7fd5992c88194526a13050960d694f1b637d8a87b9d845e9a4b0d3c47560174b

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
08-09-2024 22:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d538e33e460f736d6748f866ee31fdc6_JaffaCakes118.exe
Size

512KB
MD5

d538e33e460f736d6748f866ee31fdc6
SHA1

2b5cf80c58d6bc905c11f9374ecc64f962aa5b6a
SHA256

7fd5992c88194526a13050960d694f1b637d8a87b9d845e9a4b0d3c47560174b
SHA512

7ca6d93548f247d0cf08cca98b1dbcabfd93ecddb5dcd33ac631ae296ab03f6711a01f46800e32650321686d798210b2026ff45023424cfc369b25e84114711f
SSDEEP

6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6A:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5B

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	inbqvpmshi.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	inbqvpmshi.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	inbqvpmshi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	inbqvpmshi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	inbqvpmshi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	inbqvpmshi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	inbqvpmshi.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	inbqvpmshi.exe

Executes dropped EXE 5 IoCs

pid	Process
2760	inbqvpmshi.exe
2800	otkheuvhfcxibag.exe
2684	etjorygh.exe
2172	gxbriozkrapsz.exe
2556	etjorygh.exe

Loads dropped DLL 5 IoCs

pid	Process
2180	d538e33e460f736d6748f866ee31fdc6_JaffaCakes118.exe
2180	d538e33e460f736d6748f866ee31fdc6_JaffaCakes118.exe
2180	d538e33e460f736d6748f866ee31fdc6_JaffaCakes118.exe
2180	d538e33e460f736d6748f866ee31fdc6_JaffaCakes118.exe
2760	inbqvpmshi.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	inbqvpmshi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	inbqvpmshi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	inbqvpmshi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	inbqvpmshi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	inbqvpmshi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"	inbqvpmshi.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\rlnxfghc = "inbqvpmshi.exe"	otkheuvhfcxibag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\rhruzamd = "otkheuvhfcxibag.exe"	otkheuvhfcxibag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "gxbriozkrapsz.exe"	otkheuvhfcxibag.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\w:	etjorygh.exe
File opened (read-only)	\??\t:	etjorygh.exe
File opened (read-only)	\??\a:	inbqvpmshi.exe
File opened (read-only)	\??\o:	etjorygh.exe
File opened (read-only)	\??\q:	etjorygh.exe
File opened (read-only)	\??\r:	etjorygh.exe
File opened (read-only)	\??\n:	etjorygh.exe
File opened (read-only)	\??\n:	inbqvpmshi.exe
File opened (read-only)	\??\u:	inbqvpmshi.exe
File opened (read-only)	\??\k:	etjorygh.exe
File opened (read-only)	\??\l:	etjorygh.exe
File opened (read-only)	\??\y:	etjorygh.exe
File opened (read-only)	\??\e:	inbqvpmshi.exe
File opened (read-only)	\??\j:	etjorygh.exe
File opened (read-only)	\??\j:	inbqvpmshi.exe
File opened (read-only)	\??\t:	inbqvpmshi.exe
File opened (read-only)	\??\y:	inbqvpmshi.exe
File opened (read-only)	\??\n:	etjorygh.exe
File opened (read-only)	\??\g:	etjorygh.exe
File opened (read-only)	\??\h:	inbqvpmshi.exe
File opened (read-only)	\??\s:	inbqvpmshi.exe
File opened (read-only)	\??\e:	etjorygh.exe
File opened (read-only)	\??\y:	etjorygh.exe
File opened (read-only)	\??\q:	inbqvpmshi.exe
File opened (read-only)	\??\a:	etjorygh.exe
File opened (read-only)	\??\l:	etjorygh.exe
File opened (read-only)	\??\a:	etjorygh.exe
File opened (read-only)	\??\x:	inbqvpmshi.exe
File opened (read-only)	\??\h:	etjorygh.exe
File opened (read-only)	\??\u:	etjorygh.exe
File opened (read-only)	\??\r:	inbqvpmshi.exe
File opened (read-only)	\??\k:	etjorygh.exe
File opened (read-only)	\??\v:	etjorygh.exe
File opened (read-only)	\??\q:	etjorygh.exe
File opened (read-only)	\??\h:	etjorygh.exe
File opened (read-only)	\??\z:	etjorygh.exe
File opened (read-only)	\??\b:	etjorygh.exe
File opened (read-only)	\??\z:	etjorygh.exe
File opened (read-only)	\??\m:	inbqvpmshi.exe
File opened (read-only)	\??\o:	inbqvpmshi.exe
File opened (read-only)	\??\u:	etjorygh.exe
File opened (read-only)	\??\m:	etjorygh.exe
File opened (read-only)	\??\s:	etjorygh.exe
File opened (read-only)	\??\b:	inbqvpmshi.exe
File opened (read-only)	\??\w:	inbqvpmshi.exe
File opened (read-only)	\??\b:	etjorygh.exe
File opened (read-only)	\??\g:	etjorygh.exe
File opened (read-only)	\??\m:	etjorygh.exe
File opened (read-only)	\??\o:	etjorygh.exe
File opened (read-only)	\??\v:	etjorygh.exe
File opened (read-only)	\??\l:	inbqvpmshi.exe
File opened (read-only)	\??\p:	inbqvpmshi.exe
File opened (read-only)	\??\v:	inbqvpmshi.exe
File opened (read-only)	\??\s:	etjorygh.exe
File opened (read-only)	\??\t:	etjorygh.exe
File opened (read-only)	\??\x:	etjorygh.exe
File opened (read-only)	\??\i:	etjorygh.exe
File opened (read-only)	\??\k:	inbqvpmshi.exe
File opened (read-only)	\??\p:	etjorygh.exe
File opened (read-only)	\??\p:	etjorygh.exe
File opened (read-only)	\??\r:	etjorygh.exe
File opened (read-only)	\??\w:	etjorygh.exe
File opened (read-only)	\??\x:	etjorygh.exe
File opened (read-only)	\??\i:	inbqvpmshi.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"	inbqvpmshi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	inbqvpmshi.exe

AutoIT Executable 6 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2180-0-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe
behavioral1/files/0x000600000001945c-9.dat	autoit_exe
behavioral1/files/0x000a00000001225e-17.dat	autoit_exe
behavioral1/files/0x00070000000193e6-25.dat	autoit_exe
behavioral1/files/0x000600000001948d-39.dat	autoit_exe
behavioral1/files/0x0002000000003d25-59.dat	autoit_exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\etjorygh.exe	d538e33e460f736d6748f866ee31fdc6_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\inbqvpmshi.exe	d538e33e460f736d6748f866ee31fdc6_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\otkheuvhfcxibag.exe	d538e33e460f736d6748f866ee31fdc6_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\otkheuvhfcxibag.exe	d538e33e460f736d6748f866ee31fdc6_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\gxbriozkrapsz.exe	d538e33e460f736d6748f866ee31fdc6_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	inbqvpmshi.exe
File opened for modification	C:\Windows\SysWOW64\inbqvpmshi.exe	d538e33e460f736d6748f866ee31fdc6_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\etjorygh.exe	d538e33e460f736d6748f866ee31fdc6_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\gxbriozkrapsz.exe	d538e33e460f736d6748f866ee31fdc6_JaffaCakes118.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	etjorygh.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	etjorygh.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	etjorygh.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	etjorygh.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	etjorygh.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	etjorygh.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	etjorygh.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	etjorygh.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	etjorygh.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	etjorygh.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	etjorygh.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	etjorygh.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	etjorygh.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	etjorygh.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	etjorygh.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\mydoc.rtf	d538e33e460f736d6748f866ee31fdc6_JaffaCakes118.exe
File opened for modification	C:\Windows\mydoc.rtf	WINWORD.EXE
File created	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	etjorygh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gxbriozkrapsz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	etjorygh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d538e33e460f736d6748f866ee31fdc6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	inbqvpmshi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	otkheuvhfcxibag.exe

Office loads VBA resources, possible macro or embedded object present

Modifies registry class 24 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E8FFC8F485D82139131D7287EE6BDE6E630594666476246D69E"	d538e33e460f736d6748f866ee31fdc6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile"	inbqvpmshi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsc	inbqvpmshi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile"	inbqvpmshi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsf	inbqvpmshi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"	inbqvpmshi.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLV.Classes	d538e33e460f736d6748f866ee31fdc6_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABAF9B0F966F19183753A44819D3999B089028C4260034BE1CC429A08D4"	d538e33e460f736d6748f866ee31fdc6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"	inbqvpmshi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs	inbqvpmshi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33352C769C5282276D4377D070542DDD7D8664AB"	d538e33e460f736d6748f866ee31fdc6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1939C67914E0DBBEB9CE7CE5ED9334CD"	d538e33e460f736d6748f866ee31fdc6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg	inbqvpmshi.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_Classes\Local Settings	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB7B02E47E439ED52CCB9A23292D7CE"	d538e33e460f736d6748f866ee31fdc6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat	inbqvpmshi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsh	inbqvpmshi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile"	inbqvpmshi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"	inbqvpmshi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F36BB9FE6A22D0D209D0A98A0E9110"	d538e33e460f736d6748f866ee31fdc6_JaffaCakes118.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2612	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2180	d538e33e460f736d6748f866ee31fdc6_JaffaCakes118.exe
2180	d538e33e460f736d6748f866ee31fdc6_JaffaCakes118.exe
2180	d538e33e460f736d6748f866ee31fdc6_JaffaCakes118.exe
2180	d538e33e460f736d6748f866ee31fdc6_JaffaCakes118.exe
2180	d538e33e460f736d6748f866ee31fdc6_JaffaCakes118.exe
2180	d538e33e460f736d6748f866ee31fdc6_JaffaCakes118.exe
2180	d538e33e460f736d6748f866ee31fdc6_JaffaCakes118.exe
2180	d538e33e460f736d6748f866ee31fdc6_JaffaCakes118.exe
2800	otkheuvhfcxibag.exe
2800	otkheuvhfcxibag.exe
2800	otkheuvhfcxibag.exe
2800	otkheuvhfcxibag.exe
2800	otkheuvhfcxibag.exe
2684	etjorygh.exe
2684	etjorygh.exe
2684	etjorygh.exe
2684	etjorygh.exe
2760	inbqvpmshi.exe
2760	inbqvpmshi.exe
2760	inbqvpmshi.exe
2760	inbqvpmshi.exe
2760	inbqvpmshi.exe
2172	gxbriozkrapsz.exe
2172	gxbriozkrapsz.exe
2172	gxbriozkrapsz.exe
2172	gxbriozkrapsz.exe
2172	gxbriozkrapsz.exe
2172	gxbriozkrapsz.exe
2556	etjorygh.exe
2556	etjorygh.exe
2556	etjorygh.exe
2556	etjorygh.exe
2800	otkheuvhfcxibag.exe
2172	gxbriozkrapsz.exe
2172	gxbriozkrapsz.exe
2800	otkheuvhfcxibag.exe
2800	otkheuvhfcxibag.exe
2172	gxbriozkrapsz.exe
2172	gxbriozkrapsz.exe
2800	otkheuvhfcxibag.exe
2172	gxbriozkrapsz.exe
2172	gxbriozkrapsz.exe
2800	otkheuvhfcxibag.exe
2172	gxbriozkrapsz.exe
2172	gxbriozkrapsz.exe
2800	otkheuvhfcxibag.exe
2172	gxbriozkrapsz.exe
2172	gxbriozkrapsz.exe
2800	otkheuvhfcxibag.exe
2172	gxbriozkrapsz.exe
2172	gxbriozkrapsz.exe
2800	otkheuvhfcxibag.exe
2172	gxbriozkrapsz.exe
2172	gxbriozkrapsz.exe
2800	otkheuvhfcxibag.exe
2172	gxbriozkrapsz.exe
2172	gxbriozkrapsz.exe
2800	otkheuvhfcxibag.exe
2172	gxbriozkrapsz.exe
2172	gxbriozkrapsz.exe
2800	otkheuvhfcxibag.exe
2172	gxbriozkrapsz.exe
2172	gxbriozkrapsz.exe
2800	otkheuvhfcxibag.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2888	explorer.exe
Token: SeShutdownPrivilege	2888	explorer.exe
Token: SeShutdownPrivilege	2888	explorer.exe
Token: SeShutdownPrivilege	2888	explorer.exe
Token: SeShutdownPrivilege	2888	explorer.exe
Token: SeShutdownPrivilege	2888	explorer.exe
Token: SeShutdownPrivilege	2888	explorer.exe
Token: SeShutdownPrivilege	2888	explorer.exe
Token: SeShutdownPrivilege	2888	explorer.exe
Token: SeShutdownPrivilege	2888	explorer.exe
Token: SeShutdownPrivilege	2888	explorer.exe
Token: SeShutdownPrivilege	2888	explorer.exe

Suspicious use of FindShellTrayWindow 47 IoCs

pid	Process
2180	d538e33e460f736d6748f866ee31fdc6_JaffaCakes118.exe
2180	d538e33e460f736d6748f866ee31fdc6_JaffaCakes118.exe
2180	d538e33e460f736d6748f866ee31fdc6_JaffaCakes118.exe
2800	otkheuvhfcxibag.exe
2684	etjorygh.exe
2800	otkheuvhfcxibag.exe
2800	otkheuvhfcxibag.exe
2684	etjorygh.exe
2684	etjorygh.exe
2760	inbqvpmshi.exe
2760	inbqvpmshi.exe
2760	inbqvpmshi.exe
2172	gxbriozkrapsz.exe
2172	gxbriozkrapsz.exe
2172	gxbriozkrapsz.exe
2556	etjorygh.exe
2556	etjorygh.exe
2556	etjorygh.exe
2888	explorer.exe
2888	explorer.exe
2888	explorer.exe
2888	explorer.exe
2888	explorer.exe
2888	explorer.exe
2888	explorer.exe
2888	explorer.exe
2888	explorer.exe
2888	explorer.exe
2888	explorer.exe
2888	explorer.exe
2888	explorer.exe
2888	explorer.exe
2888	explorer.exe
2888	explorer.exe
2888	explorer.exe
2888	explorer.exe
2888	explorer.exe
2888	explorer.exe
2888	explorer.exe
2888	explorer.exe
2888	explorer.exe
2888	explorer.exe
2888	explorer.exe
2888	explorer.exe
2888	explorer.exe
2888	explorer.exe
2888	explorer.exe

Suspicious use of SendNotifyMessage 34 IoCs

pid	Process
2180	d538e33e460f736d6748f866ee31fdc6_JaffaCakes118.exe
2180	d538e33e460f736d6748f866ee31fdc6_JaffaCakes118.exe
2180	d538e33e460f736d6748f866ee31fdc6_JaffaCakes118.exe
2800	otkheuvhfcxibag.exe
2684	etjorygh.exe
2800	otkheuvhfcxibag.exe
2800	otkheuvhfcxibag.exe
2684	etjorygh.exe
2684	etjorygh.exe
2760	inbqvpmshi.exe
2760	inbqvpmshi.exe
2760	inbqvpmshi.exe
2172	gxbriozkrapsz.exe
2172	gxbriozkrapsz.exe
2172	gxbriozkrapsz.exe
2888	explorer.exe
2888	explorer.exe
2888	explorer.exe
2888	explorer.exe
2888	explorer.exe
2888	explorer.exe
2888	explorer.exe
2888	explorer.exe
2888	explorer.exe
2888	explorer.exe
2888	explorer.exe
2888	explorer.exe
2888	explorer.exe
2888	explorer.exe
2888	explorer.exe
2888	explorer.exe
2888	explorer.exe
2888	explorer.exe
2888	explorer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2612	WINWORD.EXE
2612	WINWORD.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 2760	2180	d538e33e460f736d6748f866ee31fdc6_JaffaCakes118.exe	30
PID 2180 wrote to memory of 2760	2180	d538e33e460f736d6748f866ee31fdc6_JaffaCakes118.exe	30
PID 2180 wrote to memory of 2760	2180	d538e33e460f736d6748f866ee31fdc6_JaffaCakes118.exe	30
PID 2180 wrote to memory of 2760	2180	d538e33e460f736d6748f866ee31fdc6_JaffaCakes118.exe	30
PID 2180 wrote to memory of 2800	2180	d538e33e460f736d6748f866ee31fdc6_JaffaCakes118.exe	31
PID 2180 wrote to memory of 2800	2180	d538e33e460f736d6748f866ee31fdc6_JaffaCakes118.exe	31
PID 2180 wrote to memory of 2800	2180	d538e33e460f736d6748f866ee31fdc6_JaffaCakes118.exe	31
PID 2180 wrote to memory of 2800	2180	d538e33e460f736d6748f866ee31fdc6_JaffaCakes118.exe	31
PID 2180 wrote to memory of 2684	2180	d538e33e460f736d6748f866ee31fdc6_JaffaCakes118.exe	32
PID 2180 wrote to memory of 2684	2180	d538e33e460f736d6748f866ee31fdc6_JaffaCakes118.exe	32
PID 2180 wrote to memory of 2684	2180	d538e33e460f736d6748f866ee31fdc6_JaffaCakes118.exe	32
PID 2180 wrote to memory of 2684	2180	d538e33e460f736d6748f866ee31fdc6_JaffaCakes118.exe	32
PID 2180 wrote to memory of 2172	2180	d538e33e460f736d6748f866ee31fdc6_JaffaCakes118.exe	33
PID 2180 wrote to memory of 2172	2180	d538e33e460f736d6748f866ee31fdc6_JaffaCakes118.exe	33
PID 2180 wrote to memory of 2172	2180	d538e33e460f736d6748f866ee31fdc6_JaffaCakes118.exe	33
PID 2180 wrote to memory of 2172	2180	d538e33e460f736d6748f866ee31fdc6_JaffaCakes118.exe	33
PID 2180 wrote to memory of 2612	2180	d538e33e460f736d6748f866ee31fdc6_JaffaCakes118.exe	34
PID 2180 wrote to memory of 2612	2180	d538e33e460f736d6748f866ee31fdc6_JaffaCakes118.exe	34
PID 2180 wrote to memory of 2612	2180	d538e33e460f736d6748f866ee31fdc6_JaffaCakes118.exe	34
PID 2180 wrote to memory of 2612	2180	d538e33e460f736d6748f866ee31fdc6_JaffaCakes118.exe	34
PID 2760 wrote to memory of 2556	2760	inbqvpmshi.exe	35
PID 2760 wrote to memory of 2556	2760	inbqvpmshi.exe	35
PID 2760 wrote to memory of 2556	2760	inbqvpmshi.exe	35
PID 2760 wrote to memory of 2556	2760	inbqvpmshi.exe	35
PID 2612 wrote to memory of 2072	2612	WINWORD.EXE	38
PID 2612 wrote to memory of 2072	2612	WINWORD.EXE	38
PID 2612 wrote to memory of 2072	2612	WINWORD.EXE	38
PID 2612 wrote to memory of 2072	2612	WINWORD.EXE	38

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d538e33e460f736d6748f866ee31fdc6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d538e33e460f736d6748f866ee31fdc6_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Windows\SysWOW64\inbqvpmshi.exe
  inbqvpmshi.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Windows\SysWOW64\etjorygh.exe
    C:\Windows\system32\etjorygh.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    PID:2556
- C:\Windows\SysWOW64\otkheuvhfcxibag.exe
  otkheuvhfcxibag.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2800
- C:\Windows\SysWOW64\etjorygh.exe
  etjorygh.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2684
- C:\Windows\SysWOW64\gxbriozkrapsz.exe
  gxbriozkrapsz.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2172
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:2072

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

Filesize
512KB

MD5
7d880fcd2c1f03036ee0d2bea33f4e17

SHA1
470d9547470bb61f9b3370d0f7e0e1086b9b8587

SHA256
db08f527bc92c22e25664daef3fe02a94b6a362b5918d94a992030375870f603

SHA512
c9c38b7326604de21840560ae543445ed7d177b9a8c54827ea4dd9185ebc819398876240a83e1c36fb1973e2b11c3f0649e177c2bdb23c36c8c8dda11fb245db

Download Submit
C:\Windows\SysWOW64\etjorygh.exe

Filesize
512KB

MD5
442644d06f6c8b29c7ef3479a613c697

SHA1
159709bfe8633f1f549bdc05eac17a4c0d02f724

SHA256
8ef090f95c3148f5519aa8c631d3a856c211e6e5881abced3cdf198b01f71ff7

SHA512
9d22cf2d702c2fce26da16d71de550f3302382139bdd38134e60206dadaf20f37c010a1b40183d2c657ad26d890e3fefc3eae1aa0102940b8ae898f833fb394a

Download Submit
C:\Windows\SysWOW64\gxbriozkrapsz.exe

Filesize
512KB

MD5
2e24b972042cd67cc7dfda862be80253

SHA1
c162076bfe837f9720e35de73edd10746ddcd31f

SHA256
ed6ca99926d4767f94e344bce2a81b07d47ea121834cff8eb488f3c28c95885e

SHA512
ac8889376e0f41a58688a8fc8e28d9a845309ef19bcaf236b25f35ce0a84def66fc6e639d4dc3040dabd73e4671a7f72656bd67558d88b8dfd29cc81727896ee

Download Submit
C:\Windows\SysWOW64\otkheuvhfcxibag.exe

Filesize
512KB

MD5
22efd2b7023efb38fd1200d09c12301f

SHA1
d350ec41f062f9c96260a3581edfb2eaab53c3f4

SHA256
dfbaedb3e149a69ef36ee09b34c42afacfa89b9dd3d6716f0ee3d92f017bd44d

SHA512
3c05d4ed742377ad1427bcdeb891fbf4550c7731ddda3d919db1aec103e4418074795425a1e955bb6027dd3a308c2353676ac04b717afac403ad10af24508135

Download Submit
C:\Windows\mydoc.rtf

Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\Windows\SysWOW64\inbqvpmshi.exe

Filesize
512KB

MD5
d946b7b617951396d3f85dbb6ac1f803

SHA1
b9a577339456600c1a40119db3ecc5c4d16d6fde

SHA256
36db5f6e56035ecabb5799c4f3a90cd2f7695b8f88482b6f6ec6b24dd2746d58

SHA512
d6e2514e6eb82f3d63928683232ee09650f5c12f8ffd601b7816ebed340d620d7f7601ff1df32c96885f3ea75efe4a8c12910c3e2d8d49507c9b933bb027e8fa

Download Submit
memory/2180-0-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2612-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2888-82-0x0000000003CF0000-0x0000000003D00000-memory.dmp

Filesize
64KB

Download