Analysis
max time kernel: 167s
max time network: 163s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/04/2024, 12:18

Static task: static1
Behavioral task: behavioral1
  Sample: fa477ca67f6789158c11650c86679dfb_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: fa477ca67f6789158c11650c86679dfb_JaffaCakes118.exe
  Resource: win10v2004-20240412-en
General
Target: fa477ca67f6789158c11650c86679dfb_JaffaCakes118.exe
Size: 512KB
MD5: fa477ca67f6789158c11650c86679dfb
SHA1: 95c01b1dcb3f73bf0afa8b25f1d9b7169990d37c
SHA256: c510182a81ae86599ef21b56332561c7cbc0ceced418267c4c19cd44eb919a56
SHA512: d4987a6889820c388c8a3d582b1fc651f42c2517b7f5013376ba523ef299e8206532bb503eff0269ca88c68d217767a28f30a015a2de7efcd97149c6fee4cd22
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6F:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5k
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | pdntvzmzft.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | pdntvzmzft.exe
Windows security bypass 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | pdntvzmzft.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | pdntvzmzft.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | pdntvzmzft.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | pdntvzmzft.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | pdntvzmzft.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | pdntvzmzft.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\Control Panel\International\Geo\Nation | fa477ca67f6789158c11650c86679dfb_JaffaCakes118.exe
Executes dropped EXE 5 IoCs
pid | Process
3464 | pdntvzmzft.exe
4416 | dqitxnpb.exe
4068 | itfmbdbizatfxcd.exe
2540 | riniawdpscbqy.exe
1716 | dqitxnpb.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | pdntvzmzft.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | pdntvzmzft.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | pdntvzmzft.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | pdntvzmzft.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | pdntvzmzft.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | pdntvzmzft.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\fsiglkze = "pdntvzmzft.exe" | itfmbdbizatfxcd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sahpwdif = "itfmbdbizatfxcd.exe" | itfmbdbizatfxcd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "riniawdpscbqy.exe" | itfmbdbizatfxcd.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\g: | dqitxnpb.exe
File opened (read-only) | \??\u: | dqitxnpb.exe
File opened (read-only) | \??\e: | pdntvzmzft.exe
File opened (read-only) | \??\o: | pdntvzmzft.exe
File opened (read-only) | \??\q: | pdntvzmzft.exe
File opened (read-only) | \??\q: | dqitxnpb.exe
File opened (read-only) | \??\w: | dqitxnpb.exe
File opened (read-only) | \??\h: | pdntvzmzft.exe
File opened (read-only) | \??\l: | pdntvzmzft.exe
File opened (read-only) | \??\q: | dqitxnpb.exe
File opened (read-only) | \??\w: | dqitxnpb.exe
File opened (read-only) | \??\j: | pdntvzmzft.exe
File opened (read-only) | \??\k: | pdntvzmzft.exe
File opened (read-only) | \??\r: | pdntvzmzft.exe
File opened (read-only) | \??\u: | pdntvzmzft.exe
File opened (read-only) | \??\x: | pdntvzmzft.exe
File opened (read-only) | \??\g: | dqitxnpb.exe
File opened (read-only) | \??\s: | dqitxnpb.exe
File opened (read-only) | \??\m: | dqitxnpb.exe
File opened (read-only) | \??\k: | dqitxnpb.exe
File opened (read-only) | \??\l: | dqitxnpb.exe
File opened (read-only) | \??\m: | dqitxnpb.exe
File opened (read-only) | \??\o: | dqitxnpb.exe
File opened (read-only) | \??\t: | dqitxnpb.exe
File opened (read-only) | \??\j: | dqitxnpb.exe
File opened (read-only) | \??\p: | pdntvzmzft.exe
File opened (read-only) | \??\t: | pdntvzmzft.exe
File opened (read-only) | \??\a: | dqitxnpb.exe
File opened (read-only) | \??\z: | dqitxnpb.exe
File opened (read-only) | \??\p: | dqitxnpb.exe
File opened (read-only) | \??\b: | pdntvzmzft.exe
File opened (read-only) | \??\a: | pdntvzmzft.exe
File opened (read-only) | \??\s: | pdntvzmzft.exe
File opened (read-only) | \??\x: | dqitxnpb.exe
File opened (read-only) | \??\g: | pdntvzmzft.exe
File opened (read-only) | \??\m: | pdntvzmzft.exe
File opened (read-only) | \??\e: | dqitxnpb.exe
File opened (read-only) | \??\j: | dqitxnpb.exe
File opened (read-only) | \??\i: | dqitxnpb.exe
File opened (read-only) | \??\l: | dqitxnpb.exe
File opened (read-only) | \??\s: | dqitxnpb.exe
File opened (read-only) | \??\y: | dqitxnpb.exe
File opened (read-only) | \??\v: | pdntvzmzft.exe
File opened (read-only) | \??\n: | dqitxnpb.exe
File opened (read-only) | \??\v: | dqitxnpb.exe
File opened (read-only) | \??\i: | dqitxnpb.exe
File opened (read-only) | \??\r: | dqitxnpb.exe
File opened (read-only) | \??\u: | dqitxnpb.exe
File opened (read-only) | \??\i: | pdntvzmzft.exe
File opened (read-only) | \??\z: | pdntvzmzft.exe
File opened (read-only) | \??\e: | dqitxnpb.exe
File opened (read-only) | \??\h: | dqitxnpb.exe
File opened (read-only) | \??\r: | dqitxnpb.exe
File opened (read-only) | \??\z: | dqitxnpb.exe
File opened (read-only) | \??\y: | pdntvzmzft.exe
File opened (read-only) | \??\t: | dqitxnpb.exe
File opened (read-only) | \??\w: | pdntvzmzft.exe
File opened (read-only) | \??\h: | dqitxnpb.exe
File opened (read-only) | \??\k: | dqitxnpb.exe
File opened (read-only) | \??\n: | pdntvzmzft.exe
File opened (read-only) | \??\p: | dqitxnpb.exe
File opened (read-only) | \??\y: | dqitxnpb.exe
File opened (read-only) | \??\a: | dqitxnpb.exe
File opened (read-only) | \??\b: | dqitxnpb.exe
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | pdntvzmzft.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | pdntvzmzft.exe
AutoIT Executable 11 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/4592-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x00080000000233fb-5.dat | autoit_exe
behavioral2/files/0x0005000000022f1f-18.dat | autoit_exe
behavioral2/files/0x00070000000233ff-24.dat | autoit_exe
behavioral2/files/0x0007000000023400-32.dat | autoit_exe
behavioral2/files/0x000a00000002341d-72.dat | autoit_exe
behavioral2/files/0x000800000002341e-78.dat | autoit_exe
behavioral2/files/0x000d000000023371-99.dat | autoit_exe
behavioral2/files/0x00080000000234b8-585.dat | autoit_exe
behavioral2/files/0x00080000000234b8-590.dat | autoit_exe
behavioral2/files/0x00080000000234b8-592.dat | autoit_exe
Drops file in System32 directory 13 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\pdntvzmzft.exe | fa477ca67f6789158c11650c86679dfb_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\riniawdpscbqy.exe | fa477ca67f6789158c11650c86679dfb_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | pdntvzmzft.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | dqitxnpb.exe
File opened for modification | C:\Windows\SysWOW64\pdntvzmzft.exe | fa477ca67f6789158c11650c86679dfb_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\itfmbdbizatfxcd.exe | fa477ca67f6789158c11650c86679dfb_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\dqitxnpb.exe | fa477ca67f6789158c11650c86679dfb_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\riniawdpscbqy.exe | fa477ca67f6789158c11650c86679dfb_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\itfmbdbizatfxcd.exe | fa477ca67f6789158c11650c86679dfb_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\dqitxnpb.exe | fa477ca67f6789158c11650c86679dfb_JaffaCakes118.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | dqitxnpb.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | dqitxnpb.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | dqitxnpb.exe
Drops file in Program Files directory 15 IoCs
description | ioc | Process
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | dqitxnpb.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | dqitxnpb.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | dqitxnpb.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | dqitxnpb.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | dqitxnpb.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | dqitxnpb.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | dqitxnpb.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | dqitxnpb.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | dqitxnpb.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | dqitxnpb.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | dqitxnpb.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | dqitxnpb.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | dqitxnpb.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | dqitxnpb.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | dqitxnpb.exe
Drops file in Windows directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\mydoc.rtf | fa477ca67f6789158c11650c86679dfb_JaffaCakes118.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class 20 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | pdntvzmzft.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB0B02B47E7389F52BDBADC33EED7C4" | fa477ca67f6789158c11650c86679dfb_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | pdntvzmzft.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | pdntvzmzft.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | fa477ca67f6789158c11650c86679dfb_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F768B6FE6D21DFD27CD0A58B089116" | fa477ca67f6789158c11650c86679dfb_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings | fa477ca67f6789158c11650c86679dfb_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | pdntvzmzft.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | pdntvzmzft.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | pdntvzmzft.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | pdntvzmzft.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | pdntvzmzft.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32432C7C9C2782206D4377A170542DAD7DF165DD" | fa477ca67f6789158c11650c86679dfb_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | pdntvzmzft.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | pdntvzmzft.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F88FF8E482E85189140D6207D91BC94E63159446745623FD69D" | fa477ca67f6789158c11650c86679dfb_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193AC6091593DBC2B9BA7CE0ED9734CF" | fa477ca67f6789158c11650c86679dfb_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | pdntvzmzft.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | pdntvzmzft.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABCF9B0F96BF194830B3B4586993998B3FC028A4213033FE2BD429C08D5" | fa477ca67f6789158c11650c86679dfb_JaffaCakes118.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
4336 | WINWORD.EXE
4336 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | consecutive rows
4592 | fa477ca67f6789158c11650c86679dfb_JaffaCakes118.exe | 16
3464 | pdntvzmzft.exe | 10
4416 | dqitxnpb.exe | 8
2540 | riniawdpscbqy.exe | 12
4068 | itfmbdbizatfxcd.exe | 10
2540 | riniawdpscbqy.exe | 4
4068 | itfmbdbizatfxcd.exe | 4
Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process | consecutive rows
4592 | fa477ca67f6789158c11650c86679dfb_JaffaCakes118.exe | 3
3464 | pdntvzmzft.exe | 3
2540 | riniawdpscbqy.exe | 1
4416 | dqitxnpb.exe | 1
2540 | riniawdpscbqy.exe | 2
4416 | dqitxnpb.exe | 2
4068 | itfmbdbizatfxcd.exe | 3
1716 | dqitxnpb.exe | 3
Suspicious use of SendNotifyMessage 18 IoCs
pid | Process | consecutive rows
4592 | fa477ca67f6789158c11650c86679dfb_JaffaCakes118.exe | 3
3464 | pdntvzmzft.exe | 3
2540 | riniawdpscbqy.exe | 2
4416 | dqitxnpb.exe | 1
2540 | riniawdpscbqy.exe | 1
4416 | dqitxnpb.exe | 2
4068 | itfmbdbizatfxcd.exe | 3
1716 | dqitxnpb.exe | 3
Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process | consecutive rows
4336 | WINWORD.EXE | 7
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 4592 wrote to memory of 3464 | 4592 | fa477ca67f6789158c11650c86679dfb_JaffaCakes118.exe | 86
PID 4592 wrote to memory of 3464 | 4592 | fa477ca67f6789158c11650c86679dfb_JaffaCakes118.exe | 86
PID 4592 wrote to memory of 3464 | 4592 | fa477ca67f6789158c11650c86679dfb_JaffaCakes118.exe | 86
PID 4592 wrote to memory of 4068 | 4592 | fa477ca67f6789158c11650c86679dfb_JaffaCakes118.exe | 87
PID 4592 wrote to memory of 4068 | 4592 | fa477ca67f6789158c11650c86679dfb_JaffaCakes118.exe | 87
PID 4592 wrote to memory of 4068 | 4592 | fa477ca67f6789158c11650c86679dfb_JaffaCakes118.exe | 87
PID 4592 wrote to memory of 4416 | 4592 | fa477ca67f6789158c11650c86679dfb_JaffaCakes118.exe | 88
PID 4592 wrote to memory of 4416 | 4592 | fa477ca67f6789158c11650c86679dfb_JaffaCakes118.exe | 88
PID 4592 wrote to memory of 4416 | 4592 | fa477ca67f6789158c11650c86679dfb_JaffaCakes118.exe | 88
PID 4592 wrote to memory of 2540 | 4592 | fa477ca67f6789158c11650c86679dfb_JaffaCakes118.exe | 89
PID 4592 wrote to memory of 2540 | 4592 | fa477ca67f6789158c11650c86679dfb_JaffaCakes118.exe | 89
PID 4592 wrote to memory of 2540 | 4592 | fa477ca67f6789158c11650c86679dfb_JaffaCakes118.exe | 89
PID 4592 wrote to memory of 4336 | 4592 | fa477ca67f6789158c11650c86679dfb_JaffaCakes118.exe | 90
PID 4592 wrote to memory of 4336 | 4592 | fa477ca67f6789158c11650c86679dfb_JaffaCakes118.exe | 90
PID 3464 wrote to memory of 1716 | 3464 | pdntvzmzft.exe | 93
PID 3464 wrote to memory of 1716 | 3464 | pdntvzmzft.exe | 93
PID 3464 wrote to memory of 1716 | 3464 | pdntvzmzft.exe | 93
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\fa477ca67f6789158c11650c86679dfb_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fa477ca67f6789158c11650c86679dfb_JaffaCakes118.exe"
  PID: 4592
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\SysWOW64\pdntvzmzft.exe
    Command line: pdntvzmzft.exe
    PID: 3464
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\SysWOW64\dqitxnpb.exe
      Command line: C:\Windows\system32\dqitxnpb.exe
      PID: 1716
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  Level 2: C:\Windows\SysWOW64\itfmbdbizatfxcd.exe
    Command line: itfmbdbizatfxcd.exe
    PID: 4068
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  Level 2: C:\Windows\SysWOW64\dqitxnpb.exe
    Command line: dqitxnpb.exe
    PID: 4416
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  Level 2: C:\Windows\SysWOW64\riniawdpscbqy.exe
    Command line: riniawdpscbqy.exe
    PID: 2540
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  Level 2: C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    PID: 4336
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (6)
Downloads

Filesize: 512KB
MD5: 21920f1e2b2be9f430fdfb64a1e14c40
SHA1: 2b6ca53df72e838aff3dccb97ceae007604bf07b
SHA256: e1392b1da24248d4e6e42e20f3d66aa159e47ca21aae6c2963187a0a53749d5a
SHA512: a9586d202e001f41f3e8303ffed157456b6c6a5454c21aa3755843c2e9e0ca4f5444687cd5d748c0f98ea6706f0a541f2f671c016d19c422e4121ff0c9433aad

Filesize: 512KB
MD5: dd8ab59b5fa603df39cd7667ecb545b7
SHA1: f385723afc5ba74b3492298397519d0e964c79c2
SHA256: ac85220f2c49530ffa019185d363793313f9a710e4d1dfb19f849bec7cbfbf6b
SHA512: b3ed6f5e07c73c0fb03e5d27271d7c4a276202de6fe87e5102f7dfac8e51563f93e336c58b152d4fee317a42e69cfc375308f54f7f27ee23f55510c709063bc5

Filesize: 239B
MD5: f5f219efcf259c0c15a0521bf15fafcf
SHA1: 68b81f987dbe56b2c44e1c2b8ef4a9c078ea7a5c
SHA256: d72d7074d338c425e95ab938b674f45cf7afe1e96a1434d956df4bbd0ecdebf9
SHA512: d798ed0683b4bc7b025f5ebe96c8b557948bb7570a3ba7efe4d1844014e4415eead9c06db7454f2f5bc8a83fabea619173cea271cf12945b451c8f357c36ac54

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851227[[fn=sist02]].xsl
Filesize: 245KB
MD5: f883b260a8d67082ea895c14bf56dd56
SHA1: 7954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256: ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512: d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: 06019a730fbc1efbc8ec8e430baa43bc
SHA1: 28668c701b588936efa3b5d6df9ad778bcf1c37f
SHA256: 2d3e565667078a33730c521102e079b34f72a1b69f0334aa2975497e5b0fb2c2
SHA512: d8cdf7470a98cd6801755107299d4c5b06d06bc2d87cf29a9c6180af7dcec565197b12ffec0d2ca56e505295a75731e161f2aff3b87deb3b08dabef9c6ad5c0e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: e8a9d0db27a6437b1d236b99c1db6bea
SHA1: 4fc6cbf93bfa76364d3ae57340a179e7cd11a465
SHA256: fc8c55de8f9bef1de8f06fe02e492f6c673fd86c345d48ec0fd3ff853e9cce4e
SHA512: 784f529b2cfd4cf450353c44c8ca1b425fdc1ef2ca3289dfad603c90940a2047a294f8232cfeebce9fab70ca2a7ccf38e2b20b9690b15cbab27cee8a647a634e

Filesize: 512KB
MD5: a8f5aa067a9aa7116f448849564cf026
SHA1: 3d9f6a8840c82b9b119d6cf5131765893f033c4b
SHA256: 7f0d031b255e56658c977e655041cd1bd1eac6d7ffe01dfdd48673cd6da3cee8
SHA512: 526a2eeb1a8399e6ac3b2cd029ecbda63bec4f744199784a36a0d7fd596e9fdb4cda017835d927ba4181b1881fe69c84aa5356bcd0d40cb31fba13ea4b8e2394

Filesize: 512KB
MD5: fe3ee94f819267346b4dab1bd972e27f
SHA1: 1fe7e4ae1a32ec849c6e13768ec3dd448152ea66
SHA256: cbd534317b3d83b11942b65a52144edc8a3d4076f7ffebf7d2f624cd969502aa
SHA512: 44feefc6ec77d2182efb99a78ca79ebbbe7fdec73c7839180aa068f8302d3d563e8026a609b2ffcc5cb9f7ebb3ac16f663c78763d8ce8587d3fd26715f02cff3

Filesize: 512KB
MD5: fb4f90b4b0942d9a3804d60cc76026f7
SHA1: 293bcc0344325555c379ca04461ff63c86f6bf42
SHA256: f669b45bfb7d116b16075b40cbf4832a90dabefef87c7c7158e7f7879d7220f8
SHA512: 3dae8e97436c6906abd153246b68658b8159df79c11b0d18e749a7014845a49e3532257144c59c7c5328415f3ed7133b3fbcfb09e1c8df7546169bd4efbbd17f

Filesize: 512KB
MD5: 0c25a1c55ae28f84c50fd8c9a982972c
SHA1: 9a5efe9ae3f6d7987e7b426ee942db29c33bfa08
SHA256: 668bda50140c8df84d006540456210424b75f95d87c53c940da2f20d0711c9cb
SHA512: b0d8fa2deca6209b4decfbebad6ade1a57cdc46ff3aa35cdc76b56ddbc76c80c89567628977ad321514c3c6ba6018b4086e5adaf1be7d2b17ed38de068ed62de

Filesize: 512KB
MD5: 415c10eb17d4c0620b42becb85c51975
SHA1: 3ba54837bc5e8c6b2a09ef001e921911dc97a543
SHA256: 07be243c2e079140b98fd6c80386e1d8c650fc6ecdcc6deba763e1c75f9fbfd4
SHA512: 1f831b122cd04835a10848f138c299b5557533306b44e4df8e5ed19c55edb97a386393394b769e4291f515a8bd4b874e4cf76615a936ea900d7b86f35c28fadb

Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Filesize: 512KB
MD5: 73967538c657a7d9061b2ce1462a1df7
SHA1: ac182dc92ba6ca9c66f9c34185238d599e3659dc
SHA256: 47ae9dc4d9b5cc660265db1b4ad82f137d29b2f72d77398dd38ff86504badb48
SHA512: 7beab4360584130f3f87bb2366c421ace3821ced48f9f050ea8fe24c0ff18ed031ca2a94101ea8061ebd2d655a82ea297427a59f5c3c5cd8340dd370b38672b1

Filesize: 512KB
MD5: 9dbb906811848a691d0ddf31be21d494
SHA1: 84a4fa861b91f6ea6a51934dd34ff3b83b3eb14b
SHA256: 42c1446231aa0e1c9a4e52207b6f7539f440d6e4cc96619a4670fac61a84b982
SHA512: 3966b70b504ad091ff01f84313e39f1b3f8919c34f22b7994b42595d8468568e00b3d9a088d7ada7f1968c244c38355c31e3afdb6cf2b0d4f38b8d8278e19034

Filesize: 512KB
MD5: 4eb67480704af9e5405b1382e8264480
SHA1: 72ec0032331666b7837481030791206cef494bcc
SHA256: 2199b3bd3ac85b663523992426b44df61e93fb4e7674062bf36872732cfa23c5
SHA512: 571abde9dad8f357507b656397f5f1ce38c9be2331722c0a00ce8423646f8e1ff7a07f48b5cfa78c5338f259277155a6a42237ff824821d229ef336962d4cc54