Analysis
-
max time kernel
149s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
24-05-2024 02:46
Static task
static1
Behavioral task
behavioral1
Sample
6d17cb1c6d930030874aa1e3e5b62963_JaffaCakes118.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
6d17cb1c6d930030874aa1e3e5b62963_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
-
Target
6d17cb1c6d930030874aa1e3e5b62963_JaffaCakes118.exe
-
Size
512KB
-
MD5
6d17cb1c6d930030874aa1e3e5b62963
-
SHA1
841eca2e02ab32f999dfdde2cec00b0400a1ad3b
-
SHA256
bb5af4afda3a286a98cb5eb134ae1d04c46ac269006eff35088b03977cfedf4a
-
SHA512
52a83d6557bd75abcbc8c271e973587e1e4a64f1dec4d80e648533e3d114832d6c99ea05111fc22ecd68132824e13d50934f91b8402741fe64e1347c3f4a2b8b
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6G:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5D
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
Processes:
lulupkvlcb.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" lulupkvlcb.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes:
lulupkvlcb.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" lulupkvlcb.exe -
Processes:
lulupkvlcb.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" lulupkvlcb.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" lulupkvlcb.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" lulupkvlcb.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" lulupkvlcb.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" lulupkvlcb.exe -
Disables RegEdit via registry modification 1 IoCs
Processes:
lulupkvlcb.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" lulupkvlcb.exe -
Modifies Installed Components in the registry 2 TTPs 1 IoCs
Processes:
explorer.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe -
Executes dropped EXE 5 IoCs
Processes:
lulupkvlcb.exesdqpyrffedbobad.exejaqucurm.exerfrrckwwbxgzp.exejaqucurm.exepid process 2132 lulupkvlcb.exe 2116 sdqpyrffedbobad.exe 2636 jaqucurm.exe 2584 rfrrckwwbxgzp.exe 2188 jaqucurm.exe -
Loads dropped DLL 5 IoCs
Processes:
6d17cb1c6d930030874aa1e3e5b62963_JaffaCakes118.exelulupkvlcb.exepid process 2784 6d17cb1c6d930030874aa1e3e5b62963_JaffaCakes118.exe 2784 6d17cb1c6d930030874aa1e3e5b62963_JaffaCakes118.exe 2784 6d17cb1c6d930030874aa1e3e5b62963_JaffaCakes118.exe 2784 6d17cb1c6d930030874aa1e3e5b62963_JaffaCakes118.exe 2132 lulupkvlcb.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
lulupkvlcb.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" lulupkvlcb.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" lulupkvlcb.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" lulupkvlcb.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" lulupkvlcb.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" lulupkvlcb.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" lulupkvlcb.exe -
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
sdqpyrffedbobad.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "rfrrckwwbxgzp.exe" sdqpyrffedbobad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dciqwtmm = "lulupkvlcb.exe" sdqpyrffedbobad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\iocpegpc = "sdqpyrffedbobad.exe" sdqpyrffedbobad.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
lulupkvlcb.exejaqucurm.exejaqucurm.exedescription ioc process File opened (read-only) \??\n: lulupkvlcb.exe File opened (read-only) \??\x: lulupkvlcb.exe File opened (read-only) \??\b: jaqucurm.exe File opened (read-only) \??\k: jaqucurm.exe File opened (read-only) \??\s: jaqucurm.exe File opened (read-only) \??\u: jaqucurm.exe File opened (read-only) \??\i: lulupkvlcb.exe File opened (read-only) \??\k: lulupkvlcb.exe File opened (read-only) \??\n: jaqucurm.exe File opened (read-only) \??\q: jaqucurm.exe File opened (read-only) \??\w: jaqucurm.exe File opened (read-only) \??\o: lulupkvlcb.exe File opened (read-only) \??\y: lulupkvlcb.exe File opened (read-only) \??\g: jaqucurm.exe File opened (read-only) \??\h: jaqucurm.exe File opened (read-only) \??\v: jaqucurm.exe File opened (read-only) \??\b: lulupkvlcb.exe File opened (read-only) \??\g: jaqucurm.exe File opened (read-only) \??\j: jaqucurm.exe File opened (read-only) \??\z: jaqucurm.exe File opened (read-only) \??\h: lulupkvlcb.exe File opened (read-only) \??\v: lulupkvlcb.exe File opened (read-only) \??\w: lulupkvlcb.exe File opened (read-only) \??\q: lulupkvlcb.exe File opened (read-only) \??\a: jaqucurm.exe File opened (read-only) \??\o: jaqucurm.exe File opened (read-only) \??\p: jaqucurm.exe File opened (read-only) \??\x: jaqucurm.exe File opened (read-only) \??\l: jaqucurm.exe File opened (read-only) \??\x: jaqucurm.exe File opened (read-only) \??\l: lulupkvlcb.exe File opened (read-only) \??\s: jaqucurm.exe File opened (read-only) \??\w: jaqucurm.exe File opened (read-only) \??\t: lulupkvlcb.exe File opened (read-only) \??\l: jaqucurm.exe File opened (read-only) \??\i: jaqucurm.exe File opened (read-only) \??\y: jaqucurm.exe File opened (read-only) \??\b: jaqucurm.exe File opened (read-only) \??\n: jaqucurm.exe File opened (read-only) \??\o: jaqucurm.exe File opened (read-only) \??\p: lulupkvlcb.exe File opened (read-only) \??\m: lulupkvlcb.exe File opened (read-only) \??\z: lulupkvlcb.exe File opened (read-only) \??\e: jaqucurm.exe File opened (read-only) \??\r: jaqucurm.exe File opened (read-only) \??\z: jaqucurm.exe File opened (read-only) \??\g: lulupkvlcb.exe File opened (read-only) \??\s: lulupkvlcb.exe File opened (read-only) \??\m: jaqucurm.exe File opened (read-only) \??\p: jaqucurm.exe File opened (read-only) \??\q: jaqucurm.exe File opened (read-only) \??\j: lulupkvlcb.exe File opened (read-only) \??\r: lulupkvlcb.exe File opened (read-only) \??\u: jaqucurm.exe File opened (read-only) \??\y: jaqucurm.exe File opened (read-only) \??\a: lulupkvlcb.exe File opened (read-only) \??\h: jaqucurm.exe File opened (read-only) \??\r: jaqucurm.exe File opened (read-only) \??\a: jaqucurm.exe File opened (read-only) \??\i: jaqucurm.exe File opened (read-only) \??\e: jaqucurm.exe File opened (read-only) \??\v: jaqucurm.exe File opened (read-only) \??\k: jaqucurm.exe File opened (read-only) \??\m: jaqucurm.exe -
Modifies WinLogon 2 TTPs 2 IoCs
Processes:
lulupkvlcb.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" lulupkvlcb.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" lulupkvlcb.exe -
AutoIT Executable 6 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource yara_rule behavioral1/memory/2784-0-0x0000000000400000-0x0000000000496000-memory.dmp autoit_exe C:\Windows\SysWOW64\sdqpyrffedbobad.exe autoit_exe \Windows\SysWOW64\lulupkvlcb.exe autoit_exe \Windows\SysWOW64\jaqucurm.exe autoit_exe \Windows\SysWOW64\rfrrckwwbxgzp.exe autoit_exe C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe autoit_exe -
Drops file in System32 directory 9 IoCs
Processes:
6d17cb1c6d930030874aa1e3e5b62963_JaffaCakes118.exelulupkvlcb.exedescription ioc process File opened for modification C:\Windows\SysWOW64\sdqpyrffedbobad.exe 6d17cb1c6d930030874aa1e3e5b62963_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\rfrrckwwbxgzp.exe 6d17cb1c6d930030874aa1e3e5b62963_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll lulupkvlcb.exe File created C:\Windows\SysWOW64\lulupkvlcb.exe 6d17cb1c6d930030874aa1e3e5b62963_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\lulupkvlcb.exe 6d17cb1c6d930030874aa1e3e5b62963_JaffaCakes118.exe File created C:\Windows\SysWOW64\sdqpyrffedbobad.exe 6d17cb1c6d930030874aa1e3e5b62963_JaffaCakes118.exe File created C:\Windows\SysWOW64\jaqucurm.exe 6d17cb1c6d930030874aa1e3e5b62963_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\jaqucurm.exe 6d17cb1c6d930030874aa1e3e5b62963_JaffaCakes118.exe File created C:\Windows\SysWOW64\rfrrckwwbxgzp.exe 6d17cb1c6d930030874aa1e3e5b62963_JaffaCakes118.exe -
Drops file in Program Files directory 14 IoCs
Processes:
jaqucurm.exejaqucurm.exedescription ioc process File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe jaqucurm.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe jaqucurm.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe jaqucurm.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal jaqucurm.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe jaqucurm.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal jaqucurm.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe jaqucurm.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal jaqucurm.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe jaqucurm.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe jaqucurm.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe jaqucurm.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal jaqucurm.exe File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe jaqucurm.exe File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe jaqucurm.exe -
Drops file in Windows directory 4 IoCs
Processes:
6d17cb1c6d930030874aa1e3e5b62963_JaffaCakes118.exeWINWORD.EXEdescription ioc process File opened for modification C:\Windows\mydoc.rtf 6d17cb1c6d930030874aa1e3e5b62963_JaffaCakes118.exe File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE File created C:\Windows\~$mydoc.rtf WINWORD.EXE File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Office loads VBA resources, possible macro or embedded object present
-
Processes:
WINWORD.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE -
Modifies registry class 64 IoCs
Processes:
WINWORD.EXElulupkvlcb.exeexplorer.exe6d17cb1c6d930030874aa1e3e5b62963_JaffaCakes118.exedescription ioc process Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat lulupkvlcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_Classes\Local Settings explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" lulupkvlcb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" lulupkvlcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCDFAB0FE17F29984793A43869D3997B08A02F043110349E1CC429A08D5" 6d17cb1c6d930030874aa1e3e5b62963_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 2544 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
6d17cb1c6d930030874aa1e3e5b62963_JaffaCakes118.exelulupkvlcb.exejaqucurm.exesdqpyrffedbobad.exerfrrckwwbxgzp.exejaqucurm.exepid process 2784 6d17cb1c6d930030874aa1e3e5b62963_JaffaCakes118.exe 2784 6d17cb1c6d930030874aa1e3e5b62963_JaffaCakes118.exe 2784 6d17cb1c6d930030874aa1e3e5b62963_JaffaCakes118.exe 2784 6d17cb1c6d930030874aa1e3e5b62963_JaffaCakes118.exe 2784 6d17cb1c6d930030874aa1e3e5b62963_JaffaCakes118.exe 2784 6d17cb1c6d930030874aa1e3e5b62963_JaffaCakes118.exe 2784 6d17cb1c6d930030874aa1e3e5b62963_JaffaCakes118.exe 2132 lulupkvlcb.exe 2132 lulupkvlcb.exe 2132 lulupkvlcb.exe 2132 lulupkvlcb.exe 2132 lulupkvlcb.exe 2784 6d17cb1c6d930030874aa1e3e5b62963_JaffaCakes118.exe 2636 jaqucurm.exe 2636 jaqucurm.exe 2636 jaqucurm.exe 2636 jaqucurm.exe 2116 sdqpyrffedbobad.exe 2116 sdqpyrffedbobad.exe 2116 sdqpyrffedbobad.exe 2116 sdqpyrffedbobad.exe 2116 sdqpyrffedbobad.exe 2584 rfrrckwwbxgzp.exe 2584 rfrrckwwbxgzp.exe 2584 rfrrckwwbxgzp.exe 2584 rfrrckwwbxgzp.exe 2584 rfrrckwwbxgzp.exe 2584 rfrrckwwbxgzp.exe 2188 jaqucurm.exe 2188 jaqucurm.exe 2188 jaqucurm.exe 2188 jaqucurm.exe 2116 sdqpyrffedbobad.exe 2584 rfrrckwwbxgzp.exe 2584 rfrrckwwbxgzp.exe 2116 sdqpyrffedbobad.exe 2116 sdqpyrffedbobad.exe 2584 rfrrckwwbxgzp.exe 2584 rfrrckwwbxgzp.exe 2116 sdqpyrffedbobad.exe 2584 rfrrckwwbxgzp.exe 2584 rfrrckwwbxgzp.exe 2116 sdqpyrffedbobad.exe 2584 rfrrckwwbxgzp.exe 2584 rfrrckwwbxgzp.exe 2116 sdqpyrffedbobad.exe 2584 rfrrckwwbxgzp.exe 2584 rfrrckwwbxgzp.exe 2116 sdqpyrffedbobad.exe 2584 rfrrckwwbxgzp.exe 2584 rfrrckwwbxgzp.exe 2116 sdqpyrffedbobad.exe 2584 rfrrckwwbxgzp.exe 2584 rfrrckwwbxgzp.exe 2116 sdqpyrffedbobad.exe 2584 rfrrckwwbxgzp.exe 2584 rfrrckwwbxgzp.exe 2116 sdqpyrffedbobad.exe 2584 rfrrckwwbxgzp.exe 2584 rfrrckwwbxgzp.exe 2116 sdqpyrffedbobad.exe 2584 rfrrckwwbxgzp.exe 2584 rfrrckwwbxgzp.exe 2116 sdqpyrffedbobad.exe -
Suspicious use of AdjustPrivilegeToken 12 IoCs
Processes:
explorer.exedescription pid process Token: SeShutdownPrivilege 1924 explorer.exe Token: SeShutdownPrivilege 1924 explorer.exe Token: SeShutdownPrivilege 1924 explorer.exe Token: SeShutdownPrivilege 1924 explorer.exe Token: SeShutdownPrivilege 1924 explorer.exe Token: SeShutdownPrivilege 1924 explorer.exe Token: SeShutdownPrivilege 1924 explorer.exe Token: SeShutdownPrivilege 1924 explorer.exe Token: SeShutdownPrivilege 1924 explorer.exe Token: SeShutdownPrivilege 1924 explorer.exe Token: SeShutdownPrivilege 1924 explorer.exe Token: SeShutdownPrivilege 1924 explorer.exe -
Suspicious use of FindShellTrayWindow 47 IoCs
Processes:
6d17cb1c6d930030874aa1e3e5b62963_JaffaCakes118.exelulupkvlcb.exejaqucurm.exesdqpyrffedbobad.exerfrrckwwbxgzp.exejaqucurm.exeexplorer.exepid process 2784 6d17cb1c6d930030874aa1e3e5b62963_JaffaCakes118.exe 2784 6d17cb1c6d930030874aa1e3e5b62963_JaffaCakes118.exe 2784 6d17cb1c6d930030874aa1e3e5b62963_JaffaCakes118.exe 2132 lulupkvlcb.exe 2132 lulupkvlcb.exe 2132 lulupkvlcb.exe 2636 jaqucurm.exe 2636 jaqucurm.exe 2636 jaqucurm.exe 2116 sdqpyrffedbobad.exe 2116 sdqpyrffedbobad.exe 2116 sdqpyrffedbobad.exe 2584 rfrrckwwbxgzp.exe 2584 rfrrckwwbxgzp.exe 2584 rfrrckwwbxgzp.exe 2188 jaqucurm.exe 2188 jaqucurm.exe 2188 jaqucurm.exe 1924 explorer.exe 1924 explorer.exe 1924 explorer.exe 1924 explorer.exe 1924 explorer.exe 1924 explorer.exe 1924 explorer.exe 1924 explorer.exe 1924 explorer.exe 1924 explorer.exe 1924 explorer.exe 1924 explorer.exe 1924 explorer.exe 1924 explorer.exe 1924 explorer.exe 1924 explorer.exe 1924 explorer.exe 1924 explorer.exe 1924 explorer.exe 1924 explorer.exe 1924 explorer.exe 1924 explorer.exe 1924 explorer.exe 1924 explorer.exe 1924 explorer.exe 1924 explorer.exe 1924 explorer.exe 1924 explorer.exe 1924 explorer.exe -
Suspicious use of SendNotifyMessage 34 IoCs
Processes:
6d17cb1c6d930030874aa1e3e5b62963_JaffaCakes118.exelulupkvlcb.exejaqucurm.exesdqpyrffedbobad.exerfrrckwwbxgzp.exeexplorer.exepid process 2784 6d17cb1c6d930030874aa1e3e5b62963_JaffaCakes118.exe 2784 6d17cb1c6d930030874aa1e3e5b62963_JaffaCakes118.exe 2784 6d17cb1c6d930030874aa1e3e5b62963_JaffaCakes118.exe 2132 lulupkvlcb.exe 2132 lulupkvlcb.exe 2132 lulupkvlcb.exe 2636 jaqucurm.exe 2636 jaqucurm.exe 2636 jaqucurm.exe 2116 sdqpyrffedbobad.exe 2116 sdqpyrffedbobad.exe 2116 sdqpyrffedbobad.exe 2584 rfrrckwwbxgzp.exe 2584 rfrrckwwbxgzp.exe 2584 rfrrckwwbxgzp.exe 1924 explorer.exe 1924 explorer.exe 1924 explorer.exe 1924 explorer.exe 1924 explorer.exe 1924 explorer.exe 1924 explorer.exe 1924 explorer.exe 1924 explorer.exe 1924 explorer.exe 1924 explorer.exe 1924 explorer.exe 1924 explorer.exe 1924 explorer.exe 1924 explorer.exe 1924 explorer.exe 1924 explorer.exe 1924 explorer.exe 1924 explorer.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
WINWORD.EXEpid process 2544 WINWORD.EXE 2544 WINWORD.EXE -
Suspicious use of WriteProcessMemory 24 IoCs
Processes:
6d17cb1c6d930030874aa1e3e5b62963_JaffaCakes118.exelulupkvlcb.exedescription pid process target process PID 2784 wrote to memory of 2132 2784 6d17cb1c6d930030874aa1e3e5b62963_JaffaCakes118.exe lulupkvlcb.exe PID 2784 wrote to memory of 2132 2784 6d17cb1c6d930030874aa1e3e5b62963_JaffaCakes118.exe lulupkvlcb.exe PID 2784 wrote to memory of 2132 2784 6d17cb1c6d930030874aa1e3e5b62963_JaffaCakes118.exe lulupkvlcb.exe PID 2784 wrote to memory of 2132 2784 6d17cb1c6d930030874aa1e3e5b62963_JaffaCakes118.exe lulupkvlcb.exe PID 2784 wrote to memory of 2116 2784 6d17cb1c6d930030874aa1e3e5b62963_JaffaCakes118.exe sdqpyrffedbobad.exe PID 2784 wrote to memory of 2116 2784 6d17cb1c6d930030874aa1e3e5b62963_JaffaCakes118.exe sdqpyrffedbobad.exe PID 2784 wrote to memory of 2116 2784 6d17cb1c6d930030874aa1e3e5b62963_JaffaCakes118.exe sdqpyrffedbobad.exe PID 2784 wrote to memory of 2116 2784 6d17cb1c6d930030874aa1e3e5b62963_JaffaCakes118.exe sdqpyrffedbobad.exe PID 2784 wrote to memory of 2636 2784 6d17cb1c6d930030874aa1e3e5b62963_JaffaCakes118.exe jaqucurm.exe PID 2784 wrote to memory of 2636 2784 6d17cb1c6d930030874aa1e3e5b62963_JaffaCakes118.exe jaqucurm.exe PID 2784 wrote to memory of 2636 2784 6d17cb1c6d930030874aa1e3e5b62963_JaffaCakes118.exe jaqucurm.exe PID 2784 wrote to memory of 2636 2784 6d17cb1c6d930030874aa1e3e5b62963_JaffaCakes118.exe jaqucurm.exe PID 2784 wrote to memory of 2584 2784 6d17cb1c6d930030874aa1e3e5b62963_JaffaCakes118.exe rfrrckwwbxgzp.exe PID 2784 wrote to memory of 2584 2784 6d17cb1c6d930030874aa1e3e5b62963_JaffaCakes118.exe rfrrckwwbxgzp.exe PID 2784 wrote to memory of 2584 2784 6d17cb1c6d930030874aa1e3e5b62963_JaffaCakes118.exe rfrrckwwbxgzp.exe PID 2784 wrote to memory of 2584 2784 6d17cb1c6d930030874aa1e3e5b62963_JaffaCakes118.exe rfrrckwwbxgzp.exe PID 2132 wrote to memory of 2188 2132 lulupkvlcb.exe jaqucurm.exe PID 2132 wrote to memory of 2188 2132 lulupkvlcb.exe jaqucurm.exe PID 2132 wrote to memory of 2188 2132 lulupkvlcb.exe jaqucurm.exe PID 2132 wrote to memory of 2188 2132 lulupkvlcb.exe jaqucurm.exe PID 2784 wrote to memory of 2544 2784 6d17cb1c6d930030874aa1e3e5b62963_JaffaCakes118.exe WINWORD.EXE PID 2784 wrote to memory of 2544 2784 6d17cb1c6d930030874aa1e3e5b62963_JaffaCakes118.exe WINWORD.EXE PID 2784 wrote to memory of 2544 2784 6d17cb1c6d930030874aa1e3e5b62963_JaffaCakes118.exe WINWORD.EXE PID 2784 wrote to memory of 2544 2784 6d17cb1c6d930030874aa1e3e5b62963_JaffaCakes118.exe WINWORD.EXE -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\6d17cb1c6d930030874aa1e3e5b62963_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\6d17cb1c6d930030874aa1e3e5b62963_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\lulupkvlcb.exelulupkvlcb.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\jaqucurm.exeC:\Windows\system32\jaqucurm.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\sdqpyrffedbobad.exesdqpyrffedbobad.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\jaqucurm.exejaqucurm.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\rfrrckwwbxgzp.exerfrrckwwbxgzp.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Modify Registry
8Impair Defenses
2Disable or Modify Tools
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exeFilesize
512KB
MD53b9cccd6ef117cde0b72a668540879ee
SHA111206a065b8ce71aeae7a77c8c1a040d55b653ee
SHA256817d16d946320c85d418c0c3b3a8b165978b2fd3ca798dc47ad92ee8c4290072
SHA51283e1f77a1f2aa8048da1ca80f576cee47312398414d2286cffe9c09e8fd7a0a3b68544fcb266ee09244f5e7d27d5995352354b011a7db19cbfe50ff3610dbb79
-
C:\Windows\SysWOW64\sdqpyrffedbobad.exeFilesize
512KB
MD5a09b1cd2bf266d9f34a9396b49f830e6
SHA179915494720a7804783464680f51574b723ea8fb
SHA25630522213d8aca0d824054dc32d358caf0bd8731afd674ab1d39326e4d72714ea
SHA512703461838cb5cc97f829198ad62a4cbd35d7ff681417c19bb8944c97b0714523a061f48d5fab82627a949f55889199393d0cdd9acdf16c61112a0a15d3f74098
-
C:\Windows\mydoc.rtfFilesize
223B
MD506604e5941c126e2e7be02c5cd9f62ec
SHA14eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA25685f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
\Windows\SysWOW64\jaqucurm.exeFilesize
512KB
MD5bb5eb5930f18ffa805ea65557762168b
SHA135f80ef532eb93442a34113224126d72faba6e0d
SHA25698bb24737ae7d1f616916eb5693ebcd293f9ef341eaf5375c9c7594ddbe781cf
SHA51264c99b209740459cf47d8453e80e0af5ae64239d7d2d08991128eb210db3c18ef88ac59eab33ba3a6a6126764aed4e174e8b449affc4dbfe7fc20fdb6515eb6c
-
\Windows\SysWOW64\lulupkvlcb.exeFilesize
512KB
MD5a24374cea1739afb42868681030baefe
SHA1671970291ddac0c758f7aaf289cac6563874fc73
SHA256251e47d38d4f7658afc168ad6c7f0099e224fcb16f85607c37c13d247c0c3b87
SHA512b9308ef585eba58cdaad99e8ab1eaef3f347d9609875218829f74d409a1bd45c2d3d66d336c7652a6ca38f6497cdcd3fd9d944bbf20c57526e1aaa2e05c08009
-
\Windows\SysWOW64\rfrrckwwbxgzp.exeFilesize
512KB
MD500f935469d6d217a1842e0ff5eaf4a50
SHA178b141d82801661bf189d79588b858f95903abf1
SHA256e589e02d0ef70aefbe1c8b09c4d580d1d44323c09ac35a207b25523b5aed561e
SHA5128368119927e260a5bd358855d2b49d1e7e9f4ed9272f08ee35a4e90094f764e2eacb912c17a99b05f7e92f7a1d9e2a7515a084dba6e04ed14af6494a37a8a96a
-
memory/1924-79-0x0000000002AE0000-0x0000000002AF0000-memory.dmpFilesize
64KB
-
memory/2544-45-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/2784-0-0x0000000000400000-0x0000000000496000-memory.dmpFilesize
600KB