Analysis

max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-05-2024 14:01

Static task: static1
Behavioral task: behavioral1
  Sample: 6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe
  Resource: win10v2004-20240426-en

This page is the behavioral2 run (Windows 10 2004 x64); the YARA hits below are prefixed behavioral2/ accordingly.
General

Target: 6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe
Size: 512KB
MD5: 6ec28314060624b0022add23e7a6ec75
SHA1: 8705f88541e8d5d72b3bf23c6ed9422e84d452a9
SHA256: 450d7fe5111f3e2ba024b605e992cf2d35944d27169162107ef9c975f0c96f0e
SHA512: f9dc3f5f037aebd6aaaeb34b1436a8ccf9a659330c3420a1308f6a5dfb1b7bafc7f3113a30e53a45a6f2850a673a82193e191fe02d0aa58a5db7c88895757b58
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6Z:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5Q
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
Processes: zocylxnsrb.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | zocylxnsrb.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes: zocylxnsrb.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | zocylxnsrb.exe
Together with HideFileExt = "1" this keeps the dropped *.doc.exe copies looking like documents in Explorer: the extension is hidden and the originals, if marked hidden/system, stay out of view.
Windows security bypass 5 IoCs
Security Center override and notification flags; the process tree lists this signature for zocylxnsrb.exe.
Processes: zocylxnsrb.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | zocylxnsrb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | zocylxnsrb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | zocylxnsrb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | zocylxnsrb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | zocylxnsrb.exe
Disables RegEdit via registry modification 1 IoCs
Processes: zocylxnsrb.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | zocylxnsrb.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | 6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe
Executes dropped EXE 5 IoCs
Processes: zocylxnsrb.exe, tytzoksaosjopul.exe, fgmbpszp.exe, ysoutklllwvyf.exe, fgmbpszp.exe
pid | process
4364 | zocylxnsrb.exe
2612 | tytzoksaosjopul.exe
3584 | fgmbpszp.exe
5004 | ysoutklllwvyf.exe
2864 | fgmbpszp.exe
Reads user/profile data of web browsers 2 TTPs (no IoCs recorded)
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification 6 IoCs
Same Security Center keys as the bypass signature above, plus FirstRunDisabled; the process tree lists this signature for zocylxnsrb.exe.
Processes: zocylxnsrb.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | zocylxnsrb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | zocylxnsrb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | zocylxnsrb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | zocylxnsrb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | zocylxnsrb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | zocylxnsrb.exe
Adds Run key to start application 2 TTPs 3 IoCs
Processes: tytzoksaosjopul.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cytusmed = "zocylxnsrb.exe" | tytzoksaosjopul.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mvlqfkvo = "tytzoksaosjopul.exe" | tytzoksaosjopul.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "ysoutklllwvyf.exe" | tytzoksaosjopul.exe
The entries are bare file names, resolved through the search path (the copies live in SysWOW64). The third one is written to the Run key's default (unnamed) value, which Autoruns shows as (Default); a hunt that keys on value names misses it. Because the writer is a 32-bit process the values land under WOW6432Node; Windows processes that Run key at logon as well, so cover both views.
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: zocylxnsrb.exe, fgmbpszp.exe (both instances)
description | ioc | process
File opened (read-only) | \??\a: \??\e: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\p: \??\q: \??\r: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z: (20 entries, one per letter) | zocylxnsrb.exe
File opened (read-only) | \??\a: \??\b: \??\e: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\o: \??\p: \??\q: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z: (44 entries; every letter except a: and h: appears twice) | fgmbpszp.exe
No entry touches c:, d: or f:. The list stops at 64 entries, so the per-letter counts are a lower bound; the pattern is a sweep of every drive letter looking for further volumes to write to.
Modifies WinLogon 2 TTPs 2 IoCs
Processes: zocylxnsrb.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | zocylxnsrb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | zocylxnsrb.exe
4294967197 is 0xFFFFFF9D (-99 as a signed DWORD), the Windows 2000-era value used to switch off Windows File Protection. Windows Resource Protection on Windows 10 does not read it, and the write lands in the WOW6432Node view, so this is legacy anti-SFC code carried over from older samples rather than a working bypass of file protection; the write itself is still a reliable detection tell.
AutoIT Executable 10 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/1228-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
C:\Windows\SysWOW64\tytzoksaosjopul.exe | autoit_exe
C:\Windows\SysWOW64\zocylxnsrb.exe | autoit_exe
C:\Windows\SysWOW64\fgmbpszp.exe | autoit_exe
C:\Windows\SysWOW64\ysoutklllwvyf.exe | autoit_exe
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | autoit_exe
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | autoit_exe
C:\Users\Admin\Desktop\SplitExit.doc.exe | autoit_exe
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | autoit_exe
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | autoit_exe
The parent's in-memory image and every dropped copy match the same rule: the whole chain is one compiled AutoIt script, which also accounts for the FindShellTrayWindow/SendNotifyMessage noise below.
Drops file in System32 directory 12 IoCs
Processes: 6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe, zocylxnsrb.exe, fgmbpszp.exe, fgmbpszp.exe
description | ioc | process
File created | C:\Windows\SysWOW64\zocylxnsrb.exe | 6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\zocylxnsrb.exe | 6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\tytzoksaosjopul.exe | 6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\tytzoksaosjopul.exe | 6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\fgmbpszp.exe | 6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\fgmbpszp.exe | 6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\ysoutklllwvyf.exe | 6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\ysoutklllwvyf.exe | 6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | zocylxnsrb.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | fgmbpszp.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | fgmbpszp.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | fgmbpszp.exe
Drops file in Program Files directory 15 IoCs
Processes: fgmbpszp.exe, fgmbpszp.exe
All paths are under C:\Program Files\Microsoft Office\root\Office16\1033\ (the report records some of them in the \??\c:\ form); counts per file:
ioc | description | process
PROTTPLN.DOC.exe | File created ×1, File opened for modification ×4 | fgmbpszp.exe
PROTTPLV.DOC.exe | File created ×2, File opened for modification ×4 | fgmbpszp.exe
PROTTPLN.nal | File opened for modification ×2 | fgmbpszp.exe
PROTTPLV.nal | File opened for modification ×2 | fgmbpszp.exe
Drops file in Windows directory 19 IoCs
Processes: fgmbpszp.exe, fgmbpszp.exe, 6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe, WINWORD.EXE
ioc | description | process
\??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | File created ×2, File opened for modification ×2 | fgmbpszp.exe
\??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | File created ×2, File opened for modification ×2 | fgmbpszp.exe
\??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | File created ×2, File opened for modification ×2 | fgmbpszp.exe
\??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | File created ×2, File opened for modification ×2 | fgmbpszp.exe
C:\Windows\mydoc.rtf | File opened for modification | 6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe
C:\Windows\mydoc.rtf | File opened for modification | WINWORD.EXE
C:\Windows\~$mydoc.rtf | File created | WINWORD.EXE
The sample writes the 223-byte mydoc.rtf itself and then launches Word on it (see the process tree); the ~$ lock file is Word's own. The WinSxS entries show the worm walking into component-store directories that contain a *.doc (MsoIrmProtector.doc) and planting a .doc.exe beside it.
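The Program Files and Windows directory drops above follow one pattern: wherever the worm finds a document (PROTTPLN.DOC, SplitExit.doc, MsoIrmProtector.doc) it plants a same-named file with an extra .exe, a 512KB AutoIt PE, and in Office16\1033 a .nal file of the same stem is touched at the same time. Below is an added hunting script for that pattern, written for this page and not part of the sandbox or the sample analysis. It walks a tree, flags names ending in document-extension.executable-extension, checks the PE header so that a renamed text file is not reported as an executable, and notes whether a same-stem .nal sits next to the hit. The extension sets and the assumption that .nal is the displaced original are this example's, not facts the report states; the directory it scans is constructed in a temp folder with placeholder bytes.

```python
"""Hunt for the document-impersonating *.doc.exe copies the report shows.

Added example for this report, not tooling from the sandbox. Assumptions:
DOC_EXTS/EXEC_EXTS below, and that a same-stem ".nal" beside a hit is the
displaced original document (the report only shows both being touched).
"""
import os
import struct
import tempfile
from pathlib import Path
from typing import Dict, List

DOC_EXTS = {".doc", ".docx", ".rtf", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif"}


def is_pe(path: Path) -> bool:
    """True if the file has an MZ header and e_lfanew points at a 'PE\\0\\0' signature."""
    try:
        with path.open("rb") as fh:
            dos = fh.read(0x40)
            if len(dos) < 0x40 or dos[:2] != b"MZ":
                return False
            e_lfanew = struct.unpack_from("<I", dos, 0x3C)[0]
            fh.seek(e_lfanew)
            return fh.read(4) == b"PE\0\0"
    except OSError:
        return False


def scan(root: str) -> List[Dict]:
    """Report every <doc ext>.<exec ext> file under root with a PE check and .nal sibling flag."""
    hits: List[Dict] = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            p = Path(dirpath, name)
            tail = [s.lower() for s in p.suffixes[-2:]]
            if len(tail) < 2 or tail[1] not in EXEC_EXTS or tail[0] not in DOC_EXTS:
                continue
            stem = name[: -len("".join(p.suffixes[-2:]))]  # "PROTTPLN" from "PROTTPLN.DOC.exe"
            hits.append({
                "path": str(p),
                "is_pe": is_pe(p),
                "size": p.stat().st_size,
                "nal_sibling": p.with_name(stem + ".nal").exists(),
            })
    return hits


def _fake_pe() -> bytes:
    """Minimal bytes that pass is_pe(): MZ stub, e_lfanew = 0x40, PE signature at 0x40."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\0\0" + bytes(60)


def build_fixture(root: str) -> None:
    """Constructed tree mirroring the report's drop locations (placeholder bytes, not the malware)."""
    office = Path(root, "Program Files", "Microsoft Office", "root", "Office16", "1033")
    desktop = Path(root, "Users", "Admin", "Desktop")
    office.mkdir(parents=True)
    desktop.mkdir(parents=True)
    (office / "PROTTPLN.DOC.exe").write_bytes(_fake_pe())
    (office / "PROTTPLN.nal").write_bytes(b"{\\rtf1 displaced original}")
    (desktop / "SplitExit.doc.exe").write_bytes(_fake_pe())
    (desktop / "notes.doc.exe").write_bytes(b"not a PE image")  # double extension, no MZ header
    (desktop / "budget.xlsx").write_bytes(b"PK\x03\x04")         # ordinary document, must not be flagged


def demo() -> Dict[str, Dict]:
    """Build the fixture in a temp dir, scan it, and return the hits keyed by file name."""
    with tempfile.TemporaryDirectory() as root:
        build_fixture(root)
        return {os.path.basename(h["path"]): h for h in scan(root)}


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name:<20} pe={hit['is_pe']!s:<5} size={hit['size']:<6} nal_sibling={hit['nal_sibling']}")
```

Run it against a real file server by calling scan() on the share root instead of the fixture; a hit with is_pe true and nal_sibling true is the strongest signal, a hit with is_pe false is a user's oddly named file. Pair the output with the size column: every copy in this report is exactly 512KB.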
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
These reads come from WINWORD.EXE, the legitimate Office binary the sample launched on C:\Windows\mydoc.rtf, not from the sample; they are normal Office start-up behaviour and should not be turned into indicators.
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: WINWORD.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
As with the processor reads, this is WINWORD.EXE's own behaviour, not the sample's.
Modifies registry class 20 IoCs
Processes: 6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe, zocylxnsrb.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F268C3FF1B22DDD173D0A38A7C9111" | 6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184DC70C1597DBC5B8B97C94ECE334C6" | 6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32302C779C5182566A3077A770512DDD7CF564DB" | 6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BC8F9BDFE10F293837F3B4A81983990B080038C43620349E2CE459E08A6" | 6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB6B12D47E3399952CEB9D1339FD4BF" | 6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FF8FCFF482F826D903CD72C7DE0BDE1E147584066416237D7E9" | 6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings | 6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | zocylxnsrb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | zocylxnsrb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | zocylxnsrb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | zocylxnsrb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | zocylxnsrb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | zocylxnsrb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | zocylxnsrb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | zocylxnsrb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | zocylxnsrb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | zocylxnsrb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | zocylxnsrb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | zocylxnsrb.exe
The CLV.Classes values are opaque hex strings the sample writes for its own use; the key's presence is a cheap host marker of infection. Pointing the default value of .bat, .reg, .vbs, .wsc, .wsf and .wsh at txtfile makes Explorer open those files in Notepad instead of running them, which neutralises the .reg imports and batch scripts an administrator would normally use to undo the other registry changes. Cleanup has to restore the stock ProgIDs (on a default Windows 10 install: batfile, regfile, VBSFile, scriptletfile, WSFFile, WSHFile) or the repair scripts themselves will not execute from the shell.
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes: WINWORD.EXE (PID 4684), 2 entries
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | process | entries
1228 | 6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe | 16
2612 | tytzoksaosjopul.exe | 12
4364 | zocylxnsrb.exe | 10
3584 | fgmbpszp.exe | 8
5004 | ysoutklllwvyf.exe | 12
2864 | fgmbpszp.exe | 6
Suspicious use of FindShellTrayWindow 18 IoCs
Processes: 1228 6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe, 4364 zocylxnsrb.exe, 2612 tytzoksaosjopul.exe, 3584 fgmbpszp.exe, 5004 ysoutklllwvyf.exe, 2864 fgmbpszp.exe (3 entries each)
Suspicious use of SendNotifyMessage 18 IoCs
Processes: 1228 6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe, 4364 zocylxnsrb.exe, 2612 tytzoksaosjopul.exe, 3584 fgmbpszp.exe, 5004 ysoutklllwvyf.exe, 2864 fgmbpszp.exe (3 entries each)
Suspicious use of SetWindowsHookEx 7 IoCs
Processes: WINWORD.EXE (PID 4684), 7 entries
Suspicious use of WriteProcessMemory 17 IoCs
Processes: 6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe, zocylxnsrb.exe
pid | process | target pid | target process | writes
1228 | 6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe | 4364 | zocylxnsrb.exe | 3
1228 | 6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe | 2612 | tytzoksaosjopul.exe | 3
1228 | 6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe | 3584 | fgmbpszp.exe | 3
1228 | 6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe | 5004 | ysoutklllwvyf.exe | 3
1228 | 6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe | 4684 | WINWORD.EXE | 2
4364 | zocylxnsrb.exe | 2864 | fgmbpszp.exe | 3
Every write targets a process the writer has just created, which is the parent-to-child pattern of process start-up rather than injection into an unrelated process.
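The registry IoCs in the signature blocks above share one line format: an action, a native registry path, an optional `= "data"`, and the acting process as the last token. The script below is an added example written for this page (not the sandbox's signature engine, and its rule table and ATT&CK mapping are this example's own). It parses lines in that format, folds the 32-bit WOW6432Node view into the logical key so one rule covers both registry views, treats a trailing backslash as the key's default value, and maps each line to the defence-evasion, persistence and discovery behaviours seen here. It also decodes the SFCDisable value the report prints as an unsigned decimal. The sample lines are copied from this report; the last one is a harmless key creation included so the rules are seen not to fire on everything.

```python
"""Parse a sandbox report's registry IoC lines and map them to ATT&CK.

Added example for this report; the rule table and technique IDs are this
example's mapping, not the sandbox's signature set.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed input: IoC lines copied from the signature blocks above.
SAMPLE_IOCS = r'''
Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" zocylxnsrb.exe
Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" zocylxnsrb.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" zocylxnsrb.exe
Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" zocylxnsrb.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cytusmed = "zocylxnsrb.exe" tytzoksaosjopul.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" zocylxnsrb.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" zocylxnsrb.exe
Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation 6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe
Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings 6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe
'''

LINE_RE = re.compile(
    r'^(?P<action>Set value \((?:int|str|bin)\)|Key value queried|Key created|Key opened)\s+'
    r'(?P<key>\\REGISTRY\\.+?)'        # lazy: key paths may contain spaces ("Security Center")
    r'(?: = "(?P<data>[^"]*)")?'
    r'\s+(?P<process>\S+)$'
)

# (key-path regex, value-name regex, data regex or None, signature, technique).
# SFCDisable is filed under T1112 here: the sandbox calls it "Winlogon Helper DLL",
# but the value loads no DLL.
RULES = [
    (r"\\Explorer\\Advanced$", r"^HideFileExt$", r"^1$", "Hides file extensions in Explorer", "T1564.001"),
    (r"\\Explorer\\Advanced$", r"^ShowSuperHidden$", r"^0$", "Hides hidden/system files in Explorer", "T1564.001"),
    (r"\\Policies\\System$", r"^DisableRegistryTools$", r"^1$", "Disables Registry Editor", "T1112"),
    (r"\\Microsoft\\Security Center$", r"^(?:AntiVirus|Firewall|Updates)(?:Override|DisableNotify)$|^FirstRunDisabled$", r"^1$", "Silences Security Center", "T1562.001"),
    (r"\\CurrentVersion\\Run$", r".", None, "Run-key persistence", "T1547.001"),
    (r"\\Windows NT\\CurrentVersion\\Winlogon$", r"^SFC(?:Disable|Scan)$", None, "Legacy SFC settings under Winlogon", "T1112"),
    (r"\\Classes\\\.(?:bat|cmd|reg|vbs|vbe|js|jse|wsf|wsh|wsc)$", r"^\(Default\)$", r"^txtfile$", "Script extension remapped to txtfile", "T1112"),
    (r"\\Control Panel\\International\\Geo$", r"^Nation$", None, "Reads configured country (possible geofence)", "T1614"),
]


@dataclass
class Finding:
    process: str
    key: str            # HKLM\... or HKU\<SID>\..., WOW6432Node folded away
    value_name: str     # "(Default)" for an unnamed value, "" for key-only events
    data: Optional[str]
    action: str
    signature: str
    technique: str


def normalize_key(raw: str, has_value: bool) -> Tuple[str, str]:
    """Map \\REGISTRY\\MACHINE / \\REGISTRY\\USER onto HKLM / HKU, drop WOW6432Node, split off the value name."""
    is_default = raw.endswith("\\")           # trailing backslash = the key's default value
    path = raw.rstrip("\\")
    path = re.sub(r"^\\REGISTRY\\MACHINE", "HKLM", path, flags=re.I)
    path = re.sub(r"^\\REGISTRY\\USER", "HKU", path, flags=re.I)
    path = re.sub(r"\\WOW6432Node", "", path, flags=re.I)
    if not has_value:
        return path, ""
    if is_default:
        return path, "(Default)"
    key_path, _, value_name = path.rpartition("\\")
    return key_path, value_name


def match_rules(key_path: str, value_name: str, data: Optional[str]) -> Optional[Tuple[str, str]]:
    for key_re, name_re, data_re, signature, technique in RULES:
        if not re.search(key_re, key_path, re.I) or not re.search(name_re, value_name, re.I):
            continue
        if data_re is not None and (data is None or not re.search(data_re, data)):
            continue
        return signature, technique
    return None


def analyze(report_text: str) -> List[Finding]:
    """Turn IoC lines into Findings; a line that does not parse is an error, not a silent skip."""
    findings: List[Finding] = []
    for line in report_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised IoC line: {line!r}")
        action = m["action"]
        has_value = action.startswith("Set value") or action == "Key value queried"
        key_path, value_name = normalize_key(m["key"], has_value)
        hit = match_rules(key_path, value_name, m["data"])
        if hit is not None:
            findings.append(Finding(m["process"], key_path, value_name, m["data"], action, *hit))
    return findings


def techniques(findings: List[Finding]) -> List[str]:
    return sorted({f.technique for f in findings})


def as_signed_dword(text: str) -> int:
    """Read a REG_DWORD printed as unsigned decimal as a signed 32-bit value.
    "4294967197" is 0xFFFFFF9D, i.e. -99: the Windows 2000-era SFCDisable value."""
    v = int(text) & 0xFFFFFFFF
    return v - 0x1_0000_0000 if v & 0x8000_0000 else v


if __name__ == "__main__":
    for f in analyze(SAMPLE_IOCS):
        print(f"{f.technique:<10} {f.process:<22} {f.signature}: {f.key}\\{f.value_name} = {f.data}")
    print("SFCDisable as signed DWORD:", as_signed_dword("4294967197"))
```

Feeding the full signature section through analyze() gives one Finding per defence-evasion or persistence write and nothing for the WINWORD.EXE hardware reads, which is the split a triage note needs. The WOW6432Node folding matters beyond this report: a hunt that checks only HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run on a 64-bit host misses the three Run values this sample wrote.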
Processes

C:\Users\Admin\AppData\Local\Temp\6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe  (PID 1228)
  command line: "C:\Users\Admin\AppData\Local\Temp\6ec28314060624b0022add23e7a6ec75_JaffaCakes118.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\zocylxnsrb.exe  (PID 4364, parent 1228)
    command line: zocylxnsrb.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\fgmbpszp.exe  (PID 2864, parent 4364)
      command line: C:\Windows\system32\fgmbpszp.exe
      The 32-bit parent asks for system32; WOW64 file-system redirection resolves that to SysWOW64, which is where the dropper wrote its copies.
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\tytzoksaosjopul.exe  (PID 2612, parent 1228)
    command line: tytzoksaosjopul.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\fgmbpszp.exe  (PID 3584, parent 1228)
    command line: fgmbpszp.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\ysoutklllwvyf.exe  (PID 5004, parent 1228)
    command line: ysoutklllwvyf.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE  (PID 4684, parent 1228)
    command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    Legitimate Office binary, launched by the sample on the 223-byte mydoc.rtf it wrote to C:\Windows; the signatures below are Word's own behaviour.
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx

The division of labour is fixed: the parent drops four copies into SysWOW64 and starts each one; tytzoksaosjopul.exe writes the Run keys; zocylxnsrb.exe does the registry hardening-in-reverse (Explorer, Security Center, RegEdit, script handlers, SFC) and starts a second fgmbpszp.exe; the two fgmbpszp.exe instances sweep the drive letters and plant the *.doc.exe copies. PIDs and parent links are taken from the WriteProcessMemory table above.
Network
MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
  Boot or Logon Autostart Execution (T1547): 2
    Registry Run Keys / Startup Folder (T1547.001): 1
    Winlogon Helper DLL (T1547.004): 1
Privilege Escalation
  Boot or Logon Autostart Execution (T1547): 2
    Registry Run Keys / Startup Folder (T1547.001): 1
    Winlogon Helper DLL (T1547.004): 1
Defense Evasion
  Hide Artifacts (T1564): 2
    Hidden Files and Directories (T1564.001): 2
  Modify Registry (T1112): 6
  Impair Defenses (T1562): 2
    Disable or Modify Tools (T1562.001): 2

Counts are the number of signatures mapped to each technique. The Winlogon Helper DLL entry comes from the SFCScan/SFCDisable writes, which modify Winlogon values but load no helper DLL; treat it as Modify Registry when prioritising.
Downloads
Every dropped executable is 512KB like the submitted sample, but each copy carries different hashes (the two MsoIrmProtector.doc.exe captures differ from each other as well), so blocking on the parent's hashes alone will not catch the copies; the name pattern, the AutoIt YARA match and the registry changes above are the durable indicators.

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
Filesize: 512KB
MD5: 1f583cbd565877aa87b92f007fdbb7c4
SHA1: 7dc1ffcff1048b73541b7395401180e9e1f4b4d4
SHA256: 16b91cfc59b954980779670d94a7a8a4d601a5879dedcc34c39fa0778f4c4324
SHA512: 3bf6b82287a19308370f978de98d684d3c3869636deb297cb566f2e65ce5b203d604a60d07a31068a8751c0a1f6b49caaeb208ebf166b3f5b69e316c5342cf4f

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
Filesize: 512KB
MD5: 8a2f284be82a4df4f654927d997a68dd
SHA1: ba1ef848977f4436a614e2f7f798d1d7852f7f79
SHA256: e197488a4b0c0a69ec7d67b49e85a7698aa6fc41de624c54c94db9162d690127
SHA512: 7d3dc03156d9c97225247a64f131a19efa307d02cb0c1c44f86d2ac4b3825080a26c9d27fe8bd1f77069c4ef78b41eeb3bd50fb2ffa9231cdaf3ded94e19e971

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Filesize: 239B
MD5: 12b138a5a40ffb88d1850866bf2959cd
SHA1: 57001ba2de61329118440de3e9f8a81074cb28a2
SHA256: 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA512: 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851227[[fn=sist02]].xsl
Filesize: 245KB
MD5: f883b260a8d67082ea895c14bf56dd56
SHA1: 7954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256: ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512: d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: 7e9a3b5e8cc752ad130e282accdb1bf7
SHA1: 5a18667aea66448294f70188a71f4f4ed64b1034
SHA256: eafe81628072764ea72eafbce91c575e6179b4124e4dbed37667d19e4a5f51c9
SHA512: 6e9499537005c7e5e975a5f75ca25a7ebe01ac47ccf22ebe2419faaf7943d8f8d9687f491752cd42b186dba7b2e3e96d23b4be5eea42c4dcfc95ab2d4903fd85

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms (second capture)
Filesize: 3KB
MD5: f7c3a8ae267ffae600d3fbfb8eb6934e
SHA1: 517f0ac918f95764a1a1ee111495d0b5f720b5db
SHA256: f6ffb039e4add9e57537dd2d023536f0b6a0ab4cce69bc60d67a011a1837b4d1
SHA512: fc04a8cd1ce4f20fe460aa65b272b2e0b212ffb319f232c035852d3468bad2aa332e0003a3917a39c2dc0710565c290d1979b79874f9cf04a8189f25d53ca89d

C:\Users\Admin\Desktop\SplitExit.doc.exe
Filesize: 512KB
MD5: 6478e6d289ad2e1c6c3ff8ce7c0ff65c
SHA1: caac7113b1fc776d91bb59d63da78b383a18c543
SHA256: 74a61781d54a72d5b81e1022e150e57c95b5bd987cb4e8c153dfed826119b50b
SHA512: 25659c28c86d64e4c83d8c5dca50d196c6ed020e3bbca803da62c932ff1dd5a9947c08c081a9730314f9e688c07d3a70361104b0b661a477085845b5d41de951

C:\Windows\SysWOW64\fgmbpszp.exe
Filesize: 512KB
MD5: b72562f568d80788cfd03b5108d66cda
SHA1: 0c50e3891d8ec6da91867c0cdcdbf37fb9c73336
SHA256: bed1f51c061a616c20ea2c54b8213511c8badc55c26461180ee4d3376eb25997
SHA512: f1b98d217791d4dc08690c0ddc4873cf7d67942f2a7e62429da574429dbdd717fcb19907e70b466cd21ffd4dab3cae99984c18d2810a6dc4fe5831ce015d55e0

C:\Windows\SysWOW64\tytzoksaosjopul.exe
Filesize: 512KB
MD5: 047499b898ce858d24bd27787c5a79c5
SHA1: ee60fb71dc56cb3c10a3e214527233cec76d080d
SHA256: f190943d7af4255151f6c4db09307a2540e60c2d7dff8db500a3b6de934417e9
SHA512: 36e837701388fa2ec580ed51cb8d28d78d80d0e9baf7673726045897a74f5f2e11ea2caff765158fce9001f73906ad348bef9a69f1129142f811e25bc7243240

C:\Windows\SysWOW64\ysoutklllwvyf.exe
Filesize: 512KB
MD5: dc34a0c50c57d058a8e748a78b3b1197
SHA1: ebfdeba92b175b01ea2cd10a95cd82d2e441d3dc
SHA256: 01a1ae856daf8bbe614842e4afac502c0aa7de67688325239ba67ace2b274c2c
SHA512: 6999ea55a5d6c7e65aea53eafdce3dfed7d4552805340bffce93d643e049aaf1a288c8d97fb3ea6a7beb8166d9c6330c84063446133664f430a8f256fef1fdb1

C:\Windows\SysWOW64\zocylxnsrb.exe
Filesize: 512KB
MD5: ad7d6cceff2d474cdf36de93b866af85
SHA1: 959d7293df853cf8e8bc6cd94641f6f4e1d00d5e
SHA256: de3f3d9d13b040b9a3f530a51a86678012f85dcb598c17ea2b628011f967ae0d
SHA512: f777fb338404544366d6414ab92e3f4c3c53d90440a3d28d26a5fd31445d939b7fdebb16477dcf49033e070c7feaa78e28fec97d4f7803482f55c5784f41f51c

C:\Windows\mydoc.rtf
Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
Filesize: 512KB
MD5: 2191d14f2db3f970b6f80ea19a21c159
SHA1: 0388e7edb16566267d37821ab574bfc58619747f
SHA256: bd5666973f52ba6f62dd5a1c6eacedd7526d68e2773ee26a45645c1035f99fca
SHA512: 273bf490399be29aa74f822842dc2e03f55b55ba484fb434af2e61f7c2bf9277eea123535fd0c6ef37cb1abe9ba5135941c5041b734cec3afa536455e3fc8645

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (second capture)
Filesize: 512KB
MD5: ed2093190ad57216a907dfcc9da5675e
SHA1: 458e53498fd31dee75ee6bd55e75483dc325b0a7
SHA256: 7d8f55b5c0da411f4986b680758816d6fe8eb748a8e3a69590b1b9896a7a71fd
SHA512: d584ceb86f0c91f71c3e397a9c4fc7cec0212a4775430c5ede4dd710c347f6d3ab3cbac266b49686ad98048b2e1f0c3e4d4c33906daad6d5af58c52e11a46f96
Memory dumps
dump | Filesize
memory/1228-0-0x0000000000400000-0x0000000000496000-memory.dmp | 600KB
memory/4684-37-0x00007FFD20850000-0x00007FFD20860000-memory.dmp | 64KB
memory/4684-36-0x00007FFD20850000-0x00007FFD20860000-memory.dmp | 64KB
memory/4684-38-0x00007FFD20850000-0x00007FFD20860000-memory.dmp | 64KB
memory/4684-39-0x00007FFD20850000-0x00007FFD20860000-memory.dmp | 64KB
memory/4684-35-0x00007FFD20850000-0x00007FFD20860000-memory.dmp | 64KB
memory/4684-42-0x00007FFD1E400000-0x00007FFD1E410000-memory.dmp | 64KB
memory/4684-43-0x00007FFD1E400000-0x00007FFD1E410000-memory.dmp | 64KB
memory/4684-608-0x00007FFD20850000-0x00007FFD20860000-memory.dmp | 64KB
memory/4684-607-0x00007FFD20850000-0x00007FFD20860000-memory.dmp | 64KB
memory/4684-606-0x00007FFD20850000-0x00007FFD20860000-memory.dmp | 64KB
memory/4684-605-0x00007FFD20850000-0x00007FFD20860000-memory.dmp | 64KB
The 1228 dump is the sample's own image (0x400000, 600KB, the AutoIt YARA hit); the 4684 dumps are small 64KB regions of WINWORD.EXE.