Analysis
max time kernel: 150s
max time network: 128s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-05-2024 20:15
Static task: static1
Behavioral task: behavioral1
  Sample: 6fb724b42557af172c355c56e95dbdbf_JaffaCakes118.exe
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: 6fb724b42557af172c355c56e95dbdbf_JaffaCakes118.exe
  Resource: win10v2004-20240426-en
General
Target: 6fb724b42557af172c355c56e95dbdbf_JaffaCakes118.exe
Size: 512KB
MD5: 6fb724b42557af172c355c56e95dbdbf
SHA1: 4acef96b3fc9d3acaa76c707898c9c65c539ab9a
SHA256: 5ddd7e482af881f861cc4e67d8f3fb5855af28d074656d5d293869a6b90bb540
SHA512: 71b8540f5cfb6081e37daf7e7759cf51835eb7c2b04c64dcdcfe0f4508a845d5a484e1038aad1e429ea7129065b0932c5cb9b3935473a678d3af139a4ae2b081
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6J:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5O
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
Processes: zxwmgdaiwm.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | zxwmgdaiwm.exe
-
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes: zxwmgdaiwm.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | zxwmgdaiwm.exe
-
Windows security bypass 5 IoCs
Processes: zxwmgdaiwm.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | zxwmgdaiwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | zxwmgdaiwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | zxwmgdaiwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | zxwmgdaiwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | zxwmgdaiwm.exe
-
Disables RegEdit via registry modification 1 IoCs
Processes: zxwmgdaiwm.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | zxwmgdaiwm.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 6fb724b42557af172c355c56e95dbdbf_JaffaCakes118.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | 6fb724b42557af172c355c56e95dbdbf_JaffaCakes118.exe
-
Executes dropped EXE 5 IoCs
Processes: zxwmgdaiwm.exe, xhiqvvzgqyjfsvr.exe, qmtgzium.exe, gplrsooiavzic.exe, qmtgzium.exe
pid | process
4784 | zxwmgdaiwm.exe
1944 | xhiqvvzgqyjfsvr.exe
2080 | qmtgzium.exe
2720 | gplrsooiavzic.exe
4976 | qmtgzium.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 6 IoCs
Processes: zxwmgdaiwm.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | zxwmgdaiwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | zxwmgdaiwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | zxwmgdaiwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | zxwmgdaiwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | zxwmgdaiwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | zxwmgdaiwm.exe
-
Adds Run key to start application 2 TTPs 3 IoCs
Processes: xhiqvvzgqyjfsvr.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\bopkxhhc = "zxwmgdaiwm.exe" | xhiqvvzgqyjfsvr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gqnkidxz = "xhiqvvzgqyjfsvr.exe" | xhiqvvzgqyjfsvr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "gplrsooiavzic.exe" | xhiqvvzgqyjfsvr.exe
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: zxwmgdaiwm.exe, qmtgzium.exe, qmtgzium.exe
description | ioc | process
File opened (read-only) | \??\o: | zxwmgdaiwm.exe
File opened (read-only) | \??\u: | qmtgzium.exe
File opened (read-only) | \??\a: | qmtgzium.exe
File opened (read-only) | \??\y: | zxwmgdaiwm.exe
File opened (read-only) | \??\z: | qmtgzium.exe
File opened (read-only) | \??\k: | qmtgzium.exe
File opened (read-only) | \??\l: | qmtgzium.exe
File opened (read-only) | \??\e: | qmtgzium.exe
File opened (read-only) | \??\q: | qmtgzium.exe
File opened (read-only) | \??\h: | zxwmgdaiwm.exe
File opened (read-only) | \??\i: | zxwmgdaiwm.exe
File opened (read-only) | \??\r: | zxwmgdaiwm.exe
File opened (read-only) | \??\s: | zxwmgdaiwm.exe
File opened (read-only) | \??\y: | qmtgzium.exe
File opened (read-only) | \??\g: | qmtgzium.exe
File opened (read-only) | \??\l: | qmtgzium.exe
File opened (read-only) | \??\q: | zxwmgdaiwm.exe
File opened (read-only) | \??\x: | zxwmgdaiwm.exe
File opened (read-only) | \??\q: | qmtgzium.exe
File opened (read-only) | \??\v: | qmtgzium.exe
File opened (read-only) | \??\x: | qmtgzium.exe
File opened (read-only) | \??\b: | qmtgzium.exe
File opened (read-only) | \??\p: | qmtgzium.exe
File opened (read-only) | \??\u: | qmtgzium.exe
File opened (read-only) | \??\p: | qmtgzium.exe
File opened (read-only) | \??\h: | qmtgzium.exe
File opened (read-only) | \??\i: | qmtgzium.exe
File opened (read-only) | \??\j: | qmtgzium.exe
File opened (read-only) | \??\a: | qmtgzium.exe
File opened (read-only) | \??\m: | qmtgzium.exe
File opened (read-only) | \??\w: | qmtgzium.exe
File opened (read-only) | \??\v: | qmtgzium.exe
File opened (read-only) | \??\b: | zxwmgdaiwm.exe
File opened (read-only) | \??\e: | zxwmgdaiwm.exe
File opened (read-only) | \??\j: | zxwmgdaiwm.exe
File opened (read-only) | \??\w: | zxwmgdaiwm.exe
File opened (read-only) | \??\b: | qmtgzium.exe
File opened (read-only) | \??\s: | qmtgzium.exe
File opened (read-only) | \??\g: | qmtgzium.exe
File opened (read-only) | \??\t: | qmtgzium.exe
File opened (read-only) | \??\k: | qmtgzium.exe
File opened (read-only) | \??\a: | zxwmgdaiwm.exe
File opened (read-only) | \??\k: | zxwmgdaiwm.exe
File opened (read-only) | \??\n: | zxwmgdaiwm.exe
File opened (read-only) | \??\z: | zxwmgdaiwm.exe
File opened (read-only) | \??\j: | qmtgzium.exe
File opened (read-only) | \??\o: | qmtgzium.exe
File opened (read-only) | \??\s: | qmtgzium.exe
File opened (read-only) | \??\g: | zxwmgdaiwm.exe
File opened (read-only) | \??\t: | zxwmgdaiwm.exe
File opened (read-only) | \??\e: | qmtgzium.exe
File opened (read-only) | \??\y: | qmtgzium.exe
File opened (read-only) | \??\i: | qmtgzium.exe
File opened (read-only) | \??\r: | qmtgzium.exe
File opened (read-only) | \??\l: | zxwmgdaiwm.exe
File opened (read-only) | \??\p: | zxwmgdaiwm.exe
File opened (read-only) | \??\u: | zxwmgdaiwm.exe
File opened (read-only) | \??\h: | qmtgzium.exe
File opened (read-only) | \??\o: | qmtgzium.exe
File opened (read-only) | \??\w: | qmtgzium.exe
File opened (read-only) | \??\m: | qmtgzium.exe
File opened (read-only) | \??\t: | qmtgzium.exe
File opened (read-only) | \??\x: | qmtgzium.exe
File opened (read-only) | \??\r: | qmtgzium.exe
-
Modifies WinLogon 2 TTPs 2 IoCs
Processes: zxwmgdaiwm.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | zxwmgdaiwm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | zxwmgdaiwm.exe
-
AutoIT Executable 11 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/4572-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
C:\Windows\SysWOW64\xhiqvvzgqyjfsvr.exe | autoit_exe
C:\Windows\SysWOW64\qmtgzium.exe | autoit_exe
C:\Windows\SysWOW64\gplrsooiavzic.exe | autoit_exe
C:\Windows\SysWOW64\zxwmgdaiwm.exe | autoit_exe
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | autoit_exe
\??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | autoit_exe
C:\Users\Admin\Desktop\GetConfirm.doc.exe | autoit_exe
C:\Users\Admin\Documents\ResizeReset.doc.exe | autoit_exe
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | autoit_exe
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | autoit_exe
-
Drops file in System32 directory 13 IoCs
Processes: zxwmgdaiwm.exe, qmtgzium.exe, 6fb724b42557af172c355c56e95dbdbf_JaffaCakes118.exe, qmtgzium.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | zxwmgdaiwm.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | qmtgzium.exe
File created | C:\Windows\SysWOW64\qmtgzium.exe | 6fb724b42557af172c355c56e95dbdbf_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\qmtgzium.exe | 6fb724b42557af172c355c56e95dbdbf_JaffaCakes118.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | qmtgzium.exe
File created | C:\Windows\SysWOW64\zxwmgdaiwm.exe | 6fb724b42557af172c355c56e95dbdbf_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\zxwmgdaiwm.exe | 6fb724b42557af172c355c56e95dbdbf_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\xhiqvvzgqyjfsvr.exe | 6fb724b42557af172c355c56e95dbdbf_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\gplrsooiavzic.exe | 6fb724b42557af172c355c56e95dbdbf_JaffaCakes118.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | qmtgzium.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | qmtgzium.exe
File created | C:\Windows\SysWOW64\xhiqvvzgqyjfsvr.exe | 6fb724b42557af172c355c56e95dbdbf_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\gplrsooiavzic.exe | 6fb724b42557af172c355c56e95dbdbf_JaffaCakes118.exe
-
Drops file in Program Files directory 14 IoCs
Processes: qmtgzium.exe, qmtgzium.exe
description | ioc | process
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | qmtgzium.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | qmtgzium.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | qmtgzium.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | qmtgzium.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | qmtgzium.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | qmtgzium.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | qmtgzium.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | qmtgzium.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | qmtgzium.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | qmtgzium.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | qmtgzium.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | qmtgzium.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | qmtgzium.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | qmtgzium.exe
-
Drops file in Windows directory 19 IoCs
Processes: 6fb724b42557af172c355c56e95dbdbf_JaffaCakes118.exe, WINWORD.EXE, qmtgzium.exe, qmtgzium.exe
description | ioc | process
File opened for modification | C:\Windows\mydoc.rtf | 6fb724b42557af172c355c56e95dbdbf_JaffaCakes118.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | qmtgzium.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | qmtgzium.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | qmtgzium.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | qmtgzium.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | qmtgzium.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | qmtgzium.exe
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | qmtgzium.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | qmtgzium.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | qmtgzium.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | qmtgzium.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | qmtgzium.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | qmtgzium.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | qmtgzium.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | qmtgzium.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | qmtgzium.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | qmtgzium.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: WINWORD.EXE
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
-
Modifies registry class 20 IoCs
Processes: 6fb724b42557af172c355c56e95dbdbf_JaffaCakes118.exe, zxwmgdaiwm.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32302D0B9D5583526A4476D470272CD77CF264AF" | 6fb724b42557af172c355c56e95dbdbf_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | zxwmgdaiwm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BBDFABCF964F298840F3A4781EA3996B38E03FD4362033FE2CD45E609A8" | 6fb724b42557af172c355c56e95dbdbf_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2ECAB15C4495399E52C4BAA233E9D7CB" | 6fb724b42557af172c355c56e95dbdbf_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | zxwmgdaiwm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | zxwmgdaiwm.exe
Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings | 6fb724b42557af172c355c56e95dbdbf_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E8FFCFE482C82139042D7287DE1BDE4E133584166366337D7EE" | 6fb724b42557af172c355c56e95dbdbf_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | zxwmgdaiwm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | zxwmgdaiwm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | zxwmgdaiwm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | zxwmgdaiwm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | zxwmgdaiwm.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 6fb724b42557af172c355c56e95dbdbf_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F36BC1FF1F21AAD178D0A68A0E9110" | 6fb724b42557af172c355c56e95dbdbf_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "183EC70915ECDAB0B8CD7CE0EC9637BC" | 6fb724b42557af172c355c56e95dbdbf_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | zxwmgdaiwm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | zxwmgdaiwm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | zxwmgdaiwm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | zxwmgdaiwm.exe
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes: WINWORD.EXE
pid | process
4504 | WINWORD.EXE
4504 | WINWORD.EXE
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 6fb724b42557af172c355c56e95dbdbf_JaffaCakes118.exe, zxwmgdaiwm.exe, xhiqvvzgqyjfsvr.exe, qmtgzium.exe, gplrsooiavzic.exe, qmtgzium.exe
pid | process
4572 | 6fb724b42557af172c355c56e95dbdbf_JaffaCakes118.exe
4572 | 6fb724b42557af172c355c56e95dbdbf_JaffaCakes118.exe
4572 | 6fb724b42557af172c355c56e95dbdbf_JaffaCakes118.exe
4572 | 6fb724b42557af172c355c56e95dbdbf_JaffaCakes118.exe
4572 | 6fb724b42557af172c355c56e95dbdbf_JaffaCakes118.exe
4572 | 6fb724b42557af172c355c56e95dbdbf_JaffaCakes118.exe
4572 | 6fb724b42557af172c355c56e95dbdbf_JaffaCakes118.exe
4572 | 6fb724b42557af172c355c56e95dbdbf_JaffaCakes118.exe
4572 | 6fb724b42557af172c355c56e95dbdbf_JaffaCakes118.exe
4572 | 6fb724b42557af172c355c56e95dbdbf_JaffaCakes118.exe
4572 | 6fb724b42557af172c355c56e95dbdbf_JaffaCakes118.exe
4572 | 6fb724b42557af172c355c56e95dbdbf_JaffaCakes118.exe
4572 | 6fb724b42557af172c355c56e95dbdbf_JaffaCakes118.exe
4572 | 6fb724b42557af172c355c56e95dbdbf_JaffaCakes118.exe
4572 | 6fb724b42557af172c355c56e95dbdbf_JaffaCakes118.exe
4572 | 6fb724b42557af172c355c56e95dbdbf_JaffaCakes118.exe
4784 | zxwmgdaiwm.exe
4784 | zxwmgdaiwm.exe
4784 | zxwmgdaiwm.exe
4784 | zxwmgdaiwm.exe
4784 | zxwmgdaiwm.exe
4784 | zxwmgdaiwm.exe
4784 | zxwmgdaiwm.exe
4784 | zxwmgdaiwm.exe
4784 | zxwmgdaiwm.exe
4784 | zxwmgdaiwm.exe
1944 | xhiqvvzgqyjfsvr.exe
1944 | xhiqvvzgqyjfsvr.exe
1944 | xhiqvvzgqyjfsvr.exe
1944 | xhiqvvzgqyjfsvr.exe
1944 | xhiqvvzgqyjfsvr.exe
1944 | xhiqvvzgqyjfsvr.exe
1944 | xhiqvvzgqyjfsvr.exe
1944 | xhiqvvzgqyjfsvr.exe
2080 | qmtgzium.exe
1944 | xhiqvvzgqyjfsvr.exe
1944 | xhiqvvzgqyjfsvr.exe
2080 | qmtgzium.exe
2080 | qmtgzium.exe
2080 | qmtgzium.exe
2080 | qmtgzium.exe
2080 | qmtgzium.exe
2080 | qmtgzium.exe
2080 | qmtgzium.exe
2720 | gplrsooiavzic.exe
2720 | gplrsooiavzic.exe
2720 | gplrsooiavzic.exe
2720 | gplrsooiavzic.exe
2720 | gplrsooiavzic.exe
2720 | gplrsooiavzic.exe
2720 | gplrsooiavzic.exe
2720 | gplrsooiavzic.exe
2720 | gplrsooiavzic.exe
2720 | gplrsooiavzic.exe
2720 | gplrsooiavzic.exe
2720 | gplrsooiavzic.exe
4976 | qmtgzium.exe
4976 | qmtgzium.exe
4976 | qmtgzium.exe
4976 | qmtgzium.exe
4976 | qmtgzium.exe
4976 | qmtgzium.exe
4976 | qmtgzium.exe
4976 | qmtgzium.exe
-
Suspicious use of FindShellTrayWindow 18 IoCs
Processes: 6fb724b42557af172c355c56e95dbdbf_JaffaCakes118.exe, zxwmgdaiwm.exe, xhiqvvzgqyjfsvr.exe, qmtgzium.exe, gplrsooiavzic.exe, qmtgzium.exe
pid | process
4572 | 6fb724b42557af172c355c56e95dbdbf_JaffaCakes118.exe
4572 | 6fb724b42557af172c355c56e95dbdbf_JaffaCakes118.exe
4572 | 6fb724b42557af172c355c56e95dbdbf_JaffaCakes118.exe
4784 | zxwmgdaiwm.exe
4784 | zxwmgdaiwm.exe
4784 | zxwmgdaiwm.exe
1944 | xhiqvvzgqyjfsvr.exe
1944 | xhiqvvzgqyjfsvr.exe
1944 | xhiqvvzgqyjfsvr.exe
2080 | qmtgzium.exe
2720 | gplrsooiavzic.exe
2080 | qmtgzium.exe
2720 | gplrsooiavzic.exe
2080 | qmtgzium.exe
2720 | gplrsooiavzic.exe
4976 | qmtgzium.exe
4976 | qmtgzium.exe
4976 | qmtgzium.exe
-
Suspicious use of SendNotifyMessage 18 IoCs
Processes: 6fb724b42557af172c355c56e95dbdbf_JaffaCakes118.exe, zxwmgdaiwm.exe, xhiqvvzgqyjfsvr.exe, qmtgzium.exe, gplrsooiavzic.exe, qmtgzium.exe
pid | process
4572 | 6fb724b42557af172c355c56e95dbdbf_JaffaCakes118.exe
4572 | 6fb724b42557af172c355c56e95dbdbf_JaffaCakes118.exe
4572 | 6fb724b42557af172c355c56e95dbdbf_JaffaCakes118.exe
4784 | zxwmgdaiwm.exe
4784 | zxwmgdaiwm.exe
4784 | zxwmgdaiwm.exe
1944 | xhiqvvzgqyjfsvr.exe
1944 | xhiqvvzgqyjfsvr.exe
1944 | xhiqvvzgqyjfsvr.exe
2080 | qmtgzium.exe
2720 | gplrsooiavzic.exe
2080 | qmtgzium.exe
2720 | gplrsooiavzic.exe
2080 | qmtgzium.exe
2720 | gplrsooiavzic.exe
4976 | qmtgzium.exe
4976 | qmtgzium.exe
4976 | qmtgzium.exe
-
Suspicious use of SetWindowsHookEx 7 IoCs
Processes: WINWORD.EXE
pid | process
4504 | WINWORD.EXE
4504 | WINWORD.EXE
4504 | WINWORD.EXE
4504 | WINWORD.EXE
4504 | WINWORD.EXE
4504 | WINWORD.EXE
4504 | WINWORD.EXE
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes: 6fb724b42557af172c355c56e95dbdbf_JaffaCakes118.exe, zxwmgdaiwm.exe
description | pid | process | target process
PID 4572 wrote to memory of 4784 | 4572 | 6fb724b42557af172c355c56e95dbdbf_JaffaCakes118.exe | zxwmgdaiwm.exe
PID 4572 wrote to memory of 4784 | 4572 | 6fb724b42557af172c355c56e95dbdbf_JaffaCakes118.exe | zxwmgdaiwm.exe
PID 4572 wrote to memory of 4784 | 4572 | 6fb724b42557af172c355c56e95dbdbf_JaffaCakes118.exe | zxwmgdaiwm.exe
PID 4572 wrote to memory of 1944 | 4572 | 6fb724b42557af172c355c56e95dbdbf_JaffaCakes118.exe | xhiqvvzgqyjfsvr.exe
PID 4572 wrote to memory of 1944 | 4572 | 6fb724b42557af172c355c56e95dbdbf_JaffaCakes118.exe | xhiqvvzgqyjfsvr.exe
PID 4572 wrote to memory of 1944 | 4572 | 6fb724b42557af172c355c56e95dbdbf_JaffaCakes118.exe | xhiqvvzgqyjfsvr.exe
PID 4572 wrote to memory of 2080 | 4572 | 6fb724b42557af172c355c56e95dbdbf_JaffaCakes118.exe | qmtgzium.exe
PID 4572 wrote to memory of 2080 | 4572 | 6fb724b42557af172c355c56e95dbdbf_JaffaCakes118.exe | qmtgzium.exe
PID 4572 wrote to memory of 2080 | 4572 | 6fb724b42557af172c355c56e95dbdbf_JaffaCakes118.exe | qmtgzium.exe
PID 4572 wrote to memory of 2720 | 4572 | 6fb724b42557af172c355c56e95dbdbf_JaffaCakes118.exe | gplrsooiavzic.exe
PID 4572 wrote to memory of 2720 | 4572 | 6fb724b42557af172c355c56e95dbdbf_JaffaCakes118.exe | gplrsooiavzic.exe
PID 4572 wrote to memory of 2720 | 4572 | 6fb724b42557af172c355c56e95dbdbf_JaffaCakes118.exe | gplrsooiavzic.exe
PID 4784 wrote to memory of 4976 | 4784 | zxwmgdaiwm.exe | qmtgzium.exe
PID 4784 wrote to memory of 4976 | 4784 | zxwmgdaiwm.exe | qmtgzium.exe
PID 4784 wrote to memory of 4976 | 4784 | zxwmgdaiwm.exe | qmtgzium.exe
PID 4572 wrote to memory of 4504 | 4572 | 6fb724b42557af172c355c56e95dbdbf_JaffaCakes118.exe | WINWORD.EXE
PID 4572 wrote to memory of 4504 | 4572 | 6fb724b42557af172c355c56e95dbdbf_JaffaCakes118.exe | WINWORD.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\6fb724b42557af172c355c56e95dbdbf_JaffaCakes118.exe (process tree level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\6fb724b42557af172c355c56e95dbdbf_JaffaCakes118.exe"
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\zxwmgdaiwm.exe (process tree level 2)
Command line: zxwmgdaiwm.exe
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\qmtgzium.exe (process tree level 3)
Command line: C:\Windows\system32\qmtgzium.exe
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\xhiqvvzgqyjfsvr.exe (process tree level 2)
Command line: xhiqvvzgqyjfsvr.exe
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\qmtgzium.exe (process tree level 2)
Command line: qmtgzium.exe
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\gplrsooiavzic.exe (process tree level 2)
Command line: gplrsooiavzic.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (process tree level 2)
Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Modify Registry (6)
  Impair Defenses (2)
    Disable or Modify Tools (2)
Downloads