Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system -
submitted
24-05-2024 20:54
Static task
static1
Behavioral task
behavioral1
Sample
6fd1083bf5feeb646bd239a8a746071b_JaffaCakes118.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
6fd1083bf5feeb646bd239a8a746071b_JaffaCakes118.exe
Resource
win10v2004-20240426-en
General
-
Target
6fd1083bf5feeb646bd239a8a746071b_JaffaCakes118.exe
-
Size
512KB
-
MD5
6fd1083bf5feeb646bd239a8a746071b
-
SHA1
b2fa8706e82e41d761acb14bd8cb2f3f5c9297c1
-
SHA256
a52f6ab0aa9602129134aeddd524fa53ed0b02e7f2f4c6e10358f12384c4cfd2
-
SHA512
7099119882f3ed29b8e8480e946f2d8cf2ae38ab12aed10f65ae4d1beedeb99b9d1d13666f6f7c3f9f3e9a20322d57c7cd0db647869c4e5cd5103f98e9459c4a
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj65:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5S
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
Processes:
lroqynanyn.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" lroqynanyn.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes:
lroqynanyn.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" lroqynanyn.exe -
Processes:
lroqynanyn.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" lroqynanyn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" lroqynanyn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" lroqynanyn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" lroqynanyn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" lroqynanyn.exe -
Disables RegEdit via registry modification 1 IoCs
Processes:
lroqynanyn.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" lroqynanyn.exe -
Modifies Installed Components in the registry 2 TTPs 1 IoCs
Processes:
explorer.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe -
Executes dropped EXE 5 IoCs
Processes:
lroqynanyn.execnxmtfplnviilbe.exeahcgwmlk.exeeoodvxvdctpkp.exeahcgwmlk.exepid process 2944 lroqynanyn.exe 2552 cnxmtfplnviilbe.exe 2548 ahcgwmlk.exe 2360 eoodvxvdctpkp.exe 2568 ahcgwmlk.exe -
Loads dropped DLL 5 IoCs
Processes:
6fd1083bf5feeb646bd239a8a746071b_JaffaCakes118.exelroqynanyn.exepid process 1844 6fd1083bf5feeb646bd239a8a746071b_JaffaCakes118.exe 1844 6fd1083bf5feeb646bd239a8a746071b_JaffaCakes118.exe 1844 6fd1083bf5feeb646bd239a8a746071b_JaffaCakes118.exe 1844 6fd1083bf5feeb646bd239a8a746071b_JaffaCakes118.exe 2944 lroqynanyn.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
lroqynanyn.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" lroqynanyn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" lroqynanyn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" lroqynanyn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" lroqynanyn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" lroqynanyn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" lroqynanyn.exe -
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
cnxmtfplnviilbe.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\klywmcxx = "lroqynanyn.exe" cnxmtfplnviilbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\znmnzxyc = "cnxmtfplnviilbe.exe" cnxmtfplnviilbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "eoodvxvdctpkp.exe" cnxmtfplnviilbe.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
ahcgwmlk.exeahcgwmlk.exelroqynanyn.exedescription ioc process File opened (read-only) \??\i: ahcgwmlk.exe File opened (read-only) \??\t: ahcgwmlk.exe File opened (read-only) \??\z: ahcgwmlk.exe File opened (read-only) \??\w: ahcgwmlk.exe File opened (read-only) \??\p: lroqynanyn.exe File opened (read-only) \??\h: lroqynanyn.exe File opened (read-only) \??\x: lroqynanyn.exe File opened (read-only) \??\o: lroqynanyn.exe File opened (read-only) \??\r: lroqynanyn.exe File opened (read-only) \??\b: ahcgwmlk.exe File opened (read-only) \??\l: ahcgwmlk.exe File opened (read-only) \??\q: ahcgwmlk.exe File opened (read-only) \??\j: ahcgwmlk.exe File opened (read-only) \??\g: lroqynanyn.exe File opened (read-only) \??\s: lroqynanyn.exe File opened (read-only) \??\g: ahcgwmlk.exe File opened (read-only) \??\x: ahcgwmlk.exe File opened (read-only) \??\u: ahcgwmlk.exe File opened (read-only) \??\q: lroqynanyn.exe File opened (read-only) \??\s: ahcgwmlk.exe File opened (read-only) \??\w: ahcgwmlk.exe File opened (read-only) \??\r: ahcgwmlk.exe File opened (read-only) \??\v: ahcgwmlk.exe File opened (read-only) \??\k: ahcgwmlk.exe File opened (read-only) \??\z: ahcgwmlk.exe File opened (read-only) \??\b: lroqynanyn.exe File opened (read-only) \??\a: ahcgwmlk.exe File opened (read-only) \??\b: ahcgwmlk.exe File opened (read-only) \??\k: ahcgwmlk.exe File opened (read-only) \??\a: ahcgwmlk.exe File opened (read-only) \??\h: ahcgwmlk.exe File opened (read-only) \??\p: ahcgwmlk.exe File opened (read-only) \??\t: ahcgwmlk.exe File opened (read-only) \??\t: lroqynanyn.exe File opened (read-only) \??\v: lroqynanyn.exe File opened (read-only) \??\h: ahcgwmlk.exe File opened (read-only) \??\j: ahcgwmlk.exe File opened (read-only) \??\r: ahcgwmlk.exe File opened (read-only) \??\g: ahcgwmlk.exe File opened (read-only) \??\s: ahcgwmlk.exe File opened (read-only) \??\l: lroqynanyn.exe File opened (read-only) \??\z: lroqynanyn.exe File opened (read-only) \??\i: ahcgwmlk.exe File opened (read-only) \??\k: lroqynanyn.exe File opened (read-only) \??\v: ahcgwmlk.exe File opened (read-only) \??\e: ahcgwmlk.exe File opened (read-only) \??\y: ahcgwmlk.exe File opened (read-only) \??\e: ahcgwmlk.exe File opened (read-only) \??\n: lroqynanyn.exe File opened (read-only) \??\e: lroqynanyn.exe File opened (read-only) \??\m: lroqynanyn.exe File opened (read-only) \??\i: lroqynanyn.exe File opened (read-only) \??\n: ahcgwmlk.exe File opened (read-only) \??\a: lroqynanyn.exe File opened (read-only) \??\u: lroqynanyn.exe File opened (read-only) \??\w: lroqynanyn.exe File opened (read-only) \??\o: ahcgwmlk.exe File opened (read-only) \??\u: ahcgwmlk.exe File opened (read-only) \??\p: ahcgwmlk.exe File opened (read-only) \??\j: lroqynanyn.exe File opened (read-only) \??\y: lroqynanyn.exe File opened (read-only) \??\l: ahcgwmlk.exe File opened (read-only) \??\m: ahcgwmlk.exe File opened (read-only) \??\m: ahcgwmlk.exe -
Modifies WinLogon 2 TTPs 2 IoCs
Processes:
lroqynanyn.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" lroqynanyn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" lroqynanyn.exe -
AutoIT Executable 7 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource yara_rule behavioral1/memory/1844-0-0x0000000000400000-0x0000000000496000-memory.dmp autoit_exe C:\Windows\SysWOW64\ahcgwmlk.exe autoit_exe \Windows\SysWOW64\lroqynanyn.exe autoit_exe C:\Windows\SysWOW64\cnxmtfplnviilbe.exe autoit_exe C:\Windows\SysWOW64\eoodvxvdctpkp.exe autoit_exe C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe autoit_exe C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe autoit_exe -
Drops file in System32 directory 9 IoCs
Processes:
6fd1083bf5feeb646bd239a8a746071b_JaffaCakes118.exelroqynanyn.exedescription ioc process File created C:\Windows\SysWOW64\cnxmtfplnviilbe.exe 6fd1083bf5feeb646bd239a8a746071b_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\cnxmtfplnviilbe.exe 6fd1083bf5feeb646bd239a8a746071b_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll lroqynanyn.exe File opened for modification C:\Windows\SysWOW64\lroqynanyn.exe 6fd1083bf5feeb646bd239a8a746071b_JaffaCakes118.exe File created C:\Windows\SysWOW64\ahcgwmlk.exe 6fd1083bf5feeb646bd239a8a746071b_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\ahcgwmlk.exe 6fd1083bf5feeb646bd239a8a746071b_JaffaCakes118.exe File created C:\Windows\SysWOW64\eoodvxvdctpkp.exe 6fd1083bf5feeb646bd239a8a746071b_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\eoodvxvdctpkp.exe 6fd1083bf5feeb646bd239a8a746071b_JaffaCakes118.exe File created C:\Windows\SysWOW64\lroqynanyn.exe 6fd1083bf5feeb646bd239a8a746071b_JaffaCakes118.exe -
Drops file in Program Files directory 15 IoCs
Processes:
ahcgwmlk.exeahcgwmlk.exedescription ioc process File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe ahcgwmlk.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe ahcgwmlk.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe ahcgwmlk.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe ahcgwmlk.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal ahcgwmlk.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal ahcgwmlk.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal ahcgwmlk.exe File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe ahcgwmlk.exe File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe ahcgwmlk.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe ahcgwmlk.exe File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe ahcgwmlk.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe ahcgwmlk.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe ahcgwmlk.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal ahcgwmlk.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe ahcgwmlk.exe -
Drops file in Windows directory 4 IoCs
Processes:
6fd1083bf5feeb646bd239a8a746071b_JaffaCakes118.exeWINWORD.EXEdescription ioc process File opened for modification C:\Windows\mydoc.rtf 6fd1083bf5feeb646bd239a8a746071b_JaffaCakes118.exe File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE File created C:\Windows\~$mydoc.rtf WINWORD.EXE File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Office loads VBA resources, possible macro or embedded object present
-
Processes:
WINWORD.EXEdescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE -
Modifies registry class 64 IoCs
Processes:
WINWORD.EXE6fd1083bf5feeb646bd239a8a746071b_JaffaCakes118.exelroqynanyn.exeexplorer.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF4FF88482F856E9045D62F7E93BD90E131584366476335D6EB" 6fd1083bf5feeb646bd239a8a746071b_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" lroqynanyn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes 6fd1083bf5feeb646bd239a8a746071b_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "194AC67F1594DAB5B9CE7F95EC9734CA" 6fd1083bf5feeb646bd239a8a746071b_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FCAB15B4794399E52C9BAA63299D7CD" 6fd1083bf5feeb646bd239a8a746071b_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf lroqynanyn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" lroqynanyn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh lroqynanyn.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 2428 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
6fd1083bf5feeb646bd239a8a746071b_JaffaCakes118.execnxmtfplnviilbe.exeahcgwmlk.exelroqynanyn.exeeoodvxvdctpkp.exeahcgwmlk.exepid process 1844 6fd1083bf5feeb646bd239a8a746071b_JaffaCakes118.exe 1844 6fd1083bf5feeb646bd239a8a746071b_JaffaCakes118.exe 1844 6fd1083bf5feeb646bd239a8a746071b_JaffaCakes118.exe 1844 6fd1083bf5feeb646bd239a8a746071b_JaffaCakes118.exe 1844 6fd1083bf5feeb646bd239a8a746071b_JaffaCakes118.exe 1844 6fd1083bf5feeb646bd239a8a746071b_JaffaCakes118.exe 1844 6fd1083bf5feeb646bd239a8a746071b_JaffaCakes118.exe 2552 cnxmtfplnviilbe.exe 2552 cnxmtfplnviilbe.exe 2552 cnxmtfplnviilbe.exe 2552 cnxmtfplnviilbe.exe 2552 cnxmtfplnviilbe.exe 1844 6fd1083bf5feeb646bd239a8a746071b_JaffaCakes118.exe 2548 ahcgwmlk.exe 2548 ahcgwmlk.exe 2548 ahcgwmlk.exe 2548 ahcgwmlk.exe 2944 lroqynanyn.exe 2944 lroqynanyn.exe 2944 lroqynanyn.exe 2944 lroqynanyn.exe 2944 lroqynanyn.exe 2552 cnxmtfplnviilbe.exe 2360 eoodvxvdctpkp.exe 2360 eoodvxvdctpkp.exe 2360 eoodvxvdctpkp.exe 2360 eoodvxvdctpkp.exe 2360 eoodvxvdctpkp.exe 2360 eoodvxvdctpkp.exe 2568 ahcgwmlk.exe 2568 ahcgwmlk.exe 2568 ahcgwmlk.exe 2568 ahcgwmlk.exe 2552 cnxmtfplnviilbe.exe 2360 eoodvxvdctpkp.exe 2360 eoodvxvdctpkp.exe 2552 cnxmtfplnviilbe.exe 2552 cnxmtfplnviilbe.exe 2360 eoodvxvdctpkp.exe 2360 eoodvxvdctpkp.exe 2552 cnxmtfplnviilbe.exe 2360 eoodvxvdctpkp.exe 2360 eoodvxvdctpkp.exe 2552 cnxmtfplnviilbe.exe 2360 eoodvxvdctpkp.exe 2360 eoodvxvdctpkp.exe 2552 cnxmtfplnviilbe.exe 2360 eoodvxvdctpkp.exe 2360 eoodvxvdctpkp.exe 2552 cnxmtfplnviilbe.exe 2360 eoodvxvdctpkp.exe 2360 eoodvxvdctpkp.exe 2552 cnxmtfplnviilbe.exe 2360 eoodvxvdctpkp.exe 2360 eoodvxvdctpkp.exe 2552 cnxmtfplnviilbe.exe 2360 eoodvxvdctpkp.exe 2360 eoodvxvdctpkp.exe 2552 cnxmtfplnviilbe.exe 2360 eoodvxvdctpkp.exe 2360 eoodvxvdctpkp.exe 2552 cnxmtfplnviilbe.exe 2360 eoodvxvdctpkp.exe 2360 eoodvxvdctpkp.exe -
Suspicious use of AdjustPrivilegeToken 12 IoCs
Processes:
explorer.exedescription pid process Token: SeShutdownPrivilege 1584 explorer.exe Token: SeShutdownPrivilege 1584 explorer.exe Token: SeShutdownPrivilege 1584 explorer.exe Token: SeShutdownPrivilege 1584 explorer.exe Token: SeShutdownPrivilege 1584 explorer.exe Token: SeShutdownPrivilege 1584 explorer.exe Token: SeShutdownPrivilege 1584 explorer.exe Token: SeShutdownPrivilege 1584 explorer.exe Token: SeShutdownPrivilege 1584 explorer.exe Token: SeShutdownPrivilege 1584 explorer.exe Token: SeShutdownPrivilege 1584 explorer.exe Token: SeShutdownPrivilege 1584 explorer.exe -
Suspicious use of FindShellTrayWindow 47 IoCs
Processes:
6fd1083bf5feeb646bd239a8a746071b_JaffaCakes118.execnxmtfplnviilbe.exelroqynanyn.exeahcgwmlk.exeeoodvxvdctpkp.exeahcgwmlk.exeexplorer.exepid process 1844 6fd1083bf5feeb646bd239a8a746071b_JaffaCakes118.exe 1844 6fd1083bf5feeb646bd239a8a746071b_JaffaCakes118.exe 1844 6fd1083bf5feeb646bd239a8a746071b_JaffaCakes118.exe 2552 cnxmtfplnviilbe.exe 2552 cnxmtfplnviilbe.exe 2552 cnxmtfplnviilbe.exe 2944 lroqynanyn.exe 2944 lroqynanyn.exe 2944 lroqynanyn.exe 2548 ahcgwmlk.exe 2548 ahcgwmlk.exe 2548 ahcgwmlk.exe 2360 eoodvxvdctpkp.exe 2360 eoodvxvdctpkp.exe 2360 eoodvxvdctpkp.exe 2568 ahcgwmlk.exe 2568 ahcgwmlk.exe 2568 ahcgwmlk.exe 1584 explorer.exe 1584 explorer.exe 1584 explorer.exe 1584 explorer.exe 1584 explorer.exe 1584 explorer.exe 1584 explorer.exe 1584 explorer.exe 1584 explorer.exe 1584 explorer.exe 1584 explorer.exe 1584 explorer.exe 1584 explorer.exe 1584 explorer.exe 1584 explorer.exe 1584 explorer.exe 1584 explorer.exe 1584 explorer.exe 1584 explorer.exe 1584 explorer.exe 1584 explorer.exe 1584 explorer.exe 1584 explorer.exe 1584 explorer.exe 1584 explorer.exe 1584 explorer.exe 1584 explorer.exe 1584 explorer.exe 1584 explorer.exe -
Suspicious use of SendNotifyMessage 34 IoCs
Processes:
6fd1083bf5feeb646bd239a8a746071b_JaffaCakes118.execnxmtfplnviilbe.exelroqynanyn.exeahcgwmlk.exeeoodvxvdctpkp.exeexplorer.exepid process 1844 6fd1083bf5feeb646bd239a8a746071b_JaffaCakes118.exe 1844 6fd1083bf5feeb646bd239a8a746071b_JaffaCakes118.exe 1844 6fd1083bf5feeb646bd239a8a746071b_JaffaCakes118.exe 2552 cnxmtfplnviilbe.exe 2552 cnxmtfplnviilbe.exe 2552 cnxmtfplnviilbe.exe 2944 lroqynanyn.exe 2944 lroqynanyn.exe 2944 lroqynanyn.exe 2548 ahcgwmlk.exe 2548 ahcgwmlk.exe 2548 ahcgwmlk.exe 2360 eoodvxvdctpkp.exe 2360 eoodvxvdctpkp.exe 2360 eoodvxvdctpkp.exe 1584 explorer.exe 1584 explorer.exe 1584 explorer.exe 1584 explorer.exe 1584 explorer.exe 1584 explorer.exe 1584 explorer.exe 1584 explorer.exe 1584 explorer.exe 1584 explorer.exe 1584 explorer.exe 1584 explorer.exe 1584 explorer.exe 1584 explorer.exe 1584 explorer.exe 1584 explorer.exe 1584 explorer.exe 1584 explorer.exe 1584 explorer.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
WINWORD.EXEpid process 2428 WINWORD.EXE 2428 WINWORD.EXE -
Suspicious use of WriteProcessMemory 28 IoCs
Processes:
6fd1083bf5feeb646bd239a8a746071b_JaffaCakes118.execnxmtfplnviilbe.exelroqynanyn.exedescription pid process target process PID 1844 wrote to memory of 2944 1844 6fd1083bf5feeb646bd239a8a746071b_JaffaCakes118.exe lroqynanyn.exe PID 1844 wrote to memory of 2944 1844 6fd1083bf5feeb646bd239a8a746071b_JaffaCakes118.exe lroqynanyn.exe PID 1844 wrote to memory of 2944 1844 6fd1083bf5feeb646bd239a8a746071b_JaffaCakes118.exe lroqynanyn.exe PID 1844 wrote to memory of 2944 1844 6fd1083bf5feeb646bd239a8a746071b_JaffaCakes118.exe lroqynanyn.exe PID 1844 wrote to memory of 2552 1844 6fd1083bf5feeb646bd239a8a746071b_JaffaCakes118.exe cnxmtfplnviilbe.exe PID 1844 wrote to memory of 2552 1844 6fd1083bf5feeb646bd239a8a746071b_JaffaCakes118.exe cnxmtfplnviilbe.exe PID 1844 wrote to memory of 2552 1844 6fd1083bf5feeb646bd239a8a746071b_JaffaCakes118.exe cnxmtfplnviilbe.exe PID 1844 wrote to memory of 2552 1844 6fd1083bf5feeb646bd239a8a746071b_JaffaCakes118.exe cnxmtfplnviilbe.exe PID 1844 wrote to memory of 2548 1844 6fd1083bf5feeb646bd239a8a746071b_JaffaCakes118.exe ahcgwmlk.exe PID 1844 wrote to memory of 2548 1844 6fd1083bf5feeb646bd239a8a746071b_JaffaCakes118.exe ahcgwmlk.exe PID 1844 wrote to memory of 2548 1844 6fd1083bf5feeb646bd239a8a746071b_JaffaCakes118.exe ahcgwmlk.exe PID 1844 wrote to memory of 2548 1844 6fd1083bf5feeb646bd239a8a746071b_JaffaCakes118.exe ahcgwmlk.exe PID 2552 wrote to memory of 2600 2552 cnxmtfplnviilbe.exe cmd.exe PID 2552 wrote to memory of 2600 2552 cnxmtfplnviilbe.exe cmd.exe PID 2552 wrote to memory of 2600 2552 cnxmtfplnviilbe.exe cmd.exe PID 2552 wrote to memory of 2600 2552 cnxmtfplnviilbe.exe cmd.exe PID 1844 wrote to memory of 2360 1844 6fd1083bf5feeb646bd239a8a746071b_JaffaCakes118.exe eoodvxvdctpkp.exe PID 1844 wrote to memory of 2360 1844 6fd1083bf5feeb646bd239a8a746071b_JaffaCakes118.exe eoodvxvdctpkp.exe PID 1844 wrote to memory of 2360 1844 6fd1083bf5feeb646bd239a8a746071b_JaffaCakes118.exe eoodvxvdctpkp.exe PID 1844 wrote to memory of 2360 1844 6fd1083bf5feeb646bd239a8a746071b_JaffaCakes118.exe eoodvxvdctpkp.exe PID 2944 wrote to memory of 2568 2944 lroqynanyn.exe ahcgwmlk.exe PID 2944 wrote to memory of 2568 2944 lroqynanyn.exe ahcgwmlk.exe PID 2944 wrote to memory of 2568 2944 lroqynanyn.exe ahcgwmlk.exe PID 2944 wrote to memory of 2568 2944 lroqynanyn.exe ahcgwmlk.exe PID 1844 wrote to memory of 2428 1844 6fd1083bf5feeb646bd239a8a746071b_JaffaCakes118.exe WINWORD.EXE PID 1844 wrote to memory of 2428 1844 6fd1083bf5feeb646bd239a8a746071b_JaffaCakes118.exe WINWORD.EXE PID 1844 wrote to memory of 2428 1844 6fd1083bf5feeb646bd239a8a746071b_JaffaCakes118.exe WINWORD.EXE PID 1844 wrote to memory of 2428 1844 6fd1083bf5feeb646bd239a8a746071b_JaffaCakes118.exe WINWORD.EXE -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\6fd1083bf5feeb646bd239a8a746071b_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\6fd1083bf5feeb646bd239a8a746071b_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\lroqynanyn.exelroqynanyn.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ahcgwmlk.exeC:\Windows\system32\ahcgwmlk.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\cnxmtfplnviilbe.execnxmtfplnviilbe.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /c eoodvxvdctpkp.exe3⤵
-
C:\Windows\SysWOW64\ahcgwmlk.exeahcgwmlk.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\eoodvxvdctpkp.exeeoodvxvdctpkp.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Modify Registry
8Impair Defenses
2Disable or Modify Tools
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exeFilesize
512KB
MD52675f5be187957917f7b1e869bd34cf3
SHA116fd4b3dc157e5d9e2aa7b7795d77b275652490b
SHA256bb7d76599ef966174da614d5f6fb67701c1556ed0f07e66b767c57b704280eb5
SHA512831703be8a4ca5d979b090d969d4717e61806f0adadabd1db4420e1251b4689cd1646f337fceff083f9b4341dc7da6ad61fa9f7bbc281f8e3fe912453cd5843b
-
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exeFilesize
512KB
MD5b6f71f597c183035012eea5c1ed0202f
SHA1b84cd5a02cd385110c97f08f8bb41474fb75f7fe
SHA2563e8a312d99bdbeb11edf93a762c7998562d9de827ab3f58faf4a13614815bbc4
SHA51267b5635e4cb56d378c8b2d5ef4c96c4726886089024a0c80118b7e4c06f40b0c03c21200546a7ba94576968849f4433368d88e9d03b1ade570bb07fc0159aaa3
-
C:\Windows\SysWOW64\ahcgwmlk.exeFilesize
512KB
MD588ef9ae72549aa61d8f862925cb776ba
SHA187fc6c634fbaaa1cd8e0a2b3460c9950212c6b1e
SHA256bab5c2122a73bef43617e6325d743727e1ddcb99c03e63d0bce793a261b4188b
SHA512c07af3986d2b0e0f8d7f09688af6941c74a8ba4ea58443f30d48232560943f30f33453bd60bde7012325bb2e548f348d2dc15246ebe41c040c3c54cb8f122b87
-
C:\Windows\SysWOW64\cnxmtfplnviilbe.exeFilesize
512KB
MD57a23d168463b4ad9eeb803a20a1f6ef8
SHA1d6e0b61297b037f4612f38a5d63111a1865f14ba
SHA256a086f0aacbd851d09adbfee677f861885c4e0870ce44a3882ce89f9f6a4f8c3d
SHA51243a349236fe8114e253be5d4eb0fb488d74d4170a9fed3f411090f5bf460e87e0be3f375c2e1e7e8a6187a93fd91bc4814be9aaec72505570889de29644d71f1
-
C:\Windows\SysWOW64\eoodvxvdctpkp.exeFilesize
512KB
MD50225b99129d8acf80e900731e26cc617
SHA123682f305df2f18cf618d6cb49758260ec874fb1
SHA256b49b879db45fd29b514105c1df904f4ad3332b7879b8b4ecc24bc7593665e237
SHA512c07bfea7bb76160dc4779c4a4aea43f724f854dc006d9b6e5f2d8d0d030b55e4cc8c591a7f492c80ee8498bf839c780fde1340406e5921d5c145519eefbb7097
-
C:\Windows\mydoc.rtfFilesize
223B
MD506604e5941c126e2e7be02c5cd9f62ec
SHA14eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA25685f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
\Windows\SysWOW64\lroqynanyn.exeFilesize
512KB
MD56b16e7cb6d175c3268c88227ed781cbb
SHA143079649a1ec4f51243408954d00f635cb68fbc1
SHA2566b47912cf3486bd1164222aa9ecba68b8ebd54d4bd5749216fe5f1a5d5f596c0
SHA512f1a331b4b79f85977a9334733dd89184778639019c7089d35b11c971bb7ebacc0a334008854e19abf8f6c0eb635d8baa16d231a390231dd780dafc5159d3d187
-
memory/1584-83-0x0000000002B50000-0x0000000002B60000-memory.dmpFilesize
64KB
-
memory/1844-0-0x0000000000400000-0x0000000000496000-memory.dmpFilesize
600KB
-
memory/2428-45-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB