Analysis

max time kernel: 150s
max time network: 132s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
submitted: 24-05-2024 21:29
Static task: static1

Behavioral task: behavioral1
Sample: 6fd9a7f9ea4230b01d37da830d9fc2d0_JaffaCakes118.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 6fd9a7f9ea4230b01d37da830d9fc2d0_JaffaCakes118.exe
Resource: win10v2004-20240508-en
General

Target: 6fd9a7f9ea4230b01d37da830d9fc2d0_JaffaCakes118.exe
Size: 512KB
MD5: 6fd9a7f9ea4230b01d37da830d9fc2d0
SHA1: 7cb56b8b19c98b78857b9ff7a3ec91cf4d358970
SHA256: f18826b5d3d6f6f9fdde8c8a9639a47228ec8a276a1601bccf8aafe300b50948
SHA512: 47d16ac61e43e42790dbb3f26d8b2cb669233f76e8fab1f3c0647163d9adfdbdffce9b06148f37530ec5fac40bd160e2c21933488f23f2372a3dc1708304a675
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6g:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm53
Malware Config
Signatures

Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoCs)
Processes: rejymzcpew.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | rejymzcpew.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoCs)
Processes: rejymzcpew.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | rejymzcpew.exe
Windows security bypass (5 IoCs)
Processes: rejymzcpew.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | rejymzcpew.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | rejymzcpew.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | rejymzcpew.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | rejymzcpew.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | rejymzcpew.exe
Disables RegEdit via registry modification (1 IoCs)
Processes: rejymzcpew.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | rejymzcpew.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely a geofence.
Processes: 6fd9a7f9ea4230b01d37da830d9fc2d0_JaffaCakes118.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | 6fd9a7f9ea4230b01d37da830d9fc2d0_JaffaCakes118.exe
Executes dropped EXE (5 IoCs)
Processes: rejymzcpew.exe, mtbsqdazxszlplg.exe, zntesjtg.exe, jqhksfrdmxvnh.exe, zntesjtg.exe
pid | process
4656 | rejymzcpew.exe
924 | mtbsqdazxszlplg.exe
3932 | zntesjtg.exe
856 | jqhksfrdmxvnh.exe
3928 | zntesjtg.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.

Windows security modification (6 IoCs)
Processes: rejymzcpew.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | rejymzcpew.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | rejymzcpew.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | rejymzcpew.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | rejymzcpew.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | rejymzcpew.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | rejymzcpew.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
Processes: mtbsqdazxszlplg.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yztzrros = "mtbsqdazxszlplg.exe" | mtbsqdazxszlplg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "jqhksfrdmxvnh.exe" | mtbsqdazxszlplg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vyrvufaj = "rejymzcpew.exe" | mtbsqdazxszlplg.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: rejymzcpew.exe, zntesjtg.exe, zntesjtg.exe
description | ioc | process
File opened (read-only) | \??\l: | rejymzcpew.exe
File opened (read-only) | \??\j: | zntesjtg.exe
File opened (read-only) | \??\t: | rejymzcpew.exe
File opened (read-only) | \??\n: | zntesjtg.exe
File opened (read-only) | \??\t: | zntesjtg.exe
File opened (read-only) | \??\v: | zntesjtg.exe
File opened (read-only) | \??\a: | zntesjtg.exe
File opened (read-only) | \??\w: | zntesjtg.exe
File opened (read-only) | \??\y: | zntesjtg.exe
File opened (read-only) | \??\m: | zntesjtg.exe
File opened (read-only) | \??\u: | rejymzcpew.exe
File opened (read-only) | \??\k: | zntesjtg.exe
File opened (read-only) | \??\e: | zntesjtg.exe
File opened (read-only) | \??\q: | zntesjtg.exe
File opened (read-only) | \??\r: | zntesjtg.exe
File opened (read-only) | \??\a: | rejymzcpew.exe
File opened (read-only) | \??\y: | rejymzcpew.exe
File opened (read-only) | \??\g: | zntesjtg.exe
File opened (read-only) | \??\j: | zntesjtg.exe
File opened (read-only) | \??\x: | zntesjtg.exe
File opened (read-only) | \??\o: | zntesjtg.exe
File opened (read-only) | \??\v: | zntesjtg.exe
File opened (read-only) | \??\h: | rejymzcpew.exe
File opened (read-only) | \??\z: | zntesjtg.exe
File opened (read-only) | \??\b: | zntesjtg.exe
File opened (read-only) | \??\n: | zntesjtg.exe
File opened (read-only) | \??\e: | rejymzcpew.exe
File opened (read-only) | \??\v: | rejymzcpew.exe
File opened (read-only) | \??\i: | zntesjtg.exe
File opened (read-only) | \??\s: | zntesjtg.exe
File opened (read-only) | \??\u: | zntesjtg.exe
File opened (read-only) | \??\w: | zntesjtg.exe
File opened (read-only) | \??\b: | rejymzcpew.exe
File opened (read-only) | \??\q: | rejymzcpew.exe
File opened (read-only) | \??\b: | zntesjtg.exe
File opened (read-only) | \??\h: | zntesjtg.exe
File opened (read-only) | \??\k: | zntesjtg.exe
File opened (read-only) | \??\s: | rejymzcpew.exe
File opened (read-only) | \??\w: | rejymzcpew.exe
File opened (read-only) | \??\l: | zntesjtg.exe
File opened (read-only) | \??\a: | zntesjtg.exe
File opened (read-only) | \??\o: | zntesjtg.exe
File opened (read-only) | \??\s: | zntesjtg.exe
File opened (read-only) | \??\u: | zntesjtg.exe
File opened (read-only) | \??\l: | zntesjtg.exe
File opened (read-only) | \??\p: | zntesjtg.exe
File opened (read-only) | \??\x: | zntesjtg.exe
File opened (read-only) | \??\z: | zntesjtg.exe
File opened (read-only) | \??\p: | rejymzcpew.exe
File opened (read-only) | \??\x: | rejymzcpew.exe
File opened (read-only) | \??\e: | zntesjtg.exe
File opened (read-only) | \??\h: | zntesjtg.exe
File opened (read-only) | \??\i: | rejymzcpew.exe
File opened (read-only) | \??\o: | rejymzcpew.exe
File opened (read-only) | \??\z: | rejymzcpew.exe
File opened (read-only) | \??\q: | zntesjtg.exe
File opened (read-only) | \??\t: | zntesjtg.exe
File opened (read-only) | \??\k: | rejymzcpew.exe
File opened (read-only) | \??\r: | zntesjtg.exe
File opened (read-only) | \??\g: | zntesjtg.exe
File opened (read-only) | \??\i: | zntesjtg.exe
File opened (read-only) | \??\y: | zntesjtg.exe
File opened (read-only) | \??\m: | zntesjtg.exe
File opened (read-only) | \??\p: | zntesjtg.exe
Modifies WinLogon (2 TTPs, 2 IoCs)
Processes: rejymzcpew.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | rejymzcpew.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | rejymzcpew.exe
AutoIT Executable (10 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/3012-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
C:\Windows\SysWOW64\mtbsqdazxszlplg.exe | autoit_exe
C:\Windows\SysWOW64\rejymzcpew.exe | autoit_exe
C:\Windows\SysWOW64\jqhksfrdmxvnh.exe | autoit_exe
C:\Windows\SysWOW64\zntesjtg.exe | autoit_exe
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | autoit_exe
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | autoit_exe
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | autoit_exe
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | autoit_exe
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | autoit_exe
Drops file in System32 directory (12 IoCs)
Processes: zntesjtg.exe, 6fd9a7f9ea4230b01d37da830d9fc2d0_JaffaCakes118.exe, rejymzcpew.exe, zntesjtg.exe
description | ioc | process
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | zntesjtg.exe
File created | C:\Windows\SysWOW64\rejymzcpew.exe | 6fd9a7f9ea4230b01d37da830d9fc2d0_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\mtbsqdazxszlplg.exe | 6fd9a7f9ea4230b01d37da830d9fc2d0_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\zntesjtg.exe | 6fd9a7f9ea4230b01d37da830d9fc2d0_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\jqhksfrdmxvnh.exe | 6fd9a7f9ea4230b01d37da830d9fc2d0_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\jqhksfrdmxvnh.exe | 6fd9a7f9ea4230b01d37da830d9fc2d0_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | rejymzcpew.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | zntesjtg.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | zntesjtg.exe
File opened for modification | C:\Windows\SysWOW64\rejymzcpew.exe | 6fd9a7f9ea4230b01d37da830d9fc2d0_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\mtbsqdazxszlplg.exe | 6fd9a7f9ea4230b01d37da830d9fc2d0_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\zntesjtg.exe | 6fd9a7f9ea4230b01d37da830d9fc2d0_JaffaCakes118.exe
Drops file in Program Files directory (14 IoCs)
Processes: zntesjtg.exe, zntesjtg.exe
description | ioc | process
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | zntesjtg.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | zntesjtg.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | zntesjtg.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | zntesjtg.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | zntesjtg.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | zntesjtg.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | zntesjtg.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | zntesjtg.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | zntesjtg.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | zntesjtg.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | zntesjtg.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | zntesjtg.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | zntesjtg.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | zntesjtg.exe
Drops file in Windows directory (19 IoCs)
Processes: zntesjtg.exe, zntesjtg.exe, WINWORD.EXE, 6fd9a7f9ea4230b01d37da830d9fc2d0_JaffaCakes118.exe
description | ioc | process
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | zntesjtg.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | zntesjtg.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | zntesjtg.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | zntesjtg.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | zntesjtg.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | zntesjtg.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | zntesjtg.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | zntesjtg.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | zntesjtg.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | zntesjtg.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | zntesjtg.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | zntesjtg.exe
File opened for modification | C:\Windows\mydoc.rtf | 6fd9a7f9ea4230b01d37da830d9fc2d0_JaffaCakes118.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | zntesjtg.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | zntesjtg.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | zntesjtg.exe
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | zntesjtg.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: WINWORD.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class (20 IoCs)
Processes: 6fd9a7f9ea4230b01d37da830d9fc2d0_JaffaCakes118.exe, rejymzcpew.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32412C7D9C2382566A3177A170252DDE7DF465DE" | 6fd9a7f9ea4230b01d37da830d9fc2d0_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | rejymzcpew.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | rejymzcpew.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | rejymzcpew.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F768C3FF6622DED10CD0A88A789160" | 6fd9a7f9ea4230b01d37da830d9fc2d0_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1949C77B14E6DBB1B9BD7FE6ED9137CA" | 6fd9a7f9ea4230b01d37da830d9fc2d0_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | rejymzcpew.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | rejymzcpew.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | rejymzcpew.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | rejymzcpew.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 6fd9a7f9ea4230b01d37da830d9fc2d0_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AB8F9B0F916F2E3840E3B45869A3EE2B3FE038C4262034CE2CE42EC08D4" | 6fd9a7f9ea4230b01d37da830d9fc2d0_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EC1B15D4495399852CDBAA733EAD7BE" | 6fd9a7f9ea4230b01d37da830d9fc2d0_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFBFCF94828851A9042D7217E97BD90E144583066416330D79C" | 6fd9a7f9ea4230b01d37da830d9fc2d0_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | rejymzcpew.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | rejymzcpew.exe
Key created | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings | 6fd9a7f9ea4230b01d37da830d9fc2d0_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | rejymzcpew.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | rejymzcpew.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | rejymzcpew.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes: WINWORD.EXE
pid | process
5060 | WINWORD.EXE (2 entries)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: 6fd9a7f9ea4230b01d37da830d9fc2d0_JaffaCakes118.exe, rejymzcpew.exe, mtbsqdazxszlplg.exe, zntesjtg.exe, jqhksfrdmxvnh.exe, zntesjtg.exe
pid | process (consecutive repeated entries collapsed with their count)
3012 | 6fd9a7f9ea4230b01d37da830d9fc2d0_JaffaCakes118.exe (16 entries)
4656 | rejymzcpew.exe (10 entries)
924 | mtbsqdazxszlplg.exe (10 entries)
3932 | zntesjtg.exe (8 entries)
856 | jqhksfrdmxvnh.exe (12 entries)
924 | mtbsqdazxszlplg.exe (2 entries)
3928 | zntesjtg.exe (6 entries)
Suspicious use of FindShellTrayWindow (18 IoCs)
Processes: 6fd9a7f9ea4230b01d37da830d9fc2d0_JaffaCakes118.exe, rejymzcpew.exe, mtbsqdazxszlplg.exe, zntesjtg.exe, jqhksfrdmxvnh.exe, zntesjtg.exe
pid | process (consecutive repeated entries collapsed with their count)
3012 | 6fd9a7f9ea4230b01d37da830d9fc2d0_JaffaCakes118.exe (3 entries)
4656 | rejymzcpew.exe (3 entries)
924 | mtbsqdazxszlplg.exe (3 entries)
3932 | zntesjtg.exe (3 entries)
856 | jqhksfrdmxvnh.exe (3 entries)
3928 | zntesjtg.exe (3 entries)
Suspicious use of SendNotifyMessage (18 IoCs)
Processes: 6fd9a7f9ea4230b01d37da830d9fc2d0_JaffaCakes118.exe, rejymzcpew.exe, mtbsqdazxszlplg.exe, zntesjtg.exe, jqhksfrdmxvnh.exe, zntesjtg.exe
pid | process (consecutive repeated entries collapsed with their count)
3012 | 6fd9a7f9ea4230b01d37da830d9fc2d0_JaffaCakes118.exe (3 entries)
4656 | rejymzcpew.exe (3 entries)
924 | mtbsqdazxszlplg.exe (3 entries)
3932 | zntesjtg.exe (3 entries)
856 | jqhksfrdmxvnh.exe (3 entries)
3928 | zntesjtg.exe (3 entries)
Suspicious use of SetWindowsHookEx (7 IoCs)
Processes: WINWORD.EXE
pid | process
5060 | WINWORD.EXE (7 entries)
Suspicious use of WriteProcessMemory (17 IoCs)
Processes: 6fd9a7f9ea4230b01d37da830d9fc2d0_JaffaCakes118.exe, rejymzcpew.exe
description | pid | process | target process (consecutive repeated entries collapsed with their count)
PID 3012 wrote to memory of 4656 | 3012 | 6fd9a7f9ea4230b01d37da830d9fc2d0_JaffaCakes118.exe | rejymzcpew.exe (3 entries)
PID 3012 wrote to memory of 924 | 3012 | 6fd9a7f9ea4230b01d37da830d9fc2d0_JaffaCakes118.exe | mtbsqdazxszlplg.exe (3 entries)
PID 3012 wrote to memory of 3932 | 3012 | 6fd9a7f9ea4230b01d37da830d9fc2d0_JaffaCakes118.exe | zntesjtg.exe (3 entries)
PID 3012 wrote to memory of 856 | 3012 | 6fd9a7f9ea4230b01d37da830d9fc2d0_JaffaCakes118.exe | jqhksfrdmxvnh.exe (3 entries)
PID 3012 wrote to memory of 5060 | 3012 | 6fd9a7f9ea4230b01d37da830d9fc2d0_JaffaCakes118.exe | WINWORD.EXE (2 entries)
PID 4656 wrote to memory of 3928 | 4656 | rejymzcpew.exe | zntesjtg.exe (3 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\6fd9a7f9ea4230b01d37da830d9fc2d0_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\6fd9a7f9ea4230b01d37da830d9fc2d0_JaffaCakes118.exe"
PID: 3012
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rejymzcpew.exe
    Command line: rejymzcpew.exe
    PID: 4656
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\zntesjtg.exe
        Command line: C:\Windows\system32\zntesjtg.exe
        PID: 3928
        - Executes dropped EXE
        - Enumerates connected drives
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage

    C:\Windows\SysWOW64\mtbsqdazxszlplg.exe
    Command line: mtbsqdazxszlplg.exe
    PID: 924
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

    C:\Windows\SysWOW64\zntesjtg.exe
    Command line: zntesjtg.exe
    PID: 3932
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

    C:\Windows\SysWOW64\jqhksfrdmxvnh.exe
    Command line: jqhksfrdmxvnh.exe
    PID: 856
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

    C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    PID: 5060
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15

Persistence
    Boot or Logon Autostart Execution (2)
        Registry Run Keys / Startup Folder (1)
        Winlogon Helper DLL (1)
Privilege Escalation
    Boot or Logon Autostart Execution (2)
        Registry Run Keys / Startup Folder (1)
        Winlogon Helper DLL (1)
Defense Evasion
    Hide Artifacts (2)
        Hidden Files and Directories (2)
    Impair Defenses (2)
        Disable or Modify Tools (2)
    Modify Registry (6)
Downloads

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
Filesize: 512KB
MD5: a144c19fcdf605b7ad40ad75abcdbc9c
SHA1: 25babb42311e6ef8a6854d98ceca94d51d7687b0
SHA256: 364e34d56c96015794a106d1b4e2653529ca056c36977f553e47ca91b0f86959
SHA512: f0306d41d0e412770a38132a46b889366523e549c8d897816d285981db88e508751961286d2ca8fcaa0eb71e4160afd6f406e6bbac74a70c0aa7a936f4da1b0e

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
Filesize: 512KB
MD5: 447c0f86468b1b399d786e7cd0f9f9cb
SHA1: b0d71d9a1df612180b16e9cc06a346dd6b29ae0b
SHA256: 707960465de7b6ec9834e374da2612178b8d0cfdfb699645d18bffeee7c1c0ea
SHA512: 2c34bff5dbd3c38c902de36d3a78aa6b2e57666cc44fba8e33e35b88fb0d80c824bb08ad8e3fea297503ffd82167e95ffcf834dab859a858f9f468090b2e7f6d

C:\Users\Admin\AppData\Local\Temp\TCD824A.tmp\gb.xsl
Filesize: 262KB
MD5: 51d32ee5bc7ab811041f799652d26e04
SHA1: 412193006aa3ef19e0a57e16acf86b830993024a
SHA256: 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA512: 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Filesize: 239B
MD5: 12b138a5a40ffb88d1850866bf2959cd
SHA1: 57001ba2de61329118440de3e9f8a81074cb28a2
SHA256: 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA512: 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: 41c9a73104fc9ebb3f1bedb44d037ffd
SHA1: fbda03cc7edb1d06e058afb31a82bbfcd970cd30
SHA256: fe219a3fd70cddf0e7d3d49ebef5f5220c9fa4eec7cdf60af2cf88e87e310116
SHA512: 19f322299fd7566c2ffd39f99de8b691b9c3292dbd1afa725d73820ddb247ef7b75c263b579f70b9f28c53096668a4cbc86f7383827632be4b9ef3d057737c9b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: 06750688ed1af046ab7f577d4c8ffae8
SHA1: f681063c1da80ca296a155d14504087b7b708ab4
SHA256: 6a17d51ff178373299ed933b2b5adf546662077fbfead56d233c44393e49eab3
SHA512: 396c59cc0656eb2128b85a57806a4174a41c8ca50e320562256576157cb61e7c1a7e257e467b47566f01a8756c1725d739e43fb3bc45ae9847d87518bb539d18

C:\Windows\SysWOW64\jqhksfrdmxvnh.exe
Filesize: 512KB
MD5: fb8d006ff546f32cfd02cc9683294110
SHA1: 4a2a180951d4b500785ab3fe11bded4bd0bbdba9
SHA256: 67096ddb3e64839a1c5d0a0297d4b15fac54d667fc1a6241499baf00f9c18a39
SHA512: d188efa46ab636a3f8798d6e3027229d6d2ac07255039bebc2bf816880bf649a412faadf0f3ac9f3daf9e310d681dfff123830b30f60659112a18023872f4fa8

C:\Windows\SysWOW64\mtbsqdazxszlplg.exe
Filesize: 512KB
MD5: 2cc00701cca979076e5901bed8ec7341
SHA1: 69b4a65af4ab9f20b906d53c4528efc08e15e1e5
SHA256: c1df8fec4c424a1babcae22e6aa98b514e8563f801977f9bcc7b849e5d8b17ed
SHA512: defab434ea3c4fd77d95fe56431e68b5651f9a6aa3251d24e5f42c22933a1d1fea089ae591c8ff7db517fca80d43038f3d45693584dc5cd8ec09de65e169581b

C:\Windows\SysWOW64\rejymzcpew.exe
Filesize: 512KB
MD5: 83ca10dd139615a4846a043c16b47a09
SHA1: 05e1b1005a54d34776881655a2de38ae839ae7e2
SHA256: 30e6425917efb312287d2f146850e1e964a0d04c2bbb9524ca9a831ba57c1b7a
SHA512: 020c5d455ca2f7d90b110693c7e163a35104fa0336a1cd90057a6e0f7ce9a0ca3fda59175b6ef19b31fade29ba5114f9c0d18b977fdecc9147785606dac65a01

C:\Windows\SysWOW64\zntesjtg.exe
Filesize: 512KB
MD5: 4c8614dbb126ac17ba44f479c9bc90e6
SHA1: 4c9fe416e4e27950014fe68cca5515568eb6469f
SHA256: 00719e79a25e7995eb99e473992ad00a9da84ac245f179486c5162543061c1e3
SHA512: 85be64c17f64029966d50374a1aaa50d3c8f31422877c8b0685799db99a355a938fd27896eabf3ff329c7e0a18f0e2c623d7a6ab39c295cb06a598c87266a48f

C:\Windows\mydoc.rtf
Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
Filesize: 512KB
MD5: 599e8fa74da19659a268dbc6cf0f4f5a
SHA1: 44751ceb9d3be8c59ff66e542267f2d20104fdfd
SHA256: 8f1bb3a690c55851b5744530d11619efba2f9fca2dac51900ed480ab20f675fe
SHA512: 05f529ca3c277c0fbdaa5057c34940539079e9ce2e5e5c14ea9eb6e439674000d2c7eb218ee35506bd5665842f9974ae005a4d605d2e2ad773d8eb97bf0e17d5

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
Filesize: 512KB
MD5: 9ed610d388bbfc5cee6c7afd1433bb9d
SHA1: 29f155b4554f6df4fcf6eb96e84a16807c814e42
SHA256: 168a7efe93800b591b3af45eef495edac3d6c2107d43932258b8a2db88c94cab
SHA512: c50be0b3a4db441394ea407d786ca3eeaf3f838e74fd5c46188ded7cd9084c9477dc6a9d82365fb6e3e0251ab663e57853fd7dda247decd174e3f3038a85e0ff

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
Filesize: 512KB
MD5: a5c0ebbed7f16ec5b17c33a777a9bbfc
SHA1: 931a43a22bc00d340f9ff10449df404620cba257
SHA256: 266ba77eb1025ea670b736e1fb6d9a59da875bac9ccb51eced872ff292817448
SHA512: 4c0c0751f23978865be87ad9b851b12ded2373fffe65372ef095422f885c1fb09eb9119139f4271c584e93353d8a21dfef169c12f7e95d3aa7e116c4c3c3964f

memory/3012-0-0x0000000000400000-0x0000000000496000-memory.dmp
Filesize: 600KB

memory/5060-39-0x00007FFEC7B90000-0x00007FFEC7BA0000-memory.dmp
Filesize: 64KB

memory/5060-37-0x00007FFEC7B90000-0x00007FFEC7BA0000-memory.dmp
Filesize: 64KB

memory/5060-36-0x00007FFEC7B90000-0x00007FFEC7BA0000-memory.dmp
Filesize: 64KB

memory/5060-35-0x00007FFEC7B90000-0x00007FFEC7BA0000-memory.dmp
Filesize: 64KB

memory/5060-38-0x00007FFEC7B90000-0x00007FFEC7BA0000-memory.dmp
Filesize: 64KB

memory/5060-41-0x00007FFEC5640000-0x00007FFEC5650000-memory.dmp
Filesize: 64KB

memory/5060-40-0x00007FFEC5640000-0x00007FFEC5650000-memory.dmp
Filesize: 64KB

memory/5060-604-0x00007FFEC7B90000-0x00007FFEC7BA0000-memory.dmp
Filesize: 64KB

memory/5060-603-0x00007FFEC7B90000-0x00007FFEC7BA0000-memory.dmp
Filesize: 64KB

memory/5060-602-0x00007FFEC7B90000-0x00007FFEC7BA0000-memory.dmp
Filesize: 64KB

memory/5060-601-0x00007FFEC7B90000-0x00007FFEC7BA0000-memory.dmp
Filesize: 64KB