Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
23-05-2024 02:23
Static task
static1
Behavioral task
behavioral1
Sample
696ff618dc5de2b72fd61a9e0536f172_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
696ff618dc5de2b72fd61a9e0536f172_JaffaCakes118.exe
Resource
win10v2004-20240426-en
General
-
Target
696ff618dc5de2b72fd61a9e0536f172_JaffaCakes118.exe
-
Size
512KB
-
MD5
696ff618dc5de2b72fd61a9e0536f172
-
SHA1
853a0b14b1af1a81f43c3bf7c23e125740feb322
-
SHA256
d2cfff29a8f3ca64f2b28426ccc1b5f8750a2701b2f5b8f7b0c81ad2f3d4c714
-
SHA512
8c481f21dee562ce7d71e7aa7442e0fe3f490c34260140ed6e165d4bc8f7a19eb6205795a05a875fa4284f4efcc30b3fb44668c82efaf56b44756c4f99102fbf
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6m:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5F
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
Processes:
dfcmuhqmpf.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" dfcmuhqmpf.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes:
dfcmuhqmpf.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" dfcmuhqmpf.exe -
Processes:
dfcmuhqmpf.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" dfcmuhqmpf.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" dfcmuhqmpf.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" dfcmuhqmpf.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" dfcmuhqmpf.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" dfcmuhqmpf.exe -
Disables RegEdit via registry modification 1 IoCs
Processes:
dfcmuhqmpf.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" dfcmuhqmpf.exe -
Modifies Installed Components in the registry 2 TTPs 1 IoCs
Processes:
explorer.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe -
Executes dropped EXE 5 IoCs
Processes:
dfcmuhqmpf.exeacxaqidolztcexs.exeavyphmny.exeffscepovwsodk.exeavyphmny.exepid process 2132 dfcmuhqmpf.exe 2648 acxaqidolztcexs.exe 2596 avyphmny.exe 2444 ffscepovwsodk.exe 2628 avyphmny.exe -
Loads dropped DLL 5 IoCs
Processes:
696ff618dc5de2b72fd61a9e0536f172_JaffaCakes118.exedfcmuhqmpf.exepid process 2864 696ff618dc5de2b72fd61a9e0536f172_JaffaCakes118.exe 2864 696ff618dc5de2b72fd61a9e0536f172_JaffaCakes118.exe 2864 696ff618dc5de2b72fd61a9e0536f172_JaffaCakes118.exe 2864 696ff618dc5de2b72fd61a9e0536f172_JaffaCakes118.exe 2132 dfcmuhqmpf.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
dfcmuhqmpf.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" dfcmuhqmpf.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" dfcmuhqmpf.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" dfcmuhqmpf.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" dfcmuhqmpf.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" dfcmuhqmpf.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" dfcmuhqmpf.exe -
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
acxaqidolztcexs.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\luogmvip = "dfcmuhqmpf.exe" acxaqidolztcexs.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\clyghppt = "acxaqidolztcexs.exe" acxaqidolztcexs.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "ffscepovwsodk.exe" acxaqidolztcexs.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
avyphmny.exeavyphmny.exedfcmuhqmpf.exedescription ioc process File opened (read-only) \??\y: avyphmny.exe File opened (read-only) \??\k: avyphmny.exe File opened (read-only) \??\b: dfcmuhqmpf.exe File opened (read-only) \??\g: dfcmuhqmpf.exe File opened (read-only) \??\s: dfcmuhqmpf.exe File opened (read-only) \??\b: avyphmny.exe File opened (read-only) \??\i: avyphmny.exe File opened (read-only) \??\i: avyphmny.exe File opened (read-only) \??\z: avyphmny.exe File opened (read-only) \??\q: avyphmny.exe File opened (read-only) \??\g: avyphmny.exe File opened (read-only) \??\w: avyphmny.exe File opened (read-only) \??\x: avyphmny.exe File opened (read-only) \??\n: dfcmuhqmpf.exe File opened (read-only) \??\u: dfcmuhqmpf.exe File opened (read-only) \??\w: dfcmuhqmpf.exe File opened (read-only) \??\a: dfcmuhqmpf.exe File opened (read-only) \??\h: dfcmuhqmpf.exe File opened (read-only) \??\o: avyphmny.exe File opened (read-only) \??\t: avyphmny.exe File opened (read-only) \??\v: avyphmny.exe File opened (read-only) \??\l: avyphmny.exe File opened (read-only) \??\u: avyphmny.exe File opened (read-only) \??\v: avyphmny.exe File opened (read-only) \??\o: dfcmuhqmpf.exe File opened (read-only) \??\x: dfcmuhqmpf.exe File opened (read-only) \??\h: avyphmny.exe File opened (read-only) \??\b: avyphmny.exe File opened (read-only) \??\r: avyphmny.exe File opened (read-only) \??\l: dfcmuhqmpf.exe File opened (read-only) \??\z: dfcmuhqmpf.exe File opened (read-only) \??\u: avyphmny.exe File opened (read-only) \??\x: avyphmny.exe File opened (read-only) \??\j: avyphmny.exe File opened (read-only) \??\n: avyphmny.exe File opened (read-only) \??\q: avyphmny.exe File opened (read-only) \??\p: avyphmny.exe File opened (read-only) \??\s: avyphmny.exe File opened (read-only) \??\w: avyphmny.exe File opened (read-only) \??\m: avyphmny.exe File opened (read-only) \??\s: avyphmny.exe File opened (read-only) \??\r: dfcmuhqmpf.exe File opened (read-only) \??\y: dfcmuhqmpf.exe File opened (read-only) \??\e: dfcmuhqmpf.exe File opened (read-only) \??\i: dfcmuhqmpf.exe File opened (read-only) \??\j: dfcmuhqmpf.exe File opened (read-only) \??\p: dfcmuhqmpf.exe File opened (read-only) \??\r: avyphmny.exe File opened (read-only) \??\e: avyphmny.exe File opened (read-only) \??\p: avyphmny.exe File opened (read-only) \??\a: avyphmny.exe File opened (read-only) \??\e: avyphmny.exe File opened (read-only) \??\j: avyphmny.exe File opened (read-only) \??\k: avyphmny.exe File opened (read-only) \??\l: avyphmny.exe File opened (read-only) \??\n: avyphmny.exe File opened (read-only) \??\g: avyphmny.exe File opened (read-only) \??\z: avyphmny.exe File opened (read-only) \??\h: avyphmny.exe File opened (read-only) \??\o: avyphmny.exe File opened (read-only) \??\t: avyphmny.exe File opened (read-only) \??\m: dfcmuhqmpf.exe File opened (read-only) \??\q: dfcmuhqmpf.exe File opened (read-only) \??\t: dfcmuhqmpf.exe -
Modifies WinLogon 2 TTPs 2 IoCs
Processes:
dfcmuhqmpf.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" dfcmuhqmpf.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" dfcmuhqmpf.exe -
AutoIT Executable 6 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource yara_rule behavioral1/memory/2864-0-0x0000000000400000-0x0000000000496000-memory.dmp autoit_exe C:\Windows\SysWOW64\acxaqidolztcexs.exe autoit_exe \Windows\SysWOW64\dfcmuhqmpf.exe autoit_exe \Windows\SysWOW64\avyphmny.exe autoit_exe C:\Windows\SysWOW64\ffscepovwsodk.exe autoit_exe C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe autoit_exe -
Drops file in System32 directory 9 IoCs
Processes:
dfcmuhqmpf.exe696ff618dc5de2b72fd61a9e0536f172_JaffaCakes118.exedescription ioc process File opened for modification C:\Windows\SysWOW64\msvbvm60.dll dfcmuhqmpf.exe File created C:\Windows\SysWOW64\dfcmuhqmpf.exe 696ff618dc5de2b72fd61a9e0536f172_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\dfcmuhqmpf.exe 696ff618dc5de2b72fd61a9e0536f172_JaffaCakes118.exe File created C:\Windows\SysWOW64\acxaqidolztcexs.exe 696ff618dc5de2b72fd61a9e0536f172_JaffaCakes118.exe File created C:\Windows\SysWOW64\avyphmny.exe 696ff618dc5de2b72fd61a9e0536f172_JaffaCakes118.exe File created C:\Windows\SysWOW64\ffscepovwsodk.exe 696ff618dc5de2b72fd61a9e0536f172_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\acxaqidolztcexs.exe 696ff618dc5de2b72fd61a9e0536f172_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\avyphmny.exe 696ff618dc5de2b72fd61a9e0536f172_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\ffscepovwsodk.exe 696ff618dc5de2b72fd61a9e0536f172_JaffaCakes118.exe -
Drops file in Program Files directory 21 IoCs
Processes:
avyphmny.exeavyphmny.exedescription ioc process File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe avyphmny.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal avyphmny.exe File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe avyphmny.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe avyphmny.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe avyphmny.exe File opened for modification C:\Program Files\UndoPublish.doc.exe avyphmny.exe File opened for modification C:\Program Files\UndoPublish.nal avyphmny.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe avyphmny.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal avyphmny.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe avyphmny.exe File created \??\c:\Program Files\UndoPublish.doc.exe avyphmny.exe File opened for modification \??\c:\Program Files\UndoPublish.doc.exe avyphmny.exe File opened for modification C:\Program Files\UndoPublish.doc.exe avyphmny.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe avyphmny.exe File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe avyphmny.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe avyphmny.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe avyphmny.exe File opened for modification \??\c:\Program Files\UndoPublish.doc.exe avyphmny.exe File opened for modification C:\Program Files\UndoPublish.nal avyphmny.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal avyphmny.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal avyphmny.exe -
Drops file in Windows directory 4 IoCs
Processes:
696ff618dc5de2b72fd61a9e0536f172_JaffaCakes118.exeWINWORD.EXEdescription ioc process File opened for modification C:\Windows\mydoc.rtf 696ff618dc5de2b72fd61a9e0536f172_JaffaCakes118.exe File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE File created C:\Windows\~$mydoc.rtf WINWORD.EXE File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Office loads VBA resources, possible macro or embedded object present
-
Processes:
WINWORD.EXEdescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE -
Modifies registry class 64 IoCs
Processes:
dfcmuhqmpf.exeWINWORD.EXE696ff618dc5de2b72fd61a9e0536f172_JaffaCakes118.exeexplorer.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc dfcmuhqmpf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33472C7E9C5183526D4276A777272CAC7C8E64DF" 696ff618dc5de2b72fd61a9e0536f172_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" dfcmuhqmpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_Classes\Local Settings explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7FD68B0FE6B21DFD27DD1A88A09906A" 696ff618dc5de2b72fd61a9e0536f172_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" dfcmuhqmpf.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes 696ff618dc5de2b72fd61a9e0536f172_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" dfcmuhqmpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg dfcmuhqmpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "183AC67D1490DAC7B8CC7FE4EC9E37CD" 696ff618dc5de2b72fd61a9e0536f172_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 2440 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
696ff618dc5de2b72fd61a9e0536f172_JaffaCakes118.exedfcmuhqmpf.exeavyphmny.exeacxaqidolztcexs.exeavyphmny.exeffscepovwsodk.exepid process 2864 696ff618dc5de2b72fd61a9e0536f172_JaffaCakes118.exe 2864 696ff618dc5de2b72fd61a9e0536f172_JaffaCakes118.exe 2864 696ff618dc5de2b72fd61a9e0536f172_JaffaCakes118.exe 2864 696ff618dc5de2b72fd61a9e0536f172_JaffaCakes118.exe 2864 696ff618dc5de2b72fd61a9e0536f172_JaffaCakes118.exe 2864 696ff618dc5de2b72fd61a9e0536f172_JaffaCakes118.exe 2864 696ff618dc5de2b72fd61a9e0536f172_JaffaCakes118.exe 2864 696ff618dc5de2b72fd61a9e0536f172_JaffaCakes118.exe 2132 dfcmuhqmpf.exe 2132 dfcmuhqmpf.exe 2132 dfcmuhqmpf.exe 2132 dfcmuhqmpf.exe 2132 dfcmuhqmpf.exe 2596 avyphmny.exe 2596 avyphmny.exe 2596 avyphmny.exe 2596 avyphmny.exe 2648 acxaqidolztcexs.exe 2648 acxaqidolztcexs.exe 2648 acxaqidolztcexs.exe 2648 acxaqidolztcexs.exe 2648 acxaqidolztcexs.exe 2628 avyphmny.exe 2444 ffscepovwsodk.exe 2444 ffscepovwsodk.exe 2628 avyphmny.exe 2444 ffscepovwsodk.exe 2628 avyphmny.exe 2444 ffscepovwsodk.exe 2628 avyphmny.exe 2444 ffscepovwsodk.exe 2444 ffscepovwsodk.exe 2648 acxaqidolztcexs.exe 2444 ffscepovwsodk.exe 2444 ffscepovwsodk.exe 2648 acxaqidolztcexs.exe 2648 acxaqidolztcexs.exe 2444 ffscepovwsodk.exe 2444 ffscepovwsodk.exe 2648 acxaqidolztcexs.exe 2444 ffscepovwsodk.exe 2444 ffscepovwsodk.exe 2648 acxaqidolztcexs.exe 2444 ffscepovwsodk.exe 2444 ffscepovwsodk.exe 2648 acxaqidolztcexs.exe 2444 ffscepovwsodk.exe 2444 ffscepovwsodk.exe 2648 acxaqidolztcexs.exe 2444 ffscepovwsodk.exe 2444 ffscepovwsodk.exe 2648 acxaqidolztcexs.exe 2444 ffscepovwsodk.exe 2444 ffscepovwsodk.exe 2648 acxaqidolztcexs.exe 2444 ffscepovwsodk.exe 2444 ffscepovwsodk.exe 2648 acxaqidolztcexs.exe 2444 ffscepovwsodk.exe 2444 ffscepovwsodk.exe 2648 acxaqidolztcexs.exe 2444 ffscepovwsodk.exe 2444 ffscepovwsodk.exe 2648 acxaqidolztcexs.exe -
Suspicious use of AdjustPrivilegeToken 12 IoCs
Processes:
explorer.exedescription pid process Token: SeShutdownPrivilege 2704 explorer.exe Token: SeShutdownPrivilege 2704 explorer.exe Token: SeShutdownPrivilege 2704 explorer.exe Token: SeShutdownPrivilege 2704 explorer.exe Token: SeShutdownPrivilege 2704 explorer.exe Token: SeShutdownPrivilege 2704 explorer.exe Token: SeShutdownPrivilege 2704 explorer.exe Token: SeShutdownPrivilege 2704 explorer.exe Token: SeShutdownPrivilege 2704 explorer.exe Token: SeShutdownPrivilege 2704 explorer.exe Token: SeShutdownPrivilege 2704 explorer.exe Token: SeShutdownPrivilege 2704 explorer.exe -
Suspicious use of FindShellTrayWindow 47 IoCs
Processes:
696ff618dc5de2b72fd61a9e0536f172_JaffaCakes118.exedfcmuhqmpf.exeavyphmny.exeacxaqidolztcexs.exeffscepovwsodk.exeavyphmny.exeexplorer.exepid process 2864 696ff618dc5de2b72fd61a9e0536f172_JaffaCakes118.exe 2864 696ff618dc5de2b72fd61a9e0536f172_JaffaCakes118.exe 2864 696ff618dc5de2b72fd61a9e0536f172_JaffaCakes118.exe 2132 dfcmuhqmpf.exe 2132 dfcmuhqmpf.exe 2132 dfcmuhqmpf.exe 2596 avyphmny.exe 2596 avyphmny.exe 2596 avyphmny.exe 2648 acxaqidolztcexs.exe 2648 acxaqidolztcexs.exe 2648 acxaqidolztcexs.exe 2444 ffscepovwsodk.exe 2444 ffscepovwsodk.exe 2444 ffscepovwsodk.exe 2628 avyphmny.exe 2628 avyphmny.exe 2628 avyphmny.exe 2704 explorer.exe 2704 explorer.exe 2704 explorer.exe 2704 explorer.exe 2704 explorer.exe 2704 explorer.exe 2704 explorer.exe 2704 explorer.exe 2704 explorer.exe 2704 explorer.exe 2704 explorer.exe 2704 explorer.exe 2704 explorer.exe 2704 explorer.exe 2704 explorer.exe 2704 explorer.exe 2704 explorer.exe 2704 explorer.exe 2704 explorer.exe 2704 explorer.exe 2704 explorer.exe 2704 explorer.exe 2704 explorer.exe 2704 explorer.exe 2704 explorer.exe 2704 explorer.exe 2704 explorer.exe 2704 explorer.exe 2704 explorer.exe -
Suspicious use of SendNotifyMessage 37 IoCs
Processes:
696ff618dc5de2b72fd61a9e0536f172_JaffaCakes118.exedfcmuhqmpf.exeavyphmny.exeacxaqidolztcexs.exeffscepovwsodk.exeavyphmny.exeexplorer.exepid process 2864 696ff618dc5de2b72fd61a9e0536f172_JaffaCakes118.exe 2864 696ff618dc5de2b72fd61a9e0536f172_JaffaCakes118.exe 2864 696ff618dc5de2b72fd61a9e0536f172_JaffaCakes118.exe 2132 dfcmuhqmpf.exe 2132 dfcmuhqmpf.exe 2132 dfcmuhqmpf.exe 2596 avyphmny.exe 2596 avyphmny.exe 2596 avyphmny.exe 2648 acxaqidolztcexs.exe 2648 acxaqidolztcexs.exe 2648 acxaqidolztcexs.exe 2444 ffscepovwsodk.exe 2444 ffscepovwsodk.exe 2444 ffscepovwsodk.exe 2628 avyphmny.exe 2628 avyphmny.exe 2628 avyphmny.exe 2704 explorer.exe 2704 explorer.exe 2704 explorer.exe 2704 explorer.exe 2704 explorer.exe 2704 explorer.exe 2704 explorer.exe 2704 explorer.exe 2704 explorer.exe 2704 explorer.exe 2704 explorer.exe 2704 explorer.exe 2704 explorer.exe 2704 explorer.exe 2704 explorer.exe 2704 explorer.exe 2704 explorer.exe 2704 explorer.exe 2704 explorer.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
WINWORD.EXEpid process 2440 WINWORD.EXE 2440 WINWORD.EXE -
Suspicious use of WriteProcessMemory 24 IoCs
Processes:
696ff618dc5de2b72fd61a9e0536f172_JaffaCakes118.exedfcmuhqmpf.exedescription pid process target process PID 2864 wrote to memory of 2132 2864 696ff618dc5de2b72fd61a9e0536f172_JaffaCakes118.exe dfcmuhqmpf.exe PID 2864 wrote to memory of 2132 2864 696ff618dc5de2b72fd61a9e0536f172_JaffaCakes118.exe dfcmuhqmpf.exe PID 2864 wrote to memory of 2132 2864 696ff618dc5de2b72fd61a9e0536f172_JaffaCakes118.exe dfcmuhqmpf.exe PID 2864 wrote to memory of 2132 2864 696ff618dc5de2b72fd61a9e0536f172_JaffaCakes118.exe dfcmuhqmpf.exe PID 2864 wrote to memory of 2648 2864 696ff618dc5de2b72fd61a9e0536f172_JaffaCakes118.exe acxaqidolztcexs.exe PID 2864 wrote to memory of 2648 2864 696ff618dc5de2b72fd61a9e0536f172_JaffaCakes118.exe acxaqidolztcexs.exe PID 2864 wrote to memory of 2648 2864 696ff618dc5de2b72fd61a9e0536f172_JaffaCakes118.exe acxaqidolztcexs.exe PID 2864 wrote to memory of 2648 2864 696ff618dc5de2b72fd61a9e0536f172_JaffaCakes118.exe acxaqidolztcexs.exe PID 2864 wrote to memory of 2596 2864 696ff618dc5de2b72fd61a9e0536f172_JaffaCakes118.exe avyphmny.exe PID 2864 wrote to memory of 2596 2864 696ff618dc5de2b72fd61a9e0536f172_JaffaCakes118.exe avyphmny.exe PID 2864 wrote to memory of 2596 2864 696ff618dc5de2b72fd61a9e0536f172_JaffaCakes118.exe avyphmny.exe PID 2864 wrote to memory of 2596 2864 696ff618dc5de2b72fd61a9e0536f172_JaffaCakes118.exe avyphmny.exe PID 2864 wrote to memory of 2444 2864 696ff618dc5de2b72fd61a9e0536f172_JaffaCakes118.exe ffscepovwsodk.exe PID 2864 wrote to memory of 2444 2864 696ff618dc5de2b72fd61a9e0536f172_JaffaCakes118.exe ffscepovwsodk.exe PID 2864 wrote to memory of 2444 2864 696ff618dc5de2b72fd61a9e0536f172_JaffaCakes118.exe ffscepovwsodk.exe PID 2864 wrote to memory of 2444 2864 696ff618dc5de2b72fd61a9e0536f172_JaffaCakes118.exe ffscepovwsodk.exe PID 2132 wrote to memory of 2628 2132 dfcmuhqmpf.exe avyphmny.exe PID 2132 wrote to memory of 2628 2132 dfcmuhqmpf.exe avyphmny.exe PID 2132 wrote to memory of 2628 2132 dfcmuhqmpf.exe avyphmny.exe PID 2132 wrote to memory of 2628 2132 dfcmuhqmpf.exe avyphmny.exe PID 2864 wrote to memory of 2440 2864 696ff618dc5de2b72fd61a9e0536f172_JaffaCakes118.exe WINWORD.EXE PID 2864 wrote to memory of 2440 2864 696ff618dc5de2b72fd61a9e0536f172_JaffaCakes118.exe WINWORD.EXE PID 2864 wrote to memory of 2440 2864 696ff618dc5de2b72fd61a9e0536f172_JaffaCakes118.exe WINWORD.EXE PID 2864 wrote to memory of 2440 2864 696ff618dc5de2b72fd61a9e0536f172_JaffaCakes118.exe WINWORD.EXE -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\696ff618dc5de2b72fd61a9e0536f172_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\696ff618dc5de2b72fd61a9e0536f172_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\dfcmuhqmpf.exedfcmuhqmpf.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\avyphmny.exeC:\Windows\system32\avyphmny.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\acxaqidolztcexs.exeacxaqidolztcexs.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\avyphmny.exeavyphmny.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\ffscepovwsodk.exeffscepovwsodk.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Modify Registry
8Impair Defenses
2Disable or Modify Tools
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exeFilesize
512KB
MD55dfd0c9b8feccdc7c0510124ad634294
SHA1e33f30f73fd8a1253972f42f9770d7324348bbd8
SHA256b5b1662e0a17278709539ca81ce7c52e4757d7be0911866e4ee8edfdf5528c72
SHA512d5a518e6f14382b26303fce5655fb2ab2bb5cc5b37c9bdf0bcb5854f1a4623f156ea798417579f70bae66a219b2bd34bcf20273b14cb82a9a7addb5be7bb37a0
-
C:\Windows\SysWOW64\acxaqidolztcexs.exeFilesize
512KB
MD5d320d7c776072ba2e08ba30c027f3d85
SHA1e4362d121d669b4317409c1e9a816a23afa18ad8
SHA2566f9aee4ac90a27ac164766e97c7a536aac8ad9499fe9a3d98ecc827089023843
SHA512bcb5eeb87dcdbbf163ccff370623b41f9feec5d92fee262b5b5e69bdc08a6e8a07c5c87e57093cb047af85c3d146c245a14410def5c42a9017738433b7e7e81d
-
C:\Windows\SysWOW64\ffscepovwsodk.exeFilesize
512KB
MD5b7e6bebca445642332bbfa46cfa688ea
SHA1e358292454713ba258b35c44b186530a762364f0
SHA2568cea15bd5a7caec148c51b2a61c35e3efaa1f4f803c62a8faff719de184e09e5
SHA512354b35fd09805f0e03c8e7636015e546b974df994ef12f26a532fb2ad3b4c4a44677830a39e6663deab5498a1ca0a53018ac3b8ff802f937661e6dfcf193d8f1
-
C:\Windows\mydoc.rtfFilesize
223B
MD506604e5941c126e2e7be02c5cd9f62ec
SHA14eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA25685f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
\Windows\SysWOW64\avyphmny.exeFilesize
512KB
MD5c1c13965161a1a155341287c1b2f9f0c
SHA17b34555eb1532ce434b9c6ccc299d670b83d4eec
SHA256777ad50cf7c91320c5e02b7a4b62fc19339cf4e2b6873d12f56721f3f29c7c0a
SHA512e4be8d028e679db70771415a0373600f4621ed4a7f1696cb0b1a719029290ce9d4432b7fc8a2ebe08b8ddaf2b5bad88dc650a3e39faa621abcd505f602575b06
-
\Windows\SysWOW64\dfcmuhqmpf.exeFilesize
512KB
MD521798cb528570c79d23809cd48c7cbc4
SHA152de335186790f35ae3b0fd63fb6a023ee41372c
SHA256edd9605c470c0c4f6dafe295d0afedbd85d1d393e5424fa354777bbae30d267d
SHA5128a4a46909c311f4c0693e7ea3128d68349d3474875923a6508339ad5a36f3f11c4e377a02d5f03874ca6fd9e7e0ee691e5e1f25f99e2bad19cf8b32c9d289edf
-
memory/2440-45-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/2704-82-0x0000000002A10000-0x0000000002A20000-memory.dmpFilesize
64KB
-
memory/2864-0-0x0000000000400000-0x0000000000496000-memory.dmpFilesize
600KB