450d7fe5111f3e2ba024b605e992cf2d35944d27169162107ef9c975f0c96f0e

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
24-05-2024 14:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe
Size

512KB
MD5

6ec28314060624b0022add23e7a6ec75
SHA1

8705f88541e8d5d72b3bf23c6ed9422e84d452a9
SHA256

450d7fe5111f3e2ba024b605e992cf2d35944d27169162107ef9c975f0c96f0e
SHA512

f9dc3f5f037aebd6aaaeb34b1436a8ccf9a659330c3420a1308f6a5dfb1b7bafc7f3113a30e53a45a6f2850a673a82193e191fe02d0aa58a5db7c88895757b58
SSDEEP

6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6Z:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5Q

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

fwqfsuzzuv.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	fwqfsuzzuv.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

fwqfsuzzuv.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	fwqfsuzzuv.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

fwqfsuzzuv.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	fwqfsuzzuv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	fwqfsuzzuv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	fwqfsuzzuv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	fwqfsuzzuv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	fwqfsuzzuv.exe

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

fwqfsuzzuv.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	fwqfsuzzuv.exe

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 5 IoCs

Processes:

fwqfsuzzuv.exeidqrorxtnrqseqf.exedijorvef.exeyfkvifwyhvjkg.exedijorvef.exe

pid process

2676 fwqfsuzzuv.exe
2720 idqrorxtnrqseqf.exe
2796 dijorvef.exe
2656 yfkvifwyhvjkg.exe
2564 dijorvef.exe

pid	process
2676	fwqfsuzzuv.exe
2720	idqrorxtnrqseqf.exe
2796	dijorvef.exe
2656	yfkvifwyhvjkg.exe
2564	dijorvef.exe

Loads dropped DLL 5 IoCs

Processes:

6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exefwqfsuzzuv.exe

pid	process
1632	6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe
1632	6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe
1632	6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe
1632	6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe
2676	fwqfsuzzuv.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

fwqfsuzzuv.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	fwqfsuzzuv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	fwqfsuzzuv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	fwqfsuzzuv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"	fwqfsuzzuv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	fwqfsuzzuv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	fwqfsuzzuv.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

idqrorxtnrqseqf.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\tssdruvm = "idqrorxtnrqseqf.exe"	idqrorxtnrqseqf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "yfkvifwyhvjkg.exe"	idqrorxtnrqseqf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\lrppnkmh = "fwqfsuzzuv.exe"	idqrorxtnrqseqf.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

dijorvef.exefwqfsuzzuv.exedijorvef.exe

description	ioc	process
File opened (read-only)	\??\v:	dijorvef.exe
File opened (read-only)	\??\l:	fwqfsuzzuv.exe
File opened (read-only)	\??\i:	dijorvef.exe
File opened (read-only)	\??\n:	dijorvef.exe
File opened (read-only)	\??\z:	dijorvef.exe
File opened (read-only)	\??\q:	dijorvef.exe
File opened (read-only)	\??\a:	dijorvef.exe
File opened (read-only)	\??\n:	dijorvef.exe
File opened (read-only)	\??\u:	fwqfsuzzuv.exe
File opened (read-only)	\??\l:	dijorvef.exe
File opened (read-only)	\??\p:	dijorvef.exe
File opened (read-only)	\??\y:	dijorvef.exe
File opened (read-only)	\??\b:	dijorvef.exe
File opened (read-only)	\??\o:	dijorvef.exe
File opened (read-only)	\??\p:	dijorvef.exe
File opened (read-only)	\??\u:	dijorvef.exe
File opened (read-only)	\??\x:	dijorvef.exe
File opened (read-only)	\??\m:	fwqfsuzzuv.exe
File opened (read-only)	\??\p:	fwqfsuzzuv.exe
File opened (read-only)	\??\x:	fwqfsuzzuv.exe
File opened (read-only)	\??\j:	dijorvef.exe
File opened (read-only)	\??\r:	dijorvef.exe
File opened (read-only)	\??\w:	dijorvef.exe
File opened (read-only)	\??\i:	fwqfsuzzuv.exe
File opened (read-only)	\??\o:	fwqfsuzzuv.exe
File opened (read-only)	\??\u:	dijorvef.exe
File opened (read-only)	\??\x:	dijorvef.exe
File opened (read-only)	\??\k:	fwqfsuzzuv.exe
File opened (read-only)	\??\b:	dijorvef.exe
File opened (read-only)	\??\m:	dijorvef.exe
File opened (read-only)	\??\o:	dijorvef.exe
File opened (read-only)	\??\g:	dijorvef.exe
File opened (read-only)	\??\k:	dijorvef.exe
File opened (read-only)	\??\y:	dijorvef.exe
File opened (read-only)	\??\j:	fwqfsuzzuv.exe
File opened (read-only)	\??\t:	fwqfsuzzuv.exe
File opened (read-only)	\??\w:	fwqfsuzzuv.exe
File opened (read-only)	\??\e:	dijorvef.exe
File opened (read-only)	\??\h:	dijorvef.exe
File opened (read-only)	\??\q:	dijorvef.exe
File opened (read-only)	\??\b:	fwqfsuzzuv.exe
File opened (read-only)	\??\g:	fwqfsuzzuv.exe
File opened (read-only)	\??\r:	fwqfsuzzuv.exe
File opened (read-only)	\??\s:	fwqfsuzzuv.exe
File opened (read-only)	\??\i:	dijorvef.exe
File opened (read-only)	\??\e:	fwqfsuzzuv.exe
File opened (read-only)	\??\g:	dijorvef.exe
File opened (read-only)	\??\w:	dijorvef.exe
File opened (read-only)	\??\l:	dijorvef.exe
File opened (read-only)	\??\z:	dijorvef.exe
File opened (read-only)	\??\a:	fwqfsuzzuv.exe
File opened (read-only)	\??\y:	fwqfsuzzuv.exe
File opened (read-only)	\??\h:	fwqfsuzzuv.exe
File opened (read-only)	\??\k:	dijorvef.exe
File opened (read-only)	\??\t:	dijorvef.exe
File opened (read-only)	\??\e:	dijorvef.exe
File opened (read-only)	\??\m:	dijorvef.exe
File opened (read-only)	\??\s:	dijorvef.exe
File opened (read-only)	\??\q:	fwqfsuzzuv.exe
File opened (read-only)	\??\h:	dijorvef.exe
File opened (read-only)	\??\t:	dijorvef.exe
File opened (read-only)	\??\j:	dijorvef.exe
File opened (read-only)	\??\v:	fwqfsuzzuv.exe
File opened (read-only)	\??\z:	fwqfsuzzuv.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

fwqfsuzzuv.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"	fwqfsuzzuv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	fwqfsuzzuv.exe

AutoIT Executable 6 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/1632-0-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe
C:\Windows\SysWOW64\dijorvef.exe	autoit_exe
\Windows\SysWOW64\fwqfsuzzuv.exe	autoit_exe
\Windows\SysWOW64\idqrorxtnrqseqf.exe	autoit_exe
\Windows\SysWOW64\yfkvifwyhvjkg.exe	autoit_exe
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	autoit_exe

Drops file in System32 directory 9 IoCs

Processes:

6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exefwqfsuzzuv.exe

description	ioc	process
File created	C:\Windows\SysWOW64\fwqfsuzzuv.exe	6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\fwqfsuzzuv.exe	6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\idqrorxtnrqseqf.exe	6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\yfkvifwyhvjkg.exe	6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\yfkvifwyhvjkg.exe	6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	fwqfsuzzuv.exe
File created	C:\Windows\SysWOW64\idqrorxtnrqseqf.exe	6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dijorvef.exe	6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\dijorvef.exe	6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe

Drops file in Program Files directory 14 IoCs

Processes:

dijorvef.exedijorvef.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	dijorvef.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	dijorvef.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	dijorvef.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	dijorvef.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	dijorvef.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	dijorvef.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	dijorvef.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	dijorvef.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	dijorvef.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	dijorvef.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	dijorvef.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	dijorvef.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	dijorvef.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	dijorvef.exe

Drops file in Windows directory 4 IoCs

Processes:

WINWORD.EXE6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\mydoc.rtf	WINWORD.EXE
File created	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE
File opened for modification	C:\Windows\mydoc.rtf	6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exeWINWORD.EXEfwqfsuzzuv.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33452D7F9D5783596D3F77D577552DAD7CF465DF"	6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\CLV.Classes	6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7FD68B7FF1F22D8D27ED0A58A749162"	6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg	fwqfsuzzuv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile"	fwqfsuzzuv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs	fwqfsuzzuv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FF8FFF8482B82689131D7217E92BCE4E143584167366335D7EA"	6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat	fwqfsuzzuv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsh	fwqfsuzzuv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsc	fwqfsuzzuv.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

2516 WINWORD.EXE

pid	process
2516	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exefwqfsuzzuv.exedijorvef.exeidqrorxtnrqseqf.exeyfkvifwyhvjkg.exedijorvef.exe

pid	process
1632	6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe
1632	6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe
1632	6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe
1632	6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe
1632	6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe
1632	6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe
1632	6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe
2676	fwqfsuzzuv.exe
2676	fwqfsuzzuv.exe
2676	fwqfsuzzuv.exe
2676	fwqfsuzzuv.exe
2676	fwqfsuzzuv.exe
1632	6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe
2796	dijorvef.exe
2796	dijorvef.exe
2796	dijorvef.exe
2796	dijorvef.exe
2720	idqrorxtnrqseqf.exe
2720	idqrorxtnrqseqf.exe
2720	idqrorxtnrqseqf.exe
2720	idqrorxtnrqseqf.exe
2656	yfkvifwyhvjkg.exe
2656	yfkvifwyhvjkg.exe
2656	yfkvifwyhvjkg.exe
2656	yfkvifwyhvjkg.exe
2656	yfkvifwyhvjkg.exe
2656	yfkvifwyhvjkg.exe
2720	idqrorxtnrqseqf.exe
2564	dijorvef.exe
2564	dijorvef.exe
2564	dijorvef.exe
2564	dijorvef.exe
2720	idqrorxtnrqseqf.exe
2656	yfkvifwyhvjkg.exe
2656	yfkvifwyhvjkg.exe
2720	idqrorxtnrqseqf.exe
2720	idqrorxtnrqseqf.exe
2656	yfkvifwyhvjkg.exe
2656	yfkvifwyhvjkg.exe
2720	idqrorxtnrqseqf.exe
2656	yfkvifwyhvjkg.exe
2656	yfkvifwyhvjkg.exe
2720	idqrorxtnrqseqf.exe
2656	yfkvifwyhvjkg.exe
2656	yfkvifwyhvjkg.exe
2720	idqrorxtnrqseqf.exe
2656	yfkvifwyhvjkg.exe
2656	yfkvifwyhvjkg.exe
2720	idqrorxtnrqseqf.exe
2656	yfkvifwyhvjkg.exe
2656	yfkvifwyhvjkg.exe
2720	idqrorxtnrqseqf.exe
2656	yfkvifwyhvjkg.exe
2656	yfkvifwyhvjkg.exe
2720	idqrorxtnrqseqf.exe
2656	yfkvifwyhvjkg.exe
2656	yfkvifwyhvjkg.exe
2720	idqrorxtnrqseqf.exe
2656	yfkvifwyhvjkg.exe
2656	yfkvifwyhvjkg.exe
2720	idqrorxtnrqseqf.exe
2656	yfkvifwyhvjkg.exe
2656	yfkvifwyhvjkg.exe
2720	idqrorxtnrqseqf.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

explorer.exe

description	pid	process
Token: SeShutdownPrivilege	2096	explorer.exe
Token: SeShutdownPrivilege	2096	explorer.exe
Token: SeShutdownPrivilege	2096	explorer.exe
Token: SeShutdownPrivilege	2096	explorer.exe
Token: SeShutdownPrivilege	2096	explorer.exe
Token: SeShutdownPrivilege	2096	explorer.exe
Token: SeShutdownPrivilege	2096	explorer.exe
Token: SeShutdownPrivilege	2096	explorer.exe
Token: SeShutdownPrivilege	2096	explorer.exe
Token: SeShutdownPrivilege	2096	explorer.exe
Token: SeShutdownPrivilege	2096	explorer.exe
Token: SeShutdownPrivilege	2096	explorer.exe

Suspicious use of FindShellTrayWindow 47 IoCs

Processes:

6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exefwqfsuzzuv.exedijorvef.exeidqrorxtnrqseqf.exeyfkvifwyhvjkg.exedijorvef.exeexplorer.exe

pid	process
1632	6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe
1632	6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe
1632	6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe
2676	fwqfsuzzuv.exe
2676	fwqfsuzzuv.exe
2676	fwqfsuzzuv.exe
2796	dijorvef.exe
2796	dijorvef.exe
2796	dijorvef.exe
2720	idqrorxtnrqseqf.exe
2720	idqrorxtnrqseqf.exe
2720	idqrorxtnrqseqf.exe
2656	yfkvifwyhvjkg.exe
2656	yfkvifwyhvjkg.exe
2656	yfkvifwyhvjkg.exe
2564	dijorvef.exe
2564	dijorvef.exe
2564	dijorvef.exe
2096	explorer.exe
2096	explorer.exe
2096	explorer.exe
2096	explorer.exe
2096	explorer.exe
2096	explorer.exe
2096	explorer.exe
2096	explorer.exe
2096	explorer.exe
2096	explorer.exe
2096	explorer.exe
2096	explorer.exe
2096	explorer.exe
2096	explorer.exe
2096	explorer.exe
2096	explorer.exe
2096	explorer.exe
2096	explorer.exe
2096	explorer.exe
2096	explorer.exe
2096	explorer.exe
2096	explorer.exe
2096	explorer.exe
2096	explorer.exe
2096	explorer.exe
2096	explorer.exe
2096	explorer.exe
2096	explorer.exe
2096	explorer.exe

Suspicious use of SendNotifyMessage 37 IoCs

Processes:

6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exefwqfsuzzuv.exedijorvef.exeidqrorxtnrqseqf.exeyfkvifwyhvjkg.exedijorvef.exeexplorer.exe

pid	process
1632	6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe
1632	6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe
1632	6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe
2676	fwqfsuzzuv.exe
2676	fwqfsuzzuv.exe
2676	fwqfsuzzuv.exe
2796	dijorvef.exe
2796	dijorvef.exe
2796	dijorvef.exe
2720	idqrorxtnrqseqf.exe
2720	idqrorxtnrqseqf.exe
2720	idqrorxtnrqseqf.exe
2656	yfkvifwyhvjkg.exe
2656	yfkvifwyhvjkg.exe
2656	yfkvifwyhvjkg.exe
2564	dijorvef.exe
2564	dijorvef.exe
2564	dijorvef.exe
2096	explorer.exe
2096	explorer.exe
2096	explorer.exe
2096	explorer.exe
2096	explorer.exe
2096	explorer.exe
2096	explorer.exe
2096	explorer.exe
2096	explorer.exe
2096	explorer.exe
2096	explorer.exe
2096	explorer.exe
2096	explorer.exe
2096	explorer.exe
2096	explorer.exe
2096	explorer.exe
2096	explorer.exe
2096	explorer.exe
2096	explorer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

2516 WINWORD.EXE
2516 WINWORD.EXE

pid	process
2516	WINWORD.EXE
2516	WINWORD.EXE

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exefwqfsuzzuv.exeWINWORD.EXE

description	pid	process	target process
PID 1632 wrote to memory of 2676	1632	6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe	fwqfsuzzuv.exe
PID 1632 wrote to memory of 2676	1632	6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe	fwqfsuzzuv.exe
PID 1632 wrote to memory of 2676	1632	6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe	fwqfsuzzuv.exe
PID 1632 wrote to memory of 2676	1632	6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe	fwqfsuzzuv.exe
PID 1632 wrote to memory of 2720	1632	6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe	idqrorxtnrqseqf.exe
PID 1632 wrote to memory of 2720	1632	6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe	idqrorxtnrqseqf.exe
PID 1632 wrote to memory of 2720	1632	6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe	idqrorxtnrqseqf.exe
PID 1632 wrote to memory of 2720	1632	6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe	idqrorxtnrqseqf.exe
PID 1632 wrote to memory of 2796	1632	6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe	dijorvef.exe
PID 1632 wrote to memory of 2796	1632	6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe	dijorvef.exe
PID 1632 wrote to memory of 2796	1632	6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe	dijorvef.exe
PID 1632 wrote to memory of 2796	1632	6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe	dijorvef.exe
PID 1632 wrote to memory of 2656	1632	6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe	yfkvifwyhvjkg.exe
PID 1632 wrote to memory of 2656	1632	6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe	yfkvifwyhvjkg.exe
PID 1632 wrote to memory of 2656	1632	6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe	yfkvifwyhvjkg.exe
PID 1632 wrote to memory of 2656	1632	6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe	yfkvifwyhvjkg.exe
PID 2676 wrote to memory of 2564	2676	fwqfsuzzuv.exe	dijorvef.exe
PID 2676 wrote to memory of 2564	2676	fwqfsuzzuv.exe	dijorvef.exe
PID 2676 wrote to memory of 2564	2676	fwqfsuzzuv.exe	dijorvef.exe
PID 2676 wrote to memory of 2564	2676	fwqfsuzzuv.exe	dijorvef.exe
PID 1632 wrote to memory of 2516	1632	6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe	WINWORD.EXE
PID 1632 wrote to memory of 2516	1632	6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe	WINWORD.EXE
PID 1632 wrote to memory of 2516	1632	6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe	WINWORD.EXE
PID 1632 wrote to memory of 2516	1632	6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe	WINWORD.EXE
PID 2516 wrote to memory of 2216	2516	WINWORD.EXE	splwow64.exe
PID 2516 wrote to memory of 2216	2516	WINWORD.EXE	splwow64.exe
PID 2516 wrote to memory of 2216	2516	WINWORD.EXE	splwow64.exe
PID 2516 wrote to memory of 2216	2516	WINWORD.EXE	splwow64.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1632

C:\Windows\SysWOW64\fwqfsuzzuv.exe
fwqfsuzzuv.exe
2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2676

C:\Windows\SysWOW64\dijorvef.exe
C:\Windows\system32\dijorvef.exe
3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2564

C:\Windows\SysWOW64\idqrorxtnrqseqf.exe
idqrorxtnrqseqf.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2720

C:\Windows\SysWOW64\dijorvef.exe
dijorvef.exe
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2796

C:\Windows\SysWOW64\yfkvifwyhvjkg.exe
yfkvifwyhvjkg.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2656

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2516

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
3⤵
PID:2216

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2096

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
Filesize
512KB

MD5
15e2955b207798b34d9d53303b0578f0

SHA1
abf5646310010f50a1558d010f7883a0ba5e288e

SHA256
297c2f063adb1a57eed9593bd6f8d8751ed725d4e979c8f68f2ce00b7de5c3bf

SHA512
2f165b2f1547bd20ee4fe881143879102ed33d14332d53e9a1c57acfea311193409d62d2f7a1db3681457ce4082172b51de8e6e2f0e52ca302f4f0f44fa2674d

Download Submit
C:\Windows\SysWOW64\dijorvef.exe
Filesize
512KB

MD5
7f2ef2d42005c1fa982dc665acc938e2

SHA1
48a7e69347a7b64314c1025a6a34e9622d5ce997

SHA256
2cd8e838fb58658ee9538a52cf58b7fd5276a28d3dac0a6352cb4478643c0fc8

SHA512
ccafd84ba8ebcaba6745ac781bcc059908764d8eaf729c41dfa043a73bc275973e8461af38b2547beb115921548424fd80a8f51a38ed7ea729ea99fb6515b418

Download Submit
C:\Windows\mydoc.rtf
Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\Windows\SysWOW64\fwqfsuzzuv.exe
Filesize
512KB

MD5
37a90d6a3c9bb894a35f1d93e3f6c1ab

SHA1
78c620728bfc702b42646b08c4b1e95d563fa9c3

SHA256
fc2e2ad58779defcbc1c2beaca5232d0855fe9e309a0ca231403751d0bf9f098

SHA512
dc72b2ac0fbd42cde6aaf8762a14946fd2c6850600ed52bc16c0d628d93afe22fc43a902b028bf691a7ecd6fe02d9b27c54220c2aa98fbf34b9d5b63cb575e80

Download Submit
\Windows\SysWOW64\idqrorxtnrqseqf.exe
Filesize
512KB

MD5
d5e666708b3df1003b0fab7dc6a9c0ed

SHA1
c9664fa2db0fdc9f6b07e018ee5c8ab80dc42015

SHA256
05b79350d2db8f484811b94998f5895efa9454402fa825afc475ba731f8ec469

SHA512
0891f1ce9912e294a3e45d15a16abbcf90ee71987598fe18ba1b0933dd20be6e95ac93d70c6a468e545cf8b83066356c30854093cf75e2d85d72cb4612d02d8a

Download Submit
\Windows\SysWOW64\yfkvifwyhvjkg.exe
Filesize
512KB

MD5
655ec1ee8874dcba38ba09e035ec2c7d

SHA1
b1b2fb36ec997af37f604fe18dfa013fa2fc2324

SHA256
5ee6582fd1f9947353ef81520410da96eb8798c0349bcab1dc9c517fb39f2a73

SHA512
9d5c4d43e2a5d8f4c009d2191a11a1b5501ad7d2967e6b5b9f549352badeb74dd9235d673b3c075de3e31c074e9ca522936adfbf61a30f6e73ce67146feade6a

Download Submit
memory/1632-0-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2096-83-0x0000000002B30000-0x0000000002B40000-memory.dmp

Filesize
64KB

Download
memory/2516-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads