8b3b2054d960cd704fe424d65b49b2c0de130ce231ae370672f79f94ef5f2329

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 10:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe
Size

512KB
MD5

6aab9bd82370095b5e1178ecd611e0ae
SHA1

b33a97878cc406b595a3a74c4508027d30dfc8e4
SHA256

8b3b2054d960cd704fe424d65b49b2c0de130ce231ae370672f79f94ef5f2329
SHA512

fe855e33ccf53688866e77132e50dfeefeec15595005aa7fed49109871b8f82aeef026c47923741fb35e705884e329346128cee5349443b60c3cad9ecac0fc25
SSDEEP

6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6q:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5/

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

jwvejgbxix.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	jwvejgbxix.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

jwvejgbxix.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	jwvejgbxix.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

jwvejgbxix.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	jwvejgbxix.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	jwvejgbxix.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	jwvejgbxix.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	jwvejgbxix.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	jwvejgbxix.exe

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

jwvejgbxix.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	jwvejgbxix.exe

Executes dropped EXE 5 IoCs

Processes:

jwvejgbxix.execbisbksfrgljmqt.exewovtnmqa.execrzkgthgfjdaw.exewovtnmqa.exe

pid process

2612 jwvejgbxix.exe
2992 cbisbksfrgljmqt.exe
2636 wovtnmqa.exe
2624 crzkgthgfjdaw.exe
2752 wovtnmqa.exe

pid	process
2612	jwvejgbxix.exe
2992	cbisbksfrgljmqt.exe
2636	wovtnmqa.exe
2624	crzkgthgfjdaw.exe
2752	wovtnmqa.exe

Loads dropped DLL 5 IoCs

Processes:

6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exejwvejgbxix.exe

pid	process
1632	6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe
1632	6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe
1632	6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe
1632	6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe
2612	jwvejgbxix.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

jwvejgbxix.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	jwvejgbxix.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	jwvejgbxix.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	jwvejgbxix.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"	jwvejgbxix.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	jwvejgbxix.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	jwvejgbxix.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

cbisbksfrgljmqt.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\bgvrdozw = "jwvejgbxix.exe"	cbisbksfrgljmqt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cetomyhd = "cbisbksfrgljmqt.exe"	cbisbksfrgljmqt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "crzkgthgfjdaw.exe"	cbisbksfrgljmqt.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

wovtnmqa.exewovtnmqa.exejwvejgbxix.exe

description	ioc	process
File opened (read-only)	\??\e:	wovtnmqa.exe
File opened (read-only)	\??\h:	wovtnmqa.exe
File opened (read-only)	\??\s:	wovtnmqa.exe
File opened (read-only)	\??\t:	wovtnmqa.exe
File opened (read-only)	\??\w:	wovtnmqa.exe
File opened (read-only)	\??\m:	wovtnmqa.exe
File opened (read-only)	\??\n:	wovtnmqa.exe
File opened (read-only)	\??\y:	wovtnmqa.exe
File opened (read-only)	\??\y:	wovtnmqa.exe
File opened (read-only)	\??\z:	wovtnmqa.exe
File opened (read-only)	\??\k:	jwvejgbxix.exe
File opened (read-only)	\??\m:	jwvejgbxix.exe
File opened (read-only)	\??\o:	wovtnmqa.exe
File opened (read-only)	\??\x:	wovtnmqa.exe
File opened (read-only)	\??\i:	wovtnmqa.exe
File opened (read-only)	\??\a:	wovtnmqa.exe
File opened (read-only)	\??\a:	wovtnmqa.exe
File opened (read-only)	\??\h:	wovtnmqa.exe
File opened (read-only)	\??\v:	wovtnmqa.exe
File opened (read-only)	\??\r:	wovtnmqa.exe
File opened (read-only)	\??\a:	jwvejgbxix.exe
File opened (read-only)	\??\o:	jwvejgbxix.exe
File opened (read-only)	\??\q:	jwvejgbxix.exe
File opened (read-only)	\??\z:	jwvejgbxix.exe
File opened (read-only)	\??\m:	wovtnmqa.exe
File opened (read-only)	\??\i:	jwvejgbxix.exe
File opened (read-only)	\??\k:	wovtnmqa.exe
File opened (read-only)	\??\p:	wovtnmqa.exe
File opened (read-only)	\??\u:	wovtnmqa.exe
File opened (read-only)	\??\g:	wovtnmqa.exe
File opened (read-only)	\??\e:	jwvejgbxix.exe
File opened (read-only)	\??\b:	wovtnmqa.exe
File opened (read-only)	\??\j:	wovtnmqa.exe
File opened (read-only)	\??\t:	wovtnmqa.exe
File opened (read-only)	\??\p:	jwvejgbxix.exe
File opened (read-only)	\??\w:	jwvejgbxix.exe
File opened (read-only)	\??\g:	wovtnmqa.exe
File opened (read-only)	\??\z:	wovtnmqa.exe
File opened (read-only)	\??\k:	wovtnmqa.exe
File opened (read-only)	\??\o:	wovtnmqa.exe
File opened (read-only)	\??\j:	jwvejgbxix.exe
File opened (read-only)	\??\s:	jwvejgbxix.exe
File opened (read-only)	\??\v:	jwvejgbxix.exe
File opened (read-only)	\??\q:	wovtnmqa.exe
File opened (read-only)	\??\b:	jwvejgbxix.exe
File opened (read-only)	\??\u:	jwvejgbxix.exe
File opened (read-only)	\??\l:	wovtnmqa.exe
File opened (read-only)	\??\x:	wovtnmqa.exe
File opened (read-only)	\??\p:	wovtnmqa.exe
File opened (read-only)	\??\v:	wovtnmqa.exe
File opened (read-only)	\??\n:	jwvejgbxix.exe
File opened (read-only)	\??\r:	jwvejgbxix.exe
File opened (read-only)	\??\t:	jwvejgbxix.exe
File opened (read-only)	\??\l:	wovtnmqa.exe
File opened (read-only)	\??\l:	jwvejgbxix.exe
File opened (read-only)	\??\w:	wovtnmqa.exe
File opened (read-only)	\??\b:	wovtnmqa.exe
File opened (read-only)	\??\q:	wovtnmqa.exe
File opened (read-only)	\??\g:	jwvejgbxix.exe
File opened (read-only)	\??\x:	jwvejgbxix.exe
File opened (read-only)	\??\y:	jwvejgbxix.exe
File opened (read-only)	\??\r:	wovtnmqa.exe
File opened (read-only)	\??\n:	wovtnmqa.exe
File opened (read-only)	\??\u:	wovtnmqa.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

jwvejgbxix.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"	jwvejgbxix.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	jwvejgbxix.exe

AutoIT Executable 7 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/1632-0-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe
C:\Windows\SysWOW64\cbisbksfrgljmqt.exe	autoit_exe
\Windows\SysWOW64\jwvejgbxix.exe	autoit_exe
\Windows\SysWOW64\wovtnmqa.exe	autoit_exe
C:\Windows\SysWOW64\crzkgthgfjdaw.exe	autoit_exe
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	autoit_exe
C:\Users\Admin\Documents\WaitHide.doc.exe	autoit_exe

Drops file in System32 directory 9 IoCs

Processes:

6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exejwvejgbxix.exe

description	ioc	process
File created	C:\Windows\SysWOW64\jwvejgbxix.exe	6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\cbisbksfrgljmqt.exe	6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wovtnmqa.exe	6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\crzkgthgfjdaw.exe	6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\crzkgthgfjdaw.exe	6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\jwvejgbxix.exe	6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\cbisbksfrgljmqt.exe	6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wovtnmqa.exe	6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	jwvejgbxix.exe

Drops file in Program Files directory 14 IoCs

Processes:

wovtnmqa.exewovtnmqa.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	wovtnmqa.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	wovtnmqa.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	wovtnmqa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	wovtnmqa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	wovtnmqa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	wovtnmqa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	wovtnmqa.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	wovtnmqa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	wovtnmqa.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	wovtnmqa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	wovtnmqa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	wovtnmqa.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	wovtnmqa.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	wovtnmqa.exe

Drops file in Windows directory 5 IoCs

Processes:

WINWORD.EXE6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE
File opened for modification	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\mydoc.rtf	6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe
File opened for modification	C:\Windows\mydoc.rtf	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXEjwvejgbxix.exe6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"	jwvejgbxix.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"	jwvejgbxix.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg	jwvejgbxix.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F36BB2FF1D22DAD20FD0A18B089014"	6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB5B15A4493389F53BFBAA633EDD7BC"	6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACDFACDF964F2E3830B3B4A81983997B38D028843640333E1BA459A09D5"	6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"	jwvejgbxix.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E8BFCFC4F2A851A9146D6587D9DBD95E13459366743633FD6EA"	6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\CLV.Classes	6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsc	jwvejgbxix.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsf	jwvejgbxix.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

2672 WINWORD.EXE

pid	process
2672	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exejwvejgbxix.execbisbksfrgljmqt.execrzkgthgfjdaw.exewovtnmqa.exewovtnmqa.exe

pid	process
1632	6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe
1632	6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe
1632	6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe
1632	6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe
1632	6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe
1632	6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe
1632	6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe
1632	6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe
2612	jwvejgbxix.exe
2612	jwvejgbxix.exe
2612	jwvejgbxix.exe
2612	jwvejgbxix.exe
2612	jwvejgbxix.exe
2992	cbisbksfrgljmqt.exe
2992	cbisbksfrgljmqt.exe
2992	cbisbksfrgljmqt.exe
2992	cbisbksfrgljmqt.exe
2992	cbisbksfrgljmqt.exe
2624	crzkgthgfjdaw.exe
2624	crzkgthgfjdaw.exe
2624	crzkgthgfjdaw.exe
2624	crzkgthgfjdaw.exe
2624	crzkgthgfjdaw.exe
2624	crzkgthgfjdaw.exe
2636	wovtnmqa.exe
2636	wovtnmqa.exe
2636	wovtnmqa.exe
2636	wovtnmqa.exe
2752	wovtnmqa.exe
2752	wovtnmqa.exe
2752	wovtnmqa.exe
2752	wovtnmqa.exe
2992	cbisbksfrgljmqt.exe
2992	cbisbksfrgljmqt.exe
2624	crzkgthgfjdaw.exe
2624	crzkgthgfjdaw.exe
2992	cbisbksfrgljmqt.exe
2624	crzkgthgfjdaw.exe
2624	crzkgthgfjdaw.exe
2992	cbisbksfrgljmqt.exe
2624	crzkgthgfjdaw.exe
2624	crzkgthgfjdaw.exe
2992	cbisbksfrgljmqt.exe
2624	crzkgthgfjdaw.exe
2624	crzkgthgfjdaw.exe
2992	cbisbksfrgljmqt.exe
2624	crzkgthgfjdaw.exe
2624	crzkgthgfjdaw.exe
2992	cbisbksfrgljmqt.exe
2624	crzkgthgfjdaw.exe
2624	crzkgthgfjdaw.exe
2992	cbisbksfrgljmqt.exe
2624	crzkgthgfjdaw.exe
2624	crzkgthgfjdaw.exe
2992	cbisbksfrgljmqt.exe
2624	crzkgthgfjdaw.exe
2624	crzkgthgfjdaw.exe
2992	cbisbksfrgljmqt.exe
2624	crzkgthgfjdaw.exe
2624	crzkgthgfjdaw.exe
2992	cbisbksfrgljmqt.exe
2624	crzkgthgfjdaw.exe
2624	crzkgthgfjdaw.exe
2992	cbisbksfrgljmqt.exe

Suspicious use of FindShellTrayWindow 18 IoCs

Processes:

6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exejwvejgbxix.execbisbksfrgljmqt.execrzkgthgfjdaw.exewovtnmqa.exewovtnmqa.exe

pid	process
1632	6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe
1632	6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe
1632	6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe
2612	jwvejgbxix.exe
2612	jwvejgbxix.exe
2612	jwvejgbxix.exe
2992	cbisbksfrgljmqt.exe
2992	cbisbksfrgljmqt.exe
2992	cbisbksfrgljmqt.exe
2624	crzkgthgfjdaw.exe
2624	crzkgthgfjdaw.exe
2624	crzkgthgfjdaw.exe
2636	wovtnmqa.exe
2636	wovtnmqa.exe
2636	wovtnmqa.exe
2752	wovtnmqa.exe
2752	wovtnmqa.exe
2752	wovtnmqa.exe

Suspicious use of SendNotifyMessage 18 IoCs

Processes:

6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exejwvejgbxix.execbisbksfrgljmqt.execrzkgthgfjdaw.exewovtnmqa.exewovtnmqa.exe

pid	process
1632	6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe
1632	6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe
1632	6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe
2612	jwvejgbxix.exe
2612	jwvejgbxix.exe
2612	jwvejgbxix.exe
2992	cbisbksfrgljmqt.exe
2992	cbisbksfrgljmqt.exe
2992	cbisbksfrgljmqt.exe
2624	crzkgthgfjdaw.exe
2624	crzkgthgfjdaw.exe
2624	crzkgthgfjdaw.exe
2636	wovtnmqa.exe
2636	wovtnmqa.exe
2636	wovtnmqa.exe
2752	wovtnmqa.exe
2752	wovtnmqa.exe
2752	wovtnmqa.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

2672 WINWORD.EXE
2672 WINWORD.EXE

pid	process
2672	WINWORD.EXE
2672	WINWORD.EXE

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exejwvejgbxix.exeWINWORD.EXE

description	pid	process	target process
PID 1632 wrote to memory of 2612	1632	6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe	jwvejgbxix.exe
PID 1632 wrote to memory of 2612	1632	6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe	jwvejgbxix.exe
PID 1632 wrote to memory of 2612	1632	6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe	jwvejgbxix.exe
PID 1632 wrote to memory of 2612	1632	6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe	jwvejgbxix.exe
PID 1632 wrote to memory of 2992	1632	6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe	cbisbksfrgljmqt.exe
PID 1632 wrote to memory of 2992	1632	6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe	cbisbksfrgljmqt.exe
PID 1632 wrote to memory of 2992	1632	6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe	cbisbksfrgljmqt.exe
PID 1632 wrote to memory of 2992	1632	6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe	cbisbksfrgljmqt.exe
PID 1632 wrote to memory of 2636	1632	6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe	wovtnmqa.exe
PID 1632 wrote to memory of 2636	1632	6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe	wovtnmqa.exe
PID 1632 wrote to memory of 2636	1632	6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe	wovtnmqa.exe
PID 1632 wrote to memory of 2636	1632	6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe	wovtnmqa.exe
PID 1632 wrote to memory of 2624	1632	6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe	crzkgthgfjdaw.exe
PID 1632 wrote to memory of 2624	1632	6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe	crzkgthgfjdaw.exe
PID 1632 wrote to memory of 2624	1632	6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe	crzkgthgfjdaw.exe
PID 1632 wrote to memory of 2624	1632	6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe	crzkgthgfjdaw.exe
PID 2612 wrote to memory of 2752	2612	jwvejgbxix.exe	wovtnmqa.exe
PID 2612 wrote to memory of 2752	2612	jwvejgbxix.exe	wovtnmqa.exe
PID 2612 wrote to memory of 2752	2612	jwvejgbxix.exe	wovtnmqa.exe
PID 2612 wrote to memory of 2752	2612	jwvejgbxix.exe	wovtnmqa.exe
PID 1632 wrote to memory of 2672	1632	6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe	WINWORD.EXE
PID 1632 wrote to memory of 2672	1632	6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe	WINWORD.EXE
PID 1632 wrote to memory of 2672	1632	6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe	WINWORD.EXE
PID 1632 wrote to memory of 2672	1632	6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe	WINWORD.EXE
PID 2672 wrote to memory of 1960	2672	WINWORD.EXE	splwow64.exe
PID 2672 wrote to memory of 1960	2672	WINWORD.EXE	splwow64.exe
PID 2672 wrote to memory of 1960	2672	WINWORD.EXE	splwow64.exe
PID 2672 wrote to memory of 1960	2672	WINWORD.EXE	splwow64.exe

C:\Users\Admin\AppData\Local\Temp\6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6aab9bd82370095b5e1178ecd611e0ae_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1632

C:\Windows\SysWOW64\jwvejgbxix.exe
jwvejgbxix.exe
2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2612

C:\Windows\SysWOW64\wovtnmqa.exe
C:\Windows\system32\wovtnmqa.exe
3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2752

C:\Windows\SysWOW64\cbisbksfrgljmqt.exe
cbisbksfrgljmqt.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2992

C:\Windows\SysWOW64\wovtnmqa.exe
wovtnmqa.exe
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2636

C:\Windows\SysWOW64\crzkgthgfjdaw.exe
crzkgthgfjdaw.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2624

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2672

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
3⤵
PID:1960

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
Filesize
512KB

MD5
3eeb46c781ba790cae668d2ebf93cecd

SHA1
ce4981b2961a557eeb2c42772816b90aa7b36ff8

SHA256
adb4f4fe34fbc37e7e595313017124c6435646c40a4546ccaecb5a75fdd223ca

SHA512
eb41796048b361d8ba580bddbe87811683426808f5ebf5ef4cd2e5c6c4055c9b3c8fbe302101591e5c3585ce5ca597c85622d68e94283fad16c63419cdef6646

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize
20KB

MD5
480260807f8bbbdbc9766b21d4ec7a62

SHA1
a5b6dc40807ad87a2aaf78fee80bc3a2a00378cc

SHA256
4ba8847b74d219bfa9598a1d2ce59225b82493332d14369631f06038a4ff7c50

SHA512
d10447bbb133fae7e53e526e86d58409894226e2c35debdec0d555b02e8ef532b43c2cbc663e48a00020753a0beec0928682f8c0775ce7e9f8ca32516dab77f9

Download Submit
C:\Users\Admin\Documents\WaitHide.doc.exe
Filesize
512KB

MD5
b7f44f029fd4da4f447543443d243e97

SHA1
3c72e9a81cc7dbd90499a963a843de63f1f750f1

SHA256
242020da19906d26aecd2b019e4c3478f50a26084ed0332088bb1c5d14989e84

SHA512
b1d4cdf130d870ffff17222bba19daf4333f12603712629ddebc59e0153aea086336ea0d072b07cec7d914a94faeecef30bd5df7aa37f0a68ffe6c046196e31f

Download Submit
C:\Windows\SysWOW64\cbisbksfrgljmqt.exe
Filesize
512KB

MD5
f9f7a93c1ba10247e8e3e16c0d942d28

SHA1
a87bccaaf811163f87ac1bcd45d81b7ccade4245

SHA256
9d11874ab5563f90ef84ccdc7d9247b9ca5df73b7db4a4ab6eddca23e31a641d

SHA512
2a8098f4956a0c93a0922255030ab1f82e68035efc1c1297c59264663d622e13cf4d6f9b290e5c5a24e7110d60483e2e7021d52c28ed3cbb79502fbf3bddff29

Download Submit
C:\Windows\SysWOW64\crzkgthgfjdaw.exe
Filesize
512KB

MD5
c6af15024f3a6e030539885b2815da06

SHA1
e7d7696737dc25477d5d91d73d14cc817ac4e7dc

SHA256
2f1a0a6969b11e144e0b25b8b6a1ada3d241fd9c182252db17c167567cb78f5b

SHA512
2aa7da97bc5ce8401cf0ded48a28797235b1080ab5da63e7df3333266e269834fa5a5ee987d4f7df1625585e9e9aa612c48624412368c1ada9742728be3b18ad

Download Submit
C:\Windows\mydoc.rtf
Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\Windows\SysWOW64\jwvejgbxix.exe
Filesize
512KB

MD5
c5f7eda1c1ea1985759070929c4713b4

SHA1
7f96237b8f06dadc4c286110bd4affb41541c54b

SHA256
9c230a2c813b7ef623d3dc31674a1f75cd73593630c3429cfcb76e82fdb451ad

SHA512
12beb3926be718feb6f3a965562854d3fbd76367c1cc76bb2637cc16d575195096bf3ef07d2d4d6776f3f845915622271ac0087f6a00f95ececedc442df5992f

Download Submit
\Windows\SysWOW64\wovtnmqa.exe
Filesize
512KB

MD5
13de2b1966933dff8f1094f603f61b64

SHA1
f20c22c133f56929b304e164ed217d1870888957

SHA256
a67239831d99bfb00f3df1ac5b4d920fe552e01ca6b18aaa9c176fe37b2427a4

SHA512
8b483a626a07b2526068ca220d5d40c6100f7ac5fb3f76bdfce9f21b6ce205fd9539b149dc2f7f52a1415133b9e1a8d8b11bdfa3bb67fd7bf01f71df54eafdde

Download Submit
memory/1632-0-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2672-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2672-99-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads