Analysis
-
max time kernel
150s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
27-05-2024 08:05
Static task
static1
Behavioral task
behavioral1
Sample
7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe
Resource
win10v2004-20240426-en
General
-
Target
7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe
-
Size
512KB
-
MD5
7873e7e0692a506e43e36d4bf4da28b7
-
SHA1
32629a66348b9a5016084c7e320a3a967ef61cc3
-
SHA256
be0ddeb3e3b7d943e20c4f535891d04c2b3981894dc777dcc17d27d304b1dbf9
-
SHA512
5f1474dc892a850fd1a94aeaf940b0a89f61698a044bcc6b65479ee892b343da24c218f4a55ff284b2202f7804687f9ef581a7ebc6fd56eb6cbfece3dda9e6e2
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6M:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5j
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
Processes:
qtataucwkr.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" qtataucwkr.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes:
qtataucwkr.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" qtataucwkr.exe -
Processes:
qtataucwkr.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" qtataucwkr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" qtataucwkr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" qtataucwkr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" qtataucwkr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" qtataucwkr.exe -
Disables RegEdit via registry modification 1 IoCs
Processes:
qtataucwkr.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" qtataucwkr.exe -
Modifies Installed Components in the registry 2 TTPs 1 IoCs
Processes:
explorer.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe -
Executes dropped EXE 5 IoCs
Processes:
qtataucwkr.exeycpaylkwhgulfmj.exeewspnxceazjay.exehoyyqncu.exehoyyqncu.exepid process 2364 qtataucwkr.exe 1116 ycpaylkwhgulfmj.exe 1260 ewspnxceazjay.exe 1968 hoyyqncu.exe 2008 hoyyqncu.exe -
Loads dropped DLL 5 IoCs
Processes:
7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exeqtataucwkr.exepid process 2224 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe 2224 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe 2224 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe 2224 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe 2364 qtataucwkr.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
qtataucwkr.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" qtataucwkr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" qtataucwkr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" qtataucwkr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" qtataucwkr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" qtataucwkr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" qtataucwkr.exe -
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
ycpaylkwhgulfmj.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xgzicqzr = "qtataucwkr.exe" ycpaylkwhgulfmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ucjdycss = "ycpaylkwhgulfmj.exe" ycpaylkwhgulfmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "ewspnxceazjay.exe" ycpaylkwhgulfmj.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
hoyyqncu.exehoyyqncu.exeqtataucwkr.exedescription ioc process File opened (read-only) \??\j: hoyyqncu.exe File opened (read-only) \??\r: hoyyqncu.exe File opened (read-only) \??\t: hoyyqncu.exe File opened (read-only) \??\o: qtataucwkr.exe File opened (read-only) \??\u: qtataucwkr.exe File opened (read-only) \??\w: qtataucwkr.exe File opened (read-only) \??\a: hoyyqncu.exe File opened (read-only) \??\h: hoyyqncu.exe File opened (read-only) \??\w: hoyyqncu.exe File opened (read-only) \??\k: hoyyqncu.exe File opened (read-only) \??\r: hoyyqncu.exe File opened (read-only) \??\z: qtataucwkr.exe File opened (read-only) \??\g: hoyyqncu.exe File opened (read-only) \??\n: hoyyqncu.exe File opened (read-only) \??\p: hoyyqncu.exe File opened (read-only) \??\z: hoyyqncu.exe File opened (read-only) \??\v: qtataucwkr.exe File opened (read-only) \??\h: hoyyqncu.exe File opened (read-only) \??\i: hoyyqncu.exe File opened (read-only) \??\s: hoyyqncu.exe File opened (read-only) \??\u: hoyyqncu.exe File opened (read-only) \??\y: hoyyqncu.exe File opened (read-only) \??\s: qtataucwkr.exe File opened (read-only) \??\y: hoyyqncu.exe File opened (read-only) \??\w: hoyyqncu.exe File opened (read-only) \??\b: hoyyqncu.exe File opened (read-only) \??\z: hoyyqncu.exe File opened (read-only) \??\j: qtataucwkr.exe File opened (read-only) \??\n: qtataucwkr.exe File opened (read-only) \??\x: qtataucwkr.exe File opened (read-only) \??\u: hoyyqncu.exe File opened (read-only) \??\l: qtataucwkr.exe File opened (read-only) \??\b: hoyyqncu.exe File opened (read-only) \??\q: hoyyqncu.exe File opened (read-only) \??\a: qtataucwkr.exe File opened (read-only) \??\h: qtataucwkr.exe File opened (read-only) \??\y: qtataucwkr.exe File opened (read-only) \??\o: hoyyqncu.exe File opened (read-only) \??\a: hoyyqncu.exe File opened (read-only) \??\p: qtataucwkr.exe File opened (read-only) \??\i: hoyyqncu.exe File opened (read-only) \??\l: hoyyqncu.exe File opened (read-only) \??\n: hoyyqncu.exe File opened (read-only) \??\o: hoyyqncu.exe File opened (read-only) \??\p: hoyyqncu.exe File opened (read-only) \??\k: qtataucwkr.exe File opened (read-only) \??\m: qtataucwkr.exe File opened (read-only) \??\t: hoyyqncu.exe File opened (read-only) \??\e: hoyyqncu.exe File opened (read-only) \??\k: hoyyqncu.exe File opened (read-only) \??\b: qtataucwkr.exe File opened (read-only) \??\t: qtataucwkr.exe File opened (read-only) \??\l: hoyyqncu.exe File opened (read-only) \??\j: hoyyqncu.exe File opened (read-only) \??\e: qtataucwkr.exe File opened (read-only) \??\q: qtataucwkr.exe File opened (read-only) \??\q: hoyyqncu.exe File opened (read-only) \??\s: hoyyqncu.exe File opened (read-only) \??\m: hoyyqncu.exe File opened (read-only) \??\g: qtataucwkr.exe File opened (read-only) \??\i: qtataucwkr.exe File opened (read-only) \??\v: hoyyqncu.exe File opened (read-only) \??\x: hoyyqncu.exe File opened (read-only) \??\e: hoyyqncu.exe -
Modifies WinLogon 2 TTPs 2 IoCs
Processes:
qtataucwkr.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" qtataucwkr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" qtataucwkr.exe -
AutoIT Executable 7 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource yara_rule behavioral1/memory/2224-0-0x0000000000400000-0x0000000000496000-memory.dmp autoit_exe C:\Windows\SysWOW64\ycpaylkwhgulfmj.exe autoit_exe \Windows\SysWOW64\qtataucwkr.exe autoit_exe \Windows\SysWOW64\hoyyqncu.exe autoit_exe C:\Windows\SysWOW64\ewspnxceazjay.exe autoit_exe C:\Program Files\ExitSync.doc.exe autoit_exe C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe autoit_exe -
Drops file in System32 directory 9 IoCs
Processes:
7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exeqtataucwkr.exedescription ioc process File created C:\Windows\SysWOW64\qtataucwkr.exe 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\qtataucwkr.exe 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\ycpaylkwhgulfmj.exe 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe File created C:\Windows\SysWOW64\hoyyqncu.exe 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\hoyyqncu.exe 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe File created C:\Windows\SysWOW64\ycpaylkwhgulfmj.exe 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe File created C:\Windows\SysWOW64\ewspnxceazjay.exe 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\ewspnxceazjay.exe 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll qtataucwkr.exe -
Drops file in Program Files directory 21 IoCs
Processes:
hoyyqncu.exehoyyqncu.exedescription ioc process File created \??\c:\Program Files\ExitSync.doc.exe hoyyqncu.exe File opened for modification \??\c:\Program Files\ExitSync.doc.exe hoyyqncu.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe hoyyqncu.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal hoyyqncu.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe hoyyqncu.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe hoyyqncu.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe hoyyqncu.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe hoyyqncu.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal hoyyqncu.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe hoyyqncu.exe File opened for modification \??\c:\Program Files\ExitSync.doc.exe hoyyqncu.exe File opened for modification C:\Program Files\ExitSync.doc.exe hoyyqncu.exe File opened for modification C:\Program Files\ExitSync.doc.exe hoyyqncu.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe hoyyqncu.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal hoyyqncu.exe File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe hoyyqncu.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal hoyyqncu.exe File opened for modification C:\Program Files\ExitSync.nal hoyyqncu.exe File opened for modification C:\Program Files\ExitSync.nal hoyyqncu.exe File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe hoyyqncu.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe hoyyqncu.exe -
Drops file in Windows directory 4 IoCs
Processes:
WINWORD.EXE7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exedescription ioc process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE File opened for modification C:\Windows\mydoc.rtf 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE File created C:\Windows\~$mydoc.rtf WINWORD.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Office loads VBA resources, possible macro or embedded object present
-
Processes:
WINWORD.EXEdescription ioc process Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE -
Modifies registry class 64 IoCs
Processes:
WINWORD.EXE7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exeexplorer.exeqtataucwkr.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0866BB2FF6E21D1D273D1D68B089013" 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32422D7C9C5782206A4677D570252DD97D8565DB" 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC3B15A44E738EB52CFBADC32EFD4B8" 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg qtataucwkr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" qtataucwkr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" qtataucwkr.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 676 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exeycpaylkwhgulfmj.exeqtataucwkr.exeewspnxceazjay.exehoyyqncu.exehoyyqncu.exepid process 2224 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe 2224 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe 2224 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe 2224 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe 2224 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe 2224 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe 2224 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe 2224 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe 1116 ycpaylkwhgulfmj.exe 1116 ycpaylkwhgulfmj.exe 1116 ycpaylkwhgulfmj.exe 1116 ycpaylkwhgulfmj.exe 1116 ycpaylkwhgulfmj.exe 2364 qtataucwkr.exe 2364 qtataucwkr.exe 2364 qtataucwkr.exe 2364 qtataucwkr.exe 2364 qtataucwkr.exe 1260 ewspnxceazjay.exe 1260 ewspnxceazjay.exe 1260 ewspnxceazjay.exe 1260 ewspnxceazjay.exe 1260 ewspnxceazjay.exe 1260 ewspnxceazjay.exe 1968 hoyyqncu.exe 1968 hoyyqncu.exe 1968 hoyyqncu.exe 1968 hoyyqncu.exe 1116 ycpaylkwhgulfmj.exe 2008 hoyyqncu.exe 2008 hoyyqncu.exe 2008 hoyyqncu.exe 2008 hoyyqncu.exe 1116 ycpaylkwhgulfmj.exe 1260 ewspnxceazjay.exe 1260 ewspnxceazjay.exe 1116 ycpaylkwhgulfmj.exe 1260 ewspnxceazjay.exe 1260 ewspnxceazjay.exe 1116 ycpaylkwhgulfmj.exe 1260 ewspnxceazjay.exe 1260 ewspnxceazjay.exe 1116 ycpaylkwhgulfmj.exe 1260 ewspnxceazjay.exe 1260 ewspnxceazjay.exe 1116 ycpaylkwhgulfmj.exe 1260 ewspnxceazjay.exe 1260 ewspnxceazjay.exe 1116 ycpaylkwhgulfmj.exe 1260 ewspnxceazjay.exe 1260 ewspnxceazjay.exe 1116 ycpaylkwhgulfmj.exe 1260 ewspnxceazjay.exe 1260 ewspnxceazjay.exe 1116 ycpaylkwhgulfmj.exe 1260 ewspnxceazjay.exe 1260 ewspnxceazjay.exe 1116 ycpaylkwhgulfmj.exe 1260 ewspnxceazjay.exe 1260 ewspnxceazjay.exe 1116 ycpaylkwhgulfmj.exe 1260 ewspnxceazjay.exe 1260 ewspnxceazjay.exe 1116 ycpaylkwhgulfmj.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
explorer.exepid process 1136 explorer.exe -
Suspicious use of AdjustPrivilegeToken 12 IoCs
Processes:
explorer.exedescription pid process Token: SeShutdownPrivilege 1136 explorer.exe Token: SeShutdownPrivilege 1136 explorer.exe Token: SeShutdownPrivilege 1136 explorer.exe Token: SeShutdownPrivilege 1136 explorer.exe Token: SeShutdownPrivilege 1136 explorer.exe Token: SeShutdownPrivilege 1136 explorer.exe Token: SeShutdownPrivilege 1136 explorer.exe Token: SeShutdownPrivilege 1136 explorer.exe Token: SeShutdownPrivilege 1136 explorer.exe Token: SeShutdownPrivilege 1136 explorer.exe Token: SeShutdownPrivilege 1136 explorer.exe Token: SeShutdownPrivilege 1136 explorer.exe -
Suspicious use of FindShellTrayWindow 47 IoCs
Processes:
7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exeycpaylkwhgulfmj.exeqtataucwkr.exehoyyqncu.exeewspnxceazjay.exehoyyqncu.exeexplorer.exepid process 2224 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe 2224 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe 2224 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe 1116 ycpaylkwhgulfmj.exe 2364 qtataucwkr.exe 1116 ycpaylkwhgulfmj.exe 1116 ycpaylkwhgulfmj.exe 2364 qtataucwkr.exe 2364 qtataucwkr.exe 1968 hoyyqncu.exe 1968 hoyyqncu.exe 1968 hoyyqncu.exe 1260 ewspnxceazjay.exe 1260 ewspnxceazjay.exe 1260 ewspnxceazjay.exe 2008 hoyyqncu.exe 2008 hoyyqncu.exe 2008 hoyyqncu.exe 1136 explorer.exe 1136 explorer.exe 1136 explorer.exe 1136 explorer.exe 1136 explorer.exe 1136 explorer.exe 1136 explorer.exe 1136 explorer.exe 1136 explorer.exe 1136 explorer.exe 1136 explorer.exe 1136 explorer.exe 1136 explorer.exe 1136 explorer.exe 1136 explorer.exe 1136 explorer.exe 1136 explorer.exe 1136 explorer.exe 1136 explorer.exe 1136 explorer.exe 1136 explorer.exe 1136 explorer.exe 1136 explorer.exe 1136 explorer.exe 1136 explorer.exe 1136 explorer.exe 1136 explorer.exe 1136 explorer.exe 1136 explorer.exe -
Suspicious use of SendNotifyMessage 34 IoCs
Processes:
7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exeycpaylkwhgulfmj.exeqtataucwkr.exehoyyqncu.exeewspnxceazjay.exeexplorer.exepid process 2224 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe 2224 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe 2224 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe 1116 ycpaylkwhgulfmj.exe 2364 qtataucwkr.exe 1116 ycpaylkwhgulfmj.exe 1116 ycpaylkwhgulfmj.exe 2364 qtataucwkr.exe 2364 qtataucwkr.exe 1968 hoyyqncu.exe 1968 hoyyqncu.exe 1968 hoyyqncu.exe 1260 ewspnxceazjay.exe 1260 ewspnxceazjay.exe 1260 ewspnxceazjay.exe 1136 explorer.exe 1136 explorer.exe 1136 explorer.exe 1136 explorer.exe 1136 explorer.exe 1136 explorer.exe 1136 explorer.exe 1136 explorer.exe 1136 explorer.exe 1136 explorer.exe 1136 explorer.exe 1136 explorer.exe 1136 explorer.exe 1136 explorer.exe 1136 explorer.exe 1136 explorer.exe 1136 explorer.exe 1136 explorer.exe 1136 explorer.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
WINWORD.EXEpid process 676 WINWORD.EXE 676 WINWORD.EXE -
Suspicious use of WriteProcessMemory 24 IoCs
Processes:
7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exeqtataucwkr.exedescription pid process target process PID 2224 wrote to memory of 2364 2224 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe qtataucwkr.exe PID 2224 wrote to memory of 2364 2224 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe qtataucwkr.exe PID 2224 wrote to memory of 2364 2224 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe qtataucwkr.exe PID 2224 wrote to memory of 2364 2224 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe qtataucwkr.exe PID 2224 wrote to memory of 1116 2224 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe ycpaylkwhgulfmj.exe PID 2224 wrote to memory of 1116 2224 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe ycpaylkwhgulfmj.exe PID 2224 wrote to memory of 1116 2224 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe ycpaylkwhgulfmj.exe PID 2224 wrote to memory of 1116 2224 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe ycpaylkwhgulfmj.exe PID 2224 wrote to memory of 1968 2224 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe hoyyqncu.exe PID 2224 wrote to memory of 1968 2224 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe hoyyqncu.exe PID 2224 wrote to memory of 1968 2224 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe hoyyqncu.exe PID 2224 wrote to memory of 1968 2224 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe hoyyqncu.exe PID 2224 wrote to memory of 1260 2224 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe ewspnxceazjay.exe PID 2224 wrote to memory of 1260 2224 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe ewspnxceazjay.exe PID 2224 wrote to memory of 1260 2224 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe ewspnxceazjay.exe PID 2224 wrote to memory of 1260 2224 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe ewspnxceazjay.exe PID 2364 wrote to memory of 2008 2364 qtataucwkr.exe hoyyqncu.exe PID 2364 wrote to memory of 2008 2364 qtataucwkr.exe hoyyqncu.exe PID 2364 wrote to memory of 2008 2364 qtataucwkr.exe hoyyqncu.exe PID 2364 wrote to memory of 2008 2364 qtataucwkr.exe hoyyqncu.exe PID 2224 wrote to memory of 676 2224 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe WINWORD.EXE PID 2224 wrote to memory of 676 2224 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe WINWORD.EXE PID 2224 wrote to memory of 676 2224 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe WINWORD.EXE PID 2224 wrote to memory of 676 2224 7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe WINWORD.EXE -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2224 -
C:\Windows\SysWOW64\qtataucwkr.exeqtataucwkr.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\Windows\SysWOW64\hoyyqncu.exeC:\Windows\system32\hoyyqncu.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2008 -
C:\Windows\SysWOW64\ycpaylkwhgulfmj.exeycpaylkwhgulfmj.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1116 -
C:\Windows\SysWOW64\hoyyqncu.exehoyyqncu.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1968 -
C:\Windows\SysWOW64\ewspnxceazjay.exeewspnxceazjay.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1260 -
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:676
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1136
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
2Disable or Modify Tools
2Modify Registry
8Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
512KB
MD553220393d595d6e5467b1057bb8881c9
SHA157d9f2341a62c9be2df7e607a53f0784a51a472d
SHA256ab90abfffb2ca9ad23344986c3f2214ac5ba17392117c94eb494e904affa35f5
SHA51221d4dcac1091d2c88e77c0e3a9c39ec9146228a09deb8608f96347ec92c95f099a4c5a1aec21c87ba90d3cc421d85221daaeec142f91c9f79c126afb430013fb
-
Filesize
512KB
MD51a506ba1e63ffacb7256a8af143744b6
SHA12bc96f25cfd1a1769fa6c3da475a36b39c607ef7
SHA2569877607891613bfde4e672261ef8e0c80d9d463d6bf6a98386cc235e30a92891
SHA51238f4824546e0c2495b800d947589b55dc3a7b6397d4b6be09a9955c3ef6838cd4429e995dc657225f54ef3bac3f06a422305ed0a5c81669777ad7c848f81ba10
-
Filesize
512KB
MD53b05d8ad7034e67a501d329ae8eebe91
SHA1a86befaeb019a910a911533c18b58e501dd45476
SHA2562c708bd54fb8ae48360b92b5306fced7563448e9e9d7f561a66ec003a7e76e1b
SHA512a9e783bd585e542eb62f09589d8fda24576342f17d7ebb7c3fb4f9d10d89646bd6ea1537d7014cac4ab54ff718660c4c34108553cb5911202e22ffbb4299608e
-
Filesize
512KB
MD5553e511e9641e22b0b5ab49e325b29dd
SHA1dc781aa5c1cd67794bc7abcba114e699d95c0466
SHA25685eea1d2dbd6f9ccd0993d324a915763805bef3f219ae9d80631f064e5999d60
SHA5121453645dd876836140869c2de99b5ae75d65bde1fbc987c3bc20f3914fcf5beaa655733c81143c463cf2a910873078b0954af1576d7b16aa2b6d977a50f2d0bc
-
Filesize
223B
MD506604e5941c126e2e7be02c5cd9f62ec
SHA14eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA25685f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
Filesize
512KB
MD5ae185cc9f21e6e472cffda4f144e3718
SHA12df17fd35a2ba7a2792b97b2c73b59180802b0be
SHA2564ccb382c2f83bd3502345b9f53f41ce0ed48536f79f0760dd5e773225fbcbd3a
SHA512db7cad28d251874d216463ef3e60b81e78fd2ab41d3162f53084e728525b9acb612e2c65106bf0187089ce2d1fce851846d5459083aef1dfcf4766c2405279f9
-
Filesize
512KB
MD51de60009bbacf05e29019dff48811960
SHA10da6e69a2778673b50ffcb8d7e23e97b0f995f8a
SHA256cf85052de6ed399a4aa2d33b7ed40bb2a6b4d769ecfb9c0bd230c00bbb1a33bf
SHA512ef97000dfde082c76af04f04c35f584994278a1d0fe69ee3b6eb3beaf91edbd691282c1e0b185ebea077372e3a7b86a0114456a245b44a4991c6ce9fc33dde9c