Analysis
max time kernel: 149s
max time network: 108s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-04-2024 03:29

Static task: static1
Behavioral task: behavioral1
  Sample: 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe
  Resource: win10v2004-20240419-en

General
Target: 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe
Size: 512KB
MD5: 0446e413d0015932fb6129acfc846917
SHA1: 1bd1b53a8cd37078d2031b2b717f3f9b896ee403
SHA256: 5803fefda64f73ecfceeb179720413aeb2cd9ba0fbc8084c0bd98db9a68c8894
SHA512: c33424fca6bd7b8543ef1d0f67b1607a3c9f08a924d83bc75ee19cf4133d631f92bf033766db717e7fb52badba67fdc9d500cc4e09348524e7a77c1208ca50f2
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6v:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm56
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoCs)
Processes: mjtjbperiz.exe
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | mjtjbperiz.exe

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoCs)
Processes: mjtjbperiz.exe
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | mjtjbperiz.exe

Windows security bypass (5 IoCs)
Processes: mjtjbperiz.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | mjtjbperiz.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | mjtjbperiz.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | mjtjbperiz.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | mjtjbperiz.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | mjtjbperiz.exe

Disables RegEdit via registry modification (1 IoCs)
Processes: mjtjbperiz.exe
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | mjtjbperiz.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely a geofence.
Processes: 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation | 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe

Executes dropped EXE (5 IoCs)
Processes: mjtjbperiz.exe, fxshweovdwwbdwq.exe, ztniecfo.exe, ntpptuhqlckpz.exe, ztniecfo.exe
  pid | process
  1220 | mjtjbperiz.exe
  2180 | fxshweovdwwbdwq.exe
  5076 | ztniecfo.exe
  4748 | ntpptuhqlckpz.exe
  2168 | ztniecfo.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Windows security modification (6 IoCs)
Processes: mjtjbperiz.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | mjtjbperiz.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | mjtjbperiz.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | mjtjbperiz.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | mjtjbperiz.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | mjtjbperiz.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | mjtjbperiz.exe

Adds Run key to start application (2 TTPs, 3 IoCs)
Processes: fxshweovdwwbdwq.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "ntpptuhqlckpz.exe" | fxshweovdwwbdwq.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\skxqfewr = "mjtjbperiz.exe" | fxshweovdwwbdwq.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iaxmdqty = "fxshweovdwwbdwq.exe" | fxshweovdwwbdwq.exe

Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: ztniecfo.exe, ztniecfo.exe, mjtjbperiz.exe

Modifies WinLogon (2 TTPs, 2 IoCs)
Processes: mjtjbperiz.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | mjtjbperiz.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | mjtjbperiz.exe

AutoIT Executable (9 IoCs)
AutoIT scripts compiled to PE executables.
  resource | yara_rule
  behavioral2/memory/1648-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
  C:\Windows\SysWOW64\fxshweovdwwbdwq.exe | autoit_exe
  C:\Windows\SysWOW64\mjtjbperiz.exe | autoit_exe
  C:\Windows\SysWOW64\ztniecfo.exe | autoit_exe
  C:\Windows\SysWOW64\ntpptuhqlckpz.exe | autoit_exe
  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | autoit_exe
  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | autoit_exe
  \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | autoit_exe
  \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | autoit_exe

Drops file in System32 directory (12 IoCs)
Processes: ztniecfo.exe, 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe, mjtjbperiz.exe, ztniecfo.exe
  description | ioc | process
  File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | ztniecfo.exe
  File opened for modification | C:\Windows\SysWOW64\mjtjbperiz.exe | 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe
  File created | C:\Windows\SysWOW64\fxshweovdwwbdwq.exe | 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\fxshweovdwwbdwq.exe | 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe
  File created | C:\Windows\SysWOW64\ztniecfo.exe | 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\ztniecfo.exe | 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe
  File created | C:\Windows\SysWOW64\ntpptuhqlckpz.exe | 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | mjtjbperiz.exe
  File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | ztniecfo.exe
  File created | C:\Windows\SysWOW64\mjtjbperiz.exe | 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\ntpptuhqlckpz.exe | 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe
  File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | ztniecfo.exe

Drops file in Program Files directory (19 IoCs)
Processes: ztniecfo.exe, ztniecfo.exe
  description | ioc | process
  File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ztniecfo.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ztniecfo.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ztniecfo.exe
  File opened for modification | \??\c:\Program Files\ReadDisable.doc.exe | ztniecfo.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | ztniecfo.exe
  File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ztniecfo.exe
  File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ztniecfo.exe
  File created | \??\c:\Program Files\ReadDisable.doc.exe | ztniecfo.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ztniecfo.exe
  File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ztniecfo.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | ztniecfo.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | ztniecfo.exe
  File opened for modification | C:\Program Files\ReadDisable.doc.exe | ztniecfo.exe
  File opened for modification | C:\Program Files\ReadDisable.nal | ztniecfo.exe
  File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ztniecfo.exe
  File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ztniecfo.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ztniecfo.exe
  File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ztniecfo.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | ztniecfo.exe

Drops file in Windows directory (19 IoCs)
Processes: ztniecfo.exe, ztniecfo.exe, WINWORD.EXE, 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe
  description | ioc | process
  File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | ztniecfo.exe
  File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | ztniecfo.exe
  File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | ztniecfo.exe
  File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | ztniecfo.exe
  File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | ztniecfo.exe
  File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
  File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | ztniecfo.exe
  File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | ztniecfo.exe
  File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | ztniecfo.exe
  File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | ztniecfo.exe
  File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | ztniecfo.exe
  File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | ztniecfo.exe
  File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | ztniecfo.exe
  File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | ztniecfo.exe
  File opened for modification | C:\Windows\mydoc.rtf | 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe
  File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
  File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | ztniecfo.exe
  File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | ztniecfo.exe
  File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | ztniecfo.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: WINWORD.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE

Modifies registry class (20 IoCs)
Processes: mjtjbperiz.exe, 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | mjtjbperiz.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | mjtjbperiz.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | mjtjbperiz.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | mjtjbperiz.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | mjtjbperiz.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | mjtjbperiz.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EC1B02E47E039EB53CBBAD13293D7C9" | 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFFFC834F5B826A903CD65B7D9DBC97E14759446735623ED69E" | 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F26BC5FF6C22D9D209D0D28B7E9013" | 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | mjtjbperiz.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | mjtjbperiz.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "334E2C0D9D2D83556A3E77D070232DDC7D8765AA" | 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACAF9BCFE11F191840C3B4486ED3E97B08B03884216033BE1CA45E709D2" | 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | mjtjbperiz.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | mjtjbperiz.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | mjtjbperiz.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1849C6091493DAB6B8C07FE5ECE537B9" | 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe
  Key created | \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings | 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | mjtjbperiz.exe

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes: WINWORD.EXE
  pid | process
  1788 | WINWORD.EXE
  1788 | WINWORD.EXE

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe, mjtjbperiz.exe, fxshweovdwwbdwq.exe, ztniecfo.exe, ntpptuhqlckpz.exe, ztniecfo.exe

Suspicious use of FindShellTrayWindow (18 IoCs)
Processes: 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe, mjtjbperiz.exe, fxshweovdwwbdwq.exe, ztniecfo.exe, ntpptuhqlckpz.exe, ztniecfo.exe
  pid | process
  1648 | 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe
  1648 | 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe
  1648 | 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe
  1220 | mjtjbperiz.exe
  1220 | mjtjbperiz.exe
  1220 | mjtjbperiz.exe
  2180 | fxshweovdwwbdwq.exe
  2180 | fxshweovdwwbdwq.exe
  2180 | fxshweovdwwbdwq.exe
  5076 | ztniecfo.exe
  5076 | ztniecfo.exe
  5076 | ztniecfo.exe
  4748 | ntpptuhqlckpz.exe
  4748 | ntpptuhqlckpz.exe
  4748 | ntpptuhqlckpz.exe
  2168 | ztniecfo.exe
  2168 | ztniecfo.exe
  2168 | ztniecfo.exe

Suspicious use of SendNotifyMessage (18 IoCs)
Processes: 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe, mjtjbperiz.exe, fxshweovdwwbdwq.exe, ztniecfo.exe, ntpptuhqlckpz.exe, ztniecfo.exe
  pid | process
  1648 | 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe
  1648 | 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe
  1648 | 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe
  1220 | mjtjbperiz.exe
  1220 | mjtjbperiz.exe
  1220 | mjtjbperiz.exe
  2180 | fxshweovdwwbdwq.exe
  2180 | fxshweovdwwbdwq.exe
  2180 | fxshweovdwwbdwq.exe
  5076 | ztniecfo.exe
  5076 | ztniecfo.exe
  5076 | ztniecfo.exe
  4748 | ntpptuhqlckpz.exe
  4748 | ntpptuhqlckpz.exe
  4748 | ntpptuhqlckpz.exe
  2168 | ztniecfo.exe
  2168 | ztniecfo.exe
  2168 | ztniecfo.exe

Suspicious use of SetWindowsHookEx (7 IoCs)
Processes: WINWORD.EXE
  pid | process
  1788 | WINWORD.EXE
  1788 | WINWORD.EXE
  1788 | WINWORD.EXE
  1788 | WINWORD.EXE
  1788 | WINWORD.EXE
  1788 | WINWORD.EXE
  1788 | WINWORD.EXE

Suspicious use of WriteProcessMemory (17 IoCs)
Processes: 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe, mjtjbperiz.exe
  description | pid | process | target process
  PID 1648 wrote to memory of 1220 | 1648 | 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe | mjtjbperiz.exe
  PID 1648 wrote to memory of 1220 | 1648 | 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe | mjtjbperiz.exe
  PID 1648 wrote to memory of 1220 | 1648 | 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe | mjtjbperiz.exe
  PID 1648 wrote to memory of 2180 | 1648 | 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe | fxshweovdwwbdwq.exe
  PID 1648 wrote to memory of 2180 | 1648 | 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe | fxshweovdwwbdwq.exe
  PID 1648 wrote to memory of 2180 | 1648 | 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe | fxshweovdwwbdwq.exe
  PID 1648 wrote to memory of 5076 | 1648 | 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe | ztniecfo.exe
  PID 1648 wrote to memory of 5076 | 1648 | 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe | ztniecfo.exe
  PID 1648 wrote to memory of 5076 | 1648 | 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe | ztniecfo.exe
  PID 1648 wrote to memory of 4748 | 1648 | 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe | ntpptuhqlckpz.exe
  PID 1648 wrote to memory of 4748 | 1648 | 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe | ntpptuhqlckpz.exe
  PID 1648 wrote to memory of 4748 | 1648 | 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe | ntpptuhqlckpz.exe
  PID 1648 wrote to memory of 1788 | 1648 | 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe | WINWORD.EXE
  PID 1648 wrote to memory of 1788 | 1648 | 0446e413d0015932fb6129acfc846917_JaffaCakes118.exe | WINWORD.EXE
  PID 1220 wrote to memory of 2168 | 1220 | mjtjbperiz.exe | ztniecfo.exe
  PID 1220 wrote to memory of 2168 | 1220 | mjtjbperiz.exe | ztniecfo.exe
  PID 1220 wrote to memory of 2168 | 1220 | mjtjbperiz.exe | ztniecfo.exe

Processes (child processes are indented under their parent)

C:\Users\Admin\AppData\Local\Temp\0446e413d0015932fb6129acfc846917_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0446e413d0015932fb6129acfc846917_JaffaCakes118.exe"
  PID: 1648
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\mjtjbperiz.exe
    Command line: mjtjbperiz.exe
    PID: 1220
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\ztniecfo.exe
      Command line: C:\Windows\system32\ztniecfo.exe
      PID: 2168
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\fxshweovdwwbdwq.exe
    Command line: fxshweovdwwbdwq.exe
    PID: 2180
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\ztniecfo.exe
    Command line: ztniecfo.exe
    PID: 5076
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\ntpptuhqlckpz.exe
    Command line: ntpptuhqlckpz.exe
    PID: 4748
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    PID: 1788
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx

Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)

Downloads