d85ed42d81d48d8f2892ff1c172637388f670ebfeabe2c3884563828fa5a6e5d

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
01/06/2024, 21:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8bcc3420bb85080f306b057638f16418_JaffaCakes118.exe
Size

512KB
MD5

8bcc3420bb85080f306b057638f16418
SHA1

38e58f13043b0a1f57e9e1aeaed5cc9c94448cf5
SHA256

d85ed42d81d48d8f2892ff1c172637388f670ebfeabe2c3884563828fa5a6e5d
SHA512

b28107e0cccbafe201ee86368508c5f6dceefb36ddf026a575d62c74d8a02fd9f9034187f3179d9561c9d35c2ec71956acac44f0bba8cc407caefbc54db0f85e
SSDEEP

6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6Q:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5P

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	omjzdggtbl.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	omjzdggtbl.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	omjzdggtbl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	omjzdggtbl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	omjzdggtbl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	omjzdggtbl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	omjzdggtbl.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	omjzdggtbl.exe

Modifies Installed Components in the registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 5 IoCs

pid	Process
2384	omjzdggtbl.exe
1648	arahlqffjdoztax.exe
2772	tzfrnaui.exe
2916	fejpqsjozlcby.exe
2528	tzfrnaui.exe

Loads dropped DLL 5 IoCs

pid	Process
2136	8bcc3420bb85080f306b057638f16418_JaffaCakes118.exe
2136	8bcc3420bb85080f306b057638f16418_JaffaCakes118.exe
2136	8bcc3420bb85080f306b057638f16418_JaffaCakes118.exe
2136	8bcc3420bb85080f306b057638f16418_JaffaCakes118.exe
2384	omjzdggtbl.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	omjzdggtbl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	omjzdggtbl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	omjzdggtbl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"	omjzdggtbl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	omjzdggtbl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	omjzdggtbl.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dmmyghni = "omjzdggtbl.exe"	arahlqffjdoztax.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\bejmxutl = "arahlqffjdoztax.exe"	arahlqffjdoztax.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "fejpqsjozlcby.exe"	arahlqffjdoztax.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\p:	omjzdggtbl.exe
File opened (read-only)	\??\w:	omjzdggtbl.exe
File opened (read-only)	\??\g:	omjzdggtbl.exe
File opened (read-only)	\??\n:	tzfrnaui.exe
File opened (read-only)	\??\t:	tzfrnaui.exe
File opened (read-only)	\??\x:	tzfrnaui.exe
File opened (read-only)	\??\o:	omjzdggtbl.exe
File opened (read-only)	\??\t:	omjzdggtbl.exe
File opened (read-only)	\??\x:	omjzdggtbl.exe
File opened (read-only)	\??\i:	tzfrnaui.exe
File opened (read-only)	\??\o:	tzfrnaui.exe
File opened (read-only)	\??\s:	tzfrnaui.exe
File opened (read-only)	\??\y:	tzfrnaui.exe
File opened (read-only)	\??\e:	tzfrnaui.exe
File opened (read-only)	\??\a:	tzfrnaui.exe
File opened (read-only)	\??\j:	tzfrnaui.exe
File opened (read-only)	\??\l:	tzfrnaui.exe
File opened (read-only)	\??\u:	tzfrnaui.exe
File opened (read-only)	\??\a:	omjzdggtbl.exe
File opened (read-only)	\??\k:	tzfrnaui.exe
File opened (read-only)	\??\o:	tzfrnaui.exe
File opened (read-only)	\??\p:	tzfrnaui.exe
File opened (read-only)	\??\h:	omjzdggtbl.exe
File opened (read-only)	\??\i:	omjzdggtbl.exe
File opened (read-only)	\??\r:	omjzdggtbl.exe
File opened (read-only)	\??\g:	tzfrnaui.exe
File opened (read-only)	\??\q:	tzfrnaui.exe
File opened (read-only)	\??\x:	tzfrnaui.exe
File opened (read-only)	\??\b:	tzfrnaui.exe
File opened (read-only)	\??\b:	omjzdggtbl.exe
File opened (read-only)	\??\a:	tzfrnaui.exe
File opened (read-only)	\??\b:	tzfrnaui.exe
File opened (read-only)	\??\e:	tzfrnaui.exe
File opened (read-only)	\??\g:	tzfrnaui.exe
File opened (read-only)	\??\h:	tzfrnaui.exe
File opened (read-only)	\??\i:	tzfrnaui.exe
File opened (read-only)	\??\e:	omjzdggtbl.exe
File opened (read-only)	\??\u:	tzfrnaui.exe
File opened (read-only)	\??\m:	tzfrnaui.exe
File opened (read-only)	\??\k:	omjzdggtbl.exe
File opened (read-only)	\??\v:	tzfrnaui.exe
File opened (read-only)	\??\j:	omjzdggtbl.exe
File opened (read-only)	\??\l:	omjzdggtbl.exe
File opened (read-only)	\??\s:	omjzdggtbl.exe
File opened (read-only)	\??\z:	omjzdggtbl.exe
File opened (read-only)	\??\k:	tzfrnaui.exe
File opened (read-only)	\??\m:	tzfrnaui.exe
File opened (read-only)	\??\t:	tzfrnaui.exe
File opened (read-only)	\??\q:	tzfrnaui.exe
File opened (read-only)	\??\y:	tzfrnaui.exe
File opened (read-only)	\??\h:	tzfrnaui.exe
File opened (read-only)	\??\j:	tzfrnaui.exe
File opened (read-only)	\??\w:	tzfrnaui.exe
File opened (read-only)	\??\m:	omjzdggtbl.exe
File opened (read-only)	\??\q:	omjzdggtbl.exe
File opened (read-only)	\??\p:	tzfrnaui.exe
File opened (read-only)	\??\z:	tzfrnaui.exe
File opened (read-only)	\??\n:	omjzdggtbl.exe
File opened (read-only)	\??\y:	omjzdggtbl.exe
File opened (read-only)	\??\w:	tzfrnaui.exe
File opened (read-only)	\??\r:	tzfrnaui.exe
File opened (read-only)	\??\z:	tzfrnaui.exe
File opened (read-only)	\??\u:	omjzdggtbl.exe
File opened (read-only)	\??\v:	omjzdggtbl.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"	omjzdggtbl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	omjzdggtbl.exe

AutoIT Executable 9 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2136-0-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe
behavioral1/files/0x0037000000015b72-5.dat	autoit_exe
behavioral1/files/0x000c000000012279-17.dat	autoit_exe
behavioral1/files/0x0008000000015ca9-29.dat	autoit_exe
behavioral1/files/0x0008000000015cc2-34.dat	autoit_exe
behavioral1/files/0x0006000000016cf2-67.dat	autoit_exe
behavioral1/files/0x0006000000016d01-73.dat	autoit_exe
behavioral1/files/0x0006000000016d10-78.dat	autoit_exe
behavioral1/files/0x0006000000016d19-81.dat	autoit_exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\arahlqffjdoztax.exe	8bcc3420bb85080f306b057638f16418_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\tzfrnaui.exe	8bcc3420bb85080f306b057638f16418_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\tzfrnaui.exe	8bcc3420bb85080f306b057638f16418_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\fejpqsjozlcby.exe	8bcc3420bb85080f306b057638f16418_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\omjzdggtbl.exe	8bcc3420bb85080f306b057638f16418_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\omjzdggtbl.exe	8bcc3420bb85080f306b057638f16418_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	omjzdggtbl.exe
File opened for modification	C:\Windows\SysWOW64\arahlqffjdoztax.exe	8bcc3420bb85080f306b057638f16418_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fejpqsjozlcby.exe	8bcc3420bb85080f306b057638f16418_JaffaCakes118.exe

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	tzfrnaui.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	tzfrnaui.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	tzfrnaui.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	tzfrnaui.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	tzfrnaui.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	tzfrnaui.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	tzfrnaui.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	tzfrnaui.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	tzfrnaui.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	tzfrnaui.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	tzfrnaui.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	tzfrnaui.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	tzfrnaui.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	tzfrnaui.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE
File opened for modification	C:\Windows\mydoc.rtf	8bcc3420bb85080f306b057638f16418_JaffaCakes118.exe
File opened for modification	C:\Windows\mydoc.rtf	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile"	omjzdggtbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsh	omjzdggtbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile"	omjzdggtbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"	omjzdggtbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsf	omjzdggtbl.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33372C0C9C2382556A4176D770212DDA7DF564AC"	8bcc3420bb85080f306b057638f16418_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F56BB8FE6922D1D20ED0A68A0C9163"	8bcc3420bb85080f306b057638f16418_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2640	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2136	8bcc3420bb85080f306b057638f16418_JaffaCakes118.exe
2136	8bcc3420bb85080f306b057638f16418_JaffaCakes118.exe
2136	8bcc3420bb85080f306b057638f16418_JaffaCakes118.exe
2136	8bcc3420bb85080f306b057638f16418_JaffaCakes118.exe
2136	8bcc3420bb85080f306b057638f16418_JaffaCakes118.exe
2136	8bcc3420bb85080f306b057638f16418_JaffaCakes118.exe
2136	8bcc3420bb85080f306b057638f16418_JaffaCakes118.exe
2136	8bcc3420bb85080f306b057638f16418_JaffaCakes118.exe
1648	arahlqffjdoztax.exe
1648	arahlqffjdoztax.exe
1648	arahlqffjdoztax.exe
1648	arahlqffjdoztax.exe
1648	arahlqffjdoztax.exe
2384	omjzdggtbl.exe
2384	omjzdggtbl.exe
2384	omjzdggtbl.exe
2384	omjzdggtbl.exe
2384	omjzdggtbl.exe
2916	fejpqsjozlcby.exe
2916	fejpqsjozlcby.exe
2916	fejpqsjozlcby.exe
2916	fejpqsjozlcby.exe
2916	fejpqsjozlcby.exe
2916	fejpqsjozlcby.exe
2772	tzfrnaui.exe
2772	tzfrnaui.exe
2772	tzfrnaui.exe
2772	tzfrnaui.exe
2528	tzfrnaui.exe
2528	tzfrnaui.exe
2528	tzfrnaui.exe
2528	tzfrnaui.exe
1648	arahlqffjdoztax.exe
2916	fejpqsjozlcby.exe
2916	fejpqsjozlcby.exe
1648	arahlqffjdoztax.exe
1648	arahlqffjdoztax.exe
2916	fejpqsjozlcby.exe
2916	fejpqsjozlcby.exe
1648	arahlqffjdoztax.exe
2916	fejpqsjozlcby.exe
2916	fejpqsjozlcby.exe
1648	arahlqffjdoztax.exe
2916	fejpqsjozlcby.exe
2916	fejpqsjozlcby.exe
1648	arahlqffjdoztax.exe
2916	fejpqsjozlcby.exe
2916	fejpqsjozlcby.exe
1648	arahlqffjdoztax.exe
2916	fejpqsjozlcby.exe
2916	fejpqsjozlcby.exe
1648	arahlqffjdoztax.exe
2916	fejpqsjozlcby.exe
2916	fejpqsjozlcby.exe
1648	arahlqffjdoztax.exe
2916	fejpqsjozlcby.exe
2916	fejpqsjozlcby.exe
1648	arahlqffjdoztax.exe
2916	fejpqsjozlcby.exe
2916	fejpqsjozlcby.exe
1648	arahlqffjdoztax.exe
2916	fejpqsjozlcby.exe
2916	fejpqsjozlcby.exe
1648	arahlqffjdoztax.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2488	explorer.exe
Token: SeShutdownPrivilege	2488	explorer.exe
Token: SeShutdownPrivilege	2488	explorer.exe
Token: SeShutdownPrivilege	2488	explorer.exe
Token: SeShutdownPrivilege	2488	explorer.exe
Token: SeShutdownPrivilege	2488	explorer.exe
Token: SeShutdownPrivilege	2488	explorer.exe
Token: SeShutdownPrivilege	2488	explorer.exe
Token: SeShutdownPrivilege	2488	explorer.exe
Token: SeShutdownPrivilege	2488	explorer.exe
Token: SeShutdownPrivilege	2488	explorer.exe
Token: SeShutdownPrivilege	2488	explorer.exe
Token: SeShutdownPrivilege	1108	explorer.exe
Token: SeShutdownPrivilege	1108	explorer.exe
Token: SeShutdownPrivilege	1108	explorer.exe
Token: SeShutdownPrivilege	1108	explorer.exe
Token: SeShutdownPrivilege	1108	explorer.exe
Token: SeShutdownPrivilege	1108	explorer.exe
Token: SeShutdownPrivilege	1108	explorer.exe
Token: SeShutdownPrivilege	1108	explorer.exe
Token: SeShutdownPrivilege	1108	explorer.exe
Token: SeShutdownPrivilege	1108	explorer.exe
Token: SeShutdownPrivilege	1108	explorer.exe
Token: SeShutdownPrivilege	1108	explorer.exe
Token: SeShutdownPrivilege	2324	explorer.exe
Token: SeShutdownPrivilege	2324	explorer.exe
Token: SeShutdownPrivilege	2324	explorer.exe
Token: SeShutdownPrivilege	2324	explorer.exe
Token: SeShutdownPrivilege	2324	explorer.exe
Token: SeShutdownPrivilege	2324	explorer.exe
Token: SeShutdownPrivilege	2324	explorer.exe
Token: SeShutdownPrivilege	2324	explorer.exe
Token: SeShutdownPrivilege	2324	explorer.exe
Token: SeShutdownPrivilege	2324	explorer.exe
Token: SeShutdownPrivilege	2324	explorer.exe
Token: SeShutdownPrivilege	2324	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2136	8bcc3420bb85080f306b057638f16418_JaffaCakes118.exe
2136	8bcc3420bb85080f306b057638f16418_JaffaCakes118.exe
2136	8bcc3420bb85080f306b057638f16418_JaffaCakes118.exe
2384	omjzdggtbl.exe
1648	arahlqffjdoztax.exe
2384	omjzdggtbl.exe
1648	arahlqffjdoztax.exe
2384	omjzdggtbl.exe
1648	arahlqffjdoztax.exe
2916	fejpqsjozlcby.exe
2772	tzfrnaui.exe
2772	tzfrnaui.exe
2772	tzfrnaui.exe
2916	fejpqsjozlcby.exe
2916	fejpqsjozlcby.exe
2528	tzfrnaui.exe
2528	tzfrnaui.exe
2528	tzfrnaui.exe
2488	explorer.exe
2488	explorer.exe
2488	explorer.exe
2488	explorer.exe
2488	explorer.exe
2488	explorer.exe
2488	explorer.exe
2488	explorer.exe
2488	explorer.exe
2488	explorer.exe
2488	explorer.exe
2488	explorer.exe
2488	explorer.exe
2488	explorer.exe
2488	explorer.exe
2488	explorer.exe
2488	explorer.exe
2488	explorer.exe
2488	explorer.exe
2488	explorer.exe
2488	explorer.exe
2488	explorer.exe
2488	explorer.exe
2488	explorer.exe
2488	explorer.exe
2488	explorer.exe
2488	explorer.exe
1108	explorer.exe
1108	explorer.exe
1108	explorer.exe
1108	explorer.exe
1108	explorer.exe
1108	explorer.exe
1108	explorer.exe
1108	explorer.exe
1108	explorer.exe
1108	explorer.exe
1108	explorer.exe
1108	explorer.exe
1108	explorer.exe
1108	explorer.exe
1108	explorer.exe
1108	explorer.exe
1108	explorer.exe
1108	explorer.exe
1108	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2136	8bcc3420bb85080f306b057638f16418_JaffaCakes118.exe
2136	8bcc3420bb85080f306b057638f16418_JaffaCakes118.exe
2136	8bcc3420bb85080f306b057638f16418_JaffaCakes118.exe
2384	omjzdggtbl.exe
1648	arahlqffjdoztax.exe
2384	omjzdggtbl.exe
1648	arahlqffjdoztax.exe
2384	omjzdggtbl.exe
1648	arahlqffjdoztax.exe
2916	fejpqsjozlcby.exe
2772	tzfrnaui.exe
2772	tzfrnaui.exe
2772	tzfrnaui.exe
2916	fejpqsjozlcby.exe
2916	fejpqsjozlcby.exe
2488	explorer.exe
2488	explorer.exe
2488	explorer.exe
2488	explorer.exe
2488	explorer.exe
2488	explorer.exe
2488	explorer.exe
2488	explorer.exe
2488	explorer.exe
2488	explorer.exe
2488	explorer.exe
2488	explorer.exe
2488	explorer.exe
2488	explorer.exe
2488	explorer.exe
2488	explorer.exe
2488	explorer.exe
2488	explorer.exe
1108	explorer.exe
1108	explorer.exe
1108	explorer.exe
1108	explorer.exe
1108	explorer.exe
1108	explorer.exe
1108	explorer.exe
1108	explorer.exe
1108	explorer.exe
1108	explorer.exe
1108	explorer.exe
1108	explorer.exe
1108	explorer.exe
1108	explorer.exe
1108	explorer.exe
1108	explorer.exe
1108	explorer.exe
1108	explorer.exe
2324	explorer.exe
2324	explorer.exe
2324	explorer.exe
2324	explorer.exe
2324	explorer.exe
2324	explorer.exe
2324	explorer.exe
2324	explorer.exe
2324	explorer.exe
2324	explorer.exe
2324	explorer.exe
2324	explorer.exe
2324	explorer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2640	WINWORD.EXE
2640	WINWORD.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 2384	2136	8bcc3420bb85080f306b057638f16418_JaffaCakes118.exe	28
PID 2136 wrote to memory of 2384	2136	8bcc3420bb85080f306b057638f16418_JaffaCakes118.exe	28
PID 2136 wrote to memory of 2384	2136	8bcc3420bb85080f306b057638f16418_JaffaCakes118.exe	28
PID 2136 wrote to memory of 2384	2136	8bcc3420bb85080f306b057638f16418_JaffaCakes118.exe	28
PID 2136 wrote to memory of 1648	2136	8bcc3420bb85080f306b057638f16418_JaffaCakes118.exe	29
PID 2136 wrote to memory of 1648	2136	8bcc3420bb85080f306b057638f16418_JaffaCakes118.exe	29
PID 2136 wrote to memory of 1648	2136	8bcc3420bb85080f306b057638f16418_JaffaCakes118.exe	29
PID 2136 wrote to memory of 1648	2136	8bcc3420bb85080f306b057638f16418_JaffaCakes118.exe	29
PID 2136 wrote to memory of 2772	2136	8bcc3420bb85080f306b057638f16418_JaffaCakes118.exe	30
PID 2136 wrote to memory of 2772	2136	8bcc3420bb85080f306b057638f16418_JaffaCakes118.exe	30
PID 2136 wrote to memory of 2772	2136	8bcc3420bb85080f306b057638f16418_JaffaCakes118.exe	30
PID 2136 wrote to memory of 2772	2136	8bcc3420bb85080f306b057638f16418_JaffaCakes118.exe	30
PID 2136 wrote to memory of 2916	2136	8bcc3420bb85080f306b057638f16418_JaffaCakes118.exe	31
PID 2136 wrote to memory of 2916	2136	8bcc3420bb85080f306b057638f16418_JaffaCakes118.exe	31
PID 2136 wrote to memory of 2916	2136	8bcc3420bb85080f306b057638f16418_JaffaCakes118.exe	31
PID 2136 wrote to memory of 2916	2136	8bcc3420bb85080f306b057638f16418_JaffaCakes118.exe	31
PID 2384 wrote to memory of 2528	2384	omjzdggtbl.exe	32
PID 2384 wrote to memory of 2528	2384	omjzdggtbl.exe	32
PID 2384 wrote to memory of 2528	2384	omjzdggtbl.exe	32
PID 2384 wrote to memory of 2528	2384	omjzdggtbl.exe	32
PID 2136 wrote to memory of 2640	2136	8bcc3420bb85080f306b057638f16418_JaffaCakes118.exe	33
PID 2136 wrote to memory of 2640	2136	8bcc3420bb85080f306b057638f16418_JaffaCakes118.exe	33
PID 2136 wrote to memory of 2640	2136	8bcc3420bb85080f306b057638f16418_JaffaCakes118.exe	33
PID 2136 wrote to memory of 2640	2136	8bcc3420bb85080f306b057638f16418_JaffaCakes118.exe	33
PID 2640 wrote to memory of 2944	2640	WINWORD.EXE	38
PID 2640 wrote to memory of 2944	2640	WINWORD.EXE	38
PID 2640 wrote to memory of 2944	2640	WINWORD.EXE	38
PID 2640 wrote to memory of 2944	2640	WINWORD.EXE	38

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\8bcc3420bb85080f306b057638f16418_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8bcc3420bb85080f306b057638f16418_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Windows\SysWOW64\omjzdggtbl.exe
  omjzdggtbl.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2384
- - C:\Windows\SysWOW64\tzfrnaui.exe
    C:\Windows\system32\tzfrnaui.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    PID:2528
- C:\Windows\SysWOW64\arahlqffjdoztax.exe
  arahlqffjdoztax.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1648
- C:\Windows\SysWOW64\tzfrnaui.exe
  tzfrnaui.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2772
- C:\Windows\SysWOW64\fejpqsjozlcby.exe
  fejpqsjozlcby.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2916
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
  2⤵
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:2944

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2488

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1108

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:2324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

Filesize
512KB

MD5
07cdcb7a6db6a26421a5dd7c118e3723

SHA1
eab288683360da0da49ffc69d7384c83f0bb0dcd

SHA256
a0f90c1d26031a0c9b02b468a380106cf4791f7910a6a6db54e9f623f096e4d7

SHA512
02729e761e18f6bc4859e4f4daed5aa1eabfce30df65ce6e0afc10b4dd039d400d5a35a3616318f403b8733d72189e63d09745500a9ce185b9f6c563587d6014

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

Filesize
512KB

MD5
2a837b6764837fb549e0ab4cf63624e7

SHA1
bea37b2c3bff0a6cbd84e2ddad9bf0f27611c381

SHA256
7c55fd31afdec234da66014dafbb45936df48444625c0fe2ed5b7cad6ef2bc4b

SHA512
6c9de8f2bdf73f1c78221ac51d207fe9a37fc23182f846dbf8e25eb99b9616e2991e0f40b7546b0c80bc62e0408f6121584fbf302a3fb8738c2bc14e4d99324a

Download Submit
C:\Users\Admin\AppData\Roaming\ResolveUnregister.doc.exe

Filesize
512KB

MD5
3e7eaf1d5d4eab38fd69b04dc1bea9a8

SHA1
5f9e7bbbdc9753c136db84f5979da11278dec6ff

SHA256
cf2f2b2d690d053834e6baf0981702b290724e420a248ab423d7f3df351f1539

SHA512
8f091c91d0f0cc4feafc12918a17e372cce4f315ba918d55348cd6634acbd1bd8e684f60df9a39c8bd273f1ae1a0dc8053832a3382b06a36e287db1d667bba71

Download Submit
C:\Users\Admin\Documents\WriteRegister.doc.exe

Filesize
512KB

MD5
4984fe7df809b2b55c897800f4f196e8

SHA1
a59099eed4a6a8fd4183203e0a144861b0b8cdbd

SHA256
e3086e8c895d8f4a0af447657b55c431eee745e6b99d24d387e8037e545518ce

SHA512
2c4b1afe0f56b107f8967c4a95bdf977f109ee9c66e2aacc001be57d193695f7173a79b24fb554f0c883b2ae6228781d125cdcdf70733e5e7edd27c9854f8a32

Download Submit
C:\Windows\SysWOW64\arahlqffjdoztax.exe

Filesize
512KB

MD5
3d87fa85faada215dda131afa392dabb

SHA1
6fc3baa43cc17e34dab4602d2b34f2260e791aec

SHA256
aef0f7699a2076aca3f3065746036bb44e2a98baa4304f4054f27a8cd748572d

SHA512
d561f5382e575b7bcefc0caf49395140c186c46992a5907ce80cfa7a123b94e87ca28d80817a187e9e7d55d0a40304b44dceba1b0e8a257045b3e45dced0afa5

Download Submit
C:\Windows\mydoc.rtf

Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\Windows\SysWOW64\fejpqsjozlcby.exe

Filesize
512KB

MD5
8c69335bcd91a0bb62a50053558b6e29

SHA1
099ae4421436d67ffb747952c162b9e20ed4fa1d

SHA256
cb002f538ca9770a53a5e20e01fbdb5f5feedc5bd965068a9084f59dce634fb5

SHA512
c584cc9861b56cb78ac7ae36ab3d2bcd8a7bc9b0f35f16c790680d396ac98ae0ef7550fe00ed63b4f0fe0e492c8c4425177b967596f295882e708c3abbcd5186

Download Submit
\Windows\SysWOW64\omjzdggtbl.exe

Filesize
512KB

MD5
7abb32705ac3e7b9c1993ac7dc2595b6

SHA1
c95b78541fdeac5c514f482037678033a0232b19

SHA256
e86baf5ef515048f8d2197704b31f7cec2fcb87596c75fbe28eae8e38ad2e770

SHA512
7ad4cb99051e45c7c44124dd8515fb83c30e3194b4c1aa05245be5e0bc469271d3417df5e737668b1d9f816328ce770ad47e477ea2625d06fd567dd02820867b

Download Submit
\Windows\SysWOW64\tzfrnaui.exe

Filesize
512KB

MD5
93182677735cc9209e0437562ef9824e

SHA1
017927127cdbcdcfcb0797c1b991ab7fb9bce9ac

SHA256
61ce4a20e32e7316c4bebb29d2d22333c956b6a159b032231ea11bd40aa7259f

SHA512
ad63a8421913ebf2f28431b0a7d045444cafbfd20989ae0d252c21ea9ed77cd7f018d1d2df66034d656a973374d1b85fb3c6263619a4baef6318cda491c8dc2c

Download Submit
memory/2136-0-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2324-89-0x0000000002A70000-0x0000000002A80000-memory.dmp

Filesize
64KB

Download
memory/2640-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download