Analysis

max time kernel: 150s
max time network: 132s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-05-2024 21:25
Static task: static1
Behavioral task: behavioral1
  Sample: 6fd74742fac872c3beef7a34cc945873_JaffaCakes118.exe
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: 6fd74742fac872c3beef7a34cc945873_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
The signatures, process tree and dropped files below come from behavioral2 (Windows 10 2004 x64); the behavioral1 (Windows 7) run is not shown on this page.
General

Target: 6fd74742fac872c3beef7a34cc945873_JaffaCakes118.exe
Size: 512KB
MD5: 6fd74742fac872c3beef7a34cc945873
SHA1: eea688370dfdf005564ea48ddff99d033d35e396
SHA256: 777860ba198b0bef58394e461d3b6b123ea71d17f38b618b88e36f578d454568
SHA512: 75e73d2284e91b4502a831bf6d6ca9f776bed30dc7dacc0fcb3eb88ff3497c1181da2735750145e8cd224d230ed08617f625b18f20e877c6d5873d4bfd380118
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6y:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5X
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
Processes: mqrergmdys.exe
- Set value (int): \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (mqrergmdys.exe)
With known extensions hidden, the PROTTPLN.DOC.exe, PROTTPLV.DOC.exe and MsoIrmProtector.doc.exe copies written later in the run display in Explorer as PROTTPLN.DOC, PROTTPLV.DOC and MsoIrmProtector.doc.

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
Processes: mqrergmdys.exe
- Set value (int): \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (mqrergmdys.exe)

Windows security bypass (5 IoCs)
Processes: mqrergmdys.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (mqrergmdys.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (mqrergmdys.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (mqrergmdys.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (mqrergmdys.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (mqrergmdys.exe)
These are the XP-era Security Center notification switches. They land under WOW6432Node because mqrergmdys.exe is a 32-bit process whose HKLM\SOFTWARE writes are redirected by WOW64; check that view, not only the native one, when hunting for them.

Disables RegEdit via registry modification (1 IoC)
Processes: mqrergmdys.exe
- Set value (int): \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (mqrergmdys.exe)
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Processes: 6fd74742fac872c3beef7a34cc945873_JaffaCakes118.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation (6fd74742fac872c3beef7a34cc945873_JaffaCakes118.exe)
The Nation value is the user's numeric GeoID, not an ISO country code. Which values the sample treats as off-limits cannot be recovered from this run; the en-us sandbox locale did not stop it.
Executes dropped EXE (5 IoCs)
Processes (pid, process):
- 4764 mqrergmdys.exe
- 1800 rnupusttaklqwdp.exe
- 1684 cuhgvzln.exe
- 4824 ihjgkvrmouxsq.exe
- 3920 cuhgvzln.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
No IoCs are attached to this signature in this run, so the browser-data claim rests on the TTP mapping alone; nothing below shows a browser profile being opened.

Windows security modification (6 IoCs)
Processes: mqrergmdys.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (mqrergmdys.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (mqrergmdys.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (mqrergmdys.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" (mqrergmdys.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (mqrergmdys.exe)
- Set value (int): \REGISTRY\MACH
INE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (mqrergmdys.exe)
Adds Run key to start application (2 TTPs, 3 IoCs)
Processes: rnupusttaklqwdp.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\fznxkbfe = "mqrergmdys.exe" (rnupusttaklqwdp.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nictrsls = "rnupusttaklqwdp.exe" (rnupusttaklqwdp.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\(default) = "ihjgkvrmouxsq.exe" (rnupusttaklqwdp.exe)
The third write sets the key's unnamed default value. All three commands are bare file names with no path; the matching binaries live in C:\Windows\SysWOW64 (see Drops file in System32 directory), and persistence is set up by rnupusttaklqwdp.exe rather than by the dropper itself.
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: mqrergmdys.exe, cuhgvzln.exe (both instances)
Every event is "File opened (read-only) \??\<letter>:"; 64 is the most this field displays, so the listing is a lower bound. By process:
- mqrergmdys.exe (20 opens): b, e, h, i, j, k, l, m, n, o, p, r, s, t, u, v, w, x, y, z
- cuhgvzln.exe (44 opens across the two instances, every letter twice except j and x): a, b, e, g, h, i, j, k, l, m, n, o, p, q, r, s, t, u, v, w, x, y, z
This is a sweep of every drive letter, the usual prelude to copying onto removable or mapped drives. The run records no file writes to any drive other than C:, so spreading beyond the host is not confirmed here.
Modifies WinLogon (2 TTPs, 2 IoCs)
Processes: mqrergmdys.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" (mqrergmdys.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" (mqrergmdys.exe)
4294967197 is 0xFFFFFF9D (-99 as a signed DWORD), the value that switched off Windows File Protection on Windows 2000/XP. Windows Resource Protection on Vista and later does not read SFCDisable, so on this Windows 10 host the write is a no-op. The ATT&CK mapping to Winlogon Helper DLL in the matrix below is by key location only: no Userinit or Shell value is touched.
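Checking a host for the registry changes listed above (Explorer visibility, DisableRegistryTools, the Security Center switches and the Winlogon SFC values) in one pass: an added example, not part of the sandbox report and not the sandbox's own signature logic. The snapshot dictionary shape, the function names and the wording of the "effect" column are this example's assumptions; on Windows, read_live_snapshot() fills the snapshot from the registry with the standard winreg module, and elsewhere the script falls back to a snapshot constructed from the values the report attributes to mqrergmdys.exe.

```python
"""Evaluate a registry snapshot for the defence-tampering values recorded in this report.

Added example (not the sandbox's code). Snapshot shape, an assumption of this script:
{(key_path, value_name): value}. read_live_snapshot() fills it with winreg on Windows.
"""
import sys
from typing import Dict, List, Tuple

Snapshot = Dict[Tuple[str, str], int]
Finding = Tuple[str, str, str, str]  # key, value name, observed value, effect

# Paths as the report shows them: the 32-bit droppers' HKLM\SOFTWARE writes are
# redirected into the WOW6432Node view, so that is where the values must be read.
HKCU_ADV = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
HKCU_POL = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
HKLM_SC = r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Security Center"
HKLM_WL = r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon"

# (key, value name, value mqrergmdys.exe wrote, what that value does)
TAMPER_IOCS: List[Tuple[str, str, int, str]] = [
    (HKCU_ADV, "HideFileExt", 1, "Explorer hides known extensions: PROTTPLN.DOC.exe displays as PROTTPLN.DOC"),
    (HKCU_ADV, "ShowSuperHidden", 0, "Explorer hides protected operating-system files"),
    (HKCU_POL, "DisableRegistryTools", 1, "regedit.exe refuses to start for this user"),
    (HKLM_SC, "AntiVirusOverride", 1, "XP-era Security Center: suppress the 'no antivirus' state"),
    (HKLM_SC, "FirewallOverride", 1, "XP-era Security Center: suppress the 'firewall off' state"),
    (HKLM_SC, "AntiVirusDisableNotify", 1, "XP-era Security Center: no antivirus alerts"),
    (HKLM_SC, "FirewallDisableNotify", 1, "XP-era Security Center: no firewall alerts"),
    (HKLM_SC, "UpdatesDisableNotify", 1, "XP-era Security Center: no Windows Update alerts"),
    (HKLM_SC, "FirstRunDisabled", 1, "XP-era Security Center: skip the first-run prompt"),
    (HKLM_WL, "SFCScan", 0, "no boot-time file-protection scan (0 is also the historical default; weak on its own)"),
]


def dword_to_signed(value: int) -> int:
    """Read a REG_DWORD the way the old WFP code did: as a signed 32-bit integer."""
    value &= 0xFFFFFFFF
    return value - (1 << 32) if value & 0x80000000 else value


def evaluate(snapshot: Snapshot) -> List[Finding]:
    """Return one finding per IoC whose value in the snapshot matches what the sample wrote."""
    findings: List[Finding] = []
    for key, name, written, effect in TAMPER_IOCS:
        if snapshot.get((key, name)) == written:
            findings.append((key, name, str(written), effect))
    sfc = snapshot.get((HKLM_WL, "SFCDisable"))
    if sfc:  # any non-zero value is an attempt to switch Windows File Protection off
        signed = dword_to_signed(sfc)
        tag = " (the classic WFP kill value)" if signed == -99 else ""
        findings.append((HKLM_WL, "SFCDisable",
                         f"{sfc} = 0x{sfc & 0xFFFFFFFF:08X} = {signed} signed{tag}",
                         "disabled WFP on Windows 2000/XP; Windows Resource Protection on Vista+ ignores it"))
    return findings


def read_live_snapshot() -> Snapshot:
    """On Windows, read the IoC locations from the live registry; on other platforms return {}."""
    if sys.platform != "win32":
        return {}
    import winreg  # standard library, Windows only
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    wanted = [(key, name) for key, name, _, _ in TAMPER_IOCS] + [(HKLM_WL, "SFCDisable")]
    snapshot: Snapshot = {}
    for key, name in wanted:
        hive, _, subkey = key.partition("\\")
        try:
            with winreg.OpenKey(hives[hive], subkey) as handle:
                snapshot[(key, name)] = winreg.QueryValueEx(handle, name)[0]
        except OSError:  # key or value absent: the clean state
            pass
    return snapshot


# Constructed snapshot holding exactly the values this report attributes to mqrergmdys.exe.
REPORT_SNAPSHOT: Snapshot = {
    (HKCU_ADV, "HideFileExt"): 1,
    (HKCU_ADV, "ShowSuperHidden"): 0,
    (HKCU_POL, "DisableRegistryTools"): 1,
    (HKLM_SC, "AntiVirusOverride"): 1,
    (HKLM_SC, "FirewallOverride"): 1,
    (HKLM_SC, "AntiVirusDisableNotify"): 1,
    (HKLM_SC, "FirewallDisableNotify"): 1,
    (HKLM_SC, "UpdatesDisableNotify"): 1,
    (HKLM_SC, "FirstRunDisabled"): 1,
    (HKLM_WL, "SFCScan"): 0,
    (HKLM_WL, "SFCDisable"): 4294967197,
}

if __name__ == "__main__":
    for key, name, value, effect in evaluate(read_live_snapshot() or REPORT_SNAPSHOT):
        print(f"{key}\\{name} = {value}\n    {effect}")
```

On a clean host evaluate() returns nothing, because none of the keys carry these values; the XP-era Security Center values and the Winlogon SFC values normally do not exist at all, so their mere presence is already a signal. reg.exe is not subject to the DisableRegistryTools policy, so the findings can be reverted with reg delete or reg add from an elevated prompt even while regedit.exe is blocked.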
AutoIT Executable (9 IoCs)
AutoIT scripts compiled to PE executables.
YARA rule autoit_exe matched:
- behavioral2/memory/4928-0-0x0000000000400000-0x0000000000496000-memory.dmp (the image of the running sample, PID 4928)
- C:\Windows\SysWOW64\rnupusttaklqwdp.exe
- C:\Windows\SysWOW64\mqrergmdys.exe
- C:\Windows\SysWOW64\ihjgkvrmouxsq.exe
- C:\Windows\SysWOW64\cuhgvzln.exe
- C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
- \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (written twice with different content; see Downloads)
Every binary the sample writes is itself a compiled AutoIt script, so the logic can be recovered by extracting the embedded script from any of the drops rather than by disassembling the interpreter stub.
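A quick triage check for the file class the autoit_exe rule flags, as an added example; it is not the sandbox's rule and its exact YARA logic is not shown on this page. The check relies on two markers that compiled AutoIt v3 binaries carry: the "AU3!EA0x" header in front of the embedded script and the interpreter's "This is a third-party compiled AutoIt script." message. The function names and the constructed demo_sample() bytes are this example's own.

```python
"""Identify compiled AutoIt v3 executables, the class the report's autoit_exe YARA rule flags.

Added example; it is not the sandbox's rule. Two markers that compiled AutoIt3
binaries carry are checked: the 'AU3!EA0x' header of the embedded script and the
interpreter's 'This is a third-party compiled AutoIt script.' message (ASCII or UTF-16LE).
"""
import re
from typing import Dict, List, Union

SCRIPT_MAGIC = re.compile(rb"AU3!EA0[56]")  # EA05 is the older script header, EA06 the current one
BANNER = "This is a third-party compiled AutoIt script."
BANNER_PATTERNS = [BANNER.encode("ascii"), BANNER.encode("utf-16-le")]

Markers = Dict[str, Union[bool, List[int]]]


def autoit_markers(data: bytes) -> Markers:
    """Report which AutoIt markers a file image contains and where the script header sits."""
    return {
        "is_pe": data[:2] == b"MZ",
        "magic_offsets": [m.start() for m in SCRIPT_MAGIC.finditer(data)],
        "banner": any(pattern in data for pattern in BANNER_PATTERNS),
    }


def is_compiled_autoit(data: bytes) -> bool:
    """A PE image carrying either marker.

    A packed (for example UPX) AutoIt binary hides both markers until it is unpacked,
    so a negative result on a packed file is not conclusive.
    """
    markers = autoit_markers(data)
    return bool(markers["is_pe"] and (markers["magic_offsets"] or markers["banner"]))


def scan_file(path: str) -> Markers:
    """Read a file from disk and return its markers (whole-file read; fine for 512KB drops)."""
    with open(path, "rb") as f:
        return autoit_markers(f.read())


def demo_sample() -> bytes:
    """Constructed stand-in: a PE-looking prefix with both markers embedded. Not a real AutoIt binary."""
    return (b"MZ" + b"\x90" * 126
            + BANNER.encode("utf-16-le") + b"\x00" * 64
            + b"AU3!EA06" + b"\x00" * 64)


if __name__ == "__main__":
    sample = demo_sample()
    print(autoit_markers(sample), is_compiled_autoit(sample))
```

Run scan_file() over each path in the Downloads section to confirm the report's nine matches on a copy of the drops; a positive hit is the cue to pull the embedded script out with an AutoIt decompiler, which is far quicker than reversing the 512KB interpreter stub.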
Drops file in System32 directory (13 IoCs)
Processes: sample (6fd74742fac872c3beef7a34cc945873_JaffaCakes118.exe), cuhgvzln.exe (both instances), mqrergmdys.exe
- File created: C:\Windows\SysWOW64\mqrergmdys.exe (sample)
- File opened for modification: C:\Windows\SysWOW64\mqrergmdys.exe (sample)
- File created: C:\Windows\SysWOW64\cuhgvzln.exe (sample)
- File opened for modification: C:\Windows\SysWOW64\cuhgvzln.exe (sample)
- File created: C:\Windows\SysWOW64\ihjgkvrmouxsq.exe (sample)
- File opened for modification: C:\Windows\SysWOW64\ihjgkvrmouxsq.exe (sample)
- File created: C:\Windows\SysWOW64\rnupusttaklqwdp.exe (sample)
- File opened for modification: C:\Windows\SysWOW64\rnupusttaklqwdp.exe (sample)
- File created: \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (cuhgvzln.exe), 2 events
- File opened for modification: \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (cuhgvzln.exe), 2 events
- File opened for modification: C:\Windows\SysWOW64\msvbvm60.dll (mqrergmdys.exe)
The four random-named binaries are written by the submitted sample; MsoIrmProtector.doc.exe is written by the second-stage cuhgvzln.exe next to the stock MsoIrmProtector.doc. msvbvm60.dll is the Visual Basic 6 runtime; the Downloads section lists no new content for it, so hash-check it rather than assume it was replaced.
Drops file in Program Files directory (15 IoCs)
Processes: cuhgvzln.exe (both instances)
All 15 events are by cuhgvzln.exe under C:\Program Files\Microsoft Office\root\Office16\1033 (some logged in the \??\c:\ device-path form):
- PROTTPLN.DOC.exe: File created 2 events, File opened for modification 4 events
- PROTTPLV.DOC.exe: File created 1 event, File opened for modification 4 events
- PROTTPLN.nal: File opened for modification 2 events
- PROTTPLV.nal: File opened for modification 2 events
The .DOC.exe files are 512KB AutoIt executables (see AutoIT Executable and Downloads) named after an Office document with .exe appended; with HideFileExt set by mqrergmdys.exe they show in Explorer as PROTTPLN.DOC and PROTTPLV.DOC. The .nal companions are touched alongside each drop and should be collected with them.
Drops file in Windows directory (19 IoCs)
Processes: sample (6fd74742fac872c3beef7a34cc945873_JaffaCakes118.exe), cuhgvzln.exe (both instances), WINWORD.EXE
- File opened for modification: C:\Windows\mydoc.rtf (sample)
- File opened for modification: C:\Windows\mydoc.rtf (WINWORD.EXE)
- File created: C:\Windows\~$mydoc.rtf (WINWORD.EXE)
- \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe: File created 2 events, File opened for modification 2 events (cuhgvzln.exe)
- \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe: File created 2 events, File opened for modification 2 events (cuhgvzln.exe)
- \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe: File created 2 events, File opened for modification 2 events (cuhgvzln.exe)
- \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe: File created 2 events, File opened for modification 2 events (cuhgvzln.exe)
The component directory name appears truncated ("r..t-office-protectors") in the report. mydoc.rtf is the 223-byte file the sample writes and then hands to WINWORD.EXE (see Processes); ~$mydoc.rtf is Word's ordinary owner file for an open document. The WinSxS targets are the component directories that ship MsoIrmProtector.doc, the same document-name-plus-.exe pattern as the Office and MSDRM drops.
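A host sweep for the file pattern the three "Drops file" sections above share (PROTTPLN.DOC.exe, PROTTPLV.DOC.exe, MsoIrmProtector.doc.exe: a document name with an executable extension appended), as an added example that is not part of the report. A hit requires both the double extension and a PE "MZ" header, so a text file with a scary name is not reported, and files sharing the stem (the PROTTPLN.nal the report lists next to PROTTPLN.DOC.exe) are returned for inspection. The extension sets, function names and the constructed fixture in build_demo_tree() are this example's assumptions.

```python
"""Sweep a directory tree for executables disguised as documents, the pattern behind
PROTTPLN.DOC.exe, PROTTPLV.DOC.exe and MsoIrmProtector.doc.exe in this report.

Added example, not the sandbox's code. A hit needs both a double extension
(document type immediately before an executable type) and a PE 'MZ' header, so a
stray text file with a scary name is not reported. Companion files sharing the stem
(the report's PROTTPLN.nal next to PROTTPLN.DOC.exe) are listed for inspection.
"""
import os
import tempfile
from pathlib import Path
from typing import List, Tuple

DOC_EXTS = {".doc", ".docx", ".rtf", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif"}

Hit = Tuple[Path, int, List[str]]  # path, size in bytes, sibling file names with the same stem


def is_disguised_name(name: str) -> bool:
    """True for names like 'report.doc.exe': a document extension right before an executable one."""
    parts = name.lower().rsplit(".", 2)
    return len(parts) == 3 and f".{parts[1]}" in DOC_EXTS and f".{parts[2]}" in EXEC_EXTS


def is_pe(path: Path) -> bool:
    """Cheap content check: a Windows executable starts with the 'MZ' DOS header."""
    try:
        with open(path, "rb") as f:
            return f.read(2) == b"MZ"
    except OSError:
        return False


def sweep(root: Path) -> List[Hit]:
    """Walk root and return every disguised PE with its size and same-stem siblings."""
    hits: List[Hit] = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if not (is_disguised_name(name) and is_pe(path)):
                continue
            stem = name.lower().rsplit(".", 2)[0]
            siblings = sorted(f for f in files if f != name and f.lower().rsplit(".", 1)[0] == stem)
            hits.append((path, path.stat().st_size, siblings))
    return sorted(hits, key=lambda hit: str(hit[0]))


def build_demo_tree(root: Path) -> None:
    """Constructed fixture that mirrors the report's Office16\\1033 layout. No real malware."""
    office = root / "Microsoft Office" / "root" / "Office16" / "1033"
    office.mkdir(parents=True)
    (office / "PROTTPLN.DOC.exe").write_bytes(b"MZ" + b"\x00" * 510)  # stand-in for the 512KB drop
    (office / "PROTTPLN.nal").write_bytes(b"companion file listed in the report")
    (office / "PROTTPLV.DOC").write_bytes(b"\xd0\xcf\x11\xe0 an ordinary OLE document")
    (root / "notes.doc.exe").write_text("plain text; the name alone must not trigger")


def demo() -> List[Tuple[str, int, List[str]]]:
    """Run the sweep over the constructed tree and return (relative path, size, siblings)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_demo_tree(root)
        return [(path.relative_to(root).as_posix(), size, siblings)
                for path, size, siblings in sweep(root)]


if __name__ == "__main__":
    for rel, size, siblings in demo():
        print(f"{rel}  {size} bytes  siblings={siblings}")
```

On a real host, point sweep() at C:\Program Files, C:\Windows\SysWOW64\MSDRM and C:\Windows\WinSxS; since this sample also hides extensions in Explorer, a directory listing from the shell will not reveal the drops, which is why the check reads names and headers directly.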
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: WINWORD.EXE
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
Both signatures are attributed to WINWORD.EXE, which the sample launched to show the decoy document, not to the sample or its drops; do not read them as anti-sandbox checks by the malware.
Modifies registry class (20 IoCs)
Processes: sample (6fd74742fac872c3beef7a34cc945873_JaffaCakes118.exe), mqrergmdys.exe

Sample: state stored under a class key of its own
- Key created: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings (sample)
- Key created: \REGISTRY\MACHINE\Software\Classes\CLV.Classes (sample)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "334E2D799D5283236D3E76D770542CDA7C8765DA" (sample)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCEFABAFE13F29984753A42819F3E95B08E02FF43640238E2C9429D09D1" (sample)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB1B02F47E6399E52C8B9A73299D7C8" (sample)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF8FF8F482A856F9133D6217E97BDE0E13D5842664F6246D6EC" (sample)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F768C6FE6A22D0D27BD0D38A7F9116" (sample)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184EC67815E1DBBFB9BD7FE7ED9237CA" (sample)

mqrergmdys.exe: script-type handler hijack
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.bat (mqrergmdys.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.reg (mqrergmdys.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs (mqrergmdys.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc (mqrergmdys.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf (mqrergmdys.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh (mqrergmdys.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\(default) = "txtfile" (mqrergmdys.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\(default) = "txtfile" (mqrergmdys.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\(default) = "txtfile" (mqrergmdys.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\(default) = "txtfile" (mqrergmdys.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\(default) = "txtfile" (mqrergmdys.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\(default) = "txtfile" (mqrergmdys.exe)
CLV.Classes is not a Windows class; the six hex strings (16 to 30 bytes each) are the sample's own stored state and are not decoded in this report. The last two writes are logged in upper case, which is the same key since registry paths are case-insensitive. Pointing .bat, .reg, .vbs, .wsc, .wsf and .wsh at txtfile makes the shell open those files in the text editor instead of executing them, which defeats double-click cleanup scripts and .reg imports (cmd.exe still runs a .bat typed at its prompt, as it handles that type itself).
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes: 2748 WINWORD.EXE (2 events)
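Detecting and undoing the script-handler hijack recorded in the Modifies registry class section above (.bat, .reg, .vbs, .wsc, .wsf and .wsh all pointed at txtfile), as an added example that is not part of the report. The {".ext": "ProgID"} snapshot shape and the function names are this example's assumptions; the stock ProgIDs in STOCK_PROGIDS are the default values of HKCR\.bat and friends on a clean Windows 10 install. On Windows, read_live_defaults() fills the snapshot from HKCR with the standard winreg module; elsewhere the script evaluates a snapshot constructed from the report's values.

```python
"""Find script-type handlers that were redirected to txtfile, as this report shows for
.bat/.reg/.vbs/.wsc/.wsf/.wsh, and produce the reg.exe commands that restore them.

Added example, not the sandbox's logic. The {".ext": "ProgID"} snapshot shape is this
script's assumption; read_live_defaults() fills it from HKCR on Windows with winreg.
"""
import sys
from typing import Dict, List

# Stock default ProgIDs for the six extensions the sample retargeted (clean Windows 10).
STOCK_PROGIDS: Dict[str, str] = {
    ".bat": "batfile",
    ".reg": "regfile",
    ".vbs": "VBSFile",
    ".wsc": "scriptletfile",
    ".wsf": "WSFFile",
    ".wsh": "WSHFile",
}


def find_hijacks(defaults: Dict[str, str]) -> Dict[str, str]:
    """Return {ext: current ProgID} for every watched extension whose handler is not the stock one.

    Registry paths are case-insensitive, so '.WSH' and '.wsh' (both appear in the report)
    are the same key; the comparison folds case on both sides.
    """
    observed = {ext.lower(): progid for ext, progid in defaults.items()}
    hijacked: Dict[str, str] = {}
    for ext, stock in STOCK_PROGIDS.items():
        progid = observed.get(ext)
        if progid is not None and progid.lower() != stock.lower():
            hijacked[ext] = progid
    return hijacked


def repair_commands(hijacked: Dict[str, str]) -> List[str]:
    """reg.exe commands (run elevated) that put the stock handler back under
    HKLM\\SOFTWARE\\Classes, the hive the sample wrote to."""
    return [
        f'reg add "HKLM\\SOFTWARE\\Classes\\{ext}" /ve /d {STOCK_PROGIDS[ext]} /f'
        for ext in sorted(hijacked)
    ]


def read_live_defaults() -> Dict[str, str]:
    """On Windows, read the effective (Default) value of HKCR\\.ext for each watched extension."""
    if sys.platform != "win32":
        return {}
    import winreg  # standard library, Windows only
    defaults: Dict[str, str] = {}
    for ext in STOCK_PROGIDS:
        try:
            defaults[ext] = winreg.QueryValue(winreg.HKEY_CLASSES_ROOT, ext)  # the (Default) value
        except OSError:  # extension key absent
            pass
    return defaults


# Constructed from the report: the default values mqrergmdys.exe set, with its original casing.
REPORT_DEFAULTS: Dict[str, str] = {
    ".vbs": "txtfile", ".bat": "txtfile", ".wsc": "txtfile",
    ".reg": "txtfile", ".WSH": "txtfile", ".WSF": "txtfile",
}

if __name__ == "__main__":
    hijacked = find_hijacks(read_live_defaults() or REPORT_DEFAULTS)
    for ext, progid in sorted(hijacked.items()):
        print(f"{ext} -> {progid} (expected {STOCK_PROGIDS[ext]})")
    print("\n".join(repair_commands(hijacked)))
```

The restore commands target HKLM\SOFTWARE\Classes because that is where the sample wrote; HKCR is a merged view, so a per-user override under HKCU\SOFTWARE\Classes would also show up in read_live_defaults() and has to be removed separately. reg.exe is not affected by the DisableRegistryTools policy the sample sets, so these commands run even while regedit.exe is blocked.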
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (enumeration events per PID; 64 is the most this field displays, so the counts are lower bounds):
- 4928 6fd74742fac872c3beef7a34cc945873_JaffaCakes118.exe: 16
- 4764 mqrergmdys.exe: 10
- 1800 rnupusttaklqwdp.exe: 10
- 1684 cuhgvzln.exe: 8
- 4824 ihjgkvrmouxsq.exe: 12
- 3920 cuhgvzln.exe: 8
Suspicious use of FindShellTrayWindow (18 IoCs)
Processes (3 events each): 4928 6fd74742fac872c3beef7a34cc945873_JaffaCakes118.exe, 4764 mqrergmdys.exe, 1800 rnupusttaklqwdp.exe, 1684 cuhgvzln.exe, 4824 ihjgkvrmouxsq.exe, 3920 cuhgvzln.exe

Suspicious use of SendNotifyMessage (18 IoCs)
Processes (3 events each): 4928 6fd74742fac872c3beef7a34cc945873_JaffaCakes118.exe, 4764 mqrergmdys.exe, 1800 rnupusttaklqwdp.exe, 1684 cuhgvzln.exe, 4824 ihjgkvrmouxsq.exe, 3920 cuhgvzln.exe
Both signatures fire identically for the sample and every drop, which fits all six being the same AutoIt runtime stub (see AutoIT Executable).
Suspicious use of SetWindowsHookEx (7 IoCs)
Processes: 2748 WINWORD.EXE (7 events)
The clipboard listener and window hooks above belong to WINWORD.EXE and are ordinary Office behaviour, not actions of the sample.
Suspicious use of WriteProcessMemory (17 IoCs)
Processes: sample (6fd74742fac872c3beef7a34cc945873_JaffaCakes118.exe), mqrergmdys.exe
- PID 4928 (sample) wrote to memory of PID 4764 (mqrergmdys.exe): 3 events
- PID 4928 (sample) wrote to memory of PID 1800 (rnupusttaklqwdp.exe): 3 events
- PID 4928 (sample) wrote to memory of PID 1684 (cuhgvzln.exe): 3 events
- PID 4928 (sample) wrote to memory of PID 4824 (ihjgkvrmouxsq.exe): 3 events
- PID 4928 (sample) wrote to memory of PID 2748 (WINWORD.EXE): 2 events
- PID 4764 (mqrergmdys.exe) wrote to memory of PID 3920 (cuhgvzln.exe): 3 events
Every target is a direct child of the writing process and the counts are the handful of writes a parent performs while setting up a process it creates, so this is the footprint of process creation rather than injection into a foreign process; the report shows no write into a process the sample did not start.
Processes

PIDs and parent links below are taken from the Executes dropped EXE and WriteProcessMemory sections.

6fd74742fac872c3beef7a34cc945873_JaffaCakes118.exe (PID 4928)
  image: C:\Users\Admin\AppData\Local\Temp\6fd74742fac872c3beef7a34cc945873_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\6fd74742fac872c3beef7a34cc945873_JaffaCakes118.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  mqrergmdys.exe (PID 4764, child of 4928)
    image: C:\Windows\SysWOW64\mqrergmdys.exe
    command line: mqrergmdys.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    cuhgvzln.exe (PID 3920, child of 4764)
      image: C:\Windows\SysWOW64\cuhgvzln.exe
      command line: C:\Windows\system32\cuhgvzln.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  rnupusttaklqwdp.exe (PID 1800, child of 4928)
    image: C:\Windows\SysWOW64\rnupusttaklqwdp.exe
    command line: rnupusttaklqwdp.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  cuhgvzln.exe (PID 1684, child of 4928)
    image: C:\Windows\SysWOW64\cuhgvzln.exe
    command line: cuhgvzln.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  ihjgkvrmouxsq.exe (PID 4824, child of 4928)
    image: C:\Windows\SysWOW64\ihjgkvrmouxsq.exe
    command line: ihjgkvrmouxsq.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  WINWORD.EXE (PID 2748, child of 4928)
    image: C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx

The PID 3920 instance was started as C:\Windows\system32\cuhgvzln.exe, yet its image is under SysWOW64: WOW64 file-system redirection maps System32 to SysWOW64 for the 32-bit parent, so the drop location and the launch path are the same file. Word is launched on C:\Windows\mydoc.rtf, the 223-byte file the sample wrote moments earlier, which gives the user a document to look at while the four drops run; the division of labour is the dropper (4928) writing the binaries, mqrergmdys.exe (4764) tampering with Explorer, the registry and the Security Center values, rnupusttaklqwdp.exe (1800) setting persistence, and the two cuhgvzln.exe instances writing the document-named copies.
Network
MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)

Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)

Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Modify Registry (6)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
Downloads

The four binaries dropped into SysWOW64 and the document-named copies are all exactly 512KB, the size of the submitted sample, yet every one has a different hash, so blocking the submitted hashes alone will not catch the drops; use the paths, the Run-key value names and the registry IoCs above. Paths listed twice (MsoIrmProtector.doc.exe, the customDestinations-ms jump list) were written more than once during the run with different content. The jump list, Recent\index.dat and TCD9FAE.tmp\gb.xsl entries appear to be working files of WINWORD.EXE opening the decoy rather than payloads.

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
  Filesize: 512KB
  MD5: f196c45ff69875cb14ccedd86115b001
  SHA1: d091d4e817fcc22023f810d15fe687ed4665efbf
  SHA256: 93d46edb55165bf1c2d09a5e963208ea031482013923389e640ac531773b13c2
  SHA512: 732adad0fefaf4e2e796c58fed0b69a8e1990bfb6daf21e83ad60e065553d228d83372302c869910bef03ac032cbea03223040d239031720193f8254316b57a5

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
  Filesize: 512KB
  MD5: fa7db8465cfadf266aca249c547fab21
  SHA1: 899b3a153ea93644661e796f430791bdddedbccf
  SHA256: 893f648e0f96bdd2dd9b0db57eb7556571cceae41556a6c8affc466c05a38d9c
  SHA512: a4af6d412ac5523b5730767a1e8f101d7569ce8f6b04c72c6c0a39f2e028ce949d1894fb2ff00de209caef8acd9ea0f65fc96d0920230f5cfc03ca8d05094158

C:\Users\Admin\AppData\Local\Temp\TCD9FAE.tmp\gb.xsl
  Filesize: 262KB
  MD5: 51d32ee5bc7ab811041f799652d26e04
  SHA1: 412193006aa3ef19e0a57e16acf86b830993024a
  SHA256: 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
  SHA512: 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
  Filesize: 239B
  MD5: 12b138a5a40ffb88d1850866bf2959cd
  SHA1: 57001ba2de61329118440de3e9f8a81074cb28a2
  SHA256: 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
  SHA512: 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms (first write)
  Filesize: 3KB
  MD5: 0123095391598fc7b219115790e81169
  SHA1: aee2bdf35d9dd41304badf04ed6520cc4f6f6374
  SHA256: 5300fbc69ef63372b1380bcc0af270649f8804e534c7d478bc68ada854d5d418
  SHA512: 710e15f46dcada7bb897101cd99b027ef523868bc0d0ab55f5698b7d459ef565e94b1401d8ea8f7066c53b8e21b1583570cb9fca01399ee52555753d13f5e414

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms (second write)
  Filesize: 3KB
  MD5: 5a6935e35450185fa8f13e1a9558b9f9
  SHA1: 909b3b5c1f1413043e74afe29a9cdcdedb00fc0f
  SHA256: cff1eb54b063dce6912a69bb3b310a1d4959bdf7fcb1cdc197500a137ef53b67
  SHA512: e0cb6a916bbb068d76a7cf52617304b5f510cefa1cadffe389198d58491635135ef252a9438d5ba75e869df6bd2e960a79addb534128c36a6a16e9422b354b79

C:\Windows\SysWOW64\cuhgvzln.exe
  Filesize: 512KB
  MD5: cabe585db60ff35bde81f29fb9df513f
  SHA1: b806cfc78cd0e1bd3c5827c3206d089b11d29d3e
  SHA256: 81ca3fc5fb9407a0e74402a24545e3df6dbe606956c4dd102e9b1ee7a401d516
  SHA512: e0850ee98b2b2ff78da98bf23fa32853b6e2bc04dd4f57cc07619752a983a40c13be5491b1621d849f859dac209326e31fa25c3316910cbea70c80c64d775d8e

C:\Windows\SysWOW64\ihjgkvrmouxsq.exe
  Filesize: 512KB
  MD5: ff0dcf5748b174bc02e3e2de2c94e115
  SHA1: a91111b776d98b407892ee417886492f2ea08582
  SHA256: 97cd45d505db17484602713688ce41408c2e276d57e477c7473b959906bc6ab2
  SHA512: aa8ee3bda1728b331a3a2c24cea6f56758aaa6a9c673618a93afcc8b9734ab07b894be36f47aa09937a3b620ab3118c3ce0a332a9f246864c387c9512d8ad6c1

C:\Windows\SysWOW64\mqrergmdys.exe
  Filesize: 512KB
  MD5: 86dcbb1ae62e460ce6fe80dfe824713d
  SHA1: a303353e24fafe89313e93ee1757373701bf6b3b
  SHA256: dadc2f856255fd0d5b88b31e40542123997f7e07ed6a0d3954b8e7d9ee42b79f
  SHA512: 5703b4d9607f294c0bf66109e3c05678ca6f33022145c6678c3df198aca64ed63ad742d3b8c4a1ff20846876bc45f1b6c19169061f54d9eeb4c3908fd17927ba

C:\Windows\SysWOW64\rnupusttaklqwdp.exe
  Filesize: 512KB
  MD5: 0324a8de0f571da5111e0144d617f1e5
  SHA1: e023eb618ba28fb8b5a0f7f42cf9376ae2e22d03
  SHA256: c03a30dbc2f5fbcb336defbc8cdd7d7f65750f263a015af23740c7faa8698fb5
  SHA512: 25a5132c990762665afdcfde71f6fbf2d0b88e637706d166e47ea86f5d042e0ace395265224fc9e5d9c1af8cbdf291fbe0eeabd491bbeb6c2896ce445c4ace89

C:\Windows\mydoc.rtf (the decoy opened by WINWORD.EXE)
  Filesize: 223B
  MD5: 06604e5941c126e2e7be02c5cd9f62ec
  SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
  SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
  SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (first write)
  Filesize: 512KB
  MD5: 8adaa63c3620873532d400443b7099a6
  SHA1: f63cfde006d62d4a0b888d5a104f2f8ac971777d
  SHA256: 742ce2d15412f7d8ea9a728804aacde17d90fa5a468c8fb8e4d98de3a61056df
  SHA512: 3174b90a731f71e888e12c61f5c9ca749d9641cf98000fb434859b6b161b6add1ec1931ab88855d6dbd48a33609a2bf9aed45a4224206f4189534054279915b8

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (second write)
  Filesize: 512KB
  MD5: 6ea87049c238783b4136f6d93c8f698d
  SHA1: be98ab64109f57480b9b09e9c17c1aa1fa51f42b
  SHA256: e03444a5c7f5ac9cca8cfac7c49d9cb5b85750ce746840dc7d8dc957f73cc0c1
  SHA512: fbd5dcb7fb600baedc072b959938b5a7c43a247ae8a474d7c63ec09962703d9da8675c9708a31d3aa0ee1143585fc442f0047d7aed9b2eb54a76f2ffbf3de5f4

Memory dumps
- memory/2748-43-0x00007FF9D2410000-0x00007FF9D2420000-memory.dmp: 64KB
- memory/2748-40-0x00007FF9D2410000-0x00007FF9D2420000-memory.dmp: 64KB
- memory/2748-39-0x00007FF9D4690000-0x00007FF9D46A0000-memory.dmp: 64KB
- memory/2748-38-0x00007FF9D4690000-0x00007FF9D46A0000-memory.dmp: 64KB
- memory/2748-36-0x00007FF9D4690000-0x00007FF9D46A0000-memory.dmp: 64KB
- memory/2748-37-0x00007FF9D4690000-0x00007FF9D46A0000-memory.dmp: 64KB
- memory/2748-35-0x00007FF9D4690000-0x00007FF9D46A0000-memory.dmp: 64KB
- memory/2748-600-0x00007FF9D4690000-0x00007FF9D46A0000-memory.dmp: 64KB
- memory/2748-603-0x00007FF9D4690000-0x00007FF9D46A0000-memory.dmp: 64KB
- memory/2748-602-0x00007FF9D4690000-0x00007FF9D46A0000-memory.dmp: 64KB
- memory/2748-601-0x00007FF9D4690000-0x00007FF9D46A0000-memory.dmp: 64KB
- memory/4928-0-0x0000000000400000-0x0000000000496000-memory.dmp: 600KB
The 4928 dump is the sample's own image (base 0x400000, 0x96000 bytes) and is the region the autoit_exe rule matched; the 2748 dumps are two 64KB regions of WINWORD.EXE captured repeatedly and hold nothing attributable to the sample.