d7231c9941f8b195f8e380c7f44b5bd114e46ba5afaf67b3b01a3d4ac7f40291

Analysis

max time kernel
150s
max time network
15s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
01/09/2024, 01:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
Size

512KB
MD5

cdfaabe544a4b3a1fe3574561932bc46
SHA1

498fd62df89689b03593876b19b1bd317ce375c6
SHA256

d7231c9941f8b195f8e380c7f44b5bd114e46ba5afaf67b3b01a3d4ac7f40291
SHA512

42f4bcb4db36167256991c1859ead01eec56784bbf3ccf0ae8d109ff3f6d2774970c4376c3146228d819fe9ea3aa339647ae0719dbe8e60b6a7b6e0f4ae652f5
SSDEEP

6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6t:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5M

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	yutdzcdxwp.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	yutdzcdxwp.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	yutdzcdxwp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	yutdzcdxwp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	yutdzcdxwp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	yutdzcdxwp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	yutdzcdxwp.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	yutdzcdxwp.exe

Executes dropped EXE 5 IoCs

pid	Process
2784	yutdzcdxwp.exe
2880	znillyioathczsl.exe
2848	ooljcsej.exe
2812	ffrapicsnadth.exe
2676	ooljcsej.exe

Loads dropped DLL 5 IoCs

pid	Process
2556	cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
2556	cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
2556	cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
2556	cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
2784	yutdzcdxwp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	yutdzcdxwp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	yutdzcdxwp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	yutdzcdxwp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"	yutdzcdxwp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	yutdzcdxwp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	yutdzcdxwp.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mamqijhk = "yutdzcdxwp.exe"	znillyioathczsl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\eonufiwr = "znillyioathczsl.exe"	znillyioathczsl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "ffrapicsnadth.exe"	znillyioathczsl.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	ooljcsej.exe
File opened (read-only)	\??\o:	ooljcsej.exe
File opened (read-only)	\??\t:	ooljcsej.exe
File opened (read-only)	\??\o:	yutdzcdxwp.exe
File opened (read-only)	\??\o:	ooljcsej.exe
File opened (read-only)	\??\y:	ooljcsej.exe
File opened (read-only)	\??\t:	ooljcsej.exe
File opened (read-only)	\??\q:	ooljcsej.exe
File opened (read-only)	\??\w:	ooljcsej.exe
File opened (read-only)	\??\z:	ooljcsej.exe
File opened (read-only)	\??\k:	yutdzcdxwp.exe
File opened (read-only)	\??\x:	yutdzcdxwp.exe
File opened (read-only)	\??\b:	ooljcsej.exe
File opened (read-only)	\??\y:	ooljcsej.exe
File opened (read-only)	\??\a:	yutdzcdxwp.exe
File opened (read-only)	\??\v:	yutdzcdxwp.exe
File opened (read-only)	\??\w:	ooljcsej.exe
File opened (read-only)	\??\m:	ooljcsej.exe
File opened (read-only)	\??\v:	ooljcsej.exe
File opened (read-only)	\??\l:	yutdzcdxwp.exe
File opened (read-only)	\??\a:	ooljcsej.exe
File opened (read-only)	\??\l:	ooljcsej.exe
File opened (read-only)	\??\i:	ooljcsej.exe
File opened (read-only)	\??\s:	ooljcsej.exe
File opened (read-only)	\??\b:	ooljcsej.exe
File opened (read-only)	\??\p:	ooljcsej.exe
File opened (read-only)	\??\u:	ooljcsej.exe
File opened (read-only)	\??\m:	yutdzcdxwp.exe
File opened (read-only)	\??\w:	yutdzcdxwp.exe
File opened (read-only)	\??\h:	ooljcsej.exe
File opened (read-only)	\??\v:	ooljcsej.exe
File opened (read-only)	\??\j:	yutdzcdxwp.exe
File opened (read-only)	\??\y:	yutdzcdxwp.exe
File opened (read-only)	\??\i:	ooljcsej.exe
File opened (read-only)	\??\b:	yutdzcdxwp.exe
File opened (read-only)	\??\r:	ooljcsej.exe
File opened (read-only)	\??\e:	yutdzcdxwp.exe
File opened (read-only)	\??\g:	yutdzcdxwp.exe
File opened (read-only)	\??\i:	yutdzcdxwp.exe
File opened (read-only)	\??\j:	ooljcsej.exe
File opened (read-only)	\??\m:	ooljcsej.exe
File opened (read-only)	\??\n:	ooljcsej.exe
File opened (read-only)	\??\q:	yutdzcdxwp.exe
File opened (read-only)	\??\t:	yutdzcdxwp.exe
File opened (read-only)	\??\z:	yutdzcdxwp.exe
File opened (read-only)	\??\r:	ooljcsej.exe
File opened (read-only)	\??\p:	yutdzcdxwp.exe
File opened (read-only)	\??\r:	yutdzcdxwp.exe
File opened (read-only)	\??\q:	ooljcsej.exe
File opened (read-only)	\??\k:	ooljcsej.exe
File opened (read-only)	\??\n:	yutdzcdxwp.exe
File opened (read-only)	\??\g:	ooljcsej.exe
File opened (read-only)	\??\h:	yutdzcdxwp.exe
File opened (read-only)	\??\u:	yutdzcdxwp.exe
File opened (read-only)	\??\n:	ooljcsej.exe
File opened (read-only)	\??\u:	ooljcsej.exe
File opened (read-only)	\??\a:	ooljcsej.exe
File opened (read-only)	\??\l:	ooljcsej.exe
File opened (read-only)	\??\e:	ooljcsej.exe
File opened (read-only)	\??\p:	ooljcsej.exe
File opened (read-only)	\??\h:	ooljcsej.exe
File opened (read-only)	\??\x:	ooljcsej.exe
File opened (read-only)	\??\x:	ooljcsej.exe
File opened (read-only)	\??\z:	ooljcsej.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"	yutdzcdxwp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	yutdzcdxwp.exe

AutoIT Executable 6 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2556-0-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe
behavioral1/files/0x0008000000018f90-5.dat	autoit_exe
behavioral1/files/0x000c000000015635-17.dat	autoit_exe
behavioral1/files/0x0007000000018f98-29.dat	autoit_exe
behavioral1/files/0x0006000000018f9c-38.dat	autoit_exe
behavioral1/files/0x0006000000018fe4-70.dat	autoit_exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\yutdzcdxwp.exe	cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ooljcsej.exe	cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ffrapicsnadth.exe	cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	yutdzcdxwp.exe
File opened for modification	C:\Windows\SysWOW64\yutdzcdxwp.exe	cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\znillyioathczsl.exe	cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\znillyioathczsl.exe	cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\ooljcsej.exe	cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\ffrapicsnadth.exe	cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	ooljcsej.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	ooljcsej.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	ooljcsej.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	ooljcsej.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	ooljcsej.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	ooljcsej.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	ooljcsej.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	ooljcsej.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	ooljcsej.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	ooljcsej.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	ooljcsej.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	ooljcsej.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	ooljcsej.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	ooljcsej.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\mydoc.rtf	cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
File opened for modification	C:\Windows\mydoc.rtf	WINWORD.EXE
File created	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE
File opened for modification	C:\Windows\~$mydoc.rtf	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yutdzcdxwp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	znillyioathczsl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ooljcsej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ffrapicsnadth.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ooljcsej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe

Office loads VBA resources, possible macro or embedded object present

Modifies registry class 19 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsh	yutdzcdxwp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile"	yutdzcdxwp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32352D7D9D2D83206D3676D370222DD67CF265D9"	cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BBFFABAF964F195837C3A3186EB39E5B08E03F04360033AE2C4459C08A6"	cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E8CFFF84F5D85699047D72E7D96BCEEE13C594667436243D79C"	cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7FC6BB4FE6922D9D279D0A48A0E9161"	cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat	yutdzcdxwp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"	yutdzcdxwp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"	yutdzcdxwp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg	yutdzcdxwp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1845C67E15ECDBBEB8B97C92ECE037CB"	cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsf	yutdzcdxwp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"	yutdzcdxwp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLV.Classes	cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsc	yutdzcdxwp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile"	yutdzcdxwp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs	yutdzcdxwp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC4B15A47E239E853CDB9D132E9D7CC"	cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile"	yutdzcdxwp.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2640	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2556	cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
2556	cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
2556	cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
2556	cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
2556	cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
2556	cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
2556	cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
2784	yutdzcdxwp.exe
2784	yutdzcdxwp.exe
2784	yutdzcdxwp.exe
2784	yutdzcdxwp.exe
2784	yutdzcdxwp.exe
2556	cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
2880	znillyioathczsl.exe
2880	znillyioathczsl.exe
2880	znillyioathczsl.exe
2880	znillyioathczsl.exe
2880	znillyioathczsl.exe
2848	ooljcsej.exe
2848	ooljcsej.exe
2848	ooljcsej.exe
2848	ooljcsej.exe
2812	ffrapicsnadth.exe
2812	ffrapicsnadth.exe
2812	ffrapicsnadth.exe
2812	ffrapicsnadth.exe
2812	ffrapicsnadth.exe
2812	ffrapicsnadth.exe
2676	ooljcsej.exe
2676	ooljcsej.exe
2676	ooljcsej.exe
2676	ooljcsej.exe
2880	znillyioathczsl.exe
2880	znillyioathczsl.exe
2812	ffrapicsnadth.exe
2812	ffrapicsnadth.exe
2880	znillyioathczsl.exe
2812	ffrapicsnadth.exe
2812	ffrapicsnadth.exe
2880	znillyioathczsl.exe
2812	ffrapicsnadth.exe
2812	ffrapicsnadth.exe
2880	znillyioathczsl.exe
2812	ffrapicsnadth.exe
2812	ffrapicsnadth.exe
2880	znillyioathczsl.exe
2812	ffrapicsnadth.exe
2812	ffrapicsnadth.exe
2880	znillyioathczsl.exe
2812	ffrapicsnadth.exe
2812	ffrapicsnadth.exe
2880	znillyioathczsl.exe
2812	ffrapicsnadth.exe
2812	ffrapicsnadth.exe
2880	znillyioathczsl.exe
2812	ffrapicsnadth.exe
2812	ffrapicsnadth.exe
2880	znillyioathczsl.exe
2812	ffrapicsnadth.exe
2812	ffrapicsnadth.exe
2880	znillyioathczsl.exe
2812	ffrapicsnadth.exe
2812	ffrapicsnadth.exe
2880	znillyioathczsl.exe

Suspicious use of FindShellTrayWindow 18 IoCs

pid	Process
2556	cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
2556	cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
2556	cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
2784	yutdzcdxwp.exe
2784	yutdzcdxwp.exe
2784	yutdzcdxwp.exe
2880	znillyioathczsl.exe
2880	znillyioathczsl.exe
2880	znillyioathczsl.exe
2848	ooljcsej.exe
2848	ooljcsej.exe
2848	ooljcsej.exe
2812	ffrapicsnadth.exe
2812	ffrapicsnadth.exe
2812	ffrapicsnadth.exe
2676	ooljcsej.exe
2676	ooljcsej.exe
2676	ooljcsej.exe

Suspicious use of SendNotifyMessage 18 IoCs

pid	Process
2556	cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
2556	cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
2556	cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
2784	yutdzcdxwp.exe
2784	yutdzcdxwp.exe
2784	yutdzcdxwp.exe
2880	znillyioathczsl.exe
2880	znillyioathczsl.exe
2880	znillyioathczsl.exe
2848	ooljcsej.exe
2848	ooljcsej.exe
2848	ooljcsej.exe
2812	ffrapicsnadth.exe
2812	ffrapicsnadth.exe
2812	ffrapicsnadth.exe
2676	ooljcsej.exe
2676	ooljcsej.exe
2676	ooljcsej.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2640	WINWORD.EXE
2640	WINWORD.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2556 wrote to memory of 2784	2556	cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe	29
PID 2556 wrote to memory of 2784	2556	cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe	29
PID 2556 wrote to memory of 2784	2556	cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe	29
PID 2556 wrote to memory of 2784	2556	cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe	29
PID 2556 wrote to memory of 2880	2556	cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe	30
PID 2556 wrote to memory of 2880	2556	cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe	30
PID 2556 wrote to memory of 2880	2556	cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe	30
PID 2556 wrote to memory of 2880	2556	cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe	30
PID 2556 wrote to memory of 2848	2556	cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe	31
PID 2556 wrote to memory of 2848	2556	cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe	31
PID 2556 wrote to memory of 2848	2556	cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe	31
PID 2556 wrote to memory of 2848	2556	cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe	31
PID 2556 wrote to memory of 2812	2556	cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe	32
PID 2556 wrote to memory of 2812	2556	cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe	32
PID 2556 wrote to memory of 2812	2556	cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe	32
PID 2556 wrote to memory of 2812	2556	cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe	32
PID 2784 wrote to memory of 2676	2784	yutdzcdxwp.exe	33
PID 2784 wrote to memory of 2676	2784	yutdzcdxwp.exe	33
PID 2784 wrote to memory of 2676	2784	yutdzcdxwp.exe	33
PID 2784 wrote to memory of 2676	2784	yutdzcdxwp.exe	33
PID 2556 wrote to memory of 2640	2556	cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe	34
PID 2556 wrote to memory of 2640	2556	cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe	34
PID 2556 wrote to memory of 2640	2556	cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe	34
PID 2556 wrote to memory of 2640	2556	cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe	34
PID 2640 wrote to memory of 1996	2640	WINWORD.EXE	36
PID 2640 wrote to memory of 1996	2640	WINWORD.EXE	36
PID 2640 wrote to memory of 1996	2640	WINWORD.EXE	36
PID 2640 wrote to memory of 1996	2640	WINWORD.EXE	36

C:\Users\Admin\AppData\Local\Temp\cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\cdfaabe544a4b3a1fe3574561932bc46_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Windows\SysWOW64\yutdzcdxwp.exe
  yutdzcdxwp.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\SysWOW64\ooljcsej.exe
    C:\Windows\system32\ooljcsej.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2676
- C:\Windows\SysWOW64\znillyioathczsl.exe
  znillyioathczsl.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2880
- C:\Windows\SysWOW64\ooljcsej.exe
  ooljcsej.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2848
- C:\Windows\SysWOW64\ffrapicsnadth.exe
  ffrapicsnadth.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2812
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:1996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

Filesize
512KB

MD5
0b5e34c8c8b7b9c4f59f7af01c7e5e93

SHA1
aeea2944f0a7378fc803a0cc893fd7d8ce7d7d55

SHA256
da549eb45402b34e7bda9374d50a1a771657528ea8897ecca4717c6369144a4e

SHA512
91f1bd72166e3bfcdcf48c7c7dfcdb27552651505a591cbb03eb9983d400c152dd1df0c5dbf69dd47caad1aed9dc5872dd03ce8d31919a62d86fda74a7b903ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
35b7d137033b4c9bbe88ed4b07e8fb4e

SHA1
9c41d9e83f44c3b026e477a37a4f42ee126f47bd

SHA256
cef5ebef61ad9246a5ef0c26cf5324b88a647d4f2fcb792a5be14f6eeb4e5b03

SHA512
3b2d0a65f873ddd869820e30b0fe434a0c67264db6cafc53fdb02f2d785d527c0cbaaff8ed20eeac0e494f7f26b6cc0a61d9c16ef1927dceac4c1aa84998bca3

Download Submit
C:\Windows\SysWOW64\ffrapicsnadth.exe

Filesize
512KB

MD5
a7ff3ace30a54fb7ee6c8fd5161ccf0b

SHA1
f4cf64fae4e357d62ad861b1446b7e37aa46af8f

SHA256
5a92df8e8d3feb82c67537b9aa72c6536f5c4b7b50c4efc261e4ec7606158264

SHA512
fcadb8bc48cd5a23b72fc62edaf27d8a59d5bc0f3f5fa73c660ba1ad3c1d6ed18c53efea6dfc85ba81ce614562b187ef1ef4814d26008169a66fc70d56b64101

Download Submit
C:\Windows\SysWOW64\znillyioathczsl.exe

Filesize
512KB

MD5
1e28c66fb5d10141f12ef867a78fda58

SHA1
22fcffbd4f69d77dab9040157e2ee7b75b7f3353

SHA256
32fbbe51256ec9dc03a229f6f617d9637f8b780d729369defb0b6908e3e293ff

SHA512
97cf770780bd9bc8be3fb09bb28a660bae3a419394a286a30d15ff97ea2d12082da14f14c4665c7839917eb513a91c05da4728e97f4d00a40de4a508f5d17a77

Download Submit
C:\Windows\mydoc.rtf

Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\Windows\SysWOW64\ooljcsej.exe

Filesize
512KB

MD5
7511d087ff5cbccf4f0bd3430bf26fdd

SHA1
1f71b109fac49df02412c52cbbdbefe3a23be524

SHA256
c6559be49f702d932727ee8f9ac8dc0622532532fe460680cda16f200e8c5961

SHA512
ad2ffbc9f3af84123ee3f6b9c938241d5c41d2d7e1ea521334093d934b705a9d2ffd37e0971cf48fd83c86ed709614ecd05d0beec2f99703e0ff489198cd2ebb

Download Submit
\Windows\SysWOW64\yutdzcdxwp.exe

Filesize
512KB

MD5
4661809d6a739712aa22377f09af8133

SHA1
de0de7adf495192d5eed4beaf2addd3acc3ee39b

SHA256
6f768f8d4c9df9e8417167e5591b714c0f06fcdb93975197c0ddbec26828a0a1

SHA512
df66e1a9a33f58d7ad6a3539f3327208c176d7c9c4cba158b5ce4c6fefa7e85121a48d24bcba71dc74521c1e8bc73bf8a4598818359ed6545a92ac8b72d4721e

Download Submit
memory/2556-0-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2640-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2640-91-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download