Analysis
max time kernel: 149s
max time network: 132s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-05-2024 16:05

Static task: static1
Behavioral task: behavioral1
  Sample: 6f13772fff6a75643fdc9c58d965ff33_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 6f13772fff6a75643fdc9c58d965ff33_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 6f13772fff6a75643fdc9c58d965ff33_JaffaCakes118.exe
Size: 512KB
MD5: 6f13772fff6a75643fdc9c58d965ff33
SHA1: 40d4de0e8980c6843c72a4c78d25bc6019796640
SHA256: 5e1774d2991b5c972e6b34758a07f103ee31fdffa888fb622f2a6ea47da853d8
SHA512: c37893e94f7343b58eed1e3fcc3c60761aeac32e95d738b94453d1412fcdeabab13d5a733460d0ef4fb7a29cd7a38cd0335c28a96dc05ac7b9a439a6eb16e42b
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6H:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5Y
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
Processes: vwyvqxzkbj.exe
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | vwyvqxzkbj.exe

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
Processes: vwyvqxzkbj.exe
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | vwyvqxzkbj.exe

Windows security bypass (5 IoCs)
Processes: vwyvqxzkbj.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | vwyvqxzkbj.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | vwyvqxzkbj.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | vwyvqxzkbj.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | vwyvqxzkbj.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | vwyvqxzkbj.exe

Disables RegEdit via registry modification (1 IoC)
Processes: vwyvqxzkbj.exe
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | vwyvqxzkbj.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: 6f13772fff6a75643fdc9c58d965ff33_JaffaCakes118.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | 6f13772fff6a75643fdc9c58d965ff33_JaffaCakes118.exe
Executes dropped EXE (5 IoCs)
Processes: vwyvqxzkbj.exe, gewmwqeehmfrggi.exe, umussbgu.exe, nrorrmmedymfi.exe, umussbgu.exe
  pid | process
  1624 | vwyvqxzkbj.exe
  4140 | gewmwqeehmfrggi.exe
  1700 | umussbgu.exe
  3216 | nrorrmmedymfi.exe
  2576 | umussbgu.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification (6 IoCs)
Processes: vwyvqxzkbj.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | vwyvqxzkbj.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | vwyvqxzkbj.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | vwyvqxzkbj.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | vwyvqxzkbj.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | vwyvqxzkbj.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | vwyvqxzkbj.exe

Adds Run key to start application (2 TTPs, 3 IoCs)
Processes: gewmwqeehmfrggi.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yjprdxfc = "vwyvqxzkbj.exe" | gewmwqeehmfrggi.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mztwahzs = "gewmwqeehmfrggi.exe" | gewmwqeehmfrggi.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "nrorrmmedymfi.exe" | gewmwqeehmfrggi.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: umussbgu.exe, vwyvqxzkbj.exe, umussbgu.exe
  description | ioc | process
  File opened (read-only) | \??\q: | umussbgu.exe
  File opened (read-only) | \??\w: | vwyvqxzkbj.exe
  File opened (read-only) | \??\v: | umussbgu.exe
  File opened (read-only) | \??\a: | vwyvqxzkbj.exe
  File opened (read-only) | \??\j: | vwyvqxzkbj.exe
  File opened (read-only) | \??\b: | umussbgu.exe
  File opened (read-only) | \??\w: | umussbgu.exe
  File opened (read-only) | \??\z: | umussbgu.exe
  File opened (read-only) | \??\r: | umussbgu.exe
  File opened (read-only) | \??\e: | umussbgu.exe
  File opened (read-only) | \??\y: | vwyvqxzkbj.exe
  File opened (read-only) | \??\a: | umussbgu.exe
  File opened (read-only) | \??\k: | umussbgu.exe
  File opened (read-only) | \??\x: | umussbgu.exe
  File opened (read-only) | \??\b: | umussbgu.exe
  File opened (read-only) | \??\m: | umussbgu.exe
  File opened (read-only) | \??\v: | umussbgu.exe
  File opened (read-only) | \??\x: | vwyvqxzkbj.exe
  File opened (read-only) | \??\k: | umussbgu.exe
  File opened (read-only) | \??\s: | umussbgu.exe
  File opened (read-only) | \??\e: | vwyvqxzkbj.exe
  File opened (read-only) | \??\z: | vwyvqxzkbj.exe
  File opened (read-only) | \??\h: | umussbgu.exe
  File opened (read-only) | \??\t: | vwyvqxzkbj.exe
  File opened (read-only) | \??\n: | umussbgu.exe
  File opened (read-only) | \??\o: | umussbgu.exe
  File opened (read-only) | \??\t: | umussbgu.exe
  File opened (read-only) | \??\m: | umussbgu.exe
  File opened (read-only) | \??\v: | vwyvqxzkbj.exe
  File opened (read-only) | \??\e: | umussbgu.exe
  File opened (read-only) | \??\l: | umussbgu.exe
  File opened (read-only) | \??\g: | umussbgu.exe
  File opened (read-only) | \??\g: | umussbgu.exe
  File opened (read-only) | \??\a: | umussbgu.exe
  File opened (read-only) | \??\i: | vwyvqxzkbj.exe
  File opened (read-only) | \??\l: | vwyvqxzkbj.exe
  File opened (read-only) | \??\p: | vwyvqxzkbj.exe
  File opened (read-only) | \??\r: | vwyvqxzkbj.exe
  File opened (read-only) | \??\r: | umussbgu.exe
  File opened (read-only) | \??\s: | umussbgu.exe
  File opened (read-only) | \??\t: | umussbgu.exe
  File opened (read-only) | \??\b: | vwyvqxzkbj.exe
  File opened (read-only) | \??\u: | umussbgu.exe
  File opened (read-only) | \??\n: | umussbgu.exe
  File opened (read-only) | \??\s: | vwyvqxzkbj.exe
  File opened (read-only) | \??\p: | umussbgu.exe
  File opened (read-only) | \??\n: | vwyvqxzkbj.exe
  File opened (read-only) | \??\m: | vwyvqxzkbj.exe
  File opened (read-only) | \??\q: | vwyvqxzkbj.exe
  File opened (read-only) | \??\j: | umussbgu.exe
  File opened (read-only) | \??\h: | vwyvqxzkbj.exe
  File opened (read-only) | \??\x: | umussbgu.exe
  File opened (read-only) | \??\l: | umussbgu.exe
  File opened (read-only) | \??\u: | umussbgu.exe
  File opened (read-only) | \??\j: | umussbgu.exe
  File opened (read-only) | \??\o: | umussbgu.exe
  File opened (read-only) | \??\p: | umussbgu.exe
  File opened (read-only) | \??\q: | umussbgu.exe
  File opened (read-only) | \??\w: | umussbgu.exe
  File opened (read-only) | \??\y: | umussbgu.exe
  File opened (read-only) | \??\k: | vwyvqxzkbj.exe
  File opened (read-only) | \??\i: | umussbgu.exe
  File opened (read-only) | \??\y: | umussbgu.exe
  File opened (read-only) | \??\i: | umussbgu.exe
Modifies WinLogon (2 TTPs, 2 IoCs)
Processes: vwyvqxzkbj.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | vwyvqxzkbj.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | vwyvqxzkbj.exe
AutoIT Executable (10 IoCs)
AutoIT scripts compiled to PE executables.
Processes:
  resource | yara_rule
  behavioral2/memory/4800-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
  C:\Windows\SysWOW64\gewmwqeehmfrggi.exe | autoit_exe
  C:\Windows\SysWOW64\vwyvqxzkbj.exe | autoit_exe
  C:\Windows\SysWOW64\umussbgu.exe | autoit_exe
  C:\Windows\SysWOW64\nrorrmmedymfi.exe | autoit_exe
  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | autoit_exe
  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | autoit_exe
  C:\Users\Admin\Documents\DisconnectTest.doc.exe | autoit_exe
  \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | autoit_exe
  \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | autoit_exe
Drops file in System32 directory (12 IoCs)
Processes: 6f13772fff6a75643fdc9c58d965ff33_JaffaCakes118.exe, umussbgu.exe, umussbgu.exe, vwyvqxzkbj.exe
  description | ioc | process
  File created | C:\Windows\SysWOW64\nrorrmmedymfi.exe | 6f13772fff6a75643fdc9c58d965ff33_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\nrorrmmedymfi.exe | 6f13772fff6a75643fdc9c58d965ff33_JaffaCakes118.exe
  File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | umussbgu.exe
  File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | umussbgu.exe
  File created | C:\Windows\SysWOW64\vwyvqxzkbj.exe | 6f13772fff6a75643fdc9c58d965ff33_JaffaCakes118.exe
  File created | C:\Windows\SysWOW64\gewmwqeehmfrggi.exe | 6f13772fff6a75643fdc9c58d965ff33_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\umussbgu.exe | 6f13772fff6a75643fdc9c58d965ff33_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | vwyvqxzkbj.exe
  File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | umussbgu.exe
  File opened for modification | C:\Windows\SysWOW64\vwyvqxzkbj.exe | 6f13772fff6a75643fdc9c58d965ff33_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\gewmwqeehmfrggi.exe | 6f13772fff6a75643fdc9c58d965ff33_JaffaCakes118.exe
  File created | C:\Windows\SysWOW64\umussbgu.exe | 6f13772fff6a75643fdc9c58d965ff33_JaffaCakes118.exe
Drops file in Program Files directory (15 IoCs)
Processes: umussbgu.exe, umussbgu.exe
  description | ioc | process
  File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | umussbgu.exe
  File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | umussbgu.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | umussbgu.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | umussbgu.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | umussbgu.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | umussbgu.exe
  File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | umussbgu.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | umussbgu.exe
  File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | umussbgu.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | umussbgu.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | umussbgu.exe
  File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | umussbgu.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | umussbgu.exe
  File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | umussbgu.exe
  File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | umussbgu.exe
Drops file in Windows directory (19 IoCs)
Processes: umussbgu.exe, WINWORD.EXE, umussbgu.exe, 6f13772fff6a75643fdc9c58d965ff33_JaffaCakes118.exe
  description | ioc | process
  File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | umussbgu.exe
  File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | umussbgu.exe
  File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
  File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | umussbgu.exe
  File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | umussbgu.exe
  File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | umussbgu.exe
  File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | umussbgu.exe
  File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | umussbgu.exe
  File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | umussbgu.exe
  File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | umussbgu.exe
  File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | umussbgu.exe
  File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | umussbgu.exe
  File opened for modification | C:\Windows\mydoc.rtf | 6f13772fff6a75643fdc9c58d965ff33_JaffaCakes118.exe
  File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
  File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | umussbgu.exe
  File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | umussbgu.exe
  File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | umussbgu.exe
  File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | umussbgu.exe
  File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | umussbgu.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: WINWORD.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class (20 IoCs)
Processes: 6f13772fff6a75643fdc9c58d965ff33_JaffaCakes118.exe, vwyvqxzkbj.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32452D7F9D2082596D4677A777552CAE7DF564AA" | 6f13772fff6a75643fdc9c58d965ff33_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFFFCFC482F82139041D72A7DE7BD93E136583767336341D79D" | 6f13772fff6a75643fdc9c58d965ff33_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184DC77B14E6DBC7B8BC7C95EC9437CA" | 6f13772fff6a75643fdc9c58d965ff33_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | vwyvqxzkbj.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB7B15C4492389A52CDBAD03292D4B8" | 6f13772fff6a75643fdc9c58d965ff33_JaffaCakes118.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | vwyvqxzkbj.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | vwyvqxzkbj.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | vwyvqxzkbj.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | vwyvqxzkbj.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AC9FAB1FE6AF194840C3A40869E3994B0FE02F94315023BE1C942E708A3" | 6f13772fff6a75643fdc9c58d965ff33_JaffaCakes118.exe
  Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings | 6f13772fff6a75643fdc9c58d965ff33_JaffaCakes118.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | vwyvqxzkbj.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | vwyvqxzkbj.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | vwyvqxzkbj.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | vwyvqxzkbj.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 6f13772fff6a75643fdc9c58d965ff33_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0816BC6FF1F22DAD20FD1A68A7F9110" | 6f13772fff6a75643fdc9c58d965ff33_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | vwyvqxzkbj.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | vwyvqxzkbj.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | vwyvqxzkbj.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes: WINWORD.EXE
  pid | process
  1816 | WINWORD.EXE (2 entries)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: 6f13772fff6a75643fdc9c58d965ff33_JaffaCakes118.exe, vwyvqxzkbj.exe, umussbgu.exe, gewmwqeehmfrggi.exe, nrorrmmedymfi.exe, umussbgu.exe
  pid | process
  4800 | 6f13772fff6a75643fdc9c58d965ff33_JaffaCakes118.exe (16 entries)
  1624 | vwyvqxzkbj.exe (10 entries)
  1700 | umussbgu.exe (8 entries)
  4140 | gewmwqeehmfrggi.exe (8 entries)
  3216 | nrorrmmedymfi.exe (12 entries)
  4140 | gewmwqeehmfrggi.exe (2 entries)
  2576 | umussbgu.exe (8 entries)

Suspicious use of FindShellTrayWindow (18 IoCs)
Processes: 6f13772fff6a75643fdc9c58d965ff33_JaffaCakes118.exe, vwyvqxzkbj.exe, umussbgu.exe, gewmwqeehmfrggi.exe, nrorrmmedymfi.exe, umussbgu.exe
  pid | process
  4800 | 6f13772fff6a75643fdc9c58d965ff33_JaffaCakes118.exe (3 entries)
  1624 | vwyvqxzkbj.exe (3 entries)
  1700 | umussbgu.exe (3 entries)
  4140 | gewmwqeehmfrggi.exe
  3216 | nrorrmmedymfi.exe
  4140 | gewmwqeehmfrggi.exe
  3216 | nrorrmmedymfi.exe
  4140 | gewmwqeehmfrggi.exe
  3216 | nrorrmmedymfi.exe
  2576 | umussbgu.exe (3 entries)

Suspicious use of SendNotifyMessage (18 IoCs)
Processes: 6f13772fff6a75643fdc9c58d965ff33_JaffaCakes118.exe, vwyvqxzkbj.exe, umussbgu.exe, gewmwqeehmfrggi.exe, nrorrmmedymfi.exe, umussbgu.exe
  pid | process
  4800 | 6f13772fff6a75643fdc9c58d965ff33_JaffaCakes118.exe (3 entries)
  1624 | vwyvqxzkbj.exe (3 entries)
  1700 | umussbgu.exe (3 entries)
  4140 | gewmwqeehmfrggi.exe
  3216 | nrorrmmedymfi.exe
  4140 | gewmwqeehmfrggi.exe
  3216 | nrorrmmedymfi.exe
  4140 | gewmwqeehmfrggi.exe
  3216 | nrorrmmedymfi.exe
  2576 | umussbgu.exe (3 entries)

Suspicious use of SetWindowsHookEx (7 IoCs)
Processes: WINWORD.EXE
  pid | process
  1816 | WINWORD.EXE (7 entries)

Suspicious use of WriteProcessMemory (17 IoCs)
Processes: 6f13772fff6a75643fdc9c58d965ff33_JaffaCakes118.exe, vwyvqxzkbj.exe
  description | pid | process | target process
  PID 4800 wrote to memory of 1624 | 4800 | 6f13772fff6a75643fdc9c58d965ff33_JaffaCakes118.exe | vwyvqxzkbj.exe (3 entries)
  PID 4800 wrote to memory of 4140 | 4800 | 6f13772fff6a75643fdc9c58d965ff33_JaffaCakes118.exe | gewmwqeehmfrggi.exe (3 entries)
  PID 4800 wrote to memory of 1700 | 4800 | 6f13772fff6a75643fdc9c58d965ff33_JaffaCakes118.exe | umussbgu.exe (3 entries)
  PID 4800 wrote to memory of 3216 | 4800 | 6f13772fff6a75643fdc9c58d965ff33_JaffaCakes118.exe | nrorrmmedymfi.exe (3 entries)
  PID 4800 wrote to memory of 1816 | 4800 | 6f13772fff6a75643fdc9c58d965ff33_JaffaCakes118.exe | WINWORD.EXE (2 entries)
  PID 1624 wrote to memory of 2576 | 1624 | vwyvqxzkbj.exe | umussbgu.exe (3 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\6f13772fff6a75643fdc9c58d965ff33_JaffaCakes118.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\6f13772fff6a75643fdc9c58d965ff33_JaffaCakes118.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\vwyvqxzkbj.exe (depth 2)
    Command line: vwyvqxzkbj.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\umussbgu.exe (depth 3)
      Command line: C:\Windows\system32\umussbgu.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\gewmwqeehmfrggi.exe (depth 2)
    Command line: gewmwqeehmfrggi.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\umussbgu.exe (depth 2)
    Command line: umussbgu.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\nrorrmmedymfi.exe (depth 2)
    Command line: nrorrmmedymfi.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (depth 2)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4152,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=3776 /prefetch:8
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Modify Registry (6)
  Impair Defenses (2)
    Disable or Modify Tools (2)
Downloads
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
  Filesize: 512KB
  MD5: 9872d3aa49c9357b371ffb49d1e1c025
  SHA1: 48454af065307a129aca9414b299c39092449e79
  SHA256: d97794cd70a49b2e56d141ca1abd948a83d6cd662258a2397f85679b0f3fb77e
  SHA512: 72ff978c4f9299dba9cb3ede661f7d34f03c52c8a158b7e64591e85b7456f5d96e2f2ff85504454c4b692ab288896b82bae14ebb5fa4adfd6c60abda5f1c6b7f

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
  Filesize: 512KB
  MD5: 4b90f64774bd6332b10814d98c503ad1
  SHA1: 824c5807255eaa94452ac47867b5e1b97848644f
  SHA256: e4458d437bf9e7c5b7a0e04275f8f5df48edeec76d62766b4593d7ffc74de9f7
  SHA512: 3b06d0b5b989deef45e231a0099c4bfc2f3b85ccd63e53605327402b11b8dd8eb258c96298f486d9be125966375269feff3df2195f1eb475df697e7cb299ba1b

C:\Users\Admin\AppData\Local\Temp\TCD4312.tmp\sist02.xsl
  Filesize: 245KB
  MD5: f883b260a8d67082ea895c14bf56dd56
  SHA1: 7954565c1f243d46ad3b1e2f1baf3281451fc14b
  SHA256: ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
  SHA512: d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
  Filesize: 239B
  MD5: 12b138a5a40ffb88d1850866bf2959cd
  SHA1: 57001ba2de61329118440de3e9f8a81074cb28a2
  SHA256: 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
  SHA512: 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 3KB
  MD5: 3cd66435e43e93bc050c84da0450297b
  SHA1: 1ae196ae8caf1f2394d973e7b4732ef0055ad649
  SHA256: 93d0099a43c8b5b341ceea61e2cc566b8656f582d0f3b5908ce48738f7babf71
  SHA512: eb1204f6c187ab3455b21ff0e11ffb70d2e40c9fc705d09380b5ecb669031a30721b08fb221d7e6cd45b65f79112070eef9cec4f447e470eec88eec8f514943f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 3KB
  MD5: a27bcba7a32a0f6a976f06dcc3bdc747
  SHA1: 9cf351d1c1d5f807c00b5831538f479139620d70
  SHA256: 152a0d69bb54a748e02975d30f631c8f2cf6c51770a8939ff6e42ca9982d061b
  SHA512: 58705790c52eb66a7b0d951fc25247ea1dff40c794c03179befb092ee3d0594190123e2723142690fe9a01ff9ff34f061158158e09665053ceb43f0411f09979

C:\Users\Admin\Documents\DisconnectTest.doc.exe
  Filesize: 512KB
  MD5: 2fc437ae0692bf1785b96744ea29d144
  SHA1: 022936e806918bd70f845534654b2e9d6b19e497
  SHA256: 96135b22daae31fe9a9fe83dd74af8ccb35d0cbcfee7a652043912d7556aa165
  SHA512: 82f444abbd3caecf576143c6794a678516d9d681bedf654896826622b4df5f70cd382780a2e63814703ecb5b07d40fb9a0ec2e136c56131845ec586880c47c9e

C:\Windows\SysWOW64\gewmwqeehmfrggi.exe
  Filesize: 512KB
  MD5: 0d63e53d87e6c1eb654485abedbf3bc5
  SHA1: 7acfdc2a48267dbd52a8164f42d4292dcd733234
  SHA256: 1a111290491c39888df04497e1af214f08056ad669c4d8f1d3e0281d1e9855fe
  SHA512: 0e48e1c6b969b05dcc32cac1d501ed9594a7ae3d47cbdea6aff7c7aab93b36458190460a54f2eb573535ac25c973c499bb49360d0692ccee68ffe37849f4d0d4

C:\Windows\SysWOW64\nrorrmmedymfi.exe
  Filesize: 512KB
  MD5: df261d4ebf92e2071cf6009d793510d8
  SHA1: c46f53948e9a53c8f1c24bb40e3f27724f669205
  SHA256: f423b043d0d20424da3cb168096236cc60c9ec91056e1697dffa6fc0691f0c9a
  SHA512: de99bcd927ad98e7678a1ed3002f95e1025c3936336ac9ef93315b8f9ce3b97e984a2a5b0d5f6d6d20042942868da806400e6358b2986b064c027c85a61746f2

C:\Windows\SysWOW64\umussbgu.exe
  Filesize: 512KB
  MD5: 8d33ea3cbe1e86b480591a290b14fc17
  SHA1: 57db1f9343a6b6ae161822cc7d70a2cc5abcee43
  SHA256: 9c94f81ee0692296b3f904cfbb2dff570c202c600127404be50192a65027ed4e
  SHA512: 50c4e4b9ad6c3aae22b7e2d7376386006168b3514ef821cd2367bb45a0f13f8ccdc52b6da3637c5fb75d2a7bbbc3c49ee29a734b07a7fa8d90370eda9a106e43

C:\Windows\SysWOW64\vwyvqxzkbj.exe
  Filesize: 512KB
  MD5: 1651dc4ba6c4203725e80dc5c1253fec
  SHA1: a44450584379397c4ccde2637058183ac3b1e6f7
  SHA256: 3f30fd8e70d822fb6bbefe6b3ff5af036119e57c058792f308283193f52b79c5
  SHA512: 36d51995cbc77947e639a8d189b6da43f77805febd8a59afde5d5d2a456346f42cb48429c32037f82bffb52191436e37b9687f4e915687af29725065c84a020d

C:\Windows\mydoc.rtf
  Filesize: 223B
  MD5: 06604e5941c126e2e7be02c5cd9f62ec
  SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
  SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
  SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
  Filesize: 512KB
  MD5: b467f7f38ed01f464013e3cfbcfa56c8
  SHA1: d0059753a48f8e64bec3c71cf9c0e0c76d3eaba9
  SHA256: 3b7e20a7038e9d44a0857e934fa9e29296b3a42c9777baf76367f6a5bcd99a22
  SHA512: ca9dd7ae4f3737d10bd384829f28aff6e938e787f1ca9d91ee821daa7bfd143138d49c2d81a5bf63e5b8b79a6cf94f88e0f7b5cefc93114834c89fbb87f687d0

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
  Filesize: 512KB
  MD5: 15cfb7a0818b5b3e160da2b01ddb3e2b
  SHA1: 914c14517ba096f913583a5ff3e145dec2246e72
  SHA256: 8c365cc493f24d9ef330ca0ddaef66e2ebeb136d2af2bbd0f63a0fd84f81fc51
  SHA512: 19bd92a44dc745d544e248cd0810af2836e326a3c175430511abb23bbe1de147dc343341854bc14aa5ff860e0ffae2480a1ae744db06d24f560b46ad2ec118c5

Memory dumps:
  memory/1816-39-0x00007FF7C4990000-0x00007FF7C49A0000-memory.dmp | Filesize: 64KB
  memory/1816-38-0x00007FF7C4990000-0x00007FF7C49A0000-memory.dmp | Filesize: 64KB
  memory/1816-36-0x00007FF7C4990000-0x00007FF7C49A0000-memory.dmp | Filesize: 64KB
  memory/1816-37-0x00007FF7C4990000-0x00007FF7C49A0000-memory.dmp | Filesize: 64KB
  memory/1816-35-0x00007FF7C4990000-0x00007FF7C49A0000-memory.dmp | Filesize: 64KB
  memory/1816-40-0x00007FF7C2170000-0x00007FF7C2180000-memory.dmp | Filesize: 64KB
  memory/1816-43-0x00007FF7C2170000-0x00007FF7C2180000-memory.dmp | Filesize: 64KB
  memory/1816-603-0x00007FF7C4990000-0x00007FF7C49A0000-memory.dmp | Filesize: 64KB
  memory/1816-606-0x00007FF7C4990000-0x00007FF7C49A0000-memory.dmp | Filesize: 64KB
  memory/1816-605-0x00007FF7C4990000-0x00007FF7C49A0000-memory.dmp | Filesize: 64KB
  memory/1816-604-0x00007FF7C4990000-0x00007FF7C49A0000-memory.dmp | Filesize: 64KB
  memory/4800-0-0x0000000000400000-0x0000000000496000-memory.dmp | Filesize: 600KB