Analysis
max time kernel: 150s
max time network: 133s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-05-2024 16:16

Static task: static1
Behavioral task: behavioral1
  Sample: 63ed84c1682a771e720f854e921a11c7_JaffaCakes118.exe
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: 63ed84c1682a771e720f854e921a11c7_JaffaCakes118.exe
  Resource: win10v2004-20240426-en
General
Target: 63ed84c1682a771e720f854e921a11c7_JaffaCakes118.exe
Size: 512KB
MD5: 63ed84c1682a771e720f854e921a11c7
SHA1: e04bb2e2eb9f740ab1b03f1a0e8544babcdcaca1
SHA256: 42ad0ede449b2c85265a9b8f2fb43fb705002149dc11bf2f4b96ae3f9ddb445b
SHA512: 85b13efa01460a1293944860af5d94a13048fccdcfaae532a6c8388f385dac317327120510719e3c6da54d8fdd5a62189e811d8614ace4d633e10fa512a6163f
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6d:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5Q

Malware Config

Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
Processes: xpqriqhtsa.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | xpqriqhtsa.exe

Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes: xpqriqhtsa.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | xpqriqhtsa.exe

Windows security bypass 5 IoCs
Processes: xpqriqhtsa.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | xpqriqhtsa.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | xpqriqhtsa.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | xpqriqhtsa.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | xpqriqhtsa.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | xpqriqhtsa.exe

Disables RegEdit via registry modification 1 IoCs
Processes: xpqriqhtsa.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | xpqriqhtsa.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 63ed84c1682a771e720f854e921a11c7_JaffaCakes118.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | 63ed84c1682a771e720f854e921a11c7_JaffaCakes118.exe

Executes dropped EXE 5 IoCs
Processes: xpqriqhtsa.exe, tsqbtttmwtrlfou.exe, ozvonurj.exe, ahakykduvxnte.exe, ozvonurj.exe
pid | process
3612 | xpqriqhtsa.exe
2208 | tsqbtttmwtrlfou.exe
1636 | ozvonurj.exe
1148 | ahakykduvxnte.exe
2692 | ozvonurj.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification 6 IoCs
Processes: xpqriqhtsa.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | xpqriqhtsa.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | xpqriqhtsa.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | xpqriqhtsa.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | xpqriqhtsa.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | xpqriqhtsa.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | xpqriqhtsa.exe

Adds Run key to start application 2 TTPs 3 IoCs
Processes: tsqbtttmwtrlfou.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rnhenfii = "xpqriqhtsa.exe" | tsqbtttmwtrlfou.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yulkkyeg = "tsqbtttmwtrlfou.exe" | tsqbtttmwtrlfou.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "ahakykduvxnte.exe" | tsqbtttmwtrlfou.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: xpqriqhtsa.exe, ozvonurj.exe, ozvonurj.exe
description | ioc | process
File opened (read-only) | \??\h: | xpqriqhtsa.exe
File opened (read-only) | \??\y: | xpqriqhtsa.exe
File opened (read-only) | \??\h: | ozvonurj.exe
File opened (read-only) | \??\v: | ozvonurj.exe
File opened (read-only) | \??\y: | ozvonurj.exe
File opened (read-only) | \??\w: | xpqriqhtsa.exe
File opened (read-only) | \??\m: | ozvonurj.exe
File opened (read-only) | \??\u: | ozvonurj.exe
File opened (read-only) | \??\w: | ozvonurj.exe
File opened (read-only) | \??\g: | xpqriqhtsa.exe
File opened (read-only) | \??\n: | xpqriqhtsa.exe
File opened (read-only) | \??\p: | xpqriqhtsa.exe
File opened (read-only) | \??\x: | ozvonurj.exe
File opened (read-only) | \??\l: | xpqriqhtsa.exe
File opened (read-only) | \??\p: | ozvonurj.exe
File opened (read-only) | \??\i: | ozvonurj.exe
File opened (read-only) | \??\i: | ozvonurj.exe
File opened (read-only) | \??\n: | ozvonurj.exe
File opened (read-only) | \??\w: | ozvonurj.exe
File opened (read-only) | \??\k: | xpqriqhtsa.exe
File opened (read-only) | \??\m: | xpqriqhtsa.exe
File opened (read-only) | \??\z: | ozvonurj.exe
File opened (read-only) | \??\k: | ozvonurj.exe
File opened (read-only) | \??\r: | ozvonurj.exe
File opened (read-only) | \??\u: | xpqriqhtsa.exe
File opened (read-only) | \??\g: | ozvonurj.exe
File opened (read-only) | \??\s: | ozvonurj.exe
File opened (read-only) | \??\u: | ozvonurj.exe
File opened (read-only) | \??\z: | ozvonurj.exe
File opened (read-only) | \??\b: | xpqriqhtsa.exe
File opened (read-only) | \??\e: | xpqriqhtsa.exe
File opened (read-only) | \??\s: | xpqriqhtsa.exe
File opened (read-only) | \??\r: | ozvonurj.exe
File opened (read-only) | \??\m: | ozvonurj.exe
File opened (read-only) | \??\q: | ozvonurj.exe
File opened (read-only) | \??\s: | ozvonurj.exe
File opened (read-only) | \??\t: | ozvonurj.exe
File opened (read-only) | \??\j: | xpqriqhtsa.exe
File opened (read-only) | \??\o: | xpqriqhtsa.exe
File opened (read-only) | \??\q: | xpqriqhtsa.exe
File opened (read-only) | \??\a: | ozvonurj.exe
File opened (read-only) | \??\l: | ozvonurj.exe
File opened (read-only) | \??\q: | ozvonurj.exe
File opened (read-only) | \??\a: | ozvonurj.exe
File opened (read-only) | \??\o: | ozvonurj.exe
File opened (read-only) | \??\p: | ozvonurj.exe
File opened (read-only) | \??\n: | ozvonurj.exe
File opened (read-only) | \??\y: | ozvonurj.exe
File opened (read-only) | \??\b: | ozvonurj.exe
File opened (read-only) | \??\l: | ozvonurj.exe
File opened (read-only) | \??\a: | xpqriqhtsa.exe
File opened (read-only) | \??\j: | ozvonurj.exe
File opened (read-only) | \??\j: | ozvonurj.exe
File opened (read-only) | \??\r: | xpqriqhtsa.exe
File opened (read-only) | \??\t: | xpqriqhtsa.exe
File opened (read-only) | \??\v: | xpqriqhtsa.exe
File opened (read-only) | \??\z: | xpqriqhtsa.exe
File opened (read-only) | \??\k: | ozvonurj.exe
File opened (read-only) | \??\x: | ozvonurj.exe
File opened (read-only) | \??\x: | xpqriqhtsa.exe
File opened (read-only) | \??\e: | ozvonurj.exe
File opened (read-only) | \??\t: | ozvonurj.exe
File opened (read-only) | \??\b: | ozvonurj.exe
File opened (read-only) | \??\h: | ozvonurj.exe

Modifies WinLogon 2 TTPs 2 IoCs
Processes: xpqriqhtsa.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | xpqriqhtsa.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | xpqriqhtsa.exe
AutoIT Executable 10 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource | yara_rule
behavioral2/memory/4380-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
C:\Windows\SysWOW64\tsqbtttmwtrlfou.exe | autoit_exe
C:\Windows\SysWOW64\xpqriqhtsa.exe | autoit_exe
C:\Windows\SysWOW64\ozvonurj.exe | autoit_exe
C:\Windows\SysWOW64\ahakykduvxnte.exe | autoit_exe
\??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | autoit_exe
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | autoit_exe
C:\Users\Admin\Music\MoveProtect.doc.exe | autoit_exe
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | autoit_exe
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | autoit_exe

Drops file in System32 directory 12 IoCs
Processes: 63ed84c1682a771e720f854e921a11c7_JaffaCakes118.exe, xpqriqhtsa.exe, ozvonurj.exe, ozvonurj.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\ozvonurj.exe | 63ed84c1682a771e720f854e921a11c7_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\ahakykduvxnte.exe | 63ed84c1682a771e720f854e921a11c7_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\ahakykduvxnte.exe | 63ed84c1682a771e720f854e921a11c7_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | xpqriqhtsa.exe
File opened for modification | C:\Windows\SysWOW64\xpqriqhtsa.exe | 63ed84c1682a771e720f854e921a11c7_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\tsqbtttmwtrlfou.exe | 63ed84c1682a771e720f854e921a11c7_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\tsqbtttmwtrlfou.exe | 63ed84c1682a771e720f854e921a11c7_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\ozvonurj.exe | 63ed84c1682a771e720f854e921a11c7_JaffaCakes118.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | ozvonurj.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | ozvonurj.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | ozvonurj.exe
File created | C:\Windows\SysWOW64\xpqriqhtsa.exe | 63ed84c1682a771e720f854e921a11c7_JaffaCakes118.exe

Drops file in Program Files directory 15 IoCs
Processes: ozvonurj.exe, ozvonurj.exe
description | ioc | process
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ozvonurj.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ozvonurj.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ozvonurj.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ozvonurj.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ozvonurj.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ozvonurj.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | ozvonurj.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ozvonurj.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | ozvonurj.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ozvonurj.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | ozvonurj.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ozvonurj.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ozvonurj.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | ozvonurj.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ozvonurj.exe

Drops file in Windows directory 19 IoCs
Processes: ozvonurj.exe, ozvonurj.exe, 63ed84c1682a771e720f854e921a11c7_JaffaCakes118.exe, WINWORD.EXE
description | ioc | process
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | ozvonurj.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | ozvonurj.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | ozvonurj.exe
File opened for modification | C:\Windows\mydoc.rtf | 63ed84c1682a771e720f854e921a11c7_JaffaCakes118.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | ozvonurj.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | ozvonurj.exe
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | ozvonurj.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | ozvonurj.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | ozvonurj.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | ozvonurj.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | ozvonurj.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | ozvonurj.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | ozvonurj.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | ozvonurj.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | ozvonurj.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | ozvonurj.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | ozvonurj.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs
Processes: WINWORD.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE

Modifies registry class 20 IoCs
Processes: 63ed84c1682a771e720f854e921a11c7_JaffaCakes118.exe, xpqriqhtsa.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1949C7741597DAB0B8CF7F92EDE234CE" | 63ed84c1682a771e720f854e921a11c7_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | xpqriqhtsa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | xpqriqhtsa.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | xpqriqhtsa.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 63ed84c1682a771e720f854e921a11c7_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC4B020449339ED53BFB9D733E8D7CC" | 63ed84c1682a771e720f854e921a11c7_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings | 63ed84c1682a771e720f854e921a11c7_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | xpqriqhtsa.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | xpqriqhtsa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | xpqriqhtsa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BC8F9CEFE17F1E084743A45819F39E3B38803F04211034CE1C842EF09D6" | 63ed84c1682a771e720f854e921a11c7_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E89FF8F4858851A9031D72C7D91BC93E634583067326243D791" | 63ed84c1682a771e720f854e921a11c7_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | xpqriqhtsa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | xpqriqhtsa.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | xpqriqhtsa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | xpqriqhtsa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32322D789D5782226A3577D1702E2DDA7CF664D8" | 63ed84c1682a771e720f854e921a11c7_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F36BC2FE6C21DDD27ED0A88A099163" | 63ed84c1682a771e720f854e921a11c7_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | xpqriqhtsa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | xpqriqhtsa.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes: WINWORD.EXE
pid | process | consecutive hits
3228 | WINWORD.EXE | 2

Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 63ed84c1682a771e720f854e921a11c7_JaffaCakes118.exe, xpqriqhtsa.exe, tsqbtttmwtrlfou.exe, ahakykduvxnte.exe, ozvonurj.exe, ozvonurj.exe
pid | process | consecutive hits
4380 | 63ed84c1682a771e720f854e921a11c7_JaffaCakes118.exe | 16
3612 | xpqriqhtsa.exe | 10
2208 | tsqbtttmwtrlfou.exe | 4
1148 | ahakykduvxnte.exe | 1
2208 | tsqbtttmwtrlfou.exe | 1
1148 | ahakykduvxnte.exe | 1
2208 | tsqbtttmwtrlfou.exe | 3
1148 | ahakykduvxnte.exe | 10
1636 | ozvonurj.exe | 8
2208 | tsqbtttmwtrlfou.exe | 2
2692 | ozvonurj.exe | 8

Suspicious use of FindShellTrayWindow 18 IoCs
Processes: 63ed84c1682a771e720f854e921a11c7_JaffaCakes118.exe, xpqriqhtsa.exe, ahakykduvxnte.exe, tsqbtttmwtrlfou.exe, ozvonurj.exe, ozvonurj.exe
pid | process | consecutive hits
4380 | 63ed84c1682a771e720f854e921a11c7_JaffaCakes118.exe | 3
3612 | xpqriqhtsa.exe | 3
1148 | ahakykduvxnte.exe | 1
2208 | tsqbtttmwtrlfou.exe | 1
1148 | ahakykduvxnte.exe | 1
2208 | tsqbtttmwtrlfou.exe | 2
1148 | ahakykduvxnte.exe | 1
1636 | ozvonurj.exe | 3
2692 | ozvonurj.exe | 3

Suspicious use of SendNotifyMessage 18 IoCs
Processes: 63ed84c1682a771e720f854e921a11c7_JaffaCakes118.exe, xpqriqhtsa.exe, ahakykduvxnte.exe, tsqbtttmwtrlfou.exe, ozvonurj.exe, ozvonurj.exe
pid | process | consecutive hits
4380 | 63ed84c1682a771e720f854e921a11c7_JaffaCakes118.exe | 3
3612 | xpqriqhtsa.exe | 3
1148 | ahakykduvxnte.exe | 1
2208 | tsqbtttmwtrlfou.exe | 1
1148 | ahakykduvxnte.exe | 1
2208 | tsqbtttmwtrlfou.exe | 2
1148 | ahakykduvxnte.exe | 1
1636 | ozvonurj.exe | 3
2692 | ozvonurj.exe | 3

Suspicious use of SetWindowsHookEx 7 IoCs
Processes: WINWORD.EXE
pid | process | consecutive hits
3228 | WINWORD.EXE | 7

Suspicious use of WriteProcessMemory 17 IoCs
Processes: 63ed84c1682a771e720f854e921a11c7_JaffaCakes118.exe, xpqriqhtsa.exe
description | pid | process | target process | consecutive hits
PID 4380 wrote to memory of 3612 | 4380 | 63ed84c1682a771e720f854e921a11c7_JaffaCakes118.exe | xpqriqhtsa.exe | 3
PID 4380 wrote to memory of 2208 | 4380 | 63ed84c1682a771e720f854e921a11c7_JaffaCakes118.exe | tsqbtttmwtrlfou.exe | 3
PID 4380 wrote to memory of 1636 | 4380 | 63ed84c1682a771e720f854e921a11c7_JaffaCakes118.exe | ozvonurj.exe | 3
PID 4380 wrote to memory of 1148 | 4380 | 63ed84c1682a771e720f854e921a11c7_JaffaCakes118.exe | ahakykduvxnte.exe | 3
PID 4380 wrote to memory of 3228 | 4380 | 63ed84c1682a771e720f854e921a11c7_JaffaCakes118.exe | WINWORD.EXE | 2
PID 3612 wrote to memory of 2692 | 3612 | xpqriqhtsa.exe | ozvonurj.exe | 3
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\63ed84c1682a771e720f854e921a11c7_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\63ed84c1682a771e720f854e921a11c7_JaffaCakes118.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\SysWOW64\xpqriqhtsa.exe
    Command line: xpqriqhtsa.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\SysWOW64\ozvonurj.exe
      Command line: C:\Windows\system32\ozvonurj.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  Level 2: C:\Windows\SysWOW64\tsqbtttmwtrlfou.exe
    Command line: tsqbtttmwtrlfou.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  Level 2: C:\Windows\SysWOW64\ozvonurj.exe
    Command line: ozvonurj.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  Level 2: C:\Windows\SysWOW64\ahakykduvxnte.exe
    Command line: ahakykduvxnte.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  Level 2: C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Modify Registry (6)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
Downloads