5087511e7772bb1d1d4e17d404c3a856030cb66fcd6fcb488c053d24d20787b3

Analysis

max time kernel
151s
max time network
18s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07/09/2024, 06:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d149f1e9f413cbcf33413f605ba007a0_JaffaCakes118.exe
Size

512KB
MD5

d149f1e9f413cbcf33413f605ba007a0
SHA1

e4d3b5f5dc75efe1dc41ee950dd124d64a633575
SHA256

5087511e7772bb1d1d4e17d404c3a856030cb66fcd6fcb488c053d24d20787b3
SHA512

98fbc7e7599a3f64239ffc7978da44ce6313cab3dadc8f90addf792248d0e22a8f839aeb2c8d41ee9efc4856dfbd93edeca828859b87b2b165ad75488c59b29d
SSDEEP

6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6b:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5U

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	devvmtwvro.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	devvmtwvro.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	devvmtwvro.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	devvmtwvro.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	devvmtwvro.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	devvmtwvro.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	devvmtwvro.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	devvmtwvro.exe

Executes dropped EXE 5 IoCs

pid	Process
2008	devvmtwvro.exe
2132	ouuepgwwgtlinrg.exe
2912	qlvjetxk.exe
2768	dgdamygagrhin.exe
2956	qlvjetxk.exe

Loads dropped DLL 5 IoCs

pid	Process
1292	d149f1e9f413cbcf33413f605ba007a0_JaffaCakes118.exe
1292	d149f1e9f413cbcf33413f605ba007a0_JaffaCakes118.exe
1292	d149f1e9f413cbcf33413f605ba007a0_JaffaCakes118.exe
1292	d149f1e9f413cbcf33413f605ba007a0_JaffaCakes118.exe
2008	devvmtwvro.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"	devvmtwvro.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	devvmtwvro.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	devvmtwvro.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	devvmtwvro.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	devvmtwvro.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	devvmtwvro.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\tvdunaiy = "devvmtwvro.exe"	ouuepgwwgtlinrg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ripqmshf = "ouuepgwwgtlinrg.exe"	ouuepgwwgtlinrg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "dgdamygagrhin.exe"	ouuepgwwgtlinrg.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\v:	qlvjetxk.exe
File opened (read-only)	\??\e:	devvmtwvro.exe
File opened (read-only)	\??\b:	qlvjetxk.exe
File opened (read-only)	\??\y:	qlvjetxk.exe
File opened (read-only)	\??\j:	qlvjetxk.exe
File opened (read-only)	\??\x:	qlvjetxk.exe
File opened (read-only)	\??\t:	devvmtwvro.exe
File opened (read-only)	\??\p:	qlvjetxk.exe
File opened (read-only)	\??\m:	qlvjetxk.exe
File opened (read-only)	\??\a:	devvmtwvro.exe
File opened (read-only)	\??\b:	devvmtwvro.exe
File opened (read-only)	\??\q:	devvmtwvro.exe
File opened (read-only)	\??\y:	devvmtwvro.exe
File opened (read-only)	\??\e:	qlvjetxk.exe
File opened (read-only)	\??\r:	qlvjetxk.exe
File opened (read-only)	\??\i:	devvmtwvro.exe
File opened (read-only)	\??\m:	devvmtwvro.exe
File opened (read-only)	\??\g:	qlvjetxk.exe
File opened (read-only)	\??\w:	qlvjetxk.exe
File opened (read-only)	\??\o:	qlvjetxk.exe
File opened (read-only)	\??\z:	qlvjetxk.exe
File opened (read-only)	\??\j:	devvmtwvro.exe
File opened (read-only)	\??\k:	devvmtwvro.exe
File opened (read-only)	\??\i:	qlvjetxk.exe
File opened (read-only)	\??\h:	qlvjetxk.exe
File opened (read-only)	\??\l:	qlvjetxk.exe
File opened (read-only)	\??\s:	devvmtwvro.exe
File opened (read-only)	\??\o:	qlvjetxk.exe
File opened (read-only)	\??\a:	qlvjetxk.exe
File opened (read-only)	\??\b:	qlvjetxk.exe
File opened (read-only)	\??\l:	qlvjetxk.exe
File opened (read-only)	\??\z:	devvmtwvro.exe
File opened (read-only)	\??\h:	devvmtwvro.exe
File opened (read-only)	\??\n:	devvmtwvro.exe
File opened (read-only)	\??\u:	devvmtwvro.exe
File opened (read-only)	\??\v:	devvmtwvro.exe
File opened (read-only)	\??\e:	qlvjetxk.exe
File opened (read-only)	\??\h:	qlvjetxk.exe
File opened (read-only)	\??\k:	qlvjetxk.exe
File opened (read-only)	\??\s:	qlvjetxk.exe
File opened (read-only)	\??\x:	qlvjetxk.exe
File opened (read-only)	\??\r:	qlvjetxk.exe
File opened (read-only)	\??\p:	devvmtwvro.exe
File opened (read-only)	\??\k:	qlvjetxk.exe
File opened (read-only)	\??\q:	qlvjetxk.exe
File opened (read-only)	\??\s:	qlvjetxk.exe
File opened (read-only)	\??\z:	qlvjetxk.exe
File opened (read-only)	\??\t:	qlvjetxk.exe
File opened (read-only)	\??\w:	devvmtwvro.exe
File opened (read-only)	\??\q:	qlvjetxk.exe
File opened (read-only)	\??\l:	devvmtwvro.exe
File opened (read-only)	\??\r:	devvmtwvro.exe
File opened (read-only)	\??\n:	qlvjetxk.exe
File opened (read-only)	\??\t:	qlvjetxk.exe
File opened (read-only)	\??\u:	qlvjetxk.exe
File opened (read-only)	\??\x:	devvmtwvro.exe
File opened (read-only)	\??\a:	qlvjetxk.exe
File opened (read-only)	\??\u:	qlvjetxk.exe
File opened (read-only)	\??\g:	qlvjetxk.exe
File opened (read-only)	\??\g:	devvmtwvro.exe
File opened (read-only)	\??\i:	qlvjetxk.exe
File opened (read-only)	\??\m:	qlvjetxk.exe
File opened (read-only)	\??\p:	qlvjetxk.exe
File opened (read-only)	\??\w:	qlvjetxk.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"	devvmtwvro.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	devvmtwvro.exe

AutoIT Executable 7 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/1292-0-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe
behavioral1/files/0x0007000000018e25-9.dat	autoit_exe
behavioral1/files/0x00030000000178b0-17.dat	autoit_exe
behavioral1/files/0x0008000000018dea-21.dat	autoit_exe
behavioral1/files/0x0006000000018e65-34.dat	autoit_exe
behavioral1/files/0x0002000000003d25-66.dat	autoit_exe
behavioral1/files/0x0002000000003d26-68.dat	autoit_exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\devvmtwvro.exe	d149f1e9f413cbcf33413f605ba007a0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ouuepgwwgtlinrg.exe	d149f1e9f413cbcf33413f605ba007a0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\qlvjetxk.exe	d149f1e9f413cbcf33413f605ba007a0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\qlvjetxk.exe	d149f1e9f413cbcf33413f605ba007a0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\devvmtwvro.exe	d149f1e9f413cbcf33413f605ba007a0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\ouuepgwwgtlinrg.exe	d149f1e9f413cbcf33413f605ba007a0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dgdamygagrhin.exe	d149f1e9f413cbcf33413f605ba007a0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\dgdamygagrhin.exe	d149f1e9f413cbcf33413f605ba007a0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	devvmtwvro.exe

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	qlvjetxk.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	qlvjetxk.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	qlvjetxk.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	qlvjetxk.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	qlvjetxk.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	qlvjetxk.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	qlvjetxk.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	qlvjetxk.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	qlvjetxk.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	qlvjetxk.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	qlvjetxk.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	qlvjetxk.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	qlvjetxk.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	qlvjetxk.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\mydoc.rtf	d149f1e9f413cbcf33413f605ba007a0_JaffaCakes118.exe
File opened for modification	C:\Windows\mydoc.rtf	WINWORD.EXE
File created	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qlvjetxk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dgdamygagrhin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qlvjetxk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d149f1e9f413cbcf33413f605ba007a0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devvmtwvro.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ouuepgwwgtlinrg.exe

Office loads VBA resources, possible macro or embedded object present

Modifies registry class 24 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat	devvmtwvro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile"	devvmtwvro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs	devvmtwvro.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33472C7D9D5682596A3177D477212DD87CF564D6"	d149f1e9f413cbcf33413f605ba007a0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABAF9B1FE13F1E584093B46819C3E96B08803F04364034BE1BF459B08D4"	d149f1e9f413cbcf33413f605ba007a0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF5FFFB485F85699135D62E7D92BD97E1355845674F6337D79A"	d149f1e9f413cbcf33413f605ba007a0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F568B3FE1B22DDD27ED0D68A099063"	d149f1e9f413cbcf33413f605ba007a0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile"	devvmtwvro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg	devvmtwvro.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLV.Classes	d149f1e9f413cbcf33413f605ba007a0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1939C67814E2DBC5B8C97FE7ED9634CF"	d149f1e9f413cbcf33413f605ba007a0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"	devvmtwvro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsf	devvmtwvro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"	devvmtwvro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2ECAB15F449339E853CBB9D6339DD7CD"	d149f1e9f413cbcf33413f605ba007a0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsh	devvmtwvro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile"	devvmtwvro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsc	devvmtwvro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"	devvmtwvro.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2760	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1292	d149f1e9f413cbcf33413f605ba007a0_JaffaCakes118.exe
1292	d149f1e9f413cbcf33413f605ba007a0_JaffaCakes118.exe
1292	d149f1e9f413cbcf33413f605ba007a0_JaffaCakes118.exe
1292	d149f1e9f413cbcf33413f605ba007a0_JaffaCakes118.exe
1292	d149f1e9f413cbcf33413f605ba007a0_JaffaCakes118.exe
1292	d149f1e9f413cbcf33413f605ba007a0_JaffaCakes118.exe
1292	d149f1e9f413cbcf33413f605ba007a0_JaffaCakes118.exe
1292	d149f1e9f413cbcf33413f605ba007a0_JaffaCakes118.exe
2008	devvmtwvro.exe
2008	devvmtwvro.exe
2008	devvmtwvro.exe
2008	devvmtwvro.exe
2008	devvmtwvro.exe
2132	ouuepgwwgtlinrg.exe
2132	ouuepgwwgtlinrg.exe
2132	ouuepgwwgtlinrg.exe
2132	ouuepgwwgtlinrg.exe
2132	ouuepgwwgtlinrg.exe
2912	qlvjetxk.exe
2912	qlvjetxk.exe
2912	qlvjetxk.exe
2912	qlvjetxk.exe
2768	dgdamygagrhin.exe
2768	dgdamygagrhin.exe
2768	dgdamygagrhin.exe
2768	dgdamygagrhin.exe
2768	dgdamygagrhin.exe
2768	dgdamygagrhin.exe
2132	ouuepgwwgtlinrg.exe
2956	qlvjetxk.exe
2956	qlvjetxk.exe
2956	qlvjetxk.exe
2956	qlvjetxk.exe
2132	ouuepgwwgtlinrg.exe
2768	dgdamygagrhin.exe
2768	dgdamygagrhin.exe
2132	ouuepgwwgtlinrg.exe
2768	dgdamygagrhin.exe
2768	dgdamygagrhin.exe
2132	ouuepgwwgtlinrg.exe
2768	dgdamygagrhin.exe
2768	dgdamygagrhin.exe
2132	ouuepgwwgtlinrg.exe
2768	dgdamygagrhin.exe
2768	dgdamygagrhin.exe
2132	ouuepgwwgtlinrg.exe
2768	dgdamygagrhin.exe
2768	dgdamygagrhin.exe
2132	ouuepgwwgtlinrg.exe
2768	dgdamygagrhin.exe
2768	dgdamygagrhin.exe
2132	ouuepgwwgtlinrg.exe
2768	dgdamygagrhin.exe
2768	dgdamygagrhin.exe
2132	ouuepgwwgtlinrg.exe
2768	dgdamygagrhin.exe
2768	dgdamygagrhin.exe
2132	ouuepgwwgtlinrg.exe
2768	dgdamygagrhin.exe
2768	dgdamygagrhin.exe
2132	ouuepgwwgtlinrg.exe
2768	dgdamygagrhin.exe
2768	dgdamygagrhin.exe
2132	ouuepgwwgtlinrg.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2372	explorer.exe
Token: SeShutdownPrivilege	2372	explorer.exe
Token: SeShutdownPrivilege	2372	explorer.exe
Token: SeShutdownPrivilege	2372	explorer.exe
Token: SeShutdownPrivilege	2372	explorer.exe
Token: SeShutdownPrivilege	2372	explorer.exe
Token: SeShutdownPrivilege	2372	explorer.exe
Token: SeShutdownPrivilege	2372	explorer.exe
Token: SeShutdownPrivilege	2372	explorer.exe
Token: SeShutdownPrivilege	2372	explorer.exe
Token: SeShutdownPrivilege	2372	explorer.exe
Token: SeShutdownPrivilege	2372	explorer.exe

Suspicious use of FindShellTrayWindow 48 IoCs

pid	Process
1292	d149f1e9f413cbcf33413f605ba007a0_JaffaCakes118.exe
1292	d149f1e9f413cbcf33413f605ba007a0_JaffaCakes118.exe
1292	d149f1e9f413cbcf33413f605ba007a0_JaffaCakes118.exe
2008	devvmtwvro.exe
2008	devvmtwvro.exe
2008	devvmtwvro.exe
2132	ouuepgwwgtlinrg.exe
2132	ouuepgwwgtlinrg.exe
2132	ouuepgwwgtlinrg.exe
2912	qlvjetxk.exe
2912	qlvjetxk.exe
2912	qlvjetxk.exe
2768	dgdamygagrhin.exe
2768	dgdamygagrhin.exe
2768	dgdamygagrhin.exe
2956	qlvjetxk.exe
2956	qlvjetxk.exe
2956	qlvjetxk.exe
2372	explorer.exe
2372	explorer.exe
2372	explorer.exe
2372	explorer.exe
2372	explorer.exe
2372	explorer.exe
2372	explorer.exe
2372	explorer.exe
2372	explorer.exe
2372	explorer.exe
2372	explorer.exe
2372	explorer.exe
2372	explorer.exe
2372	explorer.exe
2372	explorer.exe
2372	explorer.exe
2372	explorer.exe
2372	explorer.exe
2372	explorer.exe
2372	explorer.exe
2372	explorer.exe
2372	explorer.exe
2372	explorer.exe
2372	explorer.exe
2372	explorer.exe
2372	explorer.exe
2372	explorer.exe
2372	explorer.exe
2372	explorer.exe
2372	explorer.exe

Suspicious use of SendNotifyMessage 37 IoCs

pid	Process
1292	d149f1e9f413cbcf33413f605ba007a0_JaffaCakes118.exe
1292	d149f1e9f413cbcf33413f605ba007a0_JaffaCakes118.exe
1292	d149f1e9f413cbcf33413f605ba007a0_JaffaCakes118.exe
2008	devvmtwvro.exe
2008	devvmtwvro.exe
2008	devvmtwvro.exe
2132	ouuepgwwgtlinrg.exe
2132	ouuepgwwgtlinrg.exe
2132	ouuepgwwgtlinrg.exe
2912	qlvjetxk.exe
2912	qlvjetxk.exe
2912	qlvjetxk.exe
2768	dgdamygagrhin.exe
2768	dgdamygagrhin.exe
2768	dgdamygagrhin.exe
2372	explorer.exe
2372	explorer.exe
2372	explorer.exe
2372	explorer.exe
2372	explorer.exe
2372	explorer.exe
2372	explorer.exe
2372	explorer.exe
2372	explorer.exe
2372	explorer.exe
2372	explorer.exe
2372	explorer.exe
2372	explorer.exe
2372	explorer.exe
2372	explorer.exe
2372	explorer.exe
2372	explorer.exe
2372	explorer.exe
2372	explorer.exe
2372	explorer.exe
2372	explorer.exe
2372	explorer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2760	WINWORD.EXE
2760	WINWORD.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1292 wrote to memory of 2008	1292	d149f1e9f413cbcf33413f605ba007a0_JaffaCakes118.exe	30
PID 1292 wrote to memory of 2008	1292	d149f1e9f413cbcf33413f605ba007a0_JaffaCakes118.exe	30
PID 1292 wrote to memory of 2008	1292	d149f1e9f413cbcf33413f605ba007a0_JaffaCakes118.exe	30
PID 1292 wrote to memory of 2008	1292	d149f1e9f413cbcf33413f605ba007a0_JaffaCakes118.exe	30
PID 1292 wrote to memory of 2132	1292	d149f1e9f413cbcf33413f605ba007a0_JaffaCakes118.exe	31
PID 1292 wrote to memory of 2132	1292	d149f1e9f413cbcf33413f605ba007a0_JaffaCakes118.exe	31
PID 1292 wrote to memory of 2132	1292	d149f1e9f413cbcf33413f605ba007a0_JaffaCakes118.exe	31
PID 1292 wrote to memory of 2132	1292	d149f1e9f413cbcf33413f605ba007a0_JaffaCakes118.exe	31
PID 1292 wrote to memory of 2912	1292	d149f1e9f413cbcf33413f605ba007a0_JaffaCakes118.exe	32
PID 1292 wrote to memory of 2912	1292	d149f1e9f413cbcf33413f605ba007a0_JaffaCakes118.exe	32
PID 1292 wrote to memory of 2912	1292	d149f1e9f413cbcf33413f605ba007a0_JaffaCakes118.exe	32
PID 1292 wrote to memory of 2912	1292	d149f1e9f413cbcf33413f605ba007a0_JaffaCakes118.exe	32
PID 1292 wrote to memory of 2768	1292	d149f1e9f413cbcf33413f605ba007a0_JaffaCakes118.exe	33
PID 1292 wrote to memory of 2768	1292	d149f1e9f413cbcf33413f605ba007a0_JaffaCakes118.exe	33
PID 1292 wrote to memory of 2768	1292	d149f1e9f413cbcf33413f605ba007a0_JaffaCakes118.exe	33
PID 1292 wrote to memory of 2768	1292	d149f1e9f413cbcf33413f605ba007a0_JaffaCakes118.exe	33
PID 2008 wrote to memory of 2956	2008	devvmtwvro.exe	34
PID 2008 wrote to memory of 2956	2008	devvmtwvro.exe	34
PID 2008 wrote to memory of 2956	2008	devvmtwvro.exe	34
PID 2008 wrote to memory of 2956	2008	devvmtwvro.exe	34
PID 1292 wrote to memory of 2760	1292	d149f1e9f413cbcf33413f605ba007a0_JaffaCakes118.exe	35
PID 1292 wrote to memory of 2760	1292	d149f1e9f413cbcf33413f605ba007a0_JaffaCakes118.exe	35
PID 1292 wrote to memory of 2760	1292	d149f1e9f413cbcf33413f605ba007a0_JaffaCakes118.exe	35
PID 1292 wrote to memory of 2760	1292	d149f1e9f413cbcf33413f605ba007a0_JaffaCakes118.exe	35
PID 2760 wrote to memory of 1052	2760	WINWORD.EXE	38
PID 2760 wrote to memory of 1052	2760	WINWORD.EXE	38
PID 2760 wrote to memory of 1052	2760	WINWORD.EXE	38
PID 2760 wrote to memory of 1052	2760	WINWORD.EXE	38

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d149f1e9f413cbcf33413f605ba007a0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d149f1e9f413cbcf33413f605ba007a0_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1292
- C:\Windows\SysWOW64\devvmtwvro.exe
  devvmtwvro.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Windows\SysWOW64\qlvjetxk.exe
    C:\Windows\system32\qlvjetxk.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    PID:2956
- C:\Windows\SysWOW64\ouuepgwwgtlinrg.exe
  ouuepgwwgtlinrg.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2132
- C:\Windows\SysWOW64\qlvjetxk.exe
  qlvjetxk.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2912
- C:\Windows\SysWOW64\dgdamygagrhin.exe
  dgdamygagrhin.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2768
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:1052

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

Filesize
512KB

MD5
6e494d4d9cececdd569a8f84e293349a

SHA1
ed464bc293c56c5deb6f5db74d05679153cab1a2

SHA256
9284c15a370b301272558e9fe79553b4e749821a009d080ad823007f6d4e82a3

SHA512
4955fec92f310a329f40bf1b3cc1ce26b0b401099d94a4974fa8f789fc9f2d3f4f38005b7c3938d8eb5412064a2c640259952622c22923fac7607ec2b7d2ca8e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

Filesize
512KB

MD5
4ccb77c60229ed39140849e2d43e52f4

SHA1
67e5849cd9feca224611065a8f3ed7e8d743e446

SHA256
cf6569178d8a4f248a8598d353163916c46a583efdc6c5c04517c7ff5f928661

SHA512
82640274216caec08276748137420399d3c7116e1732b29fa6bdc588b0784cc8c93b962d7b59a8b469c59b0b5cb1768c70efbfc4a90b89684eb40eb9d4837339

Download Submit
C:\Windows\SysWOW64\qlvjetxk.exe

Filesize
512KB

MD5
8d62127c2b005c04d72519b098864e57

SHA1
382f38eda2330459afc1c5ee124ec649747dc929

SHA256
94e9b031fe6d840514a923679156e1c3401562f928a61f14427358f04a407258

SHA512
c5d99ab2f1f20ac8362dda9ac9f722677ad254c23f698a01706dc184c54e0f304c395198ec11d0be307944672656060509012a07e6cfbd79c7ebd9b5e60e3dcc

Download Submit
C:\Windows\mydoc.rtf

Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\Windows\SysWOW64\devvmtwvro.exe

Filesize
512KB

MD5
e8eace43645319b5b1ef58cad6691976

SHA1
3e56e32f1a4be410a4b3ad1fdf5e0da2f3d8d8a4

SHA256
9ca590dcf519dd7fe6d3c149fb102b52dad3a4f4760467e17d938948ea0e4e4f

SHA512
5ffe3fba18c7d12370901a24ac9373ae0019a7c890e9592ec2edb68545f36691de2a42d368f66b12f7f4ad2689ccb092a975eb8b417ddaf0e385bb5f0098bcdc

Download Submit
\Windows\SysWOW64\dgdamygagrhin.exe

Filesize
512KB

MD5
6100900f75ad42cf36a872c6e2e7ac3a

SHA1
69dc3b80dd03806c331b576f92ca875911da71da

SHA256
687f465b86d2b5d8f08cdf14b11aa5648af8b773b84f376da4436da8976a87f5

SHA512
3d96c0864e0df734100021accc41222379caf34eb1c0b46bc1c221e35410698353086e6a1d6dec182cb93fa8c2de80478f3a10c07e783d04ce5234bc8b659c56

Download Submit
\Windows\SysWOW64\ouuepgwwgtlinrg.exe

Filesize
512KB

MD5
a16e4bf43a35cc3ef1e4dec45e1464e4

SHA1
2dbf0678cd433d1958e0ef7c4d9fc68b7c4594b1

SHA256
a578194d16456924502ce80266b8eb9f81e17b973d94ed41808d51a722e07b0d

SHA512
84c55a697d8b14db5192628dd4aaf0904380e8c4a80bf3c7e2403c41754e45f265e7b60479c51933125ee6c796193c893167af59f6e5b8aa791ac3a3893e8fcd

Download Submit
memory/1292-0-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2372-80-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download
memory/2760-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download