24fa4395dfaedd03b6cd5cb14a5ed0fae1706e1a40717a2ac41e4d8cc152735f

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
21-05-2024 14:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

63a271d1562d1e00a3903e6e48bc33dc_JaffaCakes118.exe
Size

512KB
MD5

63a271d1562d1e00a3903e6e48bc33dc
SHA1

91da9c4745c73bd1987d3005d9f52aec9027095d
SHA256

24fa4395dfaedd03b6cd5cb14a5ed0fae1706e1a40717a2ac41e4d8cc152735f
SHA512

88726b6edd6f9b8d278229559373dec2620ee3fad553f9e452e44c647a944a20ad12c79b5ad4826a642baa461ce23cc9bbb61f7a730d11ad1eb0cbbea1080efa
SSDEEP

6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6C:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5f

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

dbemmlmzpq.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	dbemmlmzpq.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

dbemmlmzpq.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	dbemmlmzpq.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

dbemmlmzpq.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	dbemmlmzpq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	dbemmlmzpq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	dbemmlmzpq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	dbemmlmzpq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	dbemmlmzpq.exe

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

dbemmlmzpq.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	dbemmlmzpq.exe

Executes dropped EXE 5 IoCs

Processes:

dbemmlmzpq.exekbrfxcsskbckotm.exejduxdecz.exeojyryyhyukrcn.exejduxdecz.exe

pid process

2540 dbemmlmzpq.exe
2552 kbrfxcsskbckotm.exe
2720 jduxdecz.exe
2580 ojyryyhyukrcn.exe
2612 jduxdecz.exe

pid	process
2540	dbemmlmzpq.exe
2552	kbrfxcsskbckotm.exe
2720	jduxdecz.exe
2580	ojyryyhyukrcn.exe
2612	jduxdecz.exe

Loads dropped DLL 5 IoCs

Processes:

63a271d1562d1e00a3903e6e48bc33dc_JaffaCakes118.exedbemmlmzpq.exe

pid	process
2368	63a271d1562d1e00a3903e6e48bc33dc_JaffaCakes118.exe
2368	63a271d1562d1e00a3903e6e48bc33dc_JaffaCakes118.exe
2368	63a271d1562d1e00a3903e6e48bc33dc_JaffaCakes118.exe
2368	63a271d1562d1e00a3903e6e48bc33dc_JaffaCakes118.exe
2540	dbemmlmzpq.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

dbemmlmzpq.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	dbemmlmzpq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	dbemmlmzpq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"	dbemmlmzpq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	dbemmlmzpq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	dbemmlmzpq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	dbemmlmzpq.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

kbrfxcsskbckotm.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "ojyryyhyukrcn.exe"	kbrfxcsskbckotm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\jewxcjlg = "dbemmlmzpq.exe"	kbrfxcsskbckotm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\gnzoqqfg = "kbrfxcsskbckotm.exe"	kbrfxcsskbckotm.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

dbemmlmzpq.exejduxdecz.exejduxdecz.exe

description	ioc	process
File opened (read-only)	\??\n:	dbemmlmzpq.exe
File opened (read-only)	\??\u:	dbemmlmzpq.exe
File opened (read-only)	\??\p:	jduxdecz.exe
File opened (read-only)	\??\y:	jduxdecz.exe
File opened (read-only)	\??\m:	dbemmlmzpq.exe
File opened (read-only)	\??\q:	dbemmlmzpq.exe
File opened (read-only)	\??\i:	jduxdecz.exe
File opened (read-only)	\??\l:	dbemmlmzpq.exe
File opened (read-only)	\??\q:	jduxdecz.exe
File opened (read-only)	\??\k:	jduxdecz.exe
File opened (read-only)	\??\t:	jduxdecz.exe
File opened (read-only)	\??\p:	jduxdecz.exe
File opened (read-only)	\??\a:	jduxdecz.exe
File opened (read-only)	\??\r:	jduxdecz.exe
File opened (read-only)	\??\s:	jduxdecz.exe
File opened (read-only)	\??\u:	jduxdecz.exe
File opened (read-only)	\??\i:	dbemmlmzpq.exe
File opened (read-only)	\??\b:	jduxdecz.exe
File opened (read-only)	\??\h:	jduxdecz.exe
File opened (read-only)	\??\m:	jduxdecz.exe
File opened (read-only)	\??\z:	jduxdecz.exe
File opened (read-only)	\??\k:	dbemmlmzpq.exe
File opened (read-only)	\??\l:	jduxdecz.exe
File opened (read-only)	\??\n:	jduxdecz.exe
File opened (read-only)	\??\y:	jduxdecz.exe
File opened (read-only)	\??\n:	jduxdecz.exe
File opened (read-only)	\??\j:	jduxdecz.exe
File opened (read-only)	\??\h:	jduxdecz.exe
File opened (read-only)	\??\l:	jduxdecz.exe
File opened (read-only)	\??\s:	dbemmlmzpq.exe
File opened (read-only)	\??\u:	jduxdecz.exe
File opened (read-only)	\??\t:	jduxdecz.exe
File opened (read-only)	\??\y:	dbemmlmzpq.exe
File opened (read-only)	\??\i:	jduxdecz.exe
File opened (read-only)	\??\j:	jduxdecz.exe
File opened (read-only)	\??\v:	jduxdecz.exe
File opened (read-only)	\??\j:	dbemmlmzpq.exe
File opened (read-only)	\??\e:	jduxdecz.exe
File opened (read-only)	\??\z:	dbemmlmzpq.exe
File opened (read-only)	\??\b:	jduxdecz.exe
File opened (read-only)	\??\g:	jduxdecz.exe
File opened (read-only)	\??\m:	jduxdecz.exe
File opened (read-only)	\??\g:	dbemmlmzpq.exe
File opened (read-only)	\??\v:	dbemmlmzpq.exe
File opened (read-only)	\??\g:	jduxdecz.exe
File opened (read-only)	\??\x:	jduxdecz.exe
File opened (read-only)	\??\h:	dbemmlmzpq.exe
File opened (read-only)	\??\e:	dbemmlmzpq.exe
File opened (read-only)	\??\p:	dbemmlmzpq.exe
File opened (read-only)	\??\e:	jduxdecz.exe
File opened (read-only)	\??\r:	jduxdecz.exe
File opened (read-only)	\??\s:	jduxdecz.exe
File opened (read-only)	\??\a:	jduxdecz.exe
File opened (read-only)	\??\b:	dbemmlmzpq.exe
File opened (read-only)	\??\r:	dbemmlmzpq.exe
File opened (read-only)	\??\w:	dbemmlmzpq.exe
File opened (read-only)	\??\k:	jduxdecz.exe
File opened (read-only)	\??\z:	jduxdecz.exe
File opened (read-only)	\??\x:	jduxdecz.exe
File opened (read-only)	\??\a:	dbemmlmzpq.exe
File opened (read-only)	\??\v:	jduxdecz.exe
File opened (read-only)	\??\w:	jduxdecz.exe
File opened (read-only)	\??\q:	jduxdecz.exe
File opened (read-only)	\??\x:	dbemmlmzpq.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

dbemmlmzpq.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"	dbemmlmzpq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	dbemmlmzpq.exe

AutoIT Executable 6 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/2368-0-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe
C:\Windows\SysWOW64\kbrfxcsskbckotm.exe	autoit_exe
\Windows\SysWOW64\dbemmlmzpq.exe	autoit_exe
C:\Windows\SysWOW64\jduxdecz.exe	autoit_exe
\Windows\SysWOW64\ojyryyhyukrcn.exe	autoit_exe
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	autoit_exe

Drops file in System32 directory 9 IoCs

Processes:

63a271d1562d1e00a3903e6e48bc33dc_JaffaCakes118.exedbemmlmzpq.exe

description	ioc	process
File created	C:\Windows\SysWOW64\kbrfxcsskbckotm.exe	63a271d1562d1e00a3903e6e48bc33dc_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\jduxdecz.exe	63a271d1562d1e00a3903e6e48bc33dc_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ojyryyhyukrcn.exe	63a271d1562d1e00a3903e6e48bc33dc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\ojyryyhyukrcn.exe	63a271d1562d1e00a3903e6e48bc33dc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\dbemmlmzpq.exe	63a271d1562d1e00a3903e6e48bc33dc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\kbrfxcsskbckotm.exe	63a271d1562d1e00a3903e6e48bc33dc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\jduxdecz.exe	63a271d1562d1e00a3903e6e48bc33dc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	dbemmlmzpq.exe
File created	C:\Windows\SysWOW64\dbemmlmzpq.exe	63a271d1562d1e00a3903e6e48bc33dc_JaffaCakes118.exe

Drops file in Program Files directory 15 IoCs

Processes:

jduxdecz.exejduxdecz.exe

description	ioc	process
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	jduxdecz.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	jduxdecz.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	jduxdecz.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	jduxdecz.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	jduxdecz.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	jduxdecz.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	jduxdecz.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	jduxdecz.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	jduxdecz.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	jduxdecz.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	jduxdecz.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	jduxdecz.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	jduxdecz.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	jduxdecz.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	jduxdecz.exe

Drops file in Windows directory 5 IoCs

Processes:

WINWORD.EXE63a271d1562d1e00a3903e6e48bc33dc_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE
File opened for modification	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\mydoc.rtf	63a271d1562d1e00a3903e6e48bc33dc_JaffaCakes118.exe
File opened for modification	C:\Windows\mydoc.rtf	WINWORD.EXE
File created	C:\Windows\~$mydoc.rtf	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

dbemmlmzpq.exeWINWORD.EXE63a271d1562d1e00a3903e6e48bc33dc_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat	dbemmlmzpq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsh	dbemmlmzpq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile"	dbemmlmzpq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"	dbemmlmzpq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile"	dbemmlmzpq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33472C7A9C2C83526A3176DC70542DAD7C8E65D8"	63a271d1562d1e00a3903e6e48bc33dc_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"	dbemmlmzpq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile"	dbemmlmzpq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg	dbemmlmzpq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC1B12E449238EA53CABAD732EFD4CC"	63a271d1562d1e00a3903e6e48bc33dc_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "183EC67F1491DAB4B9BC7FE5EDE334CE"	63a271d1562d1e00a3903e6e48bc33dc_JaffaCakes118.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

2452 WINWORD.EXE

pid	process
2452	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

63a271d1562d1e00a3903e6e48bc33dc_JaffaCakes118.exekbrfxcsskbckotm.exedbemmlmzpq.exeojyryyhyukrcn.exejduxdecz.exejduxdecz.exe

pid	process
2368	63a271d1562d1e00a3903e6e48bc33dc_JaffaCakes118.exe
2368	63a271d1562d1e00a3903e6e48bc33dc_JaffaCakes118.exe
2368	63a271d1562d1e00a3903e6e48bc33dc_JaffaCakes118.exe
2368	63a271d1562d1e00a3903e6e48bc33dc_JaffaCakes118.exe
2368	63a271d1562d1e00a3903e6e48bc33dc_JaffaCakes118.exe
2368	63a271d1562d1e00a3903e6e48bc33dc_JaffaCakes118.exe
2368	63a271d1562d1e00a3903e6e48bc33dc_JaffaCakes118.exe
2552	kbrfxcsskbckotm.exe
2552	kbrfxcsskbckotm.exe
2552	kbrfxcsskbckotm.exe
2552	kbrfxcsskbckotm.exe
2552	kbrfxcsskbckotm.exe
2368	63a271d1562d1e00a3903e6e48bc33dc_JaffaCakes118.exe
2540	dbemmlmzpq.exe
2540	dbemmlmzpq.exe
2540	dbemmlmzpq.exe
2540	dbemmlmzpq.exe
2540	dbemmlmzpq.exe
2552	kbrfxcsskbckotm.exe
2580	ojyryyhyukrcn.exe
2580	ojyryyhyukrcn.exe
2580	ojyryyhyukrcn.exe
2580	ojyryyhyukrcn.exe
2580	ojyryyhyukrcn.exe
2580	ojyryyhyukrcn.exe
2720	jduxdecz.exe
2720	jduxdecz.exe
2720	jduxdecz.exe
2720	jduxdecz.exe
2612	jduxdecz.exe
2612	jduxdecz.exe
2612	jduxdecz.exe
2612	jduxdecz.exe
2552	kbrfxcsskbckotm.exe
2580	ojyryyhyukrcn.exe
2580	ojyryyhyukrcn.exe
2552	kbrfxcsskbckotm.exe
2552	kbrfxcsskbckotm.exe
2580	ojyryyhyukrcn.exe
2580	ojyryyhyukrcn.exe
2552	kbrfxcsskbckotm.exe
2580	ojyryyhyukrcn.exe
2580	ojyryyhyukrcn.exe
2552	kbrfxcsskbckotm.exe
2580	ojyryyhyukrcn.exe
2580	ojyryyhyukrcn.exe
2552	kbrfxcsskbckotm.exe
2580	ojyryyhyukrcn.exe
2580	ojyryyhyukrcn.exe
2552	kbrfxcsskbckotm.exe
2580	ojyryyhyukrcn.exe
2580	ojyryyhyukrcn.exe
2552	kbrfxcsskbckotm.exe
2580	ojyryyhyukrcn.exe
2580	ojyryyhyukrcn.exe
2552	kbrfxcsskbckotm.exe
2580	ojyryyhyukrcn.exe
2580	ojyryyhyukrcn.exe
2552	kbrfxcsskbckotm.exe
2580	ojyryyhyukrcn.exe
2580	ojyryyhyukrcn.exe
2552	kbrfxcsskbckotm.exe
2580	ojyryyhyukrcn.exe
2580	ojyryyhyukrcn.exe

Suspicious use of FindShellTrayWindow 18 IoCs

Processes:

63a271d1562d1e00a3903e6e48bc33dc_JaffaCakes118.exekbrfxcsskbckotm.exedbemmlmzpq.exeojyryyhyukrcn.exejduxdecz.exejduxdecz.exe

pid	process
2368	63a271d1562d1e00a3903e6e48bc33dc_JaffaCakes118.exe
2368	63a271d1562d1e00a3903e6e48bc33dc_JaffaCakes118.exe
2368	63a271d1562d1e00a3903e6e48bc33dc_JaffaCakes118.exe
2552	kbrfxcsskbckotm.exe
2540	dbemmlmzpq.exe
2552	kbrfxcsskbckotm.exe
2552	kbrfxcsskbckotm.exe
2540	dbemmlmzpq.exe
2540	dbemmlmzpq.exe
2580	ojyryyhyukrcn.exe
2720	jduxdecz.exe
2580	ojyryyhyukrcn.exe
2580	ojyryyhyukrcn.exe
2720	jduxdecz.exe
2720	jduxdecz.exe
2612	jduxdecz.exe
2612	jduxdecz.exe
2612	jduxdecz.exe

Suspicious use of SendNotifyMessage 18 IoCs

Processes:

63a271d1562d1e00a3903e6e48bc33dc_JaffaCakes118.exekbrfxcsskbckotm.exedbemmlmzpq.exeojyryyhyukrcn.exejduxdecz.exejduxdecz.exe

pid	process
2368	63a271d1562d1e00a3903e6e48bc33dc_JaffaCakes118.exe
2368	63a271d1562d1e00a3903e6e48bc33dc_JaffaCakes118.exe
2368	63a271d1562d1e00a3903e6e48bc33dc_JaffaCakes118.exe
2552	kbrfxcsskbckotm.exe
2540	dbemmlmzpq.exe
2552	kbrfxcsskbckotm.exe
2552	kbrfxcsskbckotm.exe
2540	dbemmlmzpq.exe
2540	dbemmlmzpq.exe
2580	ojyryyhyukrcn.exe
2720	jduxdecz.exe
2580	ojyryyhyukrcn.exe
2580	ojyryyhyukrcn.exe
2720	jduxdecz.exe
2720	jduxdecz.exe
2612	jduxdecz.exe
2612	jduxdecz.exe
2612	jduxdecz.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

2452 WINWORD.EXE
2452 WINWORD.EXE

pid	process
2452	WINWORD.EXE
2452	WINWORD.EXE

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

63a271d1562d1e00a3903e6e48bc33dc_JaffaCakes118.exekbrfxcsskbckotm.exedbemmlmzpq.exeWINWORD.EXE

description	pid	process	target process
PID 2368 wrote to memory of 2540	2368	63a271d1562d1e00a3903e6e48bc33dc_JaffaCakes118.exe	dbemmlmzpq.exe
PID 2368 wrote to memory of 2540	2368	63a271d1562d1e00a3903e6e48bc33dc_JaffaCakes118.exe	dbemmlmzpq.exe
PID 2368 wrote to memory of 2540	2368	63a271d1562d1e00a3903e6e48bc33dc_JaffaCakes118.exe	dbemmlmzpq.exe
PID 2368 wrote to memory of 2540	2368	63a271d1562d1e00a3903e6e48bc33dc_JaffaCakes118.exe	dbemmlmzpq.exe
PID 2368 wrote to memory of 2552	2368	63a271d1562d1e00a3903e6e48bc33dc_JaffaCakes118.exe	kbrfxcsskbckotm.exe
PID 2368 wrote to memory of 2552	2368	63a271d1562d1e00a3903e6e48bc33dc_JaffaCakes118.exe	kbrfxcsskbckotm.exe
PID 2368 wrote to memory of 2552	2368	63a271d1562d1e00a3903e6e48bc33dc_JaffaCakes118.exe	kbrfxcsskbckotm.exe
PID 2368 wrote to memory of 2552	2368	63a271d1562d1e00a3903e6e48bc33dc_JaffaCakes118.exe	kbrfxcsskbckotm.exe
PID 2552 wrote to memory of 2860	2552	kbrfxcsskbckotm.exe	cmd.exe
PID 2552 wrote to memory of 2860	2552	kbrfxcsskbckotm.exe	cmd.exe
PID 2552 wrote to memory of 2860	2552	kbrfxcsskbckotm.exe	cmd.exe
PID 2552 wrote to memory of 2860	2552	kbrfxcsskbckotm.exe	cmd.exe
PID 2368 wrote to memory of 2720	2368	63a271d1562d1e00a3903e6e48bc33dc_JaffaCakes118.exe	jduxdecz.exe
PID 2368 wrote to memory of 2720	2368	63a271d1562d1e00a3903e6e48bc33dc_JaffaCakes118.exe	jduxdecz.exe
PID 2368 wrote to memory of 2720	2368	63a271d1562d1e00a3903e6e48bc33dc_JaffaCakes118.exe	jduxdecz.exe
PID 2368 wrote to memory of 2720	2368	63a271d1562d1e00a3903e6e48bc33dc_JaffaCakes118.exe	jduxdecz.exe
PID 2368 wrote to memory of 2580	2368	63a271d1562d1e00a3903e6e48bc33dc_JaffaCakes118.exe	ojyryyhyukrcn.exe
PID 2368 wrote to memory of 2580	2368	63a271d1562d1e00a3903e6e48bc33dc_JaffaCakes118.exe	ojyryyhyukrcn.exe
PID 2368 wrote to memory of 2580	2368	63a271d1562d1e00a3903e6e48bc33dc_JaffaCakes118.exe	ojyryyhyukrcn.exe
PID 2368 wrote to memory of 2580	2368	63a271d1562d1e00a3903e6e48bc33dc_JaffaCakes118.exe	ojyryyhyukrcn.exe
PID 2540 wrote to memory of 2612	2540	dbemmlmzpq.exe	jduxdecz.exe
PID 2540 wrote to memory of 2612	2540	dbemmlmzpq.exe	jduxdecz.exe
PID 2540 wrote to memory of 2612	2540	dbemmlmzpq.exe	jduxdecz.exe
PID 2540 wrote to memory of 2612	2540	dbemmlmzpq.exe	jduxdecz.exe
PID 2368 wrote to memory of 2452	2368	63a271d1562d1e00a3903e6e48bc33dc_JaffaCakes118.exe	WINWORD.EXE
PID 2368 wrote to memory of 2452	2368	63a271d1562d1e00a3903e6e48bc33dc_JaffaCakes118.exe	WINWORD.EXE
PID 2368 wrote to memory of 2452	2368	63a271d1562d1e00a3903e6e48bc33dc_JaffaCakes118.exe	WINWORD.EXE
PID 2368 wrote to memory of 2452	2368	63a271d1562d1e00a3903e6e48bc33dc_JaffaCakes118.exe	WINWORD.EXE
PID 2452 wrote to memory of 1060	2452	WINWORD.EXE	splwow64.exe
PID 2452 wrote to memory of 1060	2452	WINWORD.EXE	splwow64.exe
PID 2452 wrote to memory of 1060	2452	WINWORD.EXE	splwow64.exe
PID 2452 wrote to memory of 1060	2452	WINWORD.EXE	splwow64.exe

C:\Users\Admin\AppData\Local\Temp\63a271d1562d1e00a3903e6e48bc33dc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\63a271d1562d1e00a3903e6e48bc33dc_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2368

C:\Windows\SysWOW64\dbemmlmzpq.exe
dbemmlmzpq.exe
2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2540

C:\Windows\SysWOW64\jduxdecz.exe
C:\Windows\system32\jduxdecz.exe
3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2612

C:\Windows\SysWOW64\kbrfxcsskbckotm.exe
kbrfxcsskbckotm.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2552

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ojyryyhyukrcn.exe
3⤵
PID:2860

C:\Windows\SysWOW64\jduxdecz.exe
jduxdecz.exe
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2720

C:\Windows\SysWOW64\ojyryyhyukrcn.exe
ojyryyhyukrcn.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2580

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2452

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
3⤵
PID:1060

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
Filesize
512KB

MD5
4d50eb9cd53392e8cf694cef7e92086d

SHA1
9043a49381499c3deb00dc7628f63e5ddbfd4e42

SHA256
695e463fd13a9016a2f526a64ca37c1a07da9dcbb67fd47a9adf8d5e55e11927

SHA512
18738dc0c7a64701356c39ab1d5be8b9131ffcc621661260e5b449f6ebe8e58687c2a6ce808cd7fec0dd81f4db959f135dafa4389afb719f59850162f7d6a305

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize
20KB

MD5
6df27674ec720b3cdfc0691f8c07ad3a

SHA1
2b2d37d756e0d5965aec84de7661e22141777b32

SHA256
171ac16b50a00eeeb8187a72f12317e831fb7416de423300d0f6f27a577a45c8

SHA512
71d293c1c66077a7534e87b11cf50303e5b306fc5a43190144fd154d29fc2f5ea38f43f9144e82dc3556923bac8a80d2b22b3ca9b73920db7269cab278bbd19e

Download Submit
C:\Windows\SysWOW64\jduxdecz.exe
Filesize
512KB

MD5
23e1638848876a2c2b4d31755e87bd97

SHA1
db3f84944d6f8e3a3d99cc640c05150103a74a90

SHA256
46b86044be1ab9ab8cc0ea83997cdb81c6c1033019f2f5d03934f51884f8f11f

SHA512
aa331b206d353f7c93f3e892c8fcc24a7a410d91e292e9b5029b2f04922d3d96a939dc6f4c7a459adca56e6cfd815a0c9ebc5f7ecd5434efbb971b920b1cb934

Download Submit
C:\Windows\SysWOW64\kbrfxcsskbckotm.exe
Filesize
512KB

MD5
1970d0861d997ee9aa0aa9544d63fb7d

SHA1
9ea2aafcf5e4ca7f1e123fb611123a8bd6a9bc6b

SHA256
07491ccb61ced5ef21b204e0bbd594bc2ea815127b4a6492f2a6902652417442

SHA512
2b32a139fcf81b236dbdab46d55bc57350ceac0ec6180ea1d05502759632b1eb7a95990be8f2e9d6baba43e95e458e67885b7af4639707ad073d7444c4f3dc7c

Download Submit
C:\Windows\mydoc.rtf
Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\Windows\SysWOW64\dbemmlmzpq.exe
Filesize
512KB

MD5
267a38b4d31bb0d1df33a2d554584a63

SHA1
468eb8887ddcdcbb4d836ae8770d61971a372055

SHA256
5a3a326bfd26221b328e0f09435d39c1915151cb6629bd998c43c847f84feb18

SHA512
8afc0897f3ea9f6d059b18bd4039730aeb0bb45900984217036bc55ea44d323d3faa16ccbb4042d462253ab022e80d96f10b67946f3304d9ef1573f4a11995ae

Download Submit
\Windows\SysWOW64\ojyryyhyukrcn.exe
Filesize
512KB

MD5
7e2c35c5f09c279be0c17e800e3abcec

SHA1
9d7883ce506f1d7f0f12822e50ce844a469c7886

SHA256
58503f14b9f2631289de9564bd9dd3904530359bec1cdffb1ec5cfad1fb4f367

SHA512
eedfe1cd9183c74cc1b918e462b856f3b7ab288b8d68dc00d2f79a309e884e48ba88991c1ed240ee70c97ff13d7d9143756e0d59af7773f9215109a045959c78

Download Submit
memory/2368-0-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2452-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2452-92-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads