Analysis
max time kernel: 150s
max time network: 122s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 19/06/2024, 22:27

Behavioral task: behavioral1
Sample: 00e13fb0994988d9ef1b8971eae70f6a_JaffaCakes118.exe
Resource: win7-20240508-en

General
Target: 00e13fb0994988d9ef1b8971eae70f6a_JaffaCakes118.exe
Size: 255KB
MD5: 00e13fb0994988d9ef1b8971eae70f6a
SHA1: e7276849cbc5e45b1fd1128041e00752d44b0e34
SHA256: 695186c5c723ddfe155e1799027facda1f8eb27c3a2b3dcdcc3b407eeb146c8d
SHA512: dc33e918d88be5069760aa7911cbbaf9c72fd601e36183c2bb69e780644ee31550254e84e011a1bee7aa5a70a4b6a9b7bd90546c9fc7909d006e3d68ac7bbb53
SSDEEP: 3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJm:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIF
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | fqhlejzhjq.exe

Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | fqhlejzhjq.exe

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | fqhlejzhjq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | fqhlejzhjq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | fqhlejzhjq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | fqhlejzhjq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | fqhlejzhjq.exe

Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | fqhlejzhjq.exe

Executes dropped EXE 5 IoCs
pid | Process
2580 | fqhlejzhjq.exe
2776 | pytoisztesjmkva.exe
2588 | tzeiewgz.exe
2692 | lbqginwssrhtt.exe
2532 | tzeiewgz.exe

Loads dropped DLL 5 IoCs
pid | Process
1224 | 00e13fb0994988d9ef1b8971eae70f6a_JaffaCakes118.exe
1224 | 00e13fb0994988d9ef1b8971eae70f6a_JaffaCakes118.exe
1224 | 00e13fb0994988d9ef1b8971eae70f6a_JaffaCakes118.exe
1224 | 00e13fb0994988d9ef1b8971eae70f6a_JaffaCakes118.exe
2580 | fqhlejzhjq.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | fqhlejzhjq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | fqhlejzhjq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | fqhlejzhjq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | fqhlejzhjq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | fqhlejzhjq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | fqhlejzhjq.exe

Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dpgbdjhs = "fqhlejzhjq.exe" | pytoisztesjmkva.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\huafznfj = "pytoisztesjmkva.exe" | pytoisztesjmkva.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "lbqginwssrhtt.exe" | pytoisztesjmkva.exe

Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | fqhlejzhjq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | fqhlejzhjq.exe

AutoIT Executable 56 IoCs
AutoIT scripts compiled to PE executables.
Drops file in System32 directory 9 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\tzeiewgz.exe | 00e13fb0994988d9ef1b8971eae70f6a_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\lbqginwssrhtt.exe | 00e13fb0994988d9ef1b8971eae70f6a_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\lbqginwssrhtt.exe | 00e13fb0994988d9ef1b8971eae70f6a_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | fqhlejzhjq.exe
File created | C:\Windows\SysWOW64\fqhlejzhjq.exe | 00e13fb0994988d9ef1b8971eae70f6a_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\fqhlejzhjq.exe | 00e13fb0994988d9ef1b8971eae70f6a_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\pytoisztesjmkva.exe | 00e13fb0994988d9ef1b8971eae70f6a_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\pytoisztesjmkva.exe | 00e13fb0994988d9ef1b8971eae70f6a_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\tzeiewgz.exe | 00e13fb0994988d9ef1b8971eae70f6a_JaffaCakes118.exe

Drops file in Program Files directory 14 IoCs
description | ioc | Process
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | tzeiewgz.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | tzeiewgz.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | tzeiewgz.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | tzeiewgz.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | tzeiewgz.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | tzeiewgz.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | tzeiewgz.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | tzeiewgz.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | tzeiewgz.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | tzeiewgz.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | tzeiewgz.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | tzeiewgz.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | tzeiewgz.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | tzeiewgz.exe

Drops file in Windows directory 5 IoCs
description | ioc | Process
File opened for modification | C:\Windows\mydoc.rtf | 00e13fb0994988d9ef1b8971eae70f6a_JaffaCakes118.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
File opened for modification | C:\Windows\~$mydoc.rtf | WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Office loads VBA resources, possible macro or embedded object present

Modifies registry class 64 IoCs
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2756 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1224 00e13fb0994988d9ef1b8971eae70f6a_JaffaCakes118.exe 1224 00e13fb0994988d9ef1b8971eae70f6a_JaffaCakes118.exe 1224 00e13fb0994988d9ef1b8971eae70f6a_JaffaCakes118.exe 1224 00e13fb0994988d9ef1b8971eae70f6a_JaffaCakes118.exe 1224 00e13fb0994988d9ef1b8971eae70f6a_JaffaCakes118.exe 1224 00e13fb0994988d9ef1b8971eae70f6a_JaffaCakes118.exe 1224 00e13fb0994988d9ef1b8971eae70f6a_JaffaCakes118.exe 1224 00e13fb0994988d9ef1b8971eae70f6a_JaffaCakes118.exe 2580 fqhlejzhjq.exe 2580 fqhlejzhjq.exe 2580 fqhlejzhjq.exe 2580 fqhlejzhjq.exe 2580 fqhlejzhjq.exe 2776 pytoisztesjmkva.exe 2776 pytoisztesjmkva.exe 2776 pytoisztesjmkva.exe 2776 pytoisztesjmkva.exe 2776 pytoisztesjmkva.exe 2692 lbqginwssrhtt.exe 2692 lbqginwssrhtt.exe 2692 lbqginwssrhtt.exe 2692 lbqginwssrhtt.exe 2692 lbqginwssrhtt.exe 2692 lbqginwssrhtt.exe 2588 tzeiewgz.exe 2588 tzeiewgz.exe 2588 tzeiewgz.exe 2588 tzeiewgz.exe 2532 tzeiewgz.exe 2532 tzeiewgz.exe 2532 tzeiewgz.exe 2532 tzeiewgz.exe 2776 pytoisztesjmkva.exe 2692 lbqginwssrhtt.exe 2692 lbqginwssrhtt.exe 2776 pytoisztesjmkva.exe 2776 pytoisztesjmkva.exe 2692 lbqginwssrhtt.exe 2692 lbqginwssrhtt.exe 2776 pytoisztesjmkva.exe 2692 lbqginwssrhtt.exe 2692 lbqginwssrhtt.exe 2776 pytoisztesjmkva.exe 2692 lbqginwssrhtt.exe 2692 lbqginwssrhtt.exe 2776 pytoisztesjmkva.exe 2692 lbqginwssrhtt.exe 2692 lbqginwssrhtt.exe 2776 pytoisztesjmkva.exe 2692 lbqginwssrhtt.exe 2692 lbqginwssrhtt.exe 2776 pytoisztesjmkva.exe 2692 lbqginwssrhtt.exe 2692 lbqginwssrhtt.exe 2776 pytoisztesjmkva.exe 2692 lbqginwssrhtt.exe 2692 lbqginwssrhtt.exe 2776 pytoisztesjmkva.exe 2692 lbqginwssrhtt.exe 2692 lbqginwssrhtt.exe 2776 pytoisztesjmkva.exe 2692 lbqginwssrhtt.exe 2692 lbqginwssrhtt.exe 2776 pytoisztesjmkva.exe -
Suspicious use of FindShellTrayWindow 18 IoCs
pid Process 1224 00e13fb0994988d9ef1b8971eae70f6a_JaffaCakes118.exe 1224 00e13fb0994988d9ef1b8971eae70f6a_JaffaCakes118.exe 1224 00e13fb0994988d9ef1b8971eae70f6a_JaffaCakes118.exe 2580 fqhlejzhjq.exe 2580 fqhlejzhjq.exe 2580 fqhlejzhjq.exe 2776 pytoisztesjmkva.exe 2776 pytoisztesjmkva.exe 2776 pytoisztesjmkva.exe 2692 lbqginwssrhtt.exe 2692 lbqginwssrhtt.exe 2692 lbqginwssrhtt.exe 2588 tzeiewgz.exe 2588 tzeiewgz.exe 2588 tzeiewgz.exe 2532 tzeiewgz.exe 2532 tzeiewgz.exe 2532 tzeiewgz.exe -
Suspicious use of SendNotifyMessage 18 IoCs
pid Process 1224 00e13fb0994988d9ef1b8971eae70f6a_JaffaCakes118.exe 1224 00e13fb0994988d9ef1b8971eae70f6a_JaffaCakes118.exe 1224 00e13fb0994988d9ef1b8971eae70f6a_JaffaCakes118.exe 2580 fqhlejzhjq.exe 2580 fqhlejzhjq.exe 2580 fqhlejzhjq.exe 2776 pytoisztesjmkva.exe 2776 pytoisztesjmkva.exe 2776 pytoisztesjmkva.exe 2692 lbqginwssrhtt.exe 2692 lbqginwssrhtt.exe 2692 lbqginwssrhtt.exe 2588 tzeiewgz.exe 2588 tzeiewgz.exe 2588 tzeiewgz.exe 2532 tzeiewgz.exe 2532 tzeiewgz.exe 2532 tzeiewgz.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2756 WINWORD.EXE 2756 WINWORD.EXE -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target
PID 1224 wrote to memory of 2580 1224 00e13fb0994988d9ef1b8971eae70f6a_JaffaCakes118.exe 28
PID 1224 wrote to memory of 2580 1224 00e13fb0994988d9ef1b8971eae70f6a_JaffaCakes118.exe 28
PID 1224 wrote to memory of 2580 1224 00e13fb0994988d9ef1b8971eae70f6a_JaffaCakes118.exe 28
PID 1224 wrote to memory of 2580 1224 00e13fb0994988d9ef1b8971eae70f6a_JaffaCakes118.exe 28
PID 1224 wrote to memory of 2776 1224 00e13fb0994988d9ef1b8971eae70f6a_JaffaCakes118.exe 29
PID 1224 wrote to memory of 2776 1224 00e13fb0994988d9ef1b8971eae70f6a_JaffaCakes118.exe 29
PID 1224 wrote to memory of 2776 1224 00e13fb0994988d9ef1b8971eae70f6a_JaffaCakes118.exe 29
PID 1224 wrote to memory of 2776 1224 00e13fb0994988d9ef1b8971eae70f6a_JaffaCakes118.exe 29
PID 1224 wrote to memory of 2588 1224 00e13fb0994988d9ef1b8971eae70f6a_JaffaCakes118.exe 30
PID 1224 wrote to memory of 2588 1224 00e13fb0994988d9ef1b8971eae70f6a_JaffaCakes118.exe 30
PID 1224 wrote to memory of 2588 1224 00e13fb0994988d9ef1b8971eae70f6a_JaffaCakes118.exe 30
PID 1224 wrote to memory of 2588 1224 00e13fb0994988d9ef1b8971eae70f6a_JaffaCakes118.exe 30
PID 1224 wrote to memory of 2692 1224 00e13fb0994988d9ef1b8971eae70f6a_JaffaCakes118.exe 31
PID 1224 wrote to memory of 2692 1224 00e13fb0994988d9ef1b8971eae70f6a_JaffaCakes118.exe 31
PID 1224 wrote to memory of 2692 1224 00e13fb0994988d9ef1b8971eae70f6a_JaffaCakes118.exe 31
PID 1224 wrote to memory of 2692 1224 00e13fb0994988d9ef1b8971eae70f6a_JaffaCakes118.exe 31
PID 2580 wrote to memory of 2532 2580 fqhlejzhjq.exe 32
PID 2580 wrote to memory of 2532 2580 fqhlejzhjq.exe 32
PID 2580 wrote to memory of 2532 2580 fqhlejzhjq.exe 32
PID 2580 wrote to memory of 2532 2580 fqhlejzhjq.exe 32
PID 1224 wrote to memory of 2756 1224 00e13fb0994988d9ef1b8971eae70f6a_JaffaCakes118.exe 33
PID 1224 wrote to memory of 2756 1224 00e13fb0994988d9ef1b8971eae70f6a_JaffaCakes118.exe 33
PID 1224 wrote to memory of 2756 1224 00e13fb0994988d9ef1b8971eae70f6a_JaffaCakes118.exe 33
PID 1224 wrote to memory of 2756 1224 00e13fb0994988d9ef1b8971eae70f6a_JaffaCakes118.exe 33
PID 2756 wrote to memory of 588 2756 WINWORD.EXE 37
PID 2756 wrote to memory of 588 2756 WINWORD.EXE 37
PID 2756 wrote to memory of 588 2756 WINWORD.EXE 37
PID 2756 wrote to memory of 588 2756 WINWORD.EXE 37
Processes
-
C:\Users\Admin\AppData\Local\Temp\00e13fb0994988d9ef1b8971eae70f6a_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\00e13fb0994988d9ef1b8971eae70f6a_JaffaCakes118.exe"
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1224
  C:\Windows\SysWOW64\fqhlejzhjq.exe
  Command line: fqhlejzhjq.exe
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2580
    C:\Windows\SysWOW64\tzeiewgz.exe
    Command line: C:\Windows\system32\tzeiewgz.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2532
  C:\Windows\SysWOW64\pytoisztesjmkva.exe
  Command line: pytoisztesjmkva.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2776
  C:\Windows\SysWOW64\tzeiewgz.exe
  Command line: tzeiewgz.exe
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2588
  C:\Windows\SysWOW64\lbqginwssrhtt.exe
  Command line: lbqginwssrhtt.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2692
  C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2756
    C:\Windows\splwow64.exe
    Command line: C:\Windows\splwow64.exe 12288
    PID:588
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (7)
Downloads