Analysis
max time kernel
150s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
submitted
24-05-2024 15:29
Static task
static1
Behavioral task
behavioral1
Sample
6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
Target
6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe
Size
512KB
MD5
6efbd040de315fa09810caf92722ba6c
SHA1
007eab42ac0aee941486b8bf78b57c3385e1174b
SHA256
40e8d566afd8269708d7dcd017cacb6150ad77bdcc98c9d41f112c5adeed1bb8
SHA512
b462a4e51941aa7826046c9927c2276a88360d1e58c2bb51e4dd0cda4b79567201272a2f4c21b531ff519dbd9c996caf863e5b6c1bc984cfa789982f808640ec
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6G:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5p
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
Processes: ftreqhpfep.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | ftreqhpfep.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes: ftreqhpfep.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | ftreqhpfep.exe
Windows security bypass 5 IoCs
Processes: ftreqhpfep.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | ftreqhpfep.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | ftreqhpfep.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | ftreqhpfep.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | ftreqhpfep.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | ftreqhpfep.exe
Disables RegEdit via registry modification 1 IoCs
Processes: ftreqhpfep.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | ftreqhpfep.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | 6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe
Executes dropped EXE 5 IoCs
Processes: ftreqhpfep.exe, oqdxadvjiapbnqr.exe, qlizuhzz.exe, dexrapzpbvoij.exe, qlizuhzz.exe
pid | process
3752 | ftreqhpfep.exe
832 | oqdxadvjiapbnqr.exe
3512 | qlizuhzz.exe
1224 | dexrapzpbvoij.exe
5072 | qlizuhzz.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 6 IoCs
Processes: ftreqhpfep.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | ftreqhpfep.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | ftreqhpfep.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | ftreqhpfep.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | ftreqhpfep.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | ftreqhpfep.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | ftreqhpfep.exe
Adds Run key to start application 2 TTPs 3 IoCs
Processes: oqdxadvjiapbnqr.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\glmibftd = "ftreqhpfep.exe" | oqdxadvjiapbnqr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ivzuwhov = "oqdxadvjiapbnqr.exe" | oqdxadvjiapbnqr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "dexrapzpbvoij.exe" | oqdxadvjiapbnqr.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: ftreqhpfep.exe, qlizuhzz.exe, qlizuhzz.exe
description | ioc | process
File opened (read-only) | 21 drive roots, in the order logged: \??\n: \??\q: \??\x: \??\m: \??\u: \??\w: \??\z: \??\k: \??\l: \??\t: \??\y: \??\j: \??\g: \??\h: \??\p: \??\v: \??\b: \??\r: \??\a: \??\i: \??\o: | ftreqhpfep.exe
File opened (read-only) | 43 drive roots across the two qlizuhzz.exe instances, in the order logged: \??\a: \??\q: \??\m: \??\x: \??\y: \??\z: \??\w: \??\y: \??\u: \??\h: \??\t: \??\g: \??\v: \??\m: \??\v: \??\i: \??\e: \??\p: \??\q: \??\w: \??\e: \??\l: \??\n: \??\z: \??\o: \??\r: \??\s: \??\i: \??\b: \??\p: \??\r: \??\s: \??\u: \??\l: \??\g: \??\h: \??\t: \??\a: \??\b: \??\j: \??\o: \??\j: \??\k: | qlizuhzz.exe
Modifies WinLogon 2 TTPs 2 IoCs
Processes: ftreqhpfep.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | ftreqhpfep.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | ftreqhpfep.exe
AutoIT Executable 9 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/3756-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
C:\Windows\SysWOW64\oqdxadvjiapbnqr.exe | autoit_exe
C:\Windows\SysWOW64\dexrapzpbvoij.exe | autoit_exe
C:\Windows\SysWOW64\qlizuhzz.exe | autoit_exe
C:\Windows\SysWOW64\ftreqhpfep.exe | autoit_exe
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | autoit_exe
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | autoit_exe
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | autoit_exe
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | autoit_exe
Drops file in System32 directory 12 IoCs
Processes: 6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe, ftreqhpfep.exe, qlizuhzz.exe, qlizuhzz.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\ftreqhpfep.exe | 6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\qlizuhzz.exe | 6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\dexrapzpbvoij.exe | 6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\dexrapzpbvoij.exe | 6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | ftreqhpfep.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | qlizuhzz.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | qlizuhzz.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | qlizuhzz.exe
File created | C:\Windows\SysWOW64\ftreqhpfep.exe | 6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\oqdxadvjiapbnqr.exe | 6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\oqdxadvjiapbnqr.exe | 6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\qlizuhzz.exe | 6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe
Drops file in Program Files directory 15 IoCs
Processes: qlizuhzz.exe, qlizuhzz.exe
description | ioc | process
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | qlizuhzz.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | qlizuhzz.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | qlizuhzz.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | qlizuhzz.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | qlizuhzz.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | qlizuhzz.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | qlizuhzz.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | qlizuhzz.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | qlizuhzz.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | qlizuhzz.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | qlizuhzz.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | qlizuhzz.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | qlizuhzz.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | qlizuhzz.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | qlizuhzz.exe
Drops file in Windows directory 19 IoCs
Processes: qlizuhzz.exe, qlizuhzz.exe, 6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe, WINWORD.EXE
description | ioc | process
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | qlizuhzz.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | qlizuhzz.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | qlizuhzz.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | qlizuhzz.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | qlizuhzz.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | qlizuhzz.exe
File opened for modification | C:\Windows\mydoc.rtf | 6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | qlizuhzz.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | qlizuhzz.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | qlizuhzz.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | qlizuhzz.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | qlizuhzz.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | qlizuhzz.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | qlizuhzz.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | qlizuhzz.exe
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | qlizuhzz.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | qlizuhzz.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments. Here the reader is WINWORD.EXE, launched on the dropped C:\Windows\mydoc.rtf, not one of the dropped AutoIt binaries, so this is Office's own start-up behaviour rather than a check by the malware.
Processes: WINWORD.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: WINWORD.EXE
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Modifies registry class 20 IoCs
Processes: 6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe, ftreqhpfep.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1849C70C1491DBBEB9BA7C95ED9137CF" | 6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings | 6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | ftreqhpfep.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | ftreqhpfep.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2ECAB15F47E738E852CBBAA1339FD4CC" | 6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | ftreqhpfep.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | ftreqhpfep.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | ftreqhpfep.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | ftreqhpfep.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | ftreqhpfep.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABAF9CCF910F291830E3B45819D39E2B0FD028A4268033BE1BF459A09A8" | 6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF5FF824F2882139140D65C7EE6BC94E130584167316337D79E" | 6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F66BB9FE6921D1D272D0A88B7D9111" | 6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | ftreqhpfep.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | ftreqhpfep.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33452D7C9D5283236D4676A777262CD87DF465D9" | 6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | ftreqhpfep.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | ftreqhpfep.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | ftreqhpfep.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes: WINWORD.EXE
pid | process (events)
3784 | WINWORD.EXE (2)
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe, qlizuhzz.exe, oqdxadvjiapbnqr.exe, ftreqhpfep.exe, dexrapzpbvoij.exe, qlizuhzz.exe
pid | process (events, in the order logged)
3756 | 6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe (16)
3512 | qlizuhzz.exe (8)
832 | oqdxadvjiapbnqr.exe (8)
3752 | ftreqhpfep.exe (10)
832 | oqdxadvjiapbnqr.exe (2)
1224 | dexrapzpbvoij.exe (12)
5072 | qlizuhzz.exe (8)
Suspicious use of FindShellTrayWindow 18 IoCs
Processes: 6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe, qlizuhzz.exe, oqdxadvjiapbnqr.exe, dexrapzpbvoij.exe, ftreqhpfep.exe, qlizuhzz.exe
pid | process (events)
3756 | 6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe (3)
3512 | qlizuhzz.exe (3)
832 | oqdxadvjiapbnqr.exe (3, interleaved with the next two)
1224 | dexrapzpbvoij.exe (3)
3752 | ftreqhpfep.exe (3)
5072 | qlizuhzz.exe (3)
Suspicious use of SendNotifyMessage 18 IoCs
Processes: 6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe, qlizuhzz.exe, oqdxadvjiapbnqr.exe, dexrapzpbvoij.exe, ftreqhpfep.exe, qlizuhzz.exe
pid | process (events)
3756 | 6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe (3)
3512 | qlizuhzz.exe (3)
832 | oqdxadvjiapbnqr.exe (3, interleaved with the next two)
1224 | dexrapzpbvoij.exe (3)
3752 | ftreqhpfep.exe (3)
5072 | qlizuhzz.exe (3)
Suspicious use of SetWindowsHookEx 7 IoCs
Processes: WINWORD.EXE
pid | process (events)
3784 | WINWORD.EXE (7)
Suspicious use of WriteProcessMemory 17 IoCs
Processes: 6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe, ftreqhpfep.exe
description | pid | process | target process (events)
PID 3756 wrote to memory of 3752 | 3756 | 6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe | ftreqhpfep.exe (3)
PID 3756 wrote to memory of 832 | 3756 | 6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe | oqdxadvjiapbnqr.exe (3)
PID 3756 wrote to memory of 3512 | 3756 | 6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe | qlizuhzz.exe (3)
PID 3756 wrote to memory of 1224 | 3756 | 6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe | dexrapzpbvoij.exe (3)
PID 3756 wrote to memory of 3784 | 3756 | 6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe | WINWORD.EXE (2)
PID 3752 wrote to memory of 5072 | 3752 | ftreqhpfep.exe | qlizuhzz.exe (3)
Every target is a direct child that the writing process itself launched (the same parent/child pairs appear in the process tree below), which is the pattern of ordinary process creation; nothing here shows a write into an unrelated, already-running process.
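Most of the signatures above are single registry writes, and each row carries the three things a responder needs to turn it into a host check: the native path (\REGISTRY\MACHINE or \REGISTRY\USER\<SID>), the value type, and the writing process. Two details matter when doing that. The droppers run from SysWOW64, so their HKLM writes were redirected into the WOW6432Node view (the level-3 qlizuhzz.exe is launched by a system32 path but loads from SysWOW64 for the same reason), and the S-1-5-21-...-1000 SID is the sandbox user's, so on a victim the same values live under that user's own SID, i.e. HKCU. The .bat/.vbs/.reg/.wsf/.wsh/.wsc rows in "Modifies registry class" point those extensions at the txtfile handler, which stops scripts from running when double-clicked, so one of them is included in the sample set. The following is an added example, not tooling from the sandbox or this report: the rows are copied from the tables above, the two host snapshots are constructed for the demo, the ATT&CK technique IDs are our mapping from the technique names in the matrix at the end of the report, and the reg query lines it emits are what a responder would type on a live host.

```python
import re
from dataclasses import dataclass

# Rows copied from the report's signature tables above (description | ioc | process).
REPORT_ROWS = [
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" ftreqhpfep.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" ftreqhpfep.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" ftreqhpfep.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" ftreqhpfep.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" ftreqhpfep.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\glmibftd = "ftreqhpfep.exe" oqdxadvjiapbnqr.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" ftreqhpfep.exe',
]
ROW_RE = re.compile(r'^Set value \((int|str)\) (\\REGISTRY\\.+?) = "(.*)" (\S+)$')
HIVES = {"MACHINE": "HKLM", "USER": "HKU"}
# key-path fragment -> technique named in the report's ATT&CK matrix (the IDs are added here)
TECHNIQUES = [("\\currentversion\\run", "T1547.001", "Registry Run Keys / Startup Folder"),
              ("\\currentversion\\winlogon", "T1547.004", "Winlogon Helper DLL"),
              ("\\explorer\\advanced", "T1564.001", "Hidden Files and Directories"),
              ("\\security center", "T1562.001", "Disable or Modify Tools")]
DEFAULT_TECHNIQUE = ("T1112", "Modify Registry")


@dataclass(frozen=True)
class RegIoc:
    key: str            # HKLM\... or HKU\<SID>\...
    name: str           # value name; "(Default)" for the key's default value
    value: object       # int for (int) rows, str for (str) rows
    process: str        # writing process, per the report
    technique: str
    technique_name: str


def normalize_path(native: str) -> str:
    """\\REGISTRY\\MACHINE\\x -> HKLM\\x; \\REGISTRY\\USER\\<SID>\\x -> HKU\\<SID>\\x."""
    parts = native.split("\\")
    if len(parts) < 3 or parts[1] != "REGISTRY" or parts[2] not in HIVES:
        raise ValueError(f"not a native registry path: {native!r}")
    return "\\".join([HIVES[parts[2]], *parts[3:]])


def parse_row(row: str) -> RegIoc:
    m = ROW_RE.match(row)
    if not m:
        raise ValueError(f"unrecognised row: {row!r}")
    kind, path, raw, process = m.groups()
    key_native, name = path.rsplit("\\", 1)   # a trailing '\' means the key's default value
    key = normalize_path(key_native)
    tech = next(((t, n) for frag, t, n in TECHNIQUES if frag in key.lower()), DEFAULT_TECHNIQUE)
    return RegIoc(key, name or "(Default)", int(raw) if kind == "int" else raw, process, *tech)


def candidate_keys(key: str) -> list:
    """Where to look on a real host: the 32-bit droppers' HKLM writes landed under
    WOW6432Node, so the native view is added for a 64-bit build of the same family;
    HKU\\<sandbox SID> is rebased to HKCU (HKU\\<SID>_Classes to HKCU\\Software\\Classes)."""
    cands = [key]
    if "\\wow6432node\\" in key.lower():
        cands.append(re.sub(r"(?i)\\wow6432node\\", r"\\", key))
    if key.upper().startswith("HKU\\S-1-5-21-"):
        cands.append(re.sub(r"(?i)^HKU\\S-1-5-21-[\d-]+(_Classes)?",
                            lambda m: "HKCU\\Software\\Classes" if m.group(1) else "HKCU", key))
    return cands


def _same(observed, expected) -> bool:
    if isinstance(expected, str):
        return str(observed).lower() == expected.lower()
    try:   # compare as REG_DWORD so 4294967197, "0xffffff9d" and "-99" all agree
        return (int(str(observed), 0) & 0xFFFFFFFF) == (expected & 0xFFFFFFFF)
    except ValueError:                                 # text where a DWORD was expected
        return False


def check_snapshot(iocs, snapshot) -> list:
    """snapshot: {key_path: {value_name: value}} as collected from the host (case-insensitive).
    Returns (ioc, key_where_found) for every IoC whose tampered value is present."""
    view = {k.lower(): {n.lower(): v for n, v in vals.items()} for k, vals in snapshot.items()}
    hits = []
    for ioc in iocs:
        for cand in candidate_keys(ioc.key):
            observed = view.get(cand.lower(), {}).get(ioc.name.lower())
            if observed is not None and _same(observed, ioc.value):
                hits.append((ioc, cand))
                break
    return hits


def reg_query_commands(iocs) -> list:
    """One `reg query` per IoC for a live host from cmd.exe; HKU\\<SID> is rebased to HKCU."""
    cmds = []
    for ioc in iocs:
        key = candidate_keys(ioc.key)[-1] if ioc.key.upper().startswith("HKU\\") else ioc.key
        cmds.append(f'reg query "{key}" ' + ("/ve" if ioc.name == "(Default)" else f'/v "{ioc.name}"'))
    return cmds


IOCS = [parse_row(r) for r in REPORT_ROWS]
ADV = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced"   # constructed snapshots follow
CLEAN_HOST = {ADV: {"HideFileExt": 0, "ShowSuperHidden": 1}}
INFECTED_HOST = {   # values as reg query / Get-ItemProperty might render them
    ADV: {"HideFileExt": 1, "ShowSuperHidden": 0},
    r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Security Center": {"AntiVirusOverride": "0x1"},
    r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon": {"SFCDisable": "0xffffff9d"},
    r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run": {"glmibftd": "ftreqhpfep.exe"},
    r"HKLM\SOFTWARE\Classes\.vbs": {"(Default)": "txtfile"},
}

if __name__ == "__main__":
    print(*(f"{i.technique} {w}\\{i.name} = {i.value!r} (set by {i.process})" for i, w in check_snapshot(IOCS, INFECTED_HOST)), sep="\n")
```

On a live host, fill the snapshot dict from the output of the emitted reg query lines or from PowerShell Get-ItemProperty, and collect both the WOW6432Node and the native HKLM views: the report's rows only show where a 32-bit writer lands, and a 64-bit build of the same dropper would write the native path. Integer comparison is done modulo 2^32 because SFCDisable = 4294967197 is the DWORD 0xFFF FFF9D and tools render it as unsigned, hex or the signed -99 depending on how they were asked.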
Processes
C:\Users\Admin\AppData\Local\Temp\6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe (level 1)
command line: "C:\Users\Admin\AppData\Local\Temp\6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe"
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\ftreqhpfep.exe (level 2)
command line: ftreqhpfep.exe
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\qlizuhzz.exe (level 3)
command line: C:\Windows\system32\qlizuhzz.exe
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
C:\Windows\SysWOW64\oqdxadvjiapbnqr.exe (level 2)
command line: oqdxadvjiapbnqr.exe
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
C:\Windows\SysWOW64\qlizuhzz.exe (level 2)
command line: qlizuhzz.exe
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
C:\Windows\SysWOW64\dexrapzpbvoij.exe (level 2)
command line: dexrapzpbvoij.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (level 2)
command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Modify Registry (6)
  Impair Defenses (2)
    Disable or Modify Tools (2)
Downloads
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
Filesize 512KB
MD5 1dd24e622b5fba1ceecd31f7c8457e47
SHA1 f5f170f5d6655545d87aff33891391440f994f6d
SHA256 8656300a1c4b83f9d7cd43c664ddec3ff773947420f5448d78ec214807ab8f98
SHA512 bb57381d37912fe58b94299e04637e89e7aae152f3bf4c7d45480fa98132e823b6b56e4f63bfa8bef4fef4479d547f14c15d90201ffb5c6ce245dc40ea053dd6

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
Filesize 512KB
MD5 a26ee202afe6a85d90cb936028f6a984
SHA1 c69b1a121a7f9d614849f2ae549c5201afb3ff16
SHA256 8d73a7404e511a90004cc81fbef509ca8f365c32a15fbea45831b022fef729b3
SHA512 912df29a6f773821e49bf384811e28ed2ebf2a522a32951435705094541882c0822150cf03a95cfa5365b40368eaac5cf688a9f49a91d9b583d261724d952fbb

C:\Users\Admin\AppData\Local\Temp\TCDBB28.tmp\sist02.xsl
Filesize 245KB
MD5 f883b260a8d67082ea895c14bf56dd56
SHA1 7954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256 ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512 d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Filesize 239B
MD5 c0458d84c21e6a33d9dd19954db113e2
SHA1 ed281badb74c7dc0d4cc42e7bdfb1442c2b7fca2
SHA256 9f644dd6e8fd46e1607d736deaae1ef28b2b043d7c1fcf97fda64f4044b047cb
SHA512 de0ad401e167d9220d2fd8d08f5f14ca22e68b0e6260ab7b5fdf17e8db8aa442ed9f5326f84f65e4ae93650c182f6e09639d83e8a3798fdb2389ac0422a82f34

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UE5BDNCEHVXYOTRV5FOL.temp
Filesize 3KB
MD5 212636dab92a043d014d461e888e0331
SHA1 a6255212081a85fc036ccd784930d905bae7bfea
SHA256 775e58bbb0edcea56c24382d6f75fafea8465f37ffa15ac6a8a8f306a10d0436
SHA512 1a7c5ff83bd13c8782c1b06658bdf80442c4fabdb4c28a852409283c1f680c76550094d7c5d62fd69788ae7cb36ccd2a0bf8f89ec560855672ab718994b0f7e7

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize 3KB
MD5 1f15f0806056a89fe6ac1f4b5886252d
SHA1 a49ee55e1b38a8ea8a7c0331bd78b502848a98fa
SHA256 239d2ceab6ef4f5601fd64bf0fe4d611d0d166297c0c9171ff82926c16bd32c7
SHA512 b9744db77245f80ce8bd30dd52d6cd0ad5eaa2a25af763d3728b1dc69609c97b4f9c434718998fcf51ecd6742c8327f1f4319cb32d8054aed6ee215bdcc418ef

C:\Windows\SysWOW64\dexrapzpbvoij.exe
Filesize 512KB
MD5 6ebdb4e4d023a2b1d204bb2274401ca4
SHA1 e43648bb90092a83b43ad686edf9c545e43f46b4
SHA256 b4a70fcca68a2dc6abdec40ace1a8df9aed9af9adcb2bf84c4cbf125ff15dd43
SHA512 7c8452e663dd084a695ca87bfd5203dda2c8b76947dd9be902f988f2929f385e098ad961f0b9361de8d822b5250bf8bd121e7b40db4ed73f8c63373e83a8c683

C:\Windows\SysWOW64\ftreqhpfep.exe
Filesize 512KB
MD5 a4b68c7559deb73def035201486c9fe5
SHA1 f3a251c44c2f4e57f812d015f0ac95a5440f6391
SHA256 292003ded43114dc3d4b39461303648ae29ad228f06fb487230a70b3d25868bc
SHA512 e4238691512565e2ac06faf4e794a62e548e0009c5a2468fb92810a45a0469e10b4b7b1833c976f6114033696af3f553403c701473fa86d83816acd3e2a09888

C:\Windows\SysWOW64\oqdxadvjiapbnqr.exe
Filesize 512KB
MD5 7f77951fbf7f39331dc831dc5527f0e0
SHA1 c623570f27207388c30e829e88581d33359f55f0
SHA256 2ab2dc9ad4e74758d176c111f2ec7db5847db53c2f7b880a5db8f1ba0bad28db
SHA512 9da64043d3ce99bc43dc0897287c8c952c4c22071aace40f3aed2c671c198784d37857aac9dd78d9902f89c052c24fa95ee7910c09d017c0a9941e1529373af4

C:\Windows\SysWOW64\qlizuhzz.exe
Filesize 512KB
MD5 68afa2f21e8c2869be88e283009d9eb8
SHA1 2944a1b813ccf486f12ddade197d715df9766002
SHA256 fb251f242b4f55b809833cc1c95eb2f80437c8d4abc83ff76ad5745b60e26e93
SHA512 98bb1212a68cae4b3e83cf0f2241568481c4a0703bdc8820536236a477d96a6143144a6e702d07b058764200d626def3f7a3294accae2c91912e1978378f42f8

C:\Windows\mydoc.rtf
Filesize 223B
MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
Filesize 512KB
MD5 bc733a2c81ab0a023af06decb52b7c3f
SHA1 3f28dca199c22d9116a60e0981405f59bf43eda4
SHA256 0fbacd1ecddc394316795476d0f1ac9a7b2d9445fc6fd75d9a8ef8be42dd2267
SHA512 d349b35897ec1507f570fab8a6d5bc2c486134daa98afdf6aeb3a15d8ef1a28d0e010242c32ac367f6539742ca2aaf19e7ae7fd85684d8933e4e9894d92cd2fa

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
Filesize 512KB
MD5 4b826314382251034274f1be484dcb6b
SHA1 f4f5f3139a1912c7e4d60eb54a5fcecb20ab4d07
SHA256 b422f219bf4bf71e11ebee951d28e2ceb0930a991b6a5b61331240bd18abc379
SHA512 d705e707d8c8bfdd3cfbc89e80e372c23ad9a456915e112150317f7868dfe93c5a9c642f5cbdd944af4d0441239e669c210daf87b2856479c78dcd647194c22f

memory/3756-0-0x0000000000400000-0x0000000000496000-memory.dmp
Filesize 600KB

memory/3784-41-0x00007FFA4CE60000-0x00007FFA4CE70000-memory.dmp
Filesize 64KB

memory/3784-40-0x00007FFA4CE60000-0x00007FFA4CE70000-memory.dmp
Filesize 64KB

memory/3784-39-0x00007FFA4F670000-0x00007FFA4F680000-memory.dmp
Filesize 64KB

memory/3784-38-0x00007FFA4F670000-0x00007FFA4F680000-memory.dmp
Filesize 64KB

memory/3784-36-0x00007FFA4F670000-0x00007FFA4F680000-memory.dmp
Filesize 64KB

memory/3784-37-0x00007FFA4F670000-0x00007FFA4F680000-memory.dmp
Filesize 64KB

memory/3784-35-0x00007FFA4F670000-0x00007FFA4F680000-memory.dmp
Filesize 64KB

memory/3784-594-0x00007FFA4F670000-0x00007FFA4F680000-memory.dmp
Filesize 64KB

memory/3784-595-0x00007FFA4F670000-0x00007FFA4F680000-memory.dmp
Filesize 64KB

memory/3784-596-0x00007FFA4F670000-0x00007FFA4F680000-memory.dmp
Filesize 64KB

memory/3784-593-0x00007FFA4F670000-0x00007FFA4F680000-memory.dmp
Filesize 64KB