9417a97f04634187b691e2f560ad144d33dac75fd8962447db1f9167bb3e3701

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
16/06/2024, 21:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b55d5a2513da2941cb9f69f1b2541579_JaffaCakes118.exe
Size

512KB
MD5

b55d5a2513da2941cb9f69f1b2541579
SHA1

4bce415b397ac48c0f94b02b5e4445d6b586e7be
SHA256

9417a97f04634187b691e2f560ad144d33dac75fd8962447db1f9167bb3e3701
SHA512

0a41954ddd9a8effe9c4f548e5184ad69248dc5f329a5af5eddd9a0ba91523d151428ecdc245a623857b8ca5ec1d7cb00be5fe7ab8e8b89d6dd084ec05cf8bcd
SSDEEP

6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6O:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5R

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	hyinvdvcdb.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hyinvdvcdb.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	hyinvdvcdb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	hyinvdvcdb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	hyinvdvcdb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	hyinvdvcdb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	hyinvdvcdb.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	hyinvdvcdb.exe

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 5 IoCs

pid	Process
2968	hyinvdvcdb.exe
1916	anruvrfhpyekwnc.exe
2700	vvvxmvoc.exe
2748	hjrsrrdrnkupu.exe
2820	vvvxmvoc.exe

Loads dropped DLL 5 IoCs

pid	Process
2928	b55d5a2513da2941cb9f69f1b2541579_JaffaCakes118.exe
2928	b55d5a2513da2941cb9f69f1b2541579_JaffaCakes118.exe
2928	b55d5a2513da2941cb9f69f1b2541579_JaffaCakes118.exe
2928	b55d5a2513da2941cb9f69f1b2541579_JaffaCakes118.exe
2968	hyinvdvcdb.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	hyinvdvcdb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	hyinvdvcdb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"	hyinvdvcdb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	hyinvdvcdb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	hyinvdvcdb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	hyinvdvcdb.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "hjrsrrdrnkupu.exe"	anruvrfhpyekwnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nzpqrilr = "hyinvdvcdb.exe"	anruvrfhpyekwnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xhqvcwmy = "anruvrfhpyekwnc.exe"	anruvrfhpyekwnc.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\q:	vvvxmvoc.exe
File opened (read-only)	\??\p:	vvvxmvoc.exe
File opened (read-only)	\??\j:	vvvxmvoc.exe
File opened (read-only)	\??\a:	hyinvdvcdb.exe
File opened (read-only)	\??\v:	hyinvdvcdb.exe
File opened (read-only)	\??\k:	vvvxmvoc.exe
File opened (read-only)	\??\s:	vvvxmvoc.exe
File opened (read-only)	\??\a:	vvvxmvoc.exe
File opened (read-only)	\??\g:	vvvxmvoc.exe
File opened (read-only)	\??\h:	hyinvdvcdb.exe
File opened (read-only)	\??\m:	hyinvdvcdb.exe
File opened (read-only)	\??\q:	vvvxmvoc.exe
File opened (read-only)	\??\u:	vvvxmvoc.exe
File opened (read-only)	\??\x:	vvvxmvoc.exe
File opened (read-only)	\??\g:	vvvxmvoc.exe
File opened (read-only)	\??\m:	vvvxmvoc.exe
File opened (read-only)	\??\z:	vvvxmvoc.exe
File opened (read-only)	\??\a:	vvvxmvoc.exe
File opened (read-only)	\??\x:	vvvxmvoc.exe
File opened (read-only)	\??\t:	vvvxmvoc.exe
File opened (read-only)	\??\y:	vvvxmvoc.exe
File opened (read-only)	\??\e:	vvvxmvoc.exe
File opened (read-only)	\??\l:	vvvxmvoc.exe
File opened (read-only)	\??\i:	hyinvdvcdb.exe
File opened (read-only)	\??\n:	vvvxmvoc.exe
File opened (read-only)	\??\u:	hyinvdvcdb.exe
File opened (read-only)	\??\y:	hyinvdvcdb.exe
File opened (read-only)	\??\w:	vvvxmvoc.exe
File opened (read-only)	\??\k:	vvvxmvoc.exe
File opened (read-only)	\??\l:	vvvxmvoc.exe
File opened (read-only)	\??\s:	hyinvdvcdb.exe
File opened (read-only)	\??\z:	hyinvdvcdb.exe
File opened (read-only)	\??\o:	vvvxmvoc.exe
File opened (read-only)	\??\e:	vvvxmvoc.exe
File opened (read-only)	\??\g:	hyinvdvcdb.exe
File opened (read-only)	\??\b:	vvvxmvoc.exe
File opened (read-only)	\??\t:	vvvxmvoc.exe
File opened (read-only)	\??\n:	vvvxmvoc.exe
File opened (read-only)	\??\p:	vvvxmvoc.exe
File opened (read-only)	\??\r:	vvvxmvoc.exe
File opened (read-only)	\??\l:	hyinvdvcdb.exe
File opened (read-only)	\??\r:	hyinvdvcdb.exe
File opened (read-only)	\??\w:	hyinvdvcdb.exe
File opened (read-only)	\??\i:	vvvxmvoc.exe
File opened (read-only)	\??\k:	hyinvdvcdb.exe
File opened (read-only)	\??\y:	vvvxmvoc.exe
File opened (read-only)	\??\p:	hyinvdvcdb.exe
File opened (read-only)	\??\h:	vvvxmvoc.exe
File opened (read-only)	\??\r:	vvvxmvoc.exe
File opened (read-only)	\??\v:	vvvxmvoc.exe
File opened (read-only)	\??\x:	hyinvdvcdb.exe
File opened (read-only)	\??\j:	vvvxmvoc.exe
File opened (read-only)	\??\o:	vvvxmvoc.exe
File opened (read-only)	\??\v:	vvvxmvoc.exe
File opened (read-only)	\??\w:	vvvxmvoc.exe
File opened (read-only)	\??\z:	vvvxmvoc.exe
File opened (read-only)	\??\e:	hyinvdvcdb.exe
File opened (read-only)	\??\o:	hyinvdvcdb.exe
File opened (read-only)	\??\n:	hyinvdvcdb.exe
File opened (read-only)	\??\q:	hyinvdvcdb.exe
File opened (read-only)	\??\b:	vvvxmvoc.exe
File opened (read-only)	\??\h:	vvvxmvoc.exe
File opened (read-only)	\??\m:	vvvxmvoc.exe
File opened (read-only)	\??\s:	vvvxmvoc.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"	hyinvdvcdb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	hyinvdvcdb.exe

AutoIT Executable 8 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2928-0-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe
behavioral1/files/0x0037000000016133-5.dat	autoit_exe
behavioral1/files/0x000e00000001214d-17.dat	autoit_exe
behavioral1/files/0x000b000000016572-28.dat	autoit_exe
behavioral1/files/0x00070000000165d4-32.dat	autoit_exe
behavioral1/files/0x00020000000001bf-49.dat	autoit_exe
behavioral1/files/0x0002000000003d1e-55.dat	autoit_exe
behavioral1/files/0x0006000000017568-84.dat	autoit_exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\hjrsrrdrnkupu.exe	b55d5a2513da2941cb9f69f1b2541579_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	hyinvdvcdb.exe
File opened for modification	C:\Windows\SysWOW64\anruvrfhpyekwnc.exe	b55d5a2513da2941cb9f69f1b2541579_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\vvvxmvoc.exe	b55d5a2513da2941cb9f69f1b2541579_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\hjrsrrdrnkupu.exe	b55d5a2513da2941cb9f69f1b2541579_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\vvvxmvoc.exe	b55d5a2513da2941cb9f69f1b2541579_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\hyinvdvcdb.exe	b55d5a2513da2941cb9f69f1b2541579_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\hyinvdvcdb.exe	b55d5a2513da2941cb9f69f1b2541579_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\anruvrfhpyekwnc.exe	b55d5a2513da2941cb9f69f1b2541579_JaffaCakes118.exe

Drops file in Program Files directory 28 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\ExitRequest.nal	vvvxmvoc.exe
File opened for modification	C:\Program Files\ExitRequest.nal	vvvxmvoc.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	vvvxmvoc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	vvvxmvoc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	vvvxmvoc.exe
File opened for modification	C:\Program Files\CompareHide.nal	vvvxmvoc.exe
File opened for modification	\??\c:\Program Files\ExitRequest.doc.exe	vvvxmvoc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	vvvxmvoc.exe
File opened for modification	\??\c:\Program Files\CompareHide.doc.exe	vvvxmvoc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	vvvxmvoc.exe
File opened for modification	\??\c:\Program Files\CompareHide.doc.exe	vvvxmvoc.exe
File created	\??\c:\Program Files\ExitRequest.doc.exe	vvvxmvoc.exe
File opened for modification	C:\Program Files\ExitRequest.doc.exe	vvvxmvoc.exe
File opened for modification	\??\c:\Program Files\ExitRequest.doc.exe	vvvxmvoc.exe
File opened for modification	C:\Program Files\ExitRequest.doc.exe	vvvxmvoc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	vvvxmvoc.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	vvvxmvoc.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	vvvxmvoc.exe
File created	\??\c:\Program Files\CompareHide.doc.exe	vvvxmvoc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	vvvxmvoc.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	vvvxmvoc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	vvvxmvoc.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	vvvxmvoc.exe
File opened for modification	C:\Program Files\CompareHide.doc.exe	vvvxmvoc.exe
File opened for modification	C:\Program Files\CompareHide.doc.exe	vvvxmvoc.exe
File opened for modification	C:\Program Files\CompareHide.nal	vvvxmvoc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	vvvxmvoc.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	vvvxmvoc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE
File opened for modification	C:\Windows\mydoc.rtf	b55d5a2513da2941cb9f69f1b2541579_JaffaCakes118.exe
File opened for modification	C:\Windows\mydoc.rtf	WINWORD.EXE
File created	C:\Windows\~$mydoc.rtf	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"	hyinvdvcdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile"	hyinvdvcdb.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsc	hyinvdvcdb.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"	hyinvdvcdb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile"	hyinvdvcdb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB6B02C449338EA53BAB9D4329AD7C5"	b55d5a2513da2941cb9f69f1b2541579_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"	hyinvdvcdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AB4FABAFE16F2E5840F3A43869D3999B38F03FD43140332E2C942EE08A9"	b55d5a2513da2941cb9f69f1b2541579_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E78468C6FF1F22D9D172D0A78A759013"	b55d5a2513da2941cb9f69f1b2541579_JaffaCakes118.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2740	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2928	b55d5a2513da2941cb9f69f1b2541579_JaffaCakes118.exe
2928	b55d5a2513da2941cb9f69f1b2541579_JaffaCakes118.exe
2928	b55d5a2513da2941cb9f69f1b2541579_JaffaCakes118.exe
2928	b55d5a2513da2941cb9f69f1b2541579_JaffaCakes118.exe
2928	b55d5a2513da2941cb9f69f1b2541579_JaffaCakes118.exe
2928	b55d5a2513da2941cb9f69f1b2541579_JaffaCakes118.exe
2928	b55d5a2513da2941cb9f69f1b2541579_JaffaCakes118.exe
2968	hyinvdvcdb.exe
2968	hyinvdvcdb.exe
2968	hyinvdvcdb.exe
2968	hyinvdvcdb.exe
2928	b55d5a2513da2941cb9f69f1b2541579_JaffaCakes118.exe
2968	hyinvdvcdb.exe
2700	vvvxmvoc.exe
2700	vvvxmvoc.exe
2700	vvvxmvoc.exe
2700	vvvxmvoc.exe
1916	anruvrfhpyekwnc.exe
1916	anruvrfhpyekwnc.exe
1916	anruvrfhpyekwnc.exe
1916	anruvrfhpyekwnc.exe
1916	anruvrfhpyekwnc.exe
2748	hjrsrrdrnkupu.exe
2748	hjrsrrdrnkupu.exe
2748	hjrsrrdrnkupu.exe
2748	hjrsrrdrnkupu.exe
2748	hjrsrrdrnkupu.exe
2748	hjrsrrdrnkupu.exe
2820	vvvxmvoc.exe
2820	vvvxmvoc.exe
2820	vvvxmvoc.exe
2820	vvvxmvoc.exe
1916	anruvrfhpyekwnc.exe
2748	hjrsrrdrnkupu.exe
2748	hjrsrrdrnkupu.exe
1916	anruvrfhpyekwnc.exe
1916	anruvrfhpyekwnc.exe
2748	hjrsrrdrnkupu.exe
2748	hjrsrrdrnkupu.exe
1916	anruvrfhpyekwnc.exe
2748	hjrsrrdrnkupu.exe
2748	hjrsrrdrnkupu.exe
1916	anruvrfhpyekwnc.exe
2748	hjrsrrdrnkupu.exe
2748	hjrsrrdrnkupu.exe
1916	anruvrfhpyekwnc.exe
2748	hjrsrrdrnkupu.exe
2748	hjrsrrdrnkupu.exe
1916	anruvrfhpyekwnc.exe
2748	hjrsrrdrnkupu.exe
2748	hjrsrrdrnkupu.exe
1916	anruvrfhpyekwnc.exe
2748	hjrsrrdrnkupu.exe
2748	hjrsrrdrnkupu.exe
1916	anruvrfhpyekwnc.exe
2748	hjrsrrdrnkupu.exe
2748	hjrsrrdrnkupu.exe
1916	anruvrfhpyekwnc.exe
2748	hjrsrrdrnkupu.exe
2748	hjrsrrdrnkupu.exe
1916	anruvrfhpyekwnc.exe
2748	hjrsrrdrnkupu.exe
2748	hjrsrrdrnkupu.exe
1916	anruvrfhpyekwnc.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2944	explorer.exe
Token: SeShutdownPrivilege	2944	explorer.exe
Token: SeShutdownPrivilege	2944	explorer.exe
Token: SeShutdownPrivilege	2944	explorer.exe
Token: SeShutdownPrivilege	2944	explorer.exe
Token: SeShutdownPrivilege	2944	explorer.exe
Token: SeShutdownPrivilege	2944	explorer.exe
Token: SeShutdownPrivilege	2944	explorer.exe
Token: SeShutdownPrivilege	2944	explorer.exe
Token: SeShutdownPrivilege	2944	explorer.exe
Token: SeShutdownPrivilege	2944	explorer.exe
Token: SeShutdownPrivilege	2944	explorer.exe

Suspicious use of FindShellTrayWindow 47 IoCs

pid	Process
2928	b55d5a2513da2941cb9f69f1b2541579_JaffaCakes118.exe
2928	b55d5a2513da2941cb9f69f1b2541579_JaffaCakes118.exe
2928	b55d5a2513da2941cb9f69f1b2541579_JaffaCakes118.exe
2968	hyinvdvcdb.exe
2968	hyinvdvcdb.exe
2968	hyinvdvcdb.exe
2700	vvvxmvoc.exe
2700	vvvxmvoc.exe
2700	vvvxmvoc.exe
1916	anruvrfhpyekwnc.exe
1916	anruvrfhpyekwnc.exe
1916	anruvrfhpyekwnc.exe
2748	hjrsrrdrnkupu.exe
2748	hjrsrrdrnkupu.exe
2748	hjrsrrdrnkupu.exe
2820	vvvxmvoc.exe
2820	vvvxmvoc.exe
2820	vvvxmvoc.exe
2944	explorer.exe
2944	explorer.exe
2944	explorer.exe
2944	explorer.exe
2944	explorer.exe
2944	explorer.exe
2944	explorer.exe
2944	explorer.exe
2944	explorer.exe
2944	explorer.exe
2944	explorer.exe
2944	explorer.exe
2944	explorer.exe
2944	explorer.exe
2944	explorer.exe
2944	explorer.exe
2944	explorer.exe
2944	explorer.exe
2944	explorer.exe
2944	explorer.exe
2944	explorer.exe
2944	explorer.exe
2944	explorer.exe
2944	explorer.exe
2944	explorer.exe
2944	explorer.exe
2944	explorer.exe
2944	explorer.exe
2944	explorer.exe

Suspicious use of SendNotifyMessage 37 IoCs

pid	Process
2928	b55d5a2513da2941cb9f69f1b2541579_JaffaCakes118.exe
2928	b55d5a2513da2941cb9f69f1b2541579_JaffaCakes118.exe
2928	b55d5a2513da2941cb9f69f1b2541579_JaffaCakes118.exe
2968	hyinvdvcdb.exe
2968	hyinvdvcdb.exe
2968	hyinvdvcdb.exe
2700	vvvxmvoc.exe
2700	vvvxmvoc.exe
2700	vvvxmvoc.exe
1916	anruvrfhpyekwnc.exe
1916	anruvrfhpyekwnc.exe
1916	anruvrfhpyekwnc.exe
2748	hjrsrrdrnkupu.exe
2748	hjrsrrdrnkupu.exe
2748	hjrsrrdrnkupu.exe
2820	vvvxmvoc.exe
2820	vvvxmvoc.exe
2820	vvvxmvoc.exe
2944	explorer.exe
2944	explorer.exe
2944	explorer.exe
2944	explorer.exe
2944	explorer.exe
2944	explorer.exe
2944	explorer.exe
2944	explorer.exe
2944	explorer.exe
2944	explorer.exe
2944	explorer.exe
2944	explorer.exe
2944	explorer.exe
2944	explorer.exe
2944	explorer.exe
2944	explorer.exe
2944	explorer.exe
2944	explorer.exe
2944	explorer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2740	WINWORD.EXE
2740	WINWORD.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2928 wrote to memory of 2968	2928	b55d5a2513da2941cb9f69f1b2541579_JaffaCakes118.exe	28
PID 2928 wrote to memory of 2968	2928	b55d5a2513da2941cb9f69f1b2541579_JaffaCakes118.exe	28
PID 2928 wrote to memory of 2968	2928	b55d5a2513da2941cb9f69f1b2541579_JaffaCakes118.exe	28
PID 2928 wrote to memory of 2968	2928	b55d5a2513da2941cb9f69f1b2541579_JaffaCakes118.exe	28
PID 2928 wrote to memory of 1916	2928	b55d5a2513da2941cb9f69f1b2541579_JaffaCakes118.exe	29
PID 2928 wrote to memory of 1916	2928	b55d5a2513da2941cb9f69f1b2541579_JaffaCakes118.exe	29
PID 2928 wrote to memory of 1916	2928	b55d5a2513da2941cb9f69f1b2541579_JaffaCakes118.exe	29
PID 2928 wrote to memory of 1916	2928	b55d5a2513da2941cb9f69f1b2541579_JaffaCakes118.exe	29
PID 2928 wrote to memory of 2700	2928	b55d5a2513da2941cb9f69f1b2541579_JaffaCakes118.exe	30
PID 2928 wrote to memory of 2700	2928	b55d5a2513da2941cb9f69f1b2541579_JaffaCakes118.exe	30
PID 2928 wrote to memory of 2700	2928	b55d5a2513da2941cb9f69f1b2541579_JaffaCakes118.exe	30
PID 2928 wrote to memory of 2700	2928	b55d5a2513da2941cb9f69f1b2541579_JaffaCakes118.exe	30
PID 2928 wrote to memory of 2748	2928	b55d5a2513da2941cb9f69f1b2541579_JaffaCakes118.exe	31
PID 2928 wrote to memory of 2748	2928	b55d5a2513da2941cb9f69f1b2541579_JaffaCakes118.exe	31
PID 2928 wrote to memory of 2748	2928	b55d5a2513da2941cb9f69f1b2541579_JaffaCakes118.exe	31
PID 2928 wrote to memory of 2748	2928	b55d5a2513da2941cb9f69f1b2541579_JaffaCakes118.exe	31
PID 2968 wrote to memory of 2820	2968	hyinvdvcdb.exe	32
PID 2968 wrote to memory of 2820	2968	hyinvdvcdb.exe	32
PID 2968 wrote to memory of 2820	2968	hyinvdvcdb.exe	32
PID 2968 wrote to memory of 2820	2968	hyinvdvcdb.exe	32
PID 2928 wrote to memory of 2740	2928	b55d5a2513da2941cb9f69f1b2541579_JaffaCakes118.exe	33
PID 2928 wrote to memory of 2740	2928	b55d5a2513da2941cb9f69f1b2541579_JaffaCakes118.exe	33
PID 2928 wrote to memory of 2740	2928	b55d5a2513da2941cb9f69f1b2541579_JaffaCakes118.exe	33
PID 2928 wrote to memory of 2740	2928	b55d5a2513da2941cb9f69f1b2541579_JaffaCakes118.exe	33
PID 2740 wrote to memory of 2304	2740	WINWORD.EXE	38
PID 2740 wrote to memory of 2304	2740	WINWORD.EXE	38
PID 2740 wrote to memory of 2304	2740	WINWORD.EXE	38
PID 2740 wrote to memory of 2304	2740	WINWORD.EXE	38

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b55d5a2513da2941cb9f69f1b2541579_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b55d5a2513da2941cb9f69f1b2541579_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2928
- C:\Windows\SysWOW64\hyinvdvcdb.exe
  hyinvdvcdb.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Windows\SysWOW64\vvvxmvoc.exe
    C:\Windows\system32\vvvxmvoc.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2820
- C:\Windows\SysWOW64\anruvrfhpyekwnc.exe
  anruvrfhpyekwnc.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1916
- C:\Windows\SysWOW64\vvvxmvoc.exe
  vvvxmvoc.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2700
- C:\Windows\SysWOW64\hjrsrrdrnkupu.exe
  hjrsrrdrnkupu.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2748
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
  2⤵
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:2304

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

Filesize
512KB

MD5
666d15dba501f4c239e5ddb1ca853205

SHA1
718ed3789e24e734ab6311bb2c518fb14686e714

SHA256
da4c703970a8714540b737d7c14624bd6c86ce01e3f2a0b83bfbfb966e6ed3cb

SHA512
30ca661b49c0e289c3a4ef00af2e280d86a22b2e2c18e3ef5ffa5510c6b1ea492489fb777f8671d86ef445703e1f346bd9eba1a45cc4cb9504fabda56c7fe4b9

Download Submit
C:\Program Files\CompareHide.doc.exe

Filesize
512KB

MD5
3de2ca83d07d228fe5ed06349a477d8a

SHA1
700fd2a7540b1afddec1e204d30c8f03e785a43e

SHA256
782f78265374dece10de0152b89bc285b1fc9c2c0d58f253b8f7b9bda0fe7cf4

SHA512
6d916ad5b1ec73a365dea39745b1b07f2d8ac6a9e01aaae9eedfc04e6fe6d7ab71a70d2934f39288070de3326d4501c37b368412f1cfa9ee0ec336fec373c94b

Download Submit
C:\Program Files\ExitRequest.doc.exe

Filesize
512KB

MD5
0000ff08beaa2f77b63d34b39bfd4a51

SHA1
cfc1b4d54023d5b25802eb6971c4c3e3373c3438

SHA256
ba3e67d769fbd60cbdb036fee83d6c1ede937b8e55f7d90343531fc6feefd438

SHA512
e09bc325ed990accd1b575cedb3af4121bdc2ce989debe4aff0c83f07188484dc9188ee36520e8386cb96248a536d820155a41f44303034cd90dfc090c44e0fe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
68B

MD5
65aedb463895681a2dffd2373495ad3b

SHA1
8b3841f2882f5ceb521956d177fe2d9ca167fe2e

SHA256
165ce3a6ba290dd7365d5ce0a9399fbc98e606be3c42c0c6924231036eb0779b

SHA512
21eccfce8c8e4bbb45140f1cb467390e66324a87c905e14de99106a8997a4229ed49ee9c1bd76c197fce0ba479e75c95d00181fdce0a1a3cc12115f09316e863

Download Submit
C:\Windows\SysWOW64\anruvrfhpyekwnc.exe

Filesize
512KB

MD5
71074c7be884ccb1dcf74c53cbfa058e

SHA1
f4e7bb4e6422d84e993ce40d601403d6636e530d

SHA256
004b78ca4f0b6be77822875b75f8fe1714fa2f322276a7527a1076cb27d5662e

SHA512
e9f5e0ec01fc837c620746151d207654239d6b930fa9da66033723bc8c94be69701d16398561be8de23d47b250405b02074e7f201547ddf2a82ed6a9430981fe

Download Submit
C:\Windows\mydoc.rtf

Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\Windows\SysWOW64\hjrsrrdrnkupu.exe

Filesize
512KB

MD5
d9668b904979324cbfd534d2cfa95e59

SHA1
ea4a8afbd5ce85bde1805872a2bc1f2d41fd634d

SHA256
be1247fd8c88268b12e80cf73034ac68b5694ef3e3308194274f7cf03e510b54

SHA512
e8219610e1974545507e220601b39e080ef10f12f89d3072f869b6c04752c0ab51b9655e99bc79b277cd686e2eef4b4f8e721d8e62cbc3adeb209ff091ee56b9

Download Submit
\Windows\SysWOW64\hyinvdvcdb.exe

Filesize
512KB

MD5
ab2faeda76a5563a230f410d5f66333e

SHA1
d5c3ea86778403898edcb8ca260c4ed096b01f96

SHA256
0ef12d774a81b16a0adf8f7376868e15cd527a21456d00a24d291e3a968e1119

SHA512
44932306d4bb3ddad63cf024ce24de12ea2ba4018582e3b4820af406a91721b42888a67cf463818914c266de60047049fa8ed349d751bb8fdb1dbc44e3ecdab2

Download Submit
\Windows\SysWOW64\vvvxmvoc.exe

Filesize
512KB

MD5
f78470560ed0da5243df28931c859aee

SHA1
55038d13fdaa78932604d00305181c4a5324ca34

SHA256
0a0913cd60ff930ae48d1a3fc0232c94c5185edb98a0347d3c931403747ca0b7

SHA512
1ab3707c400c61f17752b76ae356b92e845c1a15bef952a8736133bd95d817314c297961e86494077c4c6096098b42a59f2bc928011c0bdf5022553941334291

Download Submit
memory/2740-57-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2928-0-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2944-92-0x00000000024B0000-0x00000000024C0000-memory.dmp

Filesize
64KB

Download