Analysis
max time kernel: 150s
max time network: 128s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-05-2024 06:21

Static task: static1
Behavioral task: behavioral1
  Sample: 6a042aa5266e3263592ebf6fcdfc51b0_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 6a042aa5266e3263592ebf6fcdfc51b0_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 6a042aa5266e3263592ebf6fcdfc51b0_JaffaCakes118.exe
Size: 512KB
MD5: 6a042aa5266e3263592ebf6fcdfc51b0
SHA1: c62dcaa0d589027701bb26c675923496c34aef40
SHA256: 146c72ff0fff7af77b6ae5f865500138bc513095b9279bc79607403772f6aafd
SHA512: 60471e27abe0713e9c2727345b30138b2a4bdc02743f2a675323a3d5ce35491768bfa07cf2e355aa29f160d07ae259597d1f1933396a7d55ba301fbc9f554770
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6p:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5E
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
Processes: ncildwcmpp.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | ncildwcmpp.exe

Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes: ncildwcmpp.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | ncildwcmpp.exe

Note: HideFileExt = 1 and ShowSuperHidden = 0 are the Windows defaults. The sample re-asserts them so that the copies it writes with a double extension (PROTTPLN.DOC.exe, CopyRead.doc.exe, MsoIrmProtector.doc.exe, listed under Downloads) display in Explorer as plain documents; on their own these two values are not evidence of infection.

Windows security bypass 5 IoCs
Processes: ncildwcmpp.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | ncildwcmpp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | ncildwcmpp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | ncildwcmpp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | ncildwcmpp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | ncildwcmpp.exe

Disables RegEdit via registry modification 1 IoCs
Processes: ncildwcmpp.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | ncildwcmpp.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence.
Processes: 6a042aa5266e3263592ebf6fcdfc51b0_JaffaCakes118.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | 6a042aa5266e3263592ebf6fcdfc51b0_JaffaCakes118.exe
Executes dropped EXE 5 IoCs
Processes: ncildwcmpp.exe, iqethasbmrtapqp.exe, dtykovlz.exe, ulugvwdfgqsff.exe, dtykovlz.exe
pid | process
4844 | ncildwcmpp.exe
1964 | iqethasbmrtapqp.exe
3468 | dtykovlz.exe
5008 | ulugvwdfgqsff.exe
2864 | dtykovlz.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification 6 IoCs
Processes: ncildwcmpp.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | ncildwcmpp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | ncildwcmpp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | ncildwcmpp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | ncildwcmpp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | ncildwcmpp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | ncildwcmpp.exe

Adds Run key to start application 2 TTPs 3 IoCs
Processes: iqethasbmrtapqp.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "ulugvwdfgqsff.exe" | iqethasbmrtapqp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nagscrxa = "ncildwcmpp.exe" | iqethasbmrtapqp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\zzlyivos = "iqethasbmrtapqp.exe" | iqethasbmrtapqp.exe
Note: the first entry has an empty value name, i.e. it is the (default) value of the Run key itself, and all three values are bare file names rather than full paths.
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: ncildwcmpp.exe, dtykovlz.exe, dtykovlz.exe
description | ioc | process
File opened (read-only) | \??\i: | ncildwcmpp.exe
File opened (read-only) | \??\o: | ncildwcmpp.exe
File opened (read-only) | \??\n: | dtykovlz.exe
File opened (read-only) | \??\y: | dtykovlz.exe
File opened (read-only) | \??\t: | dtykovlz.exe
File opened (read-only) | \??\b: | ncildwcmpp.exe
File opened (read-only) | \??\y: | ncildwcmpp.exe
File opened (read-only) | \??\q: | ncildwcmpp.exe
File opened (read-only) | \??\u: | dtykovlz.exe
File opened (read-only) | \??\a: | dtykovlz.exe
File opened (read-only) | \??\n: | dtykovlz.exe
File opened (read-only) | \??\b: | dtykovlz.exe
File opened (read-only) | \??\r: | dtykovlz.exe
File opened (read-only) | \??\l: | dtykovlz.exe
File opened (read-only) | \??\p: | dtykovlz.exe
File opened (read-only) | \??\z: | dtykovlz.exe
File opened (read-only) | \??\l: | dtykovlz.exe
File opened (read-only) | \??\w: | dtykovlz.exe
File opened (read-only) | \??\s: | ncildwcmpp.exe
File opened (read-only) | \??\m: | dtykovlz.exe
File opened (read-only) | \??\h: | dtykovlz.exe
File opened (read-only) | \??\r: | dtykovlz.exe
File opened (read-only) | \??\g: | dtykovlz.exe
File opened (read-only) | \??\q: | dtykovlz.exe
File opened (read-only) | \??\u: | dtykovlz.exe
File opened (read-only) | \??\a: | ncildwcmpp.exe
File opened (read-only) | \??\x: | ncildwcmpp.exe
File opened (read-only) | \??\g: | dtykovlz.exe
File opened (read-only) | \??\i: | dtykovlz.exe
File opened (read-only) | \??\m: | dtykovlz.exe
File opened (read-only) | \??\g: | ncildwcmpp.exe
File opened (read-only) | \??\t: | dtykovlz.exe
File opened (read-only) | \??\b: | dtykovlz.exe
File opened (read-only) | \??\e: | dtykovlz.exe
File opened (read-only) | \??\p: | dtykovlz.exe
File opened (read-only) | \??\n: | ncildwcmpp.exe
File opened (read-only) | \??\x: | dtykovlz.exe
File opened (read-only) | \??\v: | dtykovlz.exe
File opened (read-only) | \??\z: | ncildwcmpp.exe
File opened (read-only) | \??\e: | dtykovlz.exe
File opened (read-only) | \??\s: | dtykovlz.exe
File opened (read-only) | \??\j: | dtykovlz.exe
File opened (read-only) | \??\s: | dtykovlz.exe
File opened (read-only) | \??\a: | dtykovlz.exe
File opened (read-only) | \??\l: | ncildwcmpp.exe
File opened (read-only) | \??\u: | ncildwcmpp.exe
File opened (read-only) | \??\k: | dtykovlz.exe
File opened (read-only) | \??\x: | dtykovlz.exe
File opened (read-only) | \??\h: | ncildwcmpp.exe
File opened (read-only) | \??\m: | ncildwcmpp.exe
File opened (read-only) | \??\w: | ncildwcmpp.exe
File opened (read-only) | \??\h: | dtykovlz.exe
File opened (read-only) | \??\o: | dtykovlz.exe
File opened (read-only) | \??\o: | dtykovlz.exe
File opened (read-only) | \??\y: | dtykovlz.exe
File opened (read-only) | \??\z: | dtykovlz.exe
File opened (read-only) | \??\e: | ncildwcmpp.exe
File opened (read-only) | \??\k: | ncildwcmpp.exe
File opened (read-only) | \??\r: | ncildwcmpp.exe
File opened (read-only) | \??\i: | dtykovlz.exe
File opened (read-only) | \??\w: | dtykovlz.exe
File opened (read-only) | \??\j: | ncildwcmpp.exe
File opened (read-only) | \??\t: | ncildwcmpp.exe
File opened (read-only) | \??\v: | ncildwcmpp.exe
(The list is capped at 64 entries; within it ncildwcmpp.exe touches every letter except c:, d:, f: and p:, and the two dtykovlz.exe instances together cover every letter except c:, d: and f:.)
Modifies WinLogon 2 TTPs 2 IoCs
Processes: ncildwcmpp.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | ncildwcmpp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | ncildwcmpp.exe
Note: 4294967197 is 0xFFFFFF9D, the Windows 2000-era value that disabled Windows File Protection; it has no effect on Windows 10, and the write landed under WOW6432Node because the sample is 32-bit.
AutoIT Executable 10 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/4564-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
C:\Windows\SysWOW64\iqethasbmrtapqp.exe | autoit_exe
C:\Windows\SysWOW64\ncildwcmpp.exe | autoit_exe
C:\Windows\SysWOW64\dtykovlz.exe | autoit_exe
C:\Windows\SysWOW64\ulugvwdfgqsff.exe | autoit_exe
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | autoit_exe
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | autoit_exe
C:\Users\Admin\Documents\CopyRead.doc.exe | autoit_exe
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | autoit_exe
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | autoit_exe
Drops file in System32 directory 12 IoCs
Processes: dtykovlz.exe, 6a042aa5266e3263592ebf6fcdfc51b0_JaffaCakes118.exe, ncildwcmpp.exe, dtykovlz.exe
description | ioc | process
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | dtykovlz.exe
File opened for modification | C:\Windows\SysWOW64\ncildwcmpp.exe | 6a042aa5266e3263592ebf6fcdfc51b0_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\iqethasbmrtapqp.exe | 6a042aa5266e3263592ebf6fcdfc51b0_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\dtykovlz.exe | 6a042aa5266e3263592ebf6fcdfc51b0_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\ulugvwdfgqsff.exe | 6a042aa5266e3263592ebf6fcdfc51b0_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | ncildwcmpp.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | dtykovlz.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | dtykovlz.exe
File created | C:\Windows\SysWOW64\ncildwcmpp.exe | 6a042aa5266e3263592ebf6fcdfc51b0_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\iqethasbmrtapqp.exe | 6a042aa5266e3263592ebf6fcdfc51b0_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\dtykovlz.exe | 6a042aa5266e3263592ebf6fcdfc51b0_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\ulugvwdfgqsff.exe | 6a042aa5266e3263592ebf6fcdfc51b0_JaffaCakes118.exe
Drops file in Program Files directory 15 IoCs
Processes: dtykovlz.exe, dtykovlz.exe
description | ioc | process
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | dtykovlz.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | dtykovlz.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | dtykovlz.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | dtykovlz.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | dtykovlz.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | dtykovlz.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | dtykovlz.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | dtykovlz.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | dtykovlz.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | dtykovlz.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | dtykovlz.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | dtykovlz.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | dtykovlz.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | dtykovlz.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | dtykovlz.exe
Drops file in Windows directory 19 IoCs
Processes: WINWORD.EXE, dtykovlz.exe, dtykovlz.exe, 6a042aa5266e3263592ebf6fcdfc51b0_JaffaCakes118.exe
description | ioc | process
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | dtykovlz.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | dtykovlz.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | dtykovlz.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | dtykovlz.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | dtykovlz.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | dtykovlz.exe
File opened for modification | C:\Windows\mydoc.rtf | 6a042aa5266e3263592ebf6fcdfc51b0_JaffaCakes118.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | dtykovlz.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | dtykovlz.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | dtykovlz.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | dtykovlz.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | dtykovlz.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | dtykovlz.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | dtykovlz.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | dtykovlz.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | dtykovlz.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | dtykovlz.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: WINWORD.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class 20 IoCs
Processes: 6a042aa5266e3263592ebf6fcdfc51b0_JaffaCakes118.exe, ncildwcmpp.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 6a042aa5266e3263592ebf6fcdfc51b0_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33342C7B9C2083536A4177D770252CAC7C8E65D9" | 6a042aa5266e3263592ebf6fcdfc51b0_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABCF9CCF913F2E283783B4081983993B0F9038F42130338E2CE459A09D1" | 6a042aa5266e3263592ebf6fcdfc51b0_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB0B02E44E739E953B8B9D43299D4CC" | 6a042aa5266e3263592ebf6fcdfc51b0_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7846BB4FE1A22DBD273D1D38B0E916B" | 6a042aa5266e3263592ebf6fcdfc51b0_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | ncildwcmpp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | ncildwcmpp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | ncildwcmpp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | ncildwcmpp.exe
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | 6a042aa5266e3263592ebf6fcdfc51b0_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FF4FF8B4F5C856F9045D6207D91BD92E135584666446341D7E9" | 6a042aa5266e3263592ebf6fcdfc51b0_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "194AC77B1597DBB2B8CD7FE2ED9137CA" | 6a042aa5266e3263592ebf6fcdfc51b0_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | ncildwcmpp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | ncildwcmpp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | ncildwcmpp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | ncildwcmpp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | ncildwcmpp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | ncildwcmpp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | ncildwcmpp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | ncildwcmpp.exe
Note: pointing the .bat, .reg, .vbs, .wsf, .wsc and .wsh extensions at the txtfile ProgID means double-clicking any of those files opens it in Notepad instead of executing or importing it, which also neuters cleanup scripts and .reg fixes delivered that way. The CLV.Classes values written by the sample itself hold opaque hex strings whose purpose the report does not establish.
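The registry changes reported above (Explorer visibility values, Security Center notification and override flags, DisableRegistryTools, the Run-key entries, the Winlogon SFC values and the remapped script extensions) can be checked for on a live host with the script below. It is an added example written for this page, not part of the sandbox report or of the sample. The value names, data, Run-entry names and file names come from the report; the "weak/medium/strong" rating, the stock ProgID table used for restoring the script extensions, the decision to walk every loaded user hive, and the script name are the editor's assumptions. Because the sample is 32-bit, its HKLM writes landed under WOW6432Node; the native path is checked as well in case a 64-bit copy is encountered.

```powershell
<#
  Added host-triage script for the registry indicators in this report (editor's example,
  not part of the report or the sample). Run from an elevated prompt:
    .\Check-ReportRegistry.ps1              # report only
    .\Check-ReportRegistry.ps1 -Remediate   # also remove Run entries and restore script ProgIDs
#>
[CmdletBinding()]
param([switch]$Remediate)

$ErrorActionPreference = 'SilentlyContinue'
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Key, $Name, $Data, $Strength) {
    $findings.Add([pscustomobject]@{ Key = $Key; Name = $Name; Data = $Data; Strength = $Strength })
}

# Machine-wide values from the report. Strength is an added assessment.
$machine = @(
    @{ Sub = 'Microsoft\Security Center';                    Name = 'AntiVirusDisableNotify'; Bad = 1;          Strength = 'strong' }
    @{ Sub = 'Microsoft\Security Center';                    Name = 'FirewallDisableNotify';  Bad = 1;          Strength = 'strong' }
    @{ Sub = 'Microsoft\Security Center';                    Name = 'UpdatesDisableNotify';   Bad = 1;          Strength = 'strong' }
    @{ Sub = 'Microsoft\Security Center';                    Name = 'FirstRunDisabled';       Bad = 1;          Strength = 'medium' }
    @{ Sub = 'Microsoft\Security Center';                    Name = 'AntiVirusOverride';      Bad = 1;          Strength = 'strong' }
    @{ Sub = 'Microsoft\Security Center';                    Name = 'FirewallOverride';       Bad = 1;          Strength = 'strong' }
    @{ Sub = 'Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'SFCScan';                Bad = 0;          Strength = 'strong' }
    # 4294967197 = 0xFFFFFF9D; PowerShell reads the REG_DWORD back as a signed -99, hence the mask below.
    @{ Sub = 'Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'SFCDisable';             Bad = 4294967197; Strength = 'strong' }
)
$dropped = '(^|\\)(ncildwcmpp|iqethasbmrtapqp|dtykovlz|ulugvwdfgqsff)\.exe$'   # Run-key data seen in the report
$psMeta  = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

foreach ($root in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node') {
    foreach ($i in $machine) {
        $key = Join-Path $root $i.Sub
        $val = (Get-ItemProperty -Path $key -Name $i.Name).($i.Name)
        if ($null -ne $val -and (([int64]$val) -band 0xFFFFFFFF) -eq [int64]$i.Bad) { Add-Finding $key $i.Name $val $i.Strength }
    }
    # Run key: the report shows two named entries plus the key's (default) value, all bare file names.
    $run = Join-Path $root 'Microsoft\Windows\CurrentVersion\Run'
    foreach ($p in (Get-ItemProperty -Path $run).PSObject.Properties) {
        if ($p.Name -in $psMeta) { continue }
        if ("$($p.Value)" -match $dropped) {
            Add-Finding $run $p.Name $p.Value 'strong'
            if ($Remediate) { Remove-ItemProperty -Path $run -Name $p.Name }
        }
    }
}

# Per-user values: walk every loaded hive, since an elevated prompt may not be the infected account.
# HideFileExt=1 and ShowSuperHidden=0 are Windows defaults, so they are reported but rated weak.
$user = @(
    @{ Sub = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'HideFileExt';          Bad = 1; Strength = 'weak (Windows default)' }
    @{ Sub = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'ShowSuperHidden';      Bad = 0; Strength = 'weak (Windows default)' }
    @{ Sub = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools'; Bad = 1; Strength = 'strong' }
)
Get-ChildItem -Path Registry::HKEY_USERS | Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } | ForEach-Object {
    foreach ($i in $user) {
        $key = "$($_.PSPath)\$($i.Sub)"
        $val = (Get-ItemProperty -Path $key -Name $i.Name).($i.Name)
        if ($null -ne $val -and [int64]$val -eq $i.Bad) { Add-Finding $key $i.Name $val $i.Strength }
    }
}

# Script extensions remapped to txtfile. Restore values are the stock Windows ProgIDs (assumption).
$stock = @{ '.bat' = 'batfile'; '.reg' = 'regfile'; '.vbs' = 'VBSFile'; '.wsf' = 'WSFFile'; '.wsh' = 'WSHFile'; '.wsc' = 'scriptletfile' }
foreach ($ext in $stock.Keys) {
    $key = "HKLM:\SOFTWARE\Classes\$ext"
    $cur = (Get-ItemProperty -Path $key).'(default)'
    if ($cur -eq 'txtfile') {
        Add-Finding $key '(default)' $cur 'strong'
        if ($Remediate) { Set-ItemProperty -Path $key -Name '(default)' -Value $stock[$ext] }
    }
}

if ($findings.Count) { $findings | Format-Table -AutoSize -Wrap } else { Write-Host 'No indicators from this report found.' }
```

Two practical notes. DisableRegistryTools = 1 blocks regedit.exe but not PowerShell's registry provider, so the script works on an affected host; and because the sample remaps .reg and .bat to Notepad, remediation has to be applied from a shell rather than by double-clicking a fix-up file. Kill the four dropped processes and remove the Run entries before restoring anything else, or the Run-key values get re-created at the next logon.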
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes: WINWORD.EXE
pid | process | consecutive hits
3668 | WINWORD.EXE | 2
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 6a042aa5266e3263592ebf6fcdfc51b0_JaffaCakes118.exe, iqethasbmrtapqp.exe, ncildwcmpp.exe, ulugvwdfgqsff.exe, dtykovlz.exe, dtykovlz.exe
pid | process | consecutive hits
4564 | 6a042aa5266e3263592ebf6fcdfc51b0_JaffaCakes118.exe | 16
1964 | iqethasbmrtapqp.exe | 8
4844 | ncildwcmpp.exe | 10
1964 | iqethasbmrtapqp.exe | 2
5008 | ulugvwdfgqsff.exe | 12
3468 | dtykovlz.exe | 8
1964 | iqethasbmrtapqp.exe | 2
2864 | dtykovlz.exe | 6
Suspicious use of FindShellTrayWindow 18 IoCs
Processes: 6a042aa5266e3263592ebf6fcdfc51b0_JaffaCakes118.exe, iqethasbmrtapqp.exe, ncildwcmpp.exe, ulugvwdfgqsff.exe, dtykovlz.exe, dtykovlz.exe
pid | process | consecutive hits
4564 | 6a042aa5266e3263592ebf6fcdfc51b0_JaffaCakes118.exe | 3
1964 | iqethasbmrtapqp.exe | 3
4844 | ncildwcmpp.exe | 3
5008 | ulugvwdfgqsff.exe | 1
3468 | dtykovlz.exe | 1
5008 | ulugvwdfgqsff.exe | 1
3468 | dtykovlz.exe | 1
5008 | ulugvwdfgqsff.exe | 1
3468 | dtykovlz.exe | 1
2864 | dtykovlz.exe | 3
Suspicious use of SendNotifyMessage 18 IoCs
Processes: 6a042aa5266e3263592ebf6fcdfc51b0_JaffaCakes118.exe, iqethasbmrtapqp.exe, ncildwcmpp.exe, ulugvwdfgqsff.exe, dtykovlz.exe, dtykovlz.exe
pid | process | consecutive hits
4564 | 6a042aa5266e3263592ebf6fcdfc51b0_JaffaCakes118.exe | 3
1964 | iqethasbmrtapqp.exe | 3
4844 | ncildwcmpp.exe | 3
5008 | ulugvwdfgqsff.exe | 1
3468 | dtykovlz.exe | 1
5008 | ulugvwdfgqsff.exe | 1
3468 | dtykovlz.exe | 1
5008 | ulugvwdfgqsff.exe | 1
3468 | dtykovlz.exe | 1
2864 | dtykovlz.exe | 3
Suspicious use of SetWindowsHookEx 7 IoCs
Processes: WINWORD.EXE
pid | process | consecutive hits
3668 | WINWORD.EXE | 7
Suspicious use of WriteProcessMemory 17 IoCs
Processes: 6a042aa5266e3263592ebf6fcdfc51b0_JaffaCakes118.exe, ncildwcmpp.exe
description | pid | process | target process | consecutive hits
PID 4564 wrote to memory of 4844 | 4564 | 6a042aa5266e3263592ebf6fcdfc51b0_JaffaCakes118.exe | ncildwcmpp.exe | 3
PID 4564 wrote to memory of 1964 | 4564 | 6a042aa5266e3263592ebf6fcdfc51b0_JaffaCakes118.exe | iqethasbmrtapqp.exe | 3
PID 4564 wrote to memory of 3468 | 4564 | 6a042aa5266e3263592ebf6fcdfc51b0_JaffaCakes118.exe | dtykovlz.exe | 3
PID 4564 wrote to memory of 5008 | 4564 | 6a042aa5266e3263592ebf6fcdfc51b0_JaffaCakes118.exe | ulugvwdfgqsff.exe | 3
PID 4564 wrote to memory of 3668 | 4564 | 6a042aa5266e3263592ebf6fcdfc51b0_JaffaCakes118.exe | WINWORD.EXE | 2
PID 4844 wrote to memory of 2864 | 4844 | ncildwcmpp.exe | dtykovlz.exe | 3
Processes
C:\Users\Admin\AppData\Local\Temp\6a042aa5266e3263592ebf6fcdfc51b0_JaffaCakes118.exe (depth 1)
command line: "C:\Users\Admin\AppData\Local\Temp\6a042aa5266e3263592ebf6fcdfc51b0_JaffaCakes118.exe"
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\ncildwcmpp.exe (depth 2, child of the submitted sample)
  command line: ncildwcmpp.exe
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\dtykovlz.exe (depth 3, child of ncildwcmpp.exe)
    command line: C:\Windows\system32\dtykovlz.exe
    (the 32-bit parent names system32; WOW64 file system redirection resolves that to SysWOW64, where the file was dropped)
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\iqethasbmrtapqp.exe (depth 2, child of the submitted sample)
  command line: iqethasbmrtapqp.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\dtykovlz.exe (depth 2, child of the submitted sample)
  command line: dtykovlz.exe
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\ulugvwdfgqsff.exe (depth 2, child of the submitted sample)
  command line: ulugvwdfgqsff.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (depth 2, child of the submitted sample)
  command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
  (opens the 223-byte decoy mydoc.rtf that the sample wrote to C:\Windows; see Downloads)
  - Drops file in Windows directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Modify Registry (6)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
Downloads
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
  Filesize: 512KB
  MD5: ff90827a26a0e69c13697f5d1a0ad041
  SHA1: 02ff8d74a04c40094d0e56e9fedd3b8a26203a7d
  SHA256: b990c0fa07e8622cf58045be559e5c3874853d7f135259afc295b1733198a28a
  SHA512: bb09251b2664f2cc29ea558e203bc7695ae9e186afbfc99cbb8122be253649c5bf26c49318ea156c324bc9968b2756c04c935b492b9f4d2d5ef43dc7797d9a0b

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
  Filesize: 512KB
  MD5: 63ac0e44151931b1aed2601a9c747b4a
  SHA1: ce703b901d7f46ff4d4b22e49e92aa7e16acef58
  SHA256: f57a5f29ee74f6aa05283bce42b3208cca6c41fafa03f995e38fc275b8698940
  SHA512: 96a356ab6918bfbf96ab79b478ecabbdf4eaf5c565ae9994e34e518ce8288a4a4f84d397dd69badb3262f355da7b2312c5738bb46934207f43f675c68bfbb220

C:\Users\Admin\AppData\Local\Temp\TCD88EC.tmp\iso690.xsl
  Filesize: 263KB
  MD5: ff0e07eff1333cdf9fc2523d323dd654
  SHA1: 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
  SHA256: 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
  SHA512: b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
  Filesize: 239B
  MD5: 506d7890424e69489a5be1afef5580c5
  SHA1: cba816211e3120c37d2714d61354265337eae683
  SHA256: d66db9598aaad84b8312523932d2c802eab42979172e4e1c84262688fed362e1
  SHA512: 68f6ca745d8e50478c4ff4d2072e021187b40e94c3be42f17142f22b79d5150cdd6992cfe12a6119b3ad4ce7d43ea193a303fcffeed35ec7b765bb8f9348515c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 3KB
  MD5: 799165fda008e74f295789842d959918
  SHA1: cd8cd9d2d10ccdc92726511dd30c61dda116d24e
  SHA256: 520998c74c9488a41d6168c1bef93b8d8ff25613c143a6310d40e50a7ae452e1
  SHA512: 5622ddf77c82f1b72bcfa9b498ec8701e0ef96d1cbdf2a7baec0bf53a84ecb68e816ea93f3d5942f03b44cb15d1d50ea096cef29053dad7582f8b809aaee1a23

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 3KB
  MD5: 95f1b499231b577dad605c6b119fe85c
  SHA1: 7f7e3e20025b5328f12a85b1b4eb804361675c82
  SHA256: c6f3845755d546ea9c17030ecc2b3fc650707494f5a55badc37142e56da3b98d
  SHA512: aee674d7e86229a9b5b06710c6d48141695ecb2ca687744aaf3e8ffb2784ee8712396aad72f4f218a1292ba3b0b7598e3cb87da8b83637174d5811c5f9715300

C:\Users\Admin\Documents\CopyRead.doc.exe
  Filesize: 512KB
  MD5: 8191b500553ed9b40940cc02a9f8c60f
  SHA1: 1f678ce8526cf94accf31615d8ef857b44e9cc82
  SHA256: f25526ce87046a57e8a499864429ed3ebad3f6fe8ab25d995d93166d6df6fd45
  SHA512: fb2e33370ff18637ed6155780a9583d6aad8e8dab2ecefbb530c34be60103b27a35f65629b9d6acf4e23abf2d264b9c610e6de8723a8207fb84e405c6fc42b8b

C:\Windows\SysWOW64\dtykovlz.exe
  Filesize: 512KB
  MD5: ad81effec2b0659837d83d9074cd5c60
  SHA1: fc703c4b16640ba3f847224230b7ba4f01211d96
  SHA256: 0f8b7626f7bf640224920417b4a102116de3505361217287767a85edcb0f88a7
  SHA512: a7f3065137bf991b35264df92196593f89a7058fc0d0ef9a1d3f21b5e522eb017179cb204244e9ee5ae8bf41aa6924153901daaba095cb3290448bfebed92a48

C:\Windows\SysWOW64\iqethasbmrtapqp.exe
  Filesize: 512KB
  MD5: 3e0d18cd6b15b6b03483529111dbcb18
  SHA1: bec6a6c0cde0711101a84f4023757984b86ab140
  SHA256: 652dd43dd1ca09eaa3ae149f81fdc8b9d50da28a82f96ed182bc8ece0821c759
  SHA512: 2e177c5a192e700ef490f2933f428698435b8f71c224811204a3c7051e7b961372a1ae52c3d27527080a0e53de76eb90886d16fc8df73c652c4212e74539d184

C:\Windows\SysWOW64\ncildwcmpp.exe
  Filesize: 512KB
  MD5: 73313ec682ef2057d297b5ade1bce5eb
  SHA1: 1612be935eedf97bcdad0a14a0ab94f674dabb64
  SHA256: 616c2cea467cdad8a4b89e6e7b0ccef78c87abf3887a9b323dbe2c2ff639e54d
  SHA512: 1e14d8fa2a12d5462ce08fa4240aeb4f79ef933d5f034c35324e058ff362fc27344c5afad981302cda2fb7ac683bffd4f045e95a461bad460d0f105699fc6ad5

C:\Windows\SysWOW64\ulugvwdfgqsff.exe
  Filesize: 512KB
  MD5: ba706a8b03e554bef8f8a6d6431f1093
  SHA1: 6e0445a396a8f78b15e2c6ea547d7fbff59edc1c
  SHA256: c59c62389a33f6d8ec003aeda2e8fcf858138c0798a93b8f0929302a4046c7a5
  SHA512: 5794f44473b208ea16b51961717a060b070a0203b52a150b6282fec9a10c5f9d06248684d996be5b87ba71b3d0b052e2a202c392024d564a76ab3178f881b3c8

C:\Windows\mydoc.rtf
  Filesize: 223B
  MD5: 06604e5941c126e2e7be02c5cd9f62ec
  SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
  SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
  SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
  Filesize: 512KB
  MD5: f85b9c4f1c62658d5e794df3f53ad2fd
  SHA1: 11618be8b212ae7c12d701d61bb9d63d278280ef
  SHA256: b2956937ecd295945cb3a0c40ea392aa8fddb5b101ddb2b9c7e69d58b26e9187
  SHA512: 69f21f31adcfeb495d3117ee4ff99dc906fd6c50540e894cd51a939a2b174a15a7ef08dcf23bd620d0d8273c6c7f75ba474f3a8a8a777a086c47af710a570a8e

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
  Filesize: 512KB
  MD5: 9fd0fe521b6e6495c26e86e9101a6450
  SHA1: 676a553fcf99e7153594e3f40e158f5e197cbfbd
  SHA256: 4ecd7f03e7c652a522126bc9176c6c68dd6160803294219bdda6bf83770c3d91
  SHA512: 4dd919420ccdbcc8a9ebe82db2a93b42a9280fd227d0ab66da369660b080fc79f1a02c67b498ab7c9b113e144851edb089d00695923492bff33ecc66c4723886

Note: every dropped executable, including the two successive copies of MsoIrmProtector.doc.exe at the same path, is 512KB and matches the autoit_exe rule, yet no two share a hash. Hash-based matching therefore only finds these exact copies; the drop paths and the "document name with .exe appended" pattern generalise better.

Memory dumps
memory/3668-36-0x00007FF872DB0000-0x00007FF872DC0000-memory.dmp: 64KB
memory/3668-39-0x00007FF872DB0000-0x00007FF872DC0000-memory.dmp: 64KB
memory/3668-38-0x00007FF872DB0000-0x00007FF872DC0000-memory.dmp: 64KB
memory/3668-37-0x00007FF872DB0000-0x00007FF872DC0000-memory.dmp: 64KB
memory/3668-42-0x00007FF8708E0000-0x00007FF8708F0000-memory.dmp: 64KB
memory/3668-35-0x00007FF872DB0000-0x00007FF872DC0000-memory.dmp: 64KB
memory/3668-43-0x00007FF8708E0000-0x00007FF8708F0000-memory.dmp: 64KB
memory/3668-606-0x00007FF872DB0000-0x00007FF872DC0000-memory.dmp: 64KB
memory/3668-605-0x00007FF872DB0000-0x00007FF872DC0000-memory.dmp: 64KB
memory/3668-604-0x00007FF872DB0000-0x00007FF872DC0000-memory.dmp: 64KB
memory/3668-603-0x00007FF872DB0000-0x00007FF872DC0000-memory.dmp: 64KB
memory/4564-0-0x0000000000400000-0x0000000000496000-memory.dmp: 600KB
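The file indicators above (the fixed drop paths under SysWOW64, Program Files and WinSxS, the decoy RTF, and the per-copy hashes) can be swept for with the script below. It is an added example written for this page, not part of the sandbox report or of the sample. The SHA256 values are the ones listed under Downloads plus the submitted sample's own hash; the fixed paths come from the "Drops file in ..." signatures; the ".doc.exe" name heuristic, the 1 MB hashing cut-off (every observed copy is 512KB), the default scan roots and the script name are the editor's assumptions.

```powershell
<#
  Added file-IoC sweep for this report (editor's example, not part of the report or the sample).
  Run elevated:  .\Find-ReportFiles.ps1 -Roots 'C:\Users', 'C:\Program Files'
#>
[CmdletBinding()]
param([string[]]$Roots = @("$env:USERPROFILE\Documents", $env:ProgramFiles))

# Exact hashes from the report. Each copy has its own hash, so these only catch these very files.
$knownSha256 = @{
    '146c72ff0fff7af77b6ae5f865500138bc513095b9279bc79607403772f6aafd' = 'submitted sample'
    '616c2cea467cdad8a4b89e6e7b0ccef78c87abf3887a9b323dbe2c2ff639e54d' = 'ncildwcmpp.exe'
    '652dd43dd1ca09eaa3ae149f81fdc8b9d50da28a82f96ed182bc8ece0821c759' = 'iqethasbmrtapqp.exe'
    '0f8b7626f7bf640224920417b4a102116de3505361217287767a85edcb0f88a7' = 'dtykovlz.exe'
    'c59c62389a33f6d8ec003aeda2e8fcf858138c0798a93b8f0929302a4046c7a5' = 'ulugvwdfgqsff.exe'
    'b990c0fa07e8622cf58045be559e5c3874853d7f135259afc295b1733198a28a' = 'PROTTPLN.DOC.exe'
    'f57a5f29ee74f6aa05283bce42b3208cca6c41fafa03f995e38fc275b8698940' = 'PROTTPLV.DOC.exe'
    'f25526ce87046a57e8a499864429ed3ebad3f6fe8ab25d995d93166d6df6fd45' = 'CopyRead.doc.exe'
    'b2956937ecd295945cb3a0c40ea392aa8fddb5b101ddb2b9c7e69d58b26e9187' = 'MsoIrmProtector.doc.exe'
    '4ecd7f03e7c652a522126bc9176c6c68dd6160803294219bdda6bf83770c3d91' = 'MsoIrmProtector.doc.exe'
}

# Fixed drop locations from the "Drops file in ..." signatures.
$office = "$env:ProgramFiles\Microsoft Office\root\Office16\1033"
$dropPaths = @(
    "$env:SystemRoot\SysWOW64\ncildwcmpp.exe", "$env:SystemRoot\SysWOW64\iqethasbmrtapqp.exe",
    "$env:SystemRoot\SysWOW64\dtykovlz.exe",   "$env:SystemRoot\SysWOW64\ulugvwdfgqsff.exe",
    "$env:SystemRoot\SysWOW64\MSDRM\MsoIrmProtector.doc.exe",
    "$env:SystemRoot\mydoc.rtf",                      # decoy document handed to WINWORD.EXE
    "$office\PROTTPLN.DOC.exe", "$office\PROTTPLV.DOC.exe",
    "$office\PROTTPLN.nal",     "$office\PROTTPLV.nal"  # also touched by dtykovlz.exe
)

$hits = New-Object System.Collections.Generic.List[object]
function Add-Hit([string]$Path, [string]$Reason) {
    $hits.Add([pscustomobject]@{ Path = $Path; Reason = $Reason })
}

# 1. Known paths, plus the MsoIrmProtector.doc.exe copies written into WinSxS component directories.
foreach ($p in $dropPaths) {
    if (Test-Path -LiteralPath $p) { Add-Hit $p 'known drop path' }
}
Get-ChildItem -LiteralPath "$env:SystemRoot\WinSxS" -Recurse -File -Filter 'MsoIrmProtector.doc.exe' -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Hit $_.FullName 'known drop path (WinSxS)' }

# 2. Sweep the given roots: document names with .exe appended, and exact hash matches on small files.
foreach ($root in $Roots) {
    Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
        if ($_.Name -match '\.doc\.exe$') { Add-Hit $_.FullName 'document name with .exe appended' }
        if ($_.Length -gt 0 -and $_.Length -le 1MB) {
            $fh = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
            if ($fh -and $knownSha256.ContainsKey($fh.Hash.ToLower())) {
                Add-Hit $_.FullName "SHA256 match: $($knownSha256[$fh.Hash.ToLower()])"
            }
        }
    }
}

if ($hits.Count) { $hits | Format-Table -AutoSize -Wrap } else { Write-Host 'No file indicators from this report found.' }
```

The name check is the part worth keeping in a fleet-wide hunt: a legitimate file ending in ".doc.exe" is practically unheard of, and with HideFileExt re-asserted by the sample the victim sees only "PROTTPLN.DOC" or "CopyRead.doc". Widening the pattern to other document extensions is an easy change, but the report only shows .doc, so the script stays with what was observed.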