f9f84e12379fc963416655b06293ad85ef36d2119b5ee9ead55e8de0d437c93b

Analysis

max time kernel
150s
max time network
19s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-09-2024 20:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d5077e9ee2b6c67379407036ceb842e9_JaffaCakes118.exe
Size

512KB
MD5

d5077e9ee2b6c67379407036ceb842e9
SHA1

959beddb1063c86c18cbb81c70ddf527c05dc4c2
SHA256

f9f84e12379fc963416655b06293ad85ef36d2119b5ee9ead55e8de0d437c93b
SHA512

787a6145b231b3c608ad46a4afbd0a2d978be2df8956f392e831efb71f03204001d9c8f3bea59e7c275f6fc492f793805ffcd3bf5d1133f307ac790813ef135d
SSDEEP

6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj63:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5Y

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	bxafrmgymw.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	bxafrmgymw.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	bxafrmgymw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	bxafrmgymw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	bxafrmgymw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	bxafrmgymw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	bxafrmgymw.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	bxafrmgymw.exe

Executes dropped EXE 5 IoCs

pid	Process
2052	bxafrmgymw.exe
2800	pkltjflhvrhnaqh.exe
2872	aalcbcom.exe
2856	axgezaqgbkqfv.exe
2652	aalcbcom.exe

Loads dropped DLL 5 IoCs

pid	Process
3044	d5077e9ee2b6c67379407036ceb842e9_JaffaCakes118.exe
3044	d5077e9ee2b6c67379407036ceb842e9_JaffaCakes118.exe
3044	d5077e9ee2b6c67379407036ceb842e9_JaffaCakes118.exe
3044	d5077e9ee2b6c67379407036ceb842e9_JaffaCakes118.exe
2052	bxafrmgymw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"	bxafrmgymw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	bxafrmgymw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	bxafrmgymw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	bxafrmgymw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	bxafrmgymw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	bxafrmgymw.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\djzucyqf = "bxafrmgymw.exe"	pkltjflhvrhnaqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\pwydajnz = "pkltjflhvrhnaqh.exe"	pkltjflhvrhnaqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "axgezaqgbkqfv.exe"	pkltjflhvrhnaqh.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\y:	aalcbcom.exe
File opened (read-only)	\??\s:	bxafrmgymw.exe
File opened (read-only)	\??\u:	bxafrmgymw.exe
File opened (read-only)	\??\y:	bxafrmgymw.exe
File opened (read-only)	\??\x:	aalcbcom.exe
File opened (read-only)	\??\q:	aalcbcom.exe
File opened (read-only)	\??\p:	bxafrmgymw.exe
File opened (read-only)	\??\s:	aalcbcom.exe
File opened (read-only)	\??\u:	aalcbcom.exe
File opened (read-only)	\??\n:	aalcbcom.exe
File opened (read-only)	\??\e:	bxafrmgymw.exe
File opened (read-only)	\??\i:	bxafrmgymw.exe
File opened (read-only)	\??\a:	aalcbcom.exe
File opened (read-only)	\??\q:	aalcbcom.exe
File opened (read-only)	\??\t:	aalcbcom.exe
File opened (read-only)	\??\e:	aalcbcom.exe
File opened (read-only)	\??\k:	aalcbcom.exe
File opened (read-only)	\??\u:	aalcbcom.exe
File opened (read-only)	\??\j:	bxafrmgymw.exe
File opened (read-only)	\??\z:	bxafrmgymw.exe
File opened (read-only)	\??\g:	aalcbcom.exe
File opened (read-only)	\??\i:	aalcbcom.exe
File opened (read-only)	\??\m:	aalcbcom.exe
File opened (read-only)	\??\p:	aalcbcom.exe
File opened (read-only)	\??\a:	aalcbcom.exe
File opened (read-only)	\??\k:	bxafrmgymw.exe
File opened (read-only)	\??\l:	aalcbcom.exe
File opened (read-only)	\??\y:	aalcbcom.exe
File opened (read-only)	\??\h:	aalcbcom.exe
File opened (read-only)	\??\o:	bxafrmgymw.exe
File opened (read-only)	\??\q:	bxafrmgymw.exe
File opened (read-only)	\??\n:	aalcbcom.exe
File opened (read-only)	\??\l:	bxafrmgymw.exe
File opened (read-only)	\??\m:	aalcbcom.exe
File opened (read-only)	\??\w:	aalcbcom.exe
File opened (read-only)	\??\r:	bxafrmgymw.exe
File opened (read-only)	\??\x:	bxafrmgymw.exe
File opened (read-only)	\??\w:	aalcbcom.exe
File opened (read-only)	\??\i:	aalcbcom.exe
File opened (read-only)	\??\t:	aalcbcom.exe
File opened (read-only)	\??\x:	aalcbcom.exe
File opened (read-only)	\??\v:	bxafrmgymw.exe
File opened (read-only)	\??\r:	aalcbcom.exe
File opened (read-only)	\??\z:	aalcbcom.exe
File opened (read-only)	\??\b:	aalcbcom.exe
File opened (read-only)	\??\b:	bxafrmgymw.exe
File opened (read-only)	\??\w:	bxafrmgymw.exe
File opened (read-only)	\??\k:	aalcbcom.exe
File opened (read-only)	\??\g:	aalcbcom.exe
File opened (read-only)	\??\l:	aalcbcom.exe
File opened (read-only)	\??\a:	bxafrmgymw.exe
File opened (read-only)	\??\o:	aalcbcom.exe
File opened (read-only)	\??\r:	aalcbcom.exe
File opened (read-only)	\??\v:	aalcbcom.exe
File opened (read-only)	\??\p:	aalcbcom.exe
File opened (read-only)	\??\s:	aalcbcom.exe
File opened (read-only)	\??\v:	aalcbcom.exe
File opened (read-only)	\??\h:	bxafrmgymw.exe
File opened (read-only)	\??\n:	bxafrmgymw.exe
File opened (read-only)	\??\j:	aalcbcom.exe
File opened (read-only)	\??\o:	aalcbcom.exe
File opened (read-only)	\??\z:	aalcbcom.exe
File opened (read-only)	\??\b:	aalcbcom.exe
File opened (read-only)	\??\e:	aalcbcom.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"	bxafrmgymw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	bxafrmgymw.exe

AutoIT Executable 6 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/3044-0-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe
behavioral1/files/0x0007000000018705-9.dat	autoit_exe
behavioral1/files/0x000a000000012233-17.dat	autoit_exe
behavioral1/files/0x00230000000186b7-25.dat	autoit_exe
behavioral1/files/0x000600000001870b-38.dat	autoit_exe
behavioral1/files/0x0005000000018faa-63.dat	autoit_exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\bxafrmgymw.exe	d5077e9ee2b6c67379407036ceb842e9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\bxafrmgymw.exe	d5077e9ee2b6c67379407036ceb842e9_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\aalcbcom.exe	d5077e9ee2b6c67379407036ceb842e9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\aalcbcom.exe	d5077e9ee2b6c67379407036ceb842e9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\axgezaqgbkqfv.exe	d5077e9ee2b6c67379407036ceb842e9_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\pkltjflhvrhnaqh.exe	d5077e9ee2b6c67379407036ceb842e9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\pkltjflhvrhnaqh.exe	d5077e9ee2b6c67379407036ceb842e9_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\axgezaqgbkqfv.exe	d5077e9ee2b6c67379407036ceb842e9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	bxafrmgymw.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	aalcbcom.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	aalcbcom.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	aalcbcom.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	aalcbcom.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	aalcbcom.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	aalcbcom.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	aalcbcom.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	aalcbcom.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	aalcbcom.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	aalcbcom.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	aalcbcom.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	aalcbcom.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	aalcbcom.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	aalcbcom.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	aalcbcom.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE
File opened for modification	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\mydoc.rtf	d5077e9ee2b6c67379407036ceb842e9_JaffaCakes118.exe
File opened for modification	C:\Windows\mydoc.rtf	WINWORD.EXE
File created	C:\Windows\~$mydoc.rtf	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bxafrmgymw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pkltjflhvrhnaqh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aalcbcom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	axgezaqgbkqfv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aalcbcom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d5077e9ee2b6c67379407036ceb842e9_JaffaCakes118.exe

Office loads VBA resources, possible macro or embedded object present

Modifies registry class 19 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33412D0B9C5783596D3E76DD70212DD77D8365DE"	d5077e9ee2b6c67379407036ceb842e9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"	bxafrmgymw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsf	bxafrmgymw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile"	bxafrmgymw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"	bxafrmgymw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BB5FABFF961F2E2837A3B4786973999B389038F4360034EE1CF459A08A2"	d5077e9ee2b6c67379407036ceb842e9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E89FC8F4827856D9032D75F7E94BD95E130593566466341D6E9"	d5077e9ee2b6c67379407036ceb842e9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F56BC6FF6E22DDD273D1A78B789117"	d5077e9ee2b6c67379407036ceb842e9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsh	bxafrmgymw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile"	bxafrmgymw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsc	bxafrmgymw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"	bxafrmgymw.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLV.Classes	d5077e9ee2b6c67379407036ceb842e9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FCAB12B47E2399A53CCBAD1329AD7CB"	d5077e9ee2b6c67379407036ceb842e9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat	bxafrmgymw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile"	bxafrmgymw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193FC70F1490DABFB8BC7C97ED9037BC"	d5077e9ee2b6c67379407036ceb842e9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs	bxafrmgymw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg	bxafrmgymw.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2724	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3044	d5077e9ee2b6c67379407036ceb842e9_JaffaCakes118.exe
3044	d5077e9ee2b6c67379407036ceb842e9_JaffaCakes118.exe
3044	d5077e9ee2b6c67379407036ceb842e9_JaffaCakes118.exe
3044	d5077e9ee2b6c67379407036ceb842e9_JaffaCakes118.exe
3044	d5077e9ee2b6c67379407036ceb842e9_JaffaCakes118.exe
3044	d5077e9ee2b6c67379407036ceb842e9_JaffaCakes118.exe
3044	d5077e9ee2b6c67379407036ceb842e9_JaffaCakes118.exe
3044	d5077e9ee2b6c67379407036ceb842e9_JaffaCakes118.exe
2800	pkltjflhvrhnaqh.exe
2800	pkltjflhvrhnaqh.exe
2800	pkltjflhvrhnaqh.exe
2800	pkltjflhvrhnaqh.exe
2800	pkltjflhvrhnaqh.exe
2052	bxafrmgymw.exe
2052	bxafrmgymw.exe
2052	bxafrmgymw.exe
2052	bxafrmgymw.exe
2052	bxafrmgymw.exe
2872	aalcbcom.exe
2872	aalcbcom.exe
2872	aalcbcom.exe
2872	aalcbcom.exe
2856	axgezaqgbkqfv.exe
2856	axgezaqgbkqfv.exe
2856	axgezaqgbkqfv.exe
2856	axgezaqgbkqfv.exe
2856	axgezaqgbkqfv.exe
2856	axgezaqgbkqfv.exe
2800	pkltjflhvrhnaqh.exe
2652	aalcbcom.exe
2652	aalcbcom.exe
2652	aalcbcom.exe
2652	aalcbcom.exe
2800	pkltjflhvrhnaqh.exe
2856	axgezaqgbkqfv.exe
2856	axgezaqgbkqfv.exe
2800	pkltjflhvrhnaqh.exe
2856	axgezaqgbkqfv.exe
2856	axgezaqgbkqfv.exe
2800	pkltjflhvrhnaqh.exe
2856	axgezaqgbkqfv.exe
2856	axgezaqgbkqfv.exe
2800	pkltjflhvrhnaqh.exe
2856	axgezaqgbkqfv.exe
2856	axgezaqgbkqfv.exe
2800	pkltjflhvrhnaqh.exe
2856	axgezaqgbkqfv.exe
2856	axgezaqgbkqfv.exe
2800	pkltjflhvrhnaqh.exe
2856	axgezaqgbkqfv.exe
2856	axgezaqgbkqfv.exe
2800	pkltjflhvrhnaqh.exe
2856	axgezaqgbkqfv.exe
2856	axgezaqgbkqfv.exe
2800	pkltjflhvrhnaqh.exe
2856	axgezaqgbkqfv.exe
2856	axgezaqgbkqfv.exe
2800	pkltjflhvrhnaqh.exe
2856	axgezaqgbkqfv.exe
2856	axgezaqgbkqfv.exe
2800	pkltjflhvrhnaqh.exe
2856	axgezaqgbkqfv.exe
2856	axgezaqgbkqfv.exe
2800	pkltjflhvrhnaqh.exe

Suspicious use of FindShellTrayWindow 18 IoCs

pid	Process
3044	d5077e9ee2b6c67379407036ceb842e9_JaffaCakes118.exe
3044	d5077e9ee2b6c67379407036ceb842e9_JaffaCakes118.exe
3044	d5077e9ee2b6c67379407036ceb842e9_JaffaCakes118.exe
2800	pkltjflhvrhnaqh.exe
2052	bxafrmgymw.exe
2800	pkltjflhvrhnaqh.exe
2800	pkltjflhvrhnaqh.exe
2052	bxafrmgymw.exe
2052	bxafrmgymw.exe
2872	aalcbcom.exe
2872	aalcbcom.exe
2872	aalcbcom.exe
2856	axgezaqgbkqfv.exe
2856	axgezaqgbkqfv.exe
2856	axgezaqgbkqfv.exe
2652	aalcbcom.exe
2652	aalcbcom.exe
2652	aalcbcom.exe

Suspicious use of SendNotifyMessage 18 IoCs

pid	Process
3044	d5077e9ee2b6c67379407036ceb842e9_JaffaCakes118.exe
3044	d5077e9ee2b6c67379407036ceb842e9_JaffaCakes118.exe
3044	d5077e9ee2b6c67379407036ceb842e9_JaffaCakes118.exe
2800	pkltjflhvrhnaqh.exe
2800	pkltjflhvrhnaqh.exe
2052	bxafrmgymw.exe
2800	pkltjflhvrhnaqh.exe
2052	bxafrmgymw.exe
2052	bxafrmgymw.exe
2872	aalcbcom.exe
2872	aalcbcom.exe
2872	aalcbcom.exe
2856	axgezaqgbkqfv.exe
2856	axgezaqgbkqfv.exe
2856	axgezaqgbkqfv.exe
2652	aalcbcom.exe
2652	aalcbcom.exe
2652	aalcbcom.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2724	WINWORD.EXE
2724	WINWORD.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 2052	3044	d5077e9ee2b6c67379407036ceb842e9_JaffaCakes118.exe	29
PID 3044 wrote to memory of 2052	3044	d5077e9ee2b6c67379407036ceb842e9_JaffaCakes118.exe	29
PID 3044 wrote to memory of 2052	3044	d5077e9ee2b6c67379407036ceb842e9_JaffaCakes118.exe	29
PID 3044 wrote to memory of 2052	3044	d5077e9ee2b6c67379407036ceb842e9_JaffaCakes118.exe	29
PID 3044 wrote to memory of 2800	3044	d5077e9ee2b6c67379407036ceb842e9_JaffaCakes118.exe	30
PID 3044 wrote to memory of 2800	3044	d5077e9ee2b6c67379407036ceb842e9_JaffaCakes118.exe	30
PID 3044 wrote to memory of 2800	3044	d5077e9ee2b6c67379407036ceb842e9_JaffaCakes118.exe	30
PID 3044 wrote to memory of 2800	3044	d5077e9ee2b6c67379407036ceb842e9_JaffaCakes118.exe	30
PID 3044 wrote to memory of 2872	3044	d5077e9ee2b6c67379407036ceb842e9_JaffaCakes118.exe	31
PID 3044 wrote to memory of 2872	3044	d5077e9ee2b6c67379407036ceb842e9_JaffaCakes118.exe	31
PID 3044 wrote to memory of 2872	3044	d5077e9ee2b6c67379407036ceb842e9_JaffaCakes118.exe	31
PID 3044 wrote to memory of 2872	3044	d5077e9ee2b6c67379407036ceb842e9_JaffaCakes118.exe	31
PID 3044 wrote to memory of 2856	3044	d5077e9ee2b6c67379407036ceb842e9_JaffaCakes118.exe	32
PID 3044 wrote to memory of 2856	3044	d5077e9ee2b6c67379407036ceb842e9_JaffaCakes118.exe	32
PID 3044 wrote to memory of 2856	3044	d5077e9ee2b6c67379407036ceb842e9_JaffaCakes118.exe	32
PID 3044 wrote to memory of 2856	3044	d5077e9ee2b6c67379407036ceb842e9_JaffaCakes118.exe	32
PID 2052 wrote to memory of 2652	2052	bxafrmgymw.exe	33
PID 2052 wrote to memory of 2652	2052	bxafrmgymw.exe	33
PID 2052 wrote to memory of 2652	2052	bxafrmgymw.exe	33
PID 2052 wrote to memory of 2652	2052	bxafrmgymw.exe	33
PID 3044 wrote to memory of 2724	3044	d5077e9ee2b6c67379407036ceb842e9_JaffaCakes118.exe	34
PID 3044 wrote to memory of 2724	3044	d5077e9ee2b6c67379407036ceb842e9_JaffaCakes118.exe	34
PID 3044 wrote to memory of 2724	3044	d5077e9ee2b6c67379407036ceb842e9_JaffaCakes118.exe	34
PID 3044 wrote to memory of 2724	3044	d5077e9ee2b6c67379407036ceb842e9_JaffaCakes118.exe	34
PID 2724 wrote to memory of 1460	2724	WINWORD.EXE	36
PID 2724 wrote to memory of 1460	2724	WINWORD.EXE	36
PID 2724 wrote to memory of 1460	2724	WINWORD.EXE	36
PID 2724 wrote to memory of 1460	2724	WINWORD.EXE	36

C:\Users\Admin\AppData\Local\Temp\d5077e9ee2b6c67379407036ceb842e9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d5077e9ee2b6c67379407036ceb842e9_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Windows\SysWOW64\bxafrmgymw.exe
  bxafrmgymw.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Windows\SysWOW64\aalcbcom.exe
    C:\Windows\system32\aalcbcom.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2652
- C:\Windows\SysWOW64\pkltjflhvrhnaqh.exe
  pkltjflhvrhnaqh.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2800
- C:\Windows\SysWOW64\aalcbcom.exe
  aalcbcom.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2872
- C:\Windows\SysWOW64\axgezaqgbkqfv.exe
  axgezaqgbkqfv.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2856
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:1460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

Filesize
512KB

MD5
6db3deb1a29a46ed10d2819934c49a62

SHA1
90efaec094c73161e57a4cdd938503f30a5da7dc

SHA256
6d5ae02f51bfa777a2bb08bf1e92eb1a71c25d6eadf8c9a020d4dc5831773c66

SHA512
f11bdc706ae2104276fd086a54f29b1e06bd16876b6bbc84e0df812d599c85e0c483e2a96ea83f2d348ca9088e50c2f3d065c91abd4b5c8d36d9fbb42b945d28

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
3edb0b520ebd30d416b7fdcdf923afe8

SHA1
1ff58d76e5e52d8d8f5f993e3c09af247aabb4e3

SHA256
cb4c6c6fc7ef661295db2841f1518c99304885fd4c1c19cccc61fca3eea60455

SHA512
478e02f17be658a26276f798140bc02e1536276f548693be12f2db861ff15ac9da6db2c494c5a96d40039b05631139c0117bfe5a88449343e59650f722785272

Download Submit
C:\Windows\SysWOW64\aalcbcom.exe

Filesize
512KB

MD5
8fc01478eaab138bde4fb0eee5a3d6aa

SHA1
2e21220d0a66ae414b593faf58d86d7b50951e3d

SHA256
f6d3b0c8b4a81f2414d5a9bf626e25935f68d9d1e1af5747ab1912f8d21e4349

SHA512
71efb53e5c523e20e5a4e61e441a78470e40867f08842d17d8a5e92ed15b0c70e820a1f0db31fd74a25e5a0ced64bd0066e1e4433025b608badd78cd5ad938fe

Download Submit
C:\Windows\SysWOW64\axgezaqgbkqfv.exe

Filesize
512KB

MD5
270565203520f1d5a96b0b304f75dda0

SHA1
b0bf91884d5942bc45599842391bd53792785afd

SHA256
d7d267bd1618c973a72de7f3ab01715e600d288dddbb77dc2504394f0dde823a

SHA512
28d518ecf371a576558dc9c14e763f7a65e7907f8cbd4f804f31ed07629277af068e9c3dc2f97ec0b9e950ecaabd6a65c4547804bdea19f99bf651c2516ecf15

Download Submit
C:\Windows\SysWOW64\pkltjflhvrhnaqh.exe

Filesize
512KB

MD5
a095c3274e61a60708f7b81d8d78ba8c

SHA1
74bf1838032fa27bff677f09de6ff48a695d01c3

SHA256
2a3298e7baeefb79915a2d23adbfe21bd8e72bc5149039fb95acbe4ad7f188a0

SHA512
031e6105749026c4b06e4facb63dfdd6dad17e139f3aa36f3b344725df7d00548e573d7e92e475b6d4f85f69eb7848d20a6867bc624ce4bc7856dc958c1e9b8f

Download Submit
C:\Windows\mydoc.rtf

Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\Windows\SysWOW64\bxafrmgymw.exe

Filesize
512KB

MD5
f621e721f565b8635b4419afa35d6571

SHA1
6c90cbc2c9fa7b62c69248755406dc3168bde208

SHA256
d858638e76aa32ad93261b976b89e2e602fb358e686cbcb4f7cdff6f908f4255

SHA512
644b74f42871d545641c93994caeee420ce827c2cef1bf26deed7858d487123701a0709adba6aa62aee5d7f1af44bfc168526cea84973b48b5ee9e33f49527ef

Download Submit
memory/2724-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2724-92-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/3044-0-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download