Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system -
submitted
22-06-2024 04:33
Static task
static1
Behavioral task
behavioral1
Sample
01468a69ca8676b51a357676e0856c88_JaffaCakes118.exe
Resource
win7-20240419-en
General
-
Target
01468a69ca8676b51a357676e0856c88_JaffaCakes118.exe
-
Size
2.0MB
-
MD5
01468a69ca8676b51a357676e0856c88
-
SHA1
4413a7f864255767a6d84c3e8362b9873a7e224b
-
SHA256
fcccc611730474775ff1cfd4c60481deef586f01191348b07d7a143d174a07b0
-
SHA512
d0d516c96c14e4ec5dded82e80f82a3ff6b2f8c2aae63b8f0e8667aea6e07e52e8dcf2ee7939304ef2303b07a4b8ca6e6c64f985a508d57aad79440d479d68b8
-
SSDEEP
49152:Na175O/mZxrkaH1EN5/yxnxEil7F8vSZBWwj186KQGwi38KQrF+FO7p1FzohbJqE:uO/mZxbHW7yxnxECF8vSZBW+Pbi38KQU
Malware Config
Signatures
-
Detects PlugX payload 17 IoCs
resource yara_rule behavioral1/memory/2828-20-0x00000000003A0000-0x00000000003CE000-memory.dmp family_plugx behavioral1/memory/2556-31-0x0000000000200000-0x000000000022E000-memory.dmp family_plugx behavioral1/memory/2556-32-0x0000000000200000-0x000000000022E000-memory.dmp family_plugx behavioral1/memory/2556-47-0x0000000000200000-0x000000000022E000-memory.dmp family_plugx behavioral1/memory/2556-46-0x0000000000200000-0x000000000022E000-memory.dmp family_plugx behavioral1/memory/2556-44-0x0000000000200000-0x000000000022E000-memory.dmp family_plugx behavioral1/memory/2828-34-0x00000000003A0000-0x00000000003CE000-memory.dmp family_plugx behavioral1/memory/2556-45-0x0000000000200000-0x000000000022E000-memory.dmp family_plugx behavioral1/memory/2556-48-0x0000000000200000-0x000000000022E000-memory.dmp family_plugx behavioral1/memory/2556-58-0x0000000000200000-0x000000000022E000-memory.dmp family_plugx behavioral1/memory/2496-64-0x0000000000780000-0x00000000007AE000-memory.dmp family_plugx behavioral1/memory/2496-66-0x0000000000780000-0x00000000007AE000-memory.dmp family_plugx behavioral1/memory/2496-67-0x0000000000780000-0x00000000007AE000-memory.dmp family_plugx behavioral1/memory/2556-69-0x0000000000200000-0x000000000022E000-memory.dmp family_plugx behavioral1/memory/2556-76-0x0000000000200000-0x000000000022E000-memory.dmp family_plugx behavioral1/memory/2556-85-0x0000000000200000-0x000000000022E000-memory.dmp family_plugx behavioral1/memory/2556-86-0x0000000000200000-0x000000000022E000-memory.dmp family_plugx -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\meekness.lnk rudiment.exe -
Executes dropped EXE 1 IoCs
pid Process 2828 rudiment.exe -
Loads dropped DLL 3 IoCs
pid Process 2208 01468a69ca8676b51a357676e0856c88_JaffaCakes118.exe 2828 rudiment.exe 2828 rudiment.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
description ioc Process Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\MJ\CLSID = 38004600390037003900380034004600390039003000440039003100360035000000 svchost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 1732 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2208 01468a69ca8676b51a357676e0856c88_JaffaCakes118.exe 2556 svchost.exe 2556 svchost.exe 2556 svchost.exe 2556 svchost.exe 2556 svchost.exe 2556 svchost.exe 2496 msiexec.exe 2496 msiexec.exe 2496 msiexec.exe 2496 msiexec.exe 2496 msiexec.exe 2496 msiexec.exe 2496 msiexec.exe 2496 msiexec.exe 2496 msiexec.exe 2496 msiexec.exe 2556 svchost.exe 2556 svchost.exe 2496 msiexec.exe 2496 msiexec.exe 2496 msiexec.exe 2496 msiexec.exe 2496 msiexec.exe 2496 msiexec.exe 2496 msiexec.exe 2496 msiexec.exe 2556 svchost.exe 2556 svchost.exe 2496 msiexec.exe 2496 msiexec.exe 2556 svchost.exe 2556 svchost.exe 2496 msiexec.exe 2496 msiexec.exe 2496 msiexec.exe 2496 msiexec.exe 2496 msiexec.exe 2496 msiexec.exe 2496 msiexec.exe 2496 msiexec.exe 2496 msiexec.exe 2496 msiexec.exe 2556 svchost.exe 2556 svchost.exe 2496 msiexec.exe 2496 msiexec.exe 2496 msiexec.exe 2496 msiexec.exe 2496 msiexec.exe 2496 msiexec.exe 2496 msiexec.exe 2496 msiexec.exe 2496 msiexec.exe 2496 msiexec.exe 2556 svchost.exe 2556 svchost.exe 2496 msiexec.exe 2496 msiexec.exe 2556 svchost.exe 2556 svchost.exe 2496 msiexec.exe 2496 msiexec.exe 2496 msiexec.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 2556 svchost.exe 2496 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeDebugPrivilege 2828 rudiment.exe Token: SeTcbPrivilege 2828 rudiment.exe Token: SeDebugPrivilege 2556 svchost.exe Token: SeTcbPrivilege 2556 svchost.exe Token: SeDebugPrivilege 2496 msiexec.exe Token: SeTcbPrivilege 2496 msiexec.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 2208 01468a69ca8676b51a357676e0856c88_JaffaCakes118.exe 2208 01468a69ca8676b51a357676e0856c88_JaffaCakes118.exe 1732 WINWORD.EXE 1732 WINWORD.EXE -
Suspicious use of WriteProcessMemory 29 IoCs
description pid Process procid_target PID 2208 wrote to memory of 2828 2208 01468a69ca8676b51a357676e0856c88_JaffaCakes118.exe 29 PID 2208 wrote to memory of 2828 2208 01468a69ca8676b51a357676e0856c88_JaffaCakes118.exe 29 PID 2208 wrote to memory of 2828 2208 01468a69ca8676b51a357676e0856c88_JaffaCakes118.exe 29 PID 2208 wrote to memory of 2828 2208 01468a69ca8676b51a357676e0856c88_JaffaCakes118.exe 29 PID 2828 wrote to memory of 2556 2828 rudiment.exe 30 PID 2828 wrote to memory of 2556 2828 rudiment.exe 30 PID 2828 wrote to memory of 2556 2828 rudiment.exe 30 PID 2828 wrote to memory of 2556 2828 rudiment.exe 30 PID 2828 wrote to memory of 2556 2828 rudiment.exe 30 PID 2828 wrote to memory of 2556 2828 rudiment.exe 30 PID 2828 wrote to memory of 2556 2828 rudiment.exe 30 PID 2828 wrote to memory of 2556 2828 rudiment.exe 30 PID 2828 wrote to memory of 2556 2828 rudiment.exe 30 PID 2556 wrote to memory of 2496 2556 svchost.exe 34 PID 2556 wrote to memory of 2496 2556 svchost.exe 34 PID 2556 wrote to memory of 2496 2556 svchost.exe 34 PID 2556 wrote to memory of 2496 2556 svchost.exe 34 PID 2556 wrote to memory of 2496 2556 svchost.exe 34 PID 2556 wrote to memory of 2496 2556 svchost.exe 34 PID 2556 wrote to memory of 2496 2556 svchost.exe 34 PID 2556 wrote to memory of 2496 2556 svchost.exe 34 PID 2556 wrote to memory of 2496 2556 svchost.exe 34 PID 2556 wrote to memory of 2496 2556 svchost.exe 34 PID 2556 wrote to memory of 2496 2556 svchost.exe 34 PID 2556 wrote to memory of 2496 2556 svchost.exe 34 PID 1732 wrote to memory of 2736 1732 WINWORD.EXE 35 PID 1732 wrote to memory of 2736 1732 WINWORD.EXE 35 PID 1732 wrote to memory of 2736 1732 WINWORD.EXE 35 PID 1732 wrote to memory of 2736 1732 WINWORD.EXE 35
Processes
-
C:\Users\Admin\AppData\Local\Temp\01468a69ca8676b51a357676e0856c88_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\01468a69ca8676b51a357676e0856c88_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2208 -
C:\Users\Admin\AppData\Local\Temp\rudiment.exeC:\Users\Admin\AppData\Local\Temp\rudiment.exe2⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe3⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\SysWOW64\msiexec.exeC:\Windows\SysWOW64\msiexec.exe4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2496
-
-
-
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1732 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:2736
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
116KB
MD509a4e70560c2b595932a4582fd84bbf8
SHA18719221b5159fd47ce655fc01ec2d688ac750fb9
SHA256ba5c35f51b5ebcb41dec480451c58cfa35fb86d465dc942cb55b0b16174c0772
SHA51289ca096cdd1146fb317326bd9c4a9dee50b2d8bd187799073ca10e539d62b384bfaa7fb5f918c05c9347c4d9d3a8d86a4229c0c4261ca3ac0c9affb257d91b9a
-
Filesize
47KB
MD5b5bdaba69689e8be57ce78bb6845e4f0
SHA1573c35ab1f243d6806dedbdd7e3265bc5cbd5b9a
SHA2561e712adae2a543bf2fbf41691416b350c3a90561ab5f6590e520f833a9a587ad
SHA512e79aaa4ac9b79ce7008155fddafc1bee58aae67d4ab6a0308702a9d47c29e83583c6786f2fa0c3812e50ef6eea1de981f5108ca752837b5edb8041236ff3c6c5
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
Filesize
112KB
MD58e1e29319401aa9e83be7a298b35743e
SHA1c82d8a9dd5f00559f8a6a12bd5444c105fc81744
SHA25642c10c024b48b59ab485cfd570875b4e88af72847acc85f5aaaa83bc8437d431
SHA5121804d936cdb5ba8d3d62815ce0d2396e4bf8f53d004771adabacd63a6728a8ff8058215d420c28c702f406b352522ee35c7e8cc832b994dd1cb710a1a1090751