exe 2668 ucsbjfwwmwipd.exe 2668 ucsbjfwwmwipd.exe 2668 ucsbjfwwmwipd.exe 2668 ucsbjfwwmwipd.exe 2668 ucsbjfwwmwipd.exe 2668 ucsbjfwwmwipd.exe 2668 ucsbjfwwmwipd.exe 2668 ucsbjfwwmwipd.exe 2668 ucsbjfwwmwipd.exe 2668 ucsbjfwwmwipd.exe 2668 ucsbjfwwmwipd.exe 2668 ucsbjfwwmwipd.exe 2668 ucsbjfwwmwipd.exe 2668 ucsbjfwwmwipd.exe 2668 ucsbjfwwmwipd.exe 2668 ucsbjfwwmwipd.exe 2668 ucsbjfwwmwipd.exe 2668 ucsbjfwwmwipd.exe 2668 ucsbjfwwmwipd.exe 2668 ucsbjfwwmwipd.exe 2668 ucsbjfwwmwipd.exe 2668 ucsbjfwwmwipd.exe 2668 ucsbjfwwmwipd.exe -
Suspicious use of FindShellTrayWindow 15 IoCs
Processes:
e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exeuycmgagtlh.exehoxhqqot.exeucsbjfwwmwipd.exehoxhqqot.exepid process 2272 e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe 2272 e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe 2272 e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe 1916 uycmgagtlh.exe 1916 uycmgagtlh.exe 1916 uycmgagtlh.exe 2596 hoxhqqot.exe 2596 hoxhqqot.exe 2596 hoxhqqot.exe 2668 ucsbjfwwmwipd.exe 2668 ucsbjfwwmwipd.exe 2668 ucsbjfwwmwipd.exe 2488 hoxhqqot.exe 2488 hoxhqqot.exe 2488 hoxhqqot.exe -
Suspicious use of SendNotifyMessage 15 IoCs
Processes:
e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exeuycmgagtlh.exehoxhqqot.exeucsbjfwwmwipd.exehoxhqqot.exepid process 2272 e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe 2272 e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe 2272 e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe 1916 uycmgagtlh.exe 1916 uycmgagtlh.exe 1916 uycmgagtlh.exe 2596 hoxhqqot.exe 2596 hoxhqqot.exe 2596 hoxhqqot.exe 2668 ucsbjfwwmwipd.exe 2668 ucsbjfwwmwipd.exe 2668 ucsbjfwwmwipd.exe 2488 hoxhqqot.exe 2488 hoxhqqot.exe 2488 hoxhqqot.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
WINWORD.EXEpid process 2588 WINWORD.EXE 2588 WINWORD.EXE -
Suspicious use of WriteProcessMemory 28 IoCs
Processes:
e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exeuycmgagtlh.exeWINWORD.EXEdescription pid process target process PID 2272 wrote to memory of 1916 2272 e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe uycmgagtlh.exe PID 2272 wrote to memory of 1916 2272 e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe uycmgagtlh.exe PID 2272 wrote to memory of 1916 2272 e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe uycmgagtlh.exe PID 2272 wrote to memory of 1916 2272 e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe uycmgagtlh.exe PID 2272 wrote to memory of 2184 2272 e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe jbclzoujlwqpavc.exe PID 2272 wrote to memory of 2184 2272 e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe jbclzoujlwqpavc.exe PID 2272 wrote to memory of 2184 2272 e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe jbclzoujlwqpavc.exe PID 2272 wrote to memory of 2184 2272 e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe jbclzoujlwqpavc.exe PID 2272 wrote to memory of 2596 2272 e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe hoxhqqot.exe PID 2272 wrote to memory of 2596 2272 e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe hoxhqqot.exe PID 2272 wrote to memory of 2596 2272 e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe hoxhqqot.exe PID 2272 wrote to memory of 2596 2272 e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe hoxhqqot.exe PID 2272 wrote to memory of 2668 2272 e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe ucsbjfwwmwipd.exe PID 2272 wrote to memory of 2668 2272 e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe ucsbjfwwmwipd.exe PID 2272 wrote to memory of 2668 2272 e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe ucsbjfwwmwipd.exe PID 2272 wrote to memory of 2668 2272 e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe ucsbjfwwmwipd.exe PID 1916 wrote to memory of 2488 1916 uycmgagtlh.exe hoxhqqot.exe PID 1916 wrote to memory of 2488 1916 uycmgagtlh.exe hoxhqqot.exe PID 1916 wrote to memory of 2488 1916 uycmgagtlh.exe hoxhqqot.exe PID 1916 wrote to memory of 2488 1916 uycmgagtlh.exe hoxhqqot.exe PID 2272 wrote to memory of 2588 2272 e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe WINWORD.EXE PID 2272 wrote to memory of 2588 2272 e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe WINWORD.EXE PID 2272 wrote to memory of 2588 2272 e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe WINWORD.EXE PID 2272 wrote to memory of 2588 2272 e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe WINWORD.EXE PID 2588 wrote to memory of 580 2588 WINWORD.EXE splwow64.exe PID 2588 wrote to memory of 580 2588 WINWORD.EXE splwow64.exe PID 2588 wrote to memory of 580 2588 WINWORD.EXE splwow64.exe PID 2588 wrote to memory of 580 2588 WINWORD.EXE splwow64.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e5c5edde770bc5b229112f11f43f5019_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\Windows\SysWOW64\uycmgagtlh.exeuycmgagtlh.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1916 -
C:\Windows\SysWOW64\hoxhqqot.exeC:\Windows\system32\hoxhqqot.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2488 -
C:\Windows\SysWOW64\jbclzoujlwqpavc.exejbclzoujlwqpavc.exe2⤵
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\hoxhqqot.exehoxhqqot.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2596 -
C:\Windows\SysWOW64\ucsbjfwwmwipd.exeucsbjfwwmwipd.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2668 -
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122883⤵PID:580
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
20KB
MD51d4526696f3c654324c2f13414d31ab6
SHA19052785a3d414456db6d57155d2940cb12bbee38
SHA256318b3d52e668a78d122ae095bea6fd374fb6457e965d718560d38fb5ad5ae8fe
SHA5121ce137e1c41b0c4b8fdf993886eb4392215d98af3cd97d202f6dafde5053d0ef3a3ebb0ca7de29e7c2c586052b37d4043d9e86c9bd1bd2e7c367d869f158ec5a
-
Filesize
512KB
MD5f097d4c13df4cf9277c737ac6448e1ee
SHA1ac206ca9a5ef59c34afa5bda3a56f61ec1039858
SHA256856de1931be205053b01f4187a667e742616c38d925c7948c518c71d5a599501
SHA512dc45c1986b84422dd4dd827b6bf9f7d7e10e273e9df76a28217f981961fa142cd1f7668331d652c3ac0076e5cf77d248844bfa4a8df65140aaefd4cec0844175
-
Filesize
512KB
MD55af54055a4a6f2b04c977917e2f6ce28
SHA1b14582448e4bc274b12dbe2fe848ec7d75f7d320
SHA256daaab1d096287790a51925475b5fa885d4fb9119ff7ef7f2564242e08ec33bb6
SHA512356222f49c698452cc0c5c3da13fad54828b401b1d9f899f17d191f01fb83845f9804896de33df8d4eb194929d20335c046300281bdcea291642b3324881a9ae
-
Filesize
223B
MD506604e5941c126e2e7be02c5cd9f62ec
SHA14eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA25685f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
Filesize
512KB
MD5ce009da4b5c2663bea0ba8a6c521e854
SHA135756e7b084b48b77172c7a77c64e18e467ee14a
SHA25644cf0569fe956800d50fdecdce7979d4561caf63c4ddf5889b70a170563990be
SHA512e03aa73b09a6abf41205d28724c679f83a677c4310795e101d1b4125fe87d8183079073f4173fa787e80f69a7291638946f1b920f1392128569b0b638bf8f826
-
Filesize
512KB
MD52dc8651d25c96a6b27d2965292a43708
SHA1fa57366476686b16856a504e3501ba69424b4c02
SHA256273f9a2e35f6a121ec3f4781a2fc412500e74405eb0e5acfc624780170e9c07c
SHA51283296e07495785cd2cbcb1731a88ad1ea903cbd192e7c46211b0960fa14ebd09eafb99d6294b7ba6ee09d5cf6d08db2879ddfc252b56e37c5be0eec091cda30d
-
Filesize
512KB
MD5c26ae97963bd2a22bd027cb77b55a4d8
SHA1dcc2f68e0cc93eaba7a06b598779f329009cf510
SHA256cd5d1b0881591fc388e138067d613cec7fc19fec283d53814327530731f542f1
SHA512599dddb510216fd5d680eab104c9688bdd960227e607a341c109e38aee89bfbca81d4fd83f4297648485f04e3866580a9c6c33b9f841fd57cae23b59c013187c