b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
24-05-2024 19:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6f91d104958a5ca488ef235eec0c5cb4_JaffaCakes118.exe
Size

512KB
MD5

6f91d104958a5ca488ef235eec0c5cb4
SHA1

da2b08f41effa470dc52346de414c245ecd7a464
SHA256

b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee
SHA512

d267842ff5fd158fe1700cfa7be1c6b086e9cb12a86f836e068adddc1574793a5a08f1b8d299c188ca597a036bd191612df3f32c0a9f360a99eb3f183be6527d
SSDEEP

6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6z:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5G

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

votvkxkmny.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	votvkxkmny.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

votvkxkmny.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	votvkxkmny.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

votvkxkmny.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	votvkxkmny.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	votvkxkmny.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	votvkxkmny.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	votvkxkmny.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	votvkxkmny.exe

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

votvkxkmny.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	votvkxkmny.exe

Executes dropped EXE 5 IoCs

Processes:

votvkxkmny.exeebagukuxdbgcrto.exekuqtkpas.exeoyfbresvcvxlf.exekuqtkpas.exe

pid process

2592 votvkxkmny.exe
2716 ebagukuxdbgcrto.exe
2608 kuqtkpas.exe
2628 oyfbresvcvxlf.exe
2836 kuqtkpas.exe

pid	process
2592	votvkxkmny.exe
2716	ebagukuxdbgcrto.exe
2608	kuqtkpas.exe
2628	oyfbresvcvxlf.exe
2836	kuqtkpas.exe

Loads dropped DLL 5 IoCs

Processes:

6f91d104958a5ca488ef235eec0c5cb4_JaffaCakes118.exevotvkxkmny.exe

pid	process
2176	6f91d104958a5ca488ef235eec0c5cb4_JaffaCakes118.exe
2176	6f91d104958a5ca488ef235eec0c5cb4_JaffaCakes118.exe
2176	6f91d104958a5ca488ef235eec0c5cb4_JaffaCakes118.exe
2176	6f91d104958a5ca488ef235eec0c5cb4_JaffaCakes118.exe
2592	votvkxkmny.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

votvkxkmny.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	votvkxkmny.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	votvkxkmny.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	votvkxkmny.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"	votvkxkmny.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	votvkxkmny.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	votvkxkmny.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ebagukuxdbgcrto.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\bhqocods = "votvkxkmny.exe"	ebagukuxdbgcrto.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\keekkpgc = "ebagukuxdbgcrto.exe"	ebagukuxdbgcrto.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "oyfbresvcvxlf.exe"	ebagukuxdbgcrto.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

kuqtkpas.exevotvkxkmny.exekuqtkpas.exe

description	ioc	process
File opened (read-only)	\??\v:	kuqtkpas.exe
File opened (read-only)	\??\e:	votvkxkmny.exe
File opened (read-only)	\??\l:	votvkxkmny.exe
File opened (read-only)	\??\r:	kuqtkpas.exe
File opened (read-only)	\??\g:	votvkxkmny.exe
File opened (read-only)	\??\u:	votvkxkmny.exe
File opened (read-only)	\??\s:	kuqtkpas.exe
File opened (read-only)	\??\x:	kuqtkpas.exe
File opened (read-only)	\??\z:	kuqtkpas.exe
File opened (read-only)	\??\a:	kuqtkpas.exe
File opened (read-only)	\??\b:	kuqtkpas.exe
File opened (read-only)	\??\t:	kuqtkpas.exe
File opened (read-only)	\??\k:	kuqtkpas.exe
File opened (read-only)	\??\a:	kuqtkpas.exe
File opened (read-only)	\??\o:	kuqtkpas.exe
File opened (read-only)	\??\g:	kuqtkpas.exe
File opened (read-only)	\??\y:	kuqtkpas.exe
File opened (read-only)	\??\k:	votvkxkmny.exe
File opened (read-only)	\??\n:	votvkxkmny.exe
File opened (read-only)	\??\r:	votvkxkmny.exe
File opened (read-only)	\??\w:	votvkxkmny.exe
File opened (read-only)	\??\u:	kuqtkpas.exe
File opened (read-only)	\??\j:	votvkxkmny.exe
File opened (read-only)	\??\b:	kuqtkpas.exe
File opened (read-only)	\??\t:	kuqtkpas.exe
File opened (read-only)	\??\u:	kuqtkpas.exe
File opened (read-only)	\??\w:	kuqtkpas.exe
File opened (read-only)	\??\l:	kuqtkpas.exe
File opened (read-only)	\??\w:	kuqtkpas.exe
File opened (read-only)	\??\h:	kuqtkpas.exe
File opened (read-only)	\??\p:	kuqtkpas.exe
File opened (read-only)	\??\o:	votvkxkmny.exe
File opened (read-only)	\??\q:	votvkxkmny.exe
File opened (read-only)	\??\h:	kuqtkpas.exe
File opened (read-only)	\??\i:	kuqtkpas.exe
File opened (read-only)	\??\k:	kuqtkpas.exe
File opened (read-only)	\??\b:	votvkxkmny.exe
File opened (read-only)	\??\h:	votvkxkmny.exe
File opened (read-only)	\??\i:	votvkxkmny.exe
File opened (read-only)	\??\z:	votvkxkmny.exe
File opened (read-only)	\??\j:	kuqtkpas.exe
File opened (read-only)	\??\a:	votvkxkmny.exe
File opened (read-only)	\??\r:	kuqtkpas.exe
File opened (read-only)	\??\m:	kuqtkpas.exe
File opened (read-only)	\??\v:	votvkxkmny.exe
File opened (read-only)	\??\y:	votvkxkmny.exe
File opened (read-only)	\??\p:	votvkxkmny.exe
File opened (read-only)	\??\s:	votvkxkmny.exe
File opened (read-only)	\??\e:	kuqtkpas.exe
File opened (read-only)	\??\j:	kuqtkpas.exe
File opened (read-only)	\??\s:	kuqtkpas.exe
File opened (read-only)	\??\x:	kuqtkpas.exe
File opened (read-only)	\??\p:	kuqtkpas.exe
File opened (read-only)	\??\o:	kuqtkpas.exe
File opened (read-only)	\??\q:	kuqtkpas.exe
File opened (read-only)	\??\e:	kuqtkpas.exe
File opened (read-only)	\??\g:	kuqtkpas.exe
File opened (read-only)	\??\m:	kuqtkpas.exe
File opened (read-only)	\??\n:	kuqtkpas.exe
File opened (read-only)	\??\v:	kuqtkpas.exe
File opened (read-only)	\??\n:	kuqtkpas.exe
File opened (read-only)	\??\x:	votvkxkmny.exe
File opened (read-only)	\??\y:	kuqtkpas.exe
File opened (read-only)	\??\i:	kuqtkpas.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

votvkxkmny.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	votvkxkmny.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"	votvkxkmny.exe

AutoIT Executable 6 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/2176-0-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe
C:\Windows\SysWOW64\ebagukuxdbgcrto.exe	autoit_exe
\Windows\SysWOW64\votvkxkmny.exe	autoit_exe
\Windows\SysWOW64\kuqtkpas.exe	autoit_exe
\Windows\SysWOW64\oyfbresvcvxlf.exe	autoit_exe
C:\Users\Admin\Desktop\EnterWrite.doc.exe	autoit_exe

Drops file in System32 directory 9 IoCs

Processes:

votvkxkmny.exe6f91d104958a5ca488ef235eec0c5cb4_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	votvkxkmny.exe
File created	C:\Windows\SysWOW64\votvkxkmny.exe	6f91d104958a5ca488ef235eec0c5cb4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\votvkxkmny.exe	6f91d104958a5ca488ef235eec0c5cb4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ebagukuxdbgcrto.exe	6f91d104958a5ca488ef235eec0c5cb4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\ebagukuxdbgcrto.exe	6f91d104958a5ca488ef235eec0c5cb4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\kuqtkpas.exe	6f91d104958a5ca488ef235eec0c5cb4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\kuqtkpas.exe	6f91d104958a5ca488ef235eec0c5cb4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\oyfbresvcvxlf.exe	6f91d104958a5ca488ef235eec0c5cb4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\oyfbresvcvxlf.exe	6f91d104958a5ca488ef235eec0c5cb4_JaffaCakes118.exe

Drops file in Program Files directory 14 IoCs

Processes:

kuqtkpas.exekuqtkpas.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	kuqtkpas.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	kuqtkpas.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	kuqtkpas.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	kuqtkpas.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	kuqtkpas.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	kuqtkpas.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	kuqtkpas.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	kuqtkpas.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	kuqtkpas.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	kuqtkpas.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	kuqtkpas.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	kuqtkpas.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	kuqtkpas.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	kuqtkpas.exe

Drops file in Windows directory 5 IoCs

Processes:

6f91d104958a5ca488ef235eec0c5cb4_JaffaCakes118.exeWINWORD.EXE

description	ioc	process
File opened for modification	C:\Windows\mydoc.rtf	6f91d104958a5ca488ef235eec0c5cb4_JaffaCakes118.exe
File opened for modification	C:\Windows\mydoc.rtf	WINWORD.EXE
File created	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE
File opened for modification	C:\Windows\~$mydoc.rtf	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

6f91d104958a5ca488ef235eec0c5cb4_JaffaCakes118.exevotvkxkmny.exeWINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACFFACDF917F1E784753B4A819E3E99B08B028F4316033AE2CC459D08A5"	6f91d104958a5ca488ef235eec0c5cb4_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184BC67415E7DAB0B8CF7FE4EDE034CA"	6f91d104958a5ca488ef235eec0c5cb4_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat	votvkxkmny.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsh	votvkxkmny.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs	votvkxkmny.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsc	votvkxkmny.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"	votvkxkmny.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

2720 WINWORD.EXE

pid	process
2720	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

6f91d104958a5ca488ef235eec0c5cb4_JaffaCakes118.exevotvkxkmny.exekuqtkpas.exeebagukuxdbgcrto.exeoyfbresvcvxlf.exekuqtkpas.exe

pid	process
2176	6f91d104958a5ca488ef235eec0c5cb4_JaffaCakes118.exe
2176	6f91d104958a5ca488ef235eec0c5cb4_JaffaCakes118.exe
2176	6f91d104958a5ca488ef235eec0c5cb4_JaffaCakes118.exe
2176	6f91d104958a5ca488ef235eec0c5cb4_JaffaCakes118.exe
2176	6f91d104958a5ca488ef235eec0c5cb4_JaffaCakes118.exe
2176	6f91d104958a5ca488ef235eec0c5cb4_JaffaCakes118.exe
2176	6f91d104958a5ca488ef235eec0c5cb4_JaffaCakes118.exe
2176	6f91d104958a5ca488ef235eec0c5cb4_JaffaCakes118.exe
2592	votvkxkmny.exe
2592	votvkxkmny.exe
2592	votvkxkmny.exe
2592	votvkxkmny.exe
2592	votvkxkmny.exe
2608	kuqtkpas.exe
2608	kuqtkpas.exe
2608	kuqtkpas.exe
2608	kuqtkpas.exe
2716	ebagukuxdbgcrto.exe
2716	ebagukuxdbgcrto.exe
2716	ebagukuxdbgcrto.exe
2716	ebagukuxdbgcrto.exe
2716	ebagukuxdbgcrto.exe
2628	oyfbresvcvxlf.exe
2628	oyfbresvcvxlf.exe
2628	oyfbresvcvxlf.exe
2628	oyfbresvcvxlf.exe
2628	oyfbresvcvxlf.exe
2628	oyfbresvcvxlf.exe
2836	kuqtkpas.exe
2836	kuqtkpas.exe
2836	kuqtkpas.exe
2836	kuqtkpas.exe
2716	ebagukuxdbgcrto.exe
2628	oyfbresvcvxlf.exe
2628	oyfbresvcvxlf.exe
2716	ebagukuxdbgcrto.exe
2716	ebagukuxdbgcrto.exe
2628	oyfbresvcvxlf.exe
2628	oyfbresvcvxlf.exe
2716	ebagukuxdbgcrto.exe
2628	oyfbresvcvxlf.exe
2628	oyfbresvcvxlf.exe
2716	ebagukuxdbgcrto.exe
2628	oyfbresvcvxlf.exe
2628	oyfbresvcvxlf.exe
2716	ebagukuxdbgcrto.exe
2628	oyfbresvcvxlf.exe
2628	oyfbresvcvxlf.exe
2716	ebagukuxdbgcrto.exe
2628	oyfbresvcvxlf.exe
2628	oyfbresvcvxlf.exe
2716	ebagukuxdbgcrto.exe
2628	oyfbresvcvxlf.exe
2628	oyfbresvcvxlf.exe
2716	ebagukuxdbgcrto.exe
2628	oyfbresvcvxlf.exe
2628	oyfbresvcvxlf.exe
2716	ebagukuxdbgcrto.exe
2628	oyfbresvcvxlf.exe
2628	oyfbresvcvxlf.exe
2716	ebagukuxdbgcrto.exe
2628	oyfbresvcvxlf.exe
2628	oyfbresvcvxlf.exe
2716	ebagukuxdbgcrto.exe

Suspicious use of FindShellTrayWindow 18 IoCs

Processes:

6f91d104958a5ca488ef235eec0c5cb4_JaffaCakes118.exevotvkxkmny.exekuqtkpas.exeebagukuxdbgcrto.exeoyfbresvcvxlf.exekuqtkpas.exe

pid	process
2176	6f91d104958a5ca488ef235eec0c5cb4_JaffaCakes118.exe
2176	6f91d104958a5ca488ef235eec0c5cb4_JaffaCakes118.exe
2176	6f91d104958a5ca488ef235eec0c5cb4_JaffaCakes118.exe
2592	votvkxkmny.exe
2592	votvkxkmny.exe
2592	votvkxkmny.exe
2608	kuqtkpas.exe
2608	kuqtkpas.exe
2608	kuqtkpas.exe
2716	ebagukuxdbgcrto.exe
2716	ebagukuxdbgcrto.exe
2716	ebagukuxdbgcrto.exe
2628	oyfbresvcvxlf.exe
2628	oyfbresvcvxlf.exe
2628	oyfbresvcvxlf.exe
2836	kuqtkpas.exe
2836	kuqtkpas.exe
2836	kuqtkpas.exe

Suspicious use of SendNotifyMessage 18 IoCs

Processes:

6f91d104958a5ca488ef235eec0c5cb4_JaffaCakes118.exevotvkxkmny.exekuqtkpas.exeebagukuxdbgcrto.exeoyfbresvcvxlf.exekuqtkpas.exe

pid	process
2176	6f91d104958a5ca488ef235eec0c5cb4_JaffaCakes118.exe
2176	6f91d104958a5ca488ef235eec0c5cb4_JaffaCakes118.exe
2176	6f91d104958a5ca488ef235eec0c5cb4_JaffaCakes118.exe
2592	votvkxkmny.exe
2592	votvkxkmny.exe
2592	votvkxkmny.exe
2608	kuqtkpas.exe
2608	kuqtkpas.exe
2608	kuqtkpas.exe
2716	ebagukuxdbgcrto.exe
2716	ebagukuxdbgcrto.exe
2716	ebagukuxdbgcrto.exe
2628	oyfbresvcvxlf.exe
2628	oyfbresvcvxlf.exe
2628	oyfbresvcvxlf.exe
2836	kuqtkpas.exe
2836	kuqtkpas.exe
2836	kuqtkpas.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

2720 WINWORD.EXE
2720 WINWORD.EXE

pid	process
2720	WINWORD.EXE
2720	WINWORD.EXE

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

6f91d104958a5ca488ef235eec0c5cb4_JaffaCakes118.exevotvkxkmny.exeWINWORD.EXE

description	pid	process	target process
PID 2176 wrote to memory of 2592	2176	6f91d104958a5ca488ef235eec0c5cb4_JaffaCakes118.exe	votvkxkmny.exe
PID 2176 wrote to memory of 2592	2176	6f91d104958a5ca488ef235eec0c5cb4_JaffaCakes118.exe	votvkxkmny.exe
PID 2176 wrote to memory of 2592	2176	6f91d104958a5ca488ef235eec0c5cb4_JaffaCakes118.exe	votvkxkmny.exe
PID 2176 wrote to memory of 2592	2176	6f91d104958a5ca488ef235eec0c5cb4_JaffaCakes118.exe	votvkxkmny.exe
PID 2176 wrote to memory of 2716	2176	6f91d104958a5ca488ef235eec0c5cb4_JaffaCakes118.exe	ebagukuxdbgcrto.exe
PID 2176 wrote to memory of 2716	2176	6f91d104958a5ca488ef235eec0c5cb4_JaffaCakes118.exe	ebagukuxdbgcrto.exe
PID 2176 wrote to memory of 2716	2176	6f91d104958a5ca488ef235eec0c5cb4_JaffaCakes118.exe	ebagukuxdbgcrto.exe
PID 2176 wrote to memory of 2716	2176	6f91d104958a5ca488ef235eec0c5cb4_JaffaCakes118.exe	ebagukuxdbgcrto.exe
PID 2176 wrote to memory of 2608	2176	6f91d104958a5ca488ef235eec0c5cb4_JaffaCakes118.exe	kuqtkpas.exe
PID 2176 wrote to memory of 2608	2176	6f91d104958a5ca488ef235eec0c5cb4_JaffaCakes118.exe	kuqtkpas.exe
PID 2176 wrote to memory of 2608	2176	6f91d104958a5ca488ef235eec0c5cb4_JaffaCakes118.exe	kuqtkpas.exe
PID 2176 wrote to memory of 2608	2176	6f91d104958a5ca488ef235eec0c5cb4_JaffaCakes118.exe	kuqtkpas.exe
PID 2176 wrote to memory of 2628	2176	6f91d104958a5ca488ef235eec0c5cb4_JaffaCakes118.exe	oyfbresvcvxlf.exe
PID 2176 wrote to memory of 2628	2176	6f91d104958a5ca488ef235eec0c5cb4_JaffaCakes118.exe	oyfbresvcvxlf.exe
PID 2176 wrote to memory of 2628	2176	6f91d104958a5ca488ef235eec0c5cb4_JaffaCakes118.exe	oyfbresvcvxlf.exe
PID 2176 wrote to memory of 2628	2176	6f91d104958a5ca488ef235eec0c5cb4_JaffaCakes118.exe	oyfbresvcvxlf.exe
PID 2592 wrote to memory of 2836	2592	votvkxkmny.exe	kuqtkpas.exe
PID 2592 wrote to memory of 2836	2592	votvkxkmny.exe	kuqtkpas.exe
PID 2592 wrote to memory of 2836	2592	votvkxkmny.exe	kuqtkpas.exe
PID 2592 wrote to memory of 2836	2592	votvkxkmny.exe	kuqtkpas.exe
PID 2176 wrote to memory of 2720	2176	6f91d104958a5ca488ef235eec0c5cb4_JaffaCakes118.exe	WINWORD.EXE
PID 2176 wrote to memory of 2720	2176	6f91d104958a5ca488ef235eec0c5cb4_JaffaCakes118.exe	WINWORD.EXE
PID 2176 wrote to memory of 2720	2176	6f91d104958a5ca488ef235eec0c5cb4_JaffaCakes118.exe	WINWORD.EXE
PID 2176 wrote to memory of 2720	2176	6f91d104958a5ca488ef235eec0c5cb4_JaffaCakes118.exe	WINWORD.EXE
PID 2720 wrote to memory of 780	2720	WINWORD.EXE	splwow64.exe
PID 2720 wrote to memory of 780	2720	WINWORD.EXE	splwow64.exe
PID 2720 wrote to memory of 780	2720	WINWORD.EXE	splwow64.exe
PID 2720 wrote to memory of 780	2720	WINWORD.EXE	splwow64.exe

C:\Users\Admin\AppData\Local\Temp\6f91d104958a5ca488ef235eec0c5cb4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6f91d104958a5ca488ef235eec0c5cb4_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2176

C:\Windows\SysWOW64\votvkxkmny.exe
votvkxkmny.exe
2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2592

C:\Windows\SysWOW64\kuqtkpas.exe
C:\Windows\system32\kuqtkpas.exe
3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2836

C:\Windows\SysWOW64\ebagukuxdbgcrto.exe
ebagukuxdbgcrto.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2716

C:\Windows\SysWOW64\kuqtkpas.exe
kuqtkpas.exe
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2608

C:\Windows\SysWOW64\oyfbresvcvxlf.exe
oyfbresvcvxlf.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2628

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2720

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
3⤵
PID:780

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize
20KB

MD5
26ad248c82c67bfe574afb72b78a0294

SHA1
34ea6c9021b5fba88fb0d3b4a30bbc1351bacfb3

SHA256
28dbfcc14b58d4c19cfd3e06f8975a4f9aeffedd4583b807cb8aa8ad497201c5

SHA512
2e35c79bdfbd66a355dd54e8347e99ce8568c0033c33fb4df94162bf14b206315050e29d56d328bdd3d6d30da4edafc08b777aa968a78fec7d729e87475e31cb

Download Submit
C:\Users\Admin\Desktop\EnterWrite.doc.exe
Filesize
512KB

MD5
b67d897ff41ba7a0958b271c8a5638f8

SHA1
ab556205112ddc2c4f22d9ed5d6cc85aef56ecd9

SHA256
eb2e3820ed292314026e0681e3a753fe7de84d7b5e8d01fb2475d34e6ec630bd

SHA512
a6c7506197d790407f5f600f9bf32d3860ca303df4e3b75e9be948dee0446a768d541d87400f942af4109347c4c0165c385d20dc7b145e97be161e15c16d4c3e

Download Submit
C:\Windows\SysWOW64\ebagukuxdbgcrto.exe
Filesize
512KB

MD5
796252b5108ae1d20a1b812064ffb97c

SHA1
80bdb00930f4d24ec71f96650e9329466726d2e9

SHA256
4d96259c019700a3940f0f852525c659d0caa2f8a5a6d63f712a12410d1af958

SHA512
dd35f1aa4f9ab3f83ebc6d38d24ef07a210c79e263aeff1f9284fdb3b5e48870144a0b1d59401ca5333b6ac248b519744d3afead0f66ff5bf4710584dc52a0f9

Download Submit
C:\Windows\mydoc.rtf
Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\Windows\SysWOW64\kuqtkpas.exe
Filesize
512KB

MD5
05842f3bdac1774df33a6ea62920156e

SHA1
b5f7c029aedd0ee1e4a3eb86ea2778b123249153

SHA256
24d9396d61a006d07eb9b8d31dff187b1c26c8252e2d59ec7edcb717ea38d2ba

SHA512
7a76c22944bb3cf9d1d3982359b2c463c4ac2b6540cbbbe031673a8c07975274bf8b4bc6c73bd8fc22652c02d7e8926ed306c2acabb3bb24279d5213b307b8d2

Download Submit
\Windows\SysWOW64\oyfbresvcvxlf.exe
Filesize
512KB

MD5
4bf1aabf4cd161abe40f1398158d4ea6

SHA1
af3356722090f033507d63c550f654525f714b85

SHA256
4fb52df7d7e90e0c750e64399163d371fd9ab65c4adbeca3df495d29c824928c

SHA512
c8fd9309bc306c507dad382ec83953dafb4f78f9a2093735f21add4e7c17d41668254a0761a571086b5e180b09e03a27a8ffd93e5ca65aa4d8d9528da01e716e

Download Submit
\Windows\SysWOW64\votvkxkmny.exe
Filesize
512KB

MD5
3cd316a9ede96293ff979dca168747ed

SHA1
b0b72ac61b560805ada866830fd0591ab7d19f4e

SHA256
e4bc0b666aecb7d5e2a8ccbd63714d810e111a4ae2da78fa7caa08ffdea377ec

SHA512
3a3577d9b41d4f993b8da1a7f82dff6fa776d58ffba68ce2779a44127839ba6a6cac59259f07453f877d1b5a18bc03185f50ed279fe9104b1cbbaaea37b3f1aa

Download Submit
memory/2176-0-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2720-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2720-102-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads