Analysis
-
max time kernel
149s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
25-06-2024 09:13
Static task
static1
Behavioral task
behavioral1
Sample
0d8007c628a5c009d3d2b6aa53e6cc0a_JaffaCakes118.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
0d8007c628a5c009d3d2b6aa53e6cc0a_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
-
Target
0d8007c628a5c009d3d2b6aa53e6cc0a_JaffaCakes118.exe
-
Size
224KB
-
MD5
0d8007c628a5c009d3d2b6aa53e6cc0a
-
SHA1
3ad7496a74762cae06b394a32dc8832611b20df8
-
SHA256
d26dc3afdc474fc8170c92fabdab98bf97176635d36fc3a1c8a7f76e77f43b6a
-
SHA512
6711b4bceda2396f63cc97b26e4884341bca1625a627044ce65195f0d787d8697fb8f550008b5e6ef9771a149aa010d96116dc9cae44728823014f70ec49c596
-
SSDEEP
3072:1ma9v8Isvh3Tg93yDxkWD8bENk4Dy1lxeMV37q/LwmfYS:Up3Tg93yDxkWD8bERDy8MFq/Ldw
Malware Config
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe -
Executes dropped EXE 1 IoCs
pid Process 1632 rundll32.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Container = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rundll32.exe" rundll32.exe -
Document created with cracked Office version 1 IoCs
Office document contains Grizli777 string known to be caused by using a cracked version of the software.
resource yara_rule behavioral1/files/0x0009000000016176-18.dat grizli777_cracked_office -
Drops file in System32 directory 1 IoCs
description ioc Process File created C:\Windows\SysWOW64\rundll32.exe rundll32.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Office loads VBA resources, possible macro or embedded object present
-
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE -
Modifies registry key 1 TTPs 1 IoCs
pid Process 2576 reg.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 1056 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid Process 1632 rundll32.exe 1632 rundll32.exe 1632 rundll32.exe 1632 rundll32.exe 1632 rundll32.exe 1632 rundll32.exe 1632 rundll32.exe 1632 rundll32.exe 1632 rundll32.exe 1632 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 1632 rundll32.exe Token: 33 1632 rundll32.exe Token: SeIncBasePriorityPrivilege 1632 rundll32.exe Token: 33 1632 rundll32.exe Token: SeIncBasePriorityPrivilege 1632 rundll32.exe Token: 33 1632 rundll32.exe Token: SeIncBasePriorityPrivilege 1632 rundll32.exe Token: 33 1632 rundll32.exe Token: SeIncBasePriorityPrivilege 1632 rundll32.exe Token: 33 1632 rundll32.exe Token: SeIncBasePriorityPrivilege 1632 rundll32.exe Token: 33 1632 rundll32.exe Token: SeIncBasePriorityPrivilege 1632 rundll32.exe Token: 33 1632 rundll32.exe Token: SeIncBasePriorityPrivilege 1632 rundll32.exe Token: 33 1632 rundll32.exe Token: SeIncBasePriorityPrivilege 1632 rundll32.exe Token: 33 1632 rundll32.exe Token: SeIncBasePriorityPrivilege 1632 rundll32.exe Token: 33 1632 rundll32.exe Token: SeIncBasePriorityPrivilege 1632 rundll32.exe Token: 33 1632 rundll32.exe Token: SeIncBasePriorityPrivilege 1632 rundll32.exe Token: 33 1632 rundll32.exe Token: SeIncBasePriorityPrivilege 1632 rundll32.exe Token: 33 1632 rundll32.exe Token: SeIncBasePriorityPrivilege 1632 rundll32.exe Token: 33 1632 rundll32.exe Token: SeIncBasePriorityPrivilege 1632 rundll32.exe Token: 33 1632 rundll32.exe Token: SeIncBasePriorityPrivilege 1632 rundll32.exe Token: 33 1632 rundll32.exe Token: SeIncBasePriorityPrivilege 1632 rundll32.exe Token: 33 1632 rundll32.exe Token: SeIncBasePriorityPrivilege 1632 rundll32.exe Token: 33 1632 rundll32.exe Token: SeIncBasePriorityPrivilege 1632 rundll32.exe Token: 33 1632 rundll32.exe Token: SeIncBasePriorityPrivilege 1632 rundll32.exe Token: 33 1632 rundll32.exe Token: SeIncBasePriorityPrivilege 1632 rundll32.exe Token: 33 1632 rundll32.exe Token: SeIncBasePriorityPrivilege 1632 rundll32.exe Token: 33 1632 rundll32.exe Token: SeIncBasePriorityPrivilege 1632 rundll32.exe Token: 33 1632 rundll32.exe Token: SeIncBasePriorityPrivilege 1632 rundll32.exe Token: 33 1632 rundll32.exe Token: SeIncBasePriorityPrivilege 1632 rundll32.exe Token: 33 1632 rundll32.exe Token: SeIncBasePriorityPrivilege 1632 rundll32.exe Token: 33 1632 rundll32.exe Token: SeIncBasePriorityPrivilege 1632 rundll32.exe Token: 33 1632 rundll32.exe Token: SeIncBasePriorityPrivilege 1632 rundll32.exe Token: 33 1632 rundll32.exe Token: SeIncBasePriorityPrivilege 1632 rundll32.exe Token: 33 1632 rundll32.exe Token: SeIncBasePriorityPrivilege 1632 rundll32.exe Token: 33 1632 rundll32.exe Token: SeIncBasePriorityPrivilege 1632 rundll32.exe Token: 33 1632 rundll32.exe Token: SeIncBasePriorityPrivilege 1632 rundll32.exe Token: 33 1632 rundll32.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 1056 WINWORD.EXE 1056 WINWORD.EXE 1632 rundll32.exe -
Suspicious use of WriteProcessMemory 23 IoCs
description pid Process procid_target PID 2824 wrote to memory of 1632 2824 0d8007c628a5c009d3d2b6aa53e6cc0a_JaffaCakes118.exe 28 PID 2824 wrote to memory of 1632 2824 0d8007c628a5c009d3d2b6aa53e6cc0a_JaffaCakes118.exe 28 PID 2824 wrote to memory of 1632 2824 0d8007c628a5c009d3d2b6aa53e6cc0a_JaffaCakes118.exe 28 PID 2824 wrote to memory of 1632 2824 0d8007c628a5c009d3d2b6aa53e6cc0a_JaffaCakes118.exe 28 PID 2824 wrote to memory of 1632 2824 0d8007c628a5c009d3d2b6aa53e6cc0a_JaffaCakes118.exe 28 PID 2824 wrote to memory of 1632 2824 0d8007c628a5c009d3d2b6aa53e6cc0a_JaffaCakes118.exe 28 PID 2824 wrote to memory of 1632 2824 0d8007c628a5c009d3d2b6aa53e6cc0a_JaffaCakes118.exe 28 PID 2824 wrote to memory of 1056 2824 0d8007c628a5c009d3d2b6aa53e6cc0a_JaffaCakes118.exe 29 PID 2824 wrote to memory of 1056 2824 0d8007c628a5c009d3d2b6aa53e6cc0a_JaffaCakes118.exe 29 PID 2824 wrote to memory of 1056 2824 0d8007c628a5c009d3d2b6aa53e6cc0a_JaffaCakes118.exe 29 PID 2824 wrote to memory of 1056 2824 0d8007c628a5c009d3d2b6aa53e6cc0a_JaffaCakes118.exe 29 PID 1632 wrote to memory of 2716 1632 rundll32.exe 30 PID 1632 wrote to memory of 2716 1632 rundll32.exe 30 PID 1632 wrote to memory of 2716 1632 rundll32.exe 30 PID 1632 wrote to memory of 2716 1632 rundll32.exe 30 PID 2716 wrote to memory of 2576 2716 cmd.exe 33 PID 2716 wrote to memory of 2576 2716 cmd.exe 33 PID 2716 wrote to memory of 2576 2716 cmd.exe 33 PID 2716 wrote to memory of 2576 2716 cmd.exe 33 PID 1056 wrote to memory of 3064 1056 WINWORD.EXE 35 PID 1056 wrote to memory of 3064 1056 WINWORD.EXE 35 PID 1056 wrote to memory of 3064 1056 WINWORD.EXE 35 PID 1056 wrote to memory of 3064 1056 WINWORD.EXE 35
Processes
-
C:\Users\Admin\AppData\Local\Temp\0d8007c628a5c009d3d2b6aa53e6cc0a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\0d8007c628a5c009d3d2b6aa53e6cc0a_JaffaCakes118.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Users\Admin\AppData\Local\Temp\rundll32.exe"C:\Users\Admin\AppData\Local\Temp\rundll32.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1632 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f3⤵
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\reg.exeC:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f4⤵
- UAC bypass
- Modifies registry key
PID:2576
-
-
-
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\SENARAI CALON BN PRU 13.doc"2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1056 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122883⤵PID:3064
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
82KB
MD57866ebcba567d0384a4173c44bde6163
SHA1881da445f78b8ba92eddd7eb533dcb0027cd60f4
SHA256ca193036f99a12ed1d89bc434d5b194631f83bc9bd6d4eba92e6403862c800ed
SHA512c3fe4cbb393c72277855f8bbc657bbf6004b462a0ec9b2ca27c2a587055395b890b91a89a543ab33d058d864c636dc196b944ca1668515dd4f9bf2e9e8a4f9b5
-
Filesize
73KB
MD5716d1b5f9d25d9374208ace7bfda7494
SHA1e27e3c9551952c6b16664138ea6393682161bb51
SHA2562b9fd5444bf32bb57619496751620b6f03d044e6a7d6c1ec734be1dbcbb477e5
SHA5126016aac7c48d7d4a3b322ff77461b229fd6ec2915e4187a0f0259de0cb21446813dfe68d82a7216a21ac28de211e75ff1f0968d3869b0c454c78716cf7d74146
-
Filesize
20KB
MD5aada3c138c52b61e44144116f98b4072
SHA1f69251f21ee03cf47ad4e200f7b16b298ae2f436
SHA256b46fd3bbef57bf177e8fb002c9592aa110490f9b718ff490c07deded84b20f57
SHA5127dcf6c6b20348c945f4c899c08f9e701292c20838bf1467fbbdb74c0fb95f96bde611cef82c89067c898dacbe464c5d68123ee0713a0dfbea971e1cba8fa1c2b