e826ff5437728e84f7c12ba6a28d527bb45e2a8d5ef3e88933a9c99425d2aee0

Analysis

max time kernel
150s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11/09/2024, 22:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe
Size

512KB
MD5

db53214997f3f8f0ab3925730ef560aa
SHA1

831e75721a64692f52c56ba7ef8c94b09e84a927
SHA256

e826ff5437728e84f7c12ba6a28d527bb45e2a8d5ef3e88933a9c99425d2aee0
SHA512

d291e04f0e89f6e2b543793bd11a10ebf5d86a0a577a5ec11f3a05e02fd9bc9bd4ec5411cb2cbd665f2e35fe074534f72947e627de32cdc655cd2d7c13bd1424
SSDEEP

6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6X:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5m

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	ttfndoeyhz.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ttfndoeyhz.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	ttfndoeyhz.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	ttfndoeyhz.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	ttfndoeyhz.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	ttfndoeyhz.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	ttfndoeyhz.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ttfndoeyhz.exe

Executes dropped EXE 5 IoCs

pid	Process
2672	ttfndoeyhz.exe
2700	zrtkvbsokonyvcl.exe
2920	kohrgoxo.exe
2712	xrbwxjyotlisz.exe
2392	kohrgoxo.exe

Loads dropped DLL 5 IoCs

pid	Process
2648	db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe
2648	db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe
2648	db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe
2648	db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe
2672	ttfndoeyhz.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	ttfndoeyhz.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	ttfndoeyhz.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	ttfndoeyhz.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	ttfndoeyhz.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	ttfndoeyhz.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"	ttfndoeyhz.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\aqitfegy = "ttfndoeyhz.exe"	zrtkvbsokonyvcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\shxljyjx = "zrtkvbsokonyvcl.exe"	zrtkvbsokonyvcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "xrbwxjyotlisz.exe"	zrtkvbsokonyvcl.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\v:	kohrgoxo.exe
File opened (read-only)	\??\h:	ttfndoeyhz.exe
File opened (read-only)	\??\r:	ttfndoeyhz.exe
File opened (read-only)	\??\p:	kohrgoxo.exe
File opened (read-only)	\??\y:	kohrgoxo.exe
File opened (read-only)	\??\e:	ttfndoeyhz.exe
File opened (read-only)	\??\n:	ttfndoeyhz.exe
File opened (read-only)	\??\h:	kohrgoxo.exe
File opened (read-only)	\??\q:	kohrgoxo.exe
File opened (read-only)	\??\l:	kohrgoxo.exe
File opened (read-only)	\??\q:	ttfndoeyhz.exe
File opened (read-only)	\??\t:	kohrgoxo.exe
File opened (read-only)	\??\u:	kohrgoxo.exe
File opened (read-only)	\??\a:	kohrgoxo.exe
File opened (read-only)	\??\b:	kohrgoxo.exe
File opened (read-only)	\??\j:	kohrgoxo.exe
File opened (read-only)	\??\m:	kohrgoxo.exe
File opened (read-only)	\??\r:	kohrgoxo.exe
File opened (read-only)	\??\o:	kohrgoxo.exe
File opened (read-only)	\??\v:	ttfndoeyhz.exe
File opened (read-only)	\??\g:	kohrgoxo.exe
File opened (read-only)	\??\a:	ttfndoeyhz.exe
File opened (read-only)	\??\i:	ttfndoeyhz.exe
File opened (read-only)	\??\o:	ttfndoeyhz.exe
File opened (read-only)	\??\z:	ttfndoeyhz.exe
File opened (read-only)	\??\v:	kohrgoxo.exe
File opened (read-only)	\??\l:	kohrgoxo.exe
File opened (read-only)	\??\x:	kohrgoxo.exe
File opened (read-only)	\??\g:	kohrgoxo.exe
File opened (read-only)	\??\t:	ttfndoeyhz.exe
File opened (read-only)	\??\u:	ttfndoeyhz.exe
File opened (read-only)	\??\y:	ttfndoeyhz.exe
File opened (read-only)	\??\j:	kohrgoxo.exe
File opened (read-only)	\??\p:	kohrgoxo.exe
File opened (read-only)	\??\p:	ttfndoeyhz.exe
File opened (read-only)	\??\w:	ttfndoeyhz.exe
File opened (read-only)	\??\w:	kohrgoxo.exe
File opened (read-only)	\??\s:	kohrgoxo.exe
File opened (read-only)	\??\j:	ttfndoeyhz.exe
File opened (read-only)	\??\m:	ttfndoeyhz.exe
File opened (read-only)	\??\s:	ttfndoeyhz.exe
File opened (read-only)	\??\x:	ttfndoeyhz.exe
File opened (read-only)	\??\a:	kohrgoxo.exe
File opened (read-only)	\??\o:	kohrgoxo.exe
File opened (read-only)	\??\i:	kohrgoxo.exe
File opened (read-only)	\??\y:	kohrgoxo.exe
File opened (read-only)	\??\l:	ttfndoeyhz.exe
File opened (read-only)	\??\e:	kohrgoxo.exe
File opened (read-only)	\??\k:	kohrgoxo.exe
File opened (read-only)	\??\n:	kohrgoxo.exe
File opened (read-only)	\??\q:	kohrgoxo.exe
File opened (read-only)	\??\w:	kohrgoxo.exe
File opened (read-only)	\??\z:	kohrgoxo.exe
File opened (read-only)	\??\s:	kohrgoxo.exe
File opened (read-only)	\??\b:	ttfndoeyhz.exe
File opened (read-only)	\??\b:	kohrgoxo.exe
File opened (read-only)	\??\e:	kohrgoxo.exe
File opened (read-only)	\??\m:	kohrgoxo.exe
File opened (read-only)	\??\r:	kohrgoxo.exe
File opened (read-only)	\??\t:	kohrgoxo.exe
File opened (read-only)	\??\u:	kohrgoxo.exe
File opened (read-only)	\??\h:	kohrgoxo.exe
File opened (read-only)	\??\k:	kohrgoxo.exe
File opened (read-only)	\??\g:	ttfndoeyhz.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"	ttfndoeyhz.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	ttfndoeyhz.exe

AutoIT Executable 7 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2648-0-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe
behavioral1/files/0x0006000000018687-9.dat	autoit_exe
behavioral1/files/0x000b00000001227d-17.dat	autoit_exe
behavioral1/files/0x000f00000001866e-26.dat	autoit_exe
behavioral1/files/0x0007000000018c1a-37.dat	autoit_exe
behavioral1/files/0x000700000001903b-64.dat	autoit_exe
behavioral1/files/0x00080000000190ce-66.dat	autoit_exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\xrbwxjyotlisz.exe	db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ttfndoeyhz.exe	db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\zrtkvbsokonyvcl.exe	db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\kohrgoxo.exe	db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xrbwxjyotlisz.exe	db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\ttfndoeyhz.exe	db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\zrtkvbsokonyvcl.exe	db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\kohrgoxo.exe	db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	ttfndoeyhz.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	kohrgoxo.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	kohrgoxo.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	kohrgoxo.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	kohrgoxo.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	kohrgoxo.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	kohrgoxo.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	kohrgoxo.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	kohrgoxo.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	kohrgoxo.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	kohrgoxo.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	kohrgoxo.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	kohrgoxo.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	kohrgoxo.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	kohrgoxo.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	kohrgoxo.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\mydoc.rtf	db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe
File opened for modification	C:\Windows\mydoc.rtf	WINWORD.EXE
File created	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE
File opened for modification	C:\Windows\~$mydoc.rtf	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xrbwxjyotlisz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kohrgoxo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kohrgoxo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ttfndoeyhz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zrtkvbsokonyvcl.exe

Office loads VBA resources, possible macro or embedded object present

Modifies registry class 19 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs	ttfndoeyhz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"	ttfndoeyhz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F068B4FE6D22DCD209D0D28A7E9063"	db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"	ttfndoeyhz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile"	ttfndoeyhz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile"	ttfndoeyhz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"	ttfndoeyhz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32472D7C9C5683516A4176A670232DD77D8665AA"	db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193AC6791493DAB7B8CE7F92ED9437BA"	db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsh	ttfndoeyhz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsf	ttfndoeyhz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile"	ttfndoeyhz.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLV.Classes	db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BBFF9CDFE10F192840F3B43819839E5B0FB02FB4366024BE2C8429C08A6"	db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC0B15A47E6389953C9BADD339DD7C9"	db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsc	ttfndoeyhz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FF9FCFC485D826F9030D72D7E9CBDE2E636594B674E6246D69E"	db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat	ttfndoeyhz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg	ttfndoeyhz.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1332	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2648	db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe
2648	db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe
2648	db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe
2648	db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe
2648	db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe
2648	db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe
2648	db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe
2648	db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe
2672	ttfndoeyhz.exe
2672	ttfndoeyhz.exe
2672	ttfndoeyhz.exe
2672	ttfndoeyhz.exe
2672	ttfndoeyhz.exe
2700	zrtkvbsokonyvcl.exe
2700	zrtkvbsokonyvcl.exe
2700	zrtkvbsokonyvcl.exe
2700	zrtkvbsokonyvcl.exe
2700	zrtkvbsokonyvcl.exe
2712	xrbwxjyotlisz.exe
2712	xrbwxjyotlisz.exe
2712	xrbwxjyotlisz.exe
2712	xrbwxjyotlisz.exe
2712	xrbwxjyotlisz.exe
2712	xrbwxjyotlisz.exe
2920	kohrgoxo.exe
2920	kohrgoxo.exe
2920	kohrgoxo.exe
2920	kohrgoxo.exe
2700	zrtkvbsokonyvcl.exe
2392	kohrgoxo.exe
2392	kohrgoxo.exe
2392	kohrgoxo.exe
2392	kohrgoxo.exe
2700	zrtkvbsokonyvcl.exe
2712	xrbwxjyotlisz.exe
2712	xrbwxjyotlisz.exe
2700	zrtkvbsokonyvcl.exe
2712	xrbwxjyotlisz.exe
2712	xrbwxjyotlisz.exe
2700	zrtkvbsokonyvcl.exe
2712	xrbwxjyotlisz.exe
2712	xrbwxjyotlisz.exe
2700	zrtkvbsokonyvcl.exe
2712	xrbwxjyotlisz.exe
2712	xrbwxjyotlisz.exe
2700	zrtkvbsokonyvcl.exe
2712	xrbwxjyotlisz.exe
2712	xrbwxjyotlisz.exe
2700	zrtkvbsokonyvcl.exe
2712	xrbwxjyotlisz.exe
2712	xrbwxjyotlisz.exe
2700	zrtkvbsokonyvcl.exe
2712	xrbwxjyotlisz.exe
2712	xrbwxjyotlisz.exe
2700	zrtkvbsokonyvcl.exe
2712	xrbwxjyotlisz.exe
2712	xrbwxjyotlisz.exe
2700	zrtkvbsokonyvcl.exe
2712	xrbwxjyotlisz.exe
2712	xrbwxjyotlisz.exe
2700	zrtkvbsokonyvcl.exe
2712	xrbwxjyotlisz.exe
2712	xrbwxjyotlisz.exe
2700	zrtkvbsokonyvcl.exe

Suspicious use of FindShellTrayWindow 18 IoCs

pid	Process
2648	db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe
2648	db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe
2648	db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe
2672	ttfndoeyhz.exe
2672	ttfndoeyhz.exe
2672	ttfndoeyhz.exe
2700	zrtkvbsokonyvcl.exe
2700	zrtkvbsokonyvcl.exe
2700	zrtkvbsokonyvcl.exe
2712	xrbwxjyotlisz.exe
2712	xrbwxjyotlisz.exe
2712	xrbwxjyotlisz.exe
2920	kohrgoxo.exe
2920	kohrgoxo.exe
2920	kohrgoxo.exe
2392	kohrgoxo.exe
2392	kohrgoxo.exe
2392	kohrgoxo.exe

Suspicious use of SendNotifyMessage 18 IoCs

pid	Process
2648	db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe
2648	db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe
2648	db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe
2672	ttfndoeyhz.exe
2672	ttfndoeyhz.exe
2672	ttfndoeyhz.exe
2700	zrtkvbsokonyvcl.exe
2700	zrtkvbsokonyvcl.exe
2700	zrtkvbsokonyvcl.exe
2712	xrbwxjyotlisz.exe
2712	xrbwxjyotlisz.exe
2712	xrbwxjyotlisz.exe
2920	kohrgoxo.exe
2920	kohrgoxo.exe
2920	kohrgoxo.exe
2392	kohrgoxo.exe
2392	kohrgoxo.exe
2392	kohrgoxo.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1332	WINWORD.EXE
1332	WINWORD.EXE

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 2672	2648	db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2672	2648	db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2672	2648	db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2672	2648	db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2700	2648	db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe	31
PID 2648 wrote to memory of 2700	2648	db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe	31
PID 2648 wrote to memory of 2700	2648	db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe	31
PID 2648 wrote to memory of 2700	2648	db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe	31
PID 2648 wrote to memory of 2920	2648	db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe	32
PID 2648 wrote to memory of 2920	2648	db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe	32
PID 2648 wrote to memory of 2920	2648	db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe	32
PID 2648 wrote to memory of 2920	2648	db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe	32
PID 2648 wrote to memory of 2712	2648	db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe	33
PID 2648 wrote to memory of 2712	2648	db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe	33
PID 2648 wrote to memory of 2712	2648	db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe	33
PID 2648 wrote to memory of 2712	2648	db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe	33
PID 2700 wrote to memory of 2560	2700	zrtkvbsokonyvcl.exe	34
PID 2700 wrote to memory of 2560	2700	zrtkvbsokonyvcl.exe	34
PID 2700 wrote to memory of 2560	2700	zrtkvbsokonyvcl.exe	34
PID 2700 wrote to memory of 2560	2700	zrtkvbsokonyvcl.exe	34
PID 2672 wrote to memory of 2392	2672	ttfndoeyhz.exe	36
PID 2672 wrote to memory of 2392	2672	ttfndoeyhz.exe	36
PID 2672 wrote to memory of 2392	2672	ttfndoeyhz.exe	36
PID 2672 wrote to memory of 2392	2672	ttfndoeyhz.exe	36
PID 2648 wrote to memory of 1332	2648	db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe	37
PID 2648 wrote to memory of 1332	2648	db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe	37
PID 2648 wrote to memory of 1332	2648	db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe	37
PID 2648 wrote to memory of 1332	2648	db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe	37
PID 1332 wrote to memory of 2176	1332	WINWORD.EXE	39
PID 1332 wrote to memory of 2176	1332	WINWORD.EXE	39
PID 1332 wrote to memory of 2176	1332	WINWORD.EXE	39
PID 1332 wrote to memory of 2176	1332	WINWORD.EXE	39

C:\Users\Admin\AppData\Local\Temp\db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\db53214997f3f8f0ab3925730ef560aa_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Windows\SysWOW64\ttfndoeyhz.exe
  ttfndoeyhz.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Windows\SysWOW64\kohrgoxo.exe
    C:\Windows\system32\kohrgoxo.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2392
- C:\Windows\SysWOW64\zrtkvbsokonyvcl.exe
  zrtkvbsokonyvcl.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c xrbwxjyotlisz.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2560
- C:\Windows\SysWOW64\kohrgoxo.exe
  kohrgoxo.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2920
- C:\Windows\SysWOW64\xrbwxjyotlisz.exe
  xrbwxjyotlisz.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2712
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1332
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

Filesize
512KB

MD5
9e63186dbf08447df27196f5023480b6

SHA1
2fd62e4864b53b04e0fe717515abfac2b2113d1b

SHA256
00e3ab31e1a01ed7f0797532840fe977542e3630921a5e320dd1716d9728000a

SHA512
12eae0ad8940b4fa96715f592bedb6bcce2342c5106dff1294bc6f953f42343cddc7902b55d126312fb4547429b1c7903e2a1b524a8d507c638bd081c6fa5d7f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

Filesize
512KB

MD5
0b5b2af81f3eb23247614c47a957ca25

SHA1
42eed20bf764ae3eec13991d383cc85752cedfa8

SHA256
e7425be937df883f1d005cdb2aad08acb4860b2c9f7015f7088b1c83f0c04dd5

SHA512
86a6d9b0cc1f7ff0e1cb52b30e20e89b43705adfe2207da92008fce2ba947d36cc2ac31f09ac158cea691181308784dabdef25d23f41dd678e1429ce8b3ce409

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
907cf5bea434483263549ca667b5bf57

SHA1
a6de4ea57574f89fca2f307929e5396c10766b09

SHA256
4499121e3704dcdad43a9c9586b06495a2d9a49bb235800792ad7f081527d75e

SHA512
b5357a4ab03ea4e5263dc4f03ce9356c2eccdf7f6c1a06d29a79b63d81487119ce1d2f8997f24e44f2948f5636805a852b9c89d7931c64903928ef62addbbb66

Download Submit
C:\Windows\SysWOW64\kohrgoxo.exe

Filesize
512KB

MD5
361a6ea7d8d9678109b583ed6d0f24f7

SHA1
83d65550f5481536fe75242341f8338ea74584da

SHA256
cd6aab0ab38b936a4b34960e1644c3cf1a5282e793cd9636a93e4658cd632679

SHA512
67ea7d7a9eb5281faff447026b5ff13d4297d5f3eb4be3a90e262f95f47506f09efed88031416cfbc669230aed97882e3a820568d1f815cb8915c869e4bf667b

Download Submit
C:\Windows\SysWOW64\xrbwxjyotlisz.exe

Filesize
512KB

MD5
7365ae04a6591200f1364e9e147328a4

SHA1
dd5499c4ca84080953365d81615cb010f7400ff3

SHA256
25d4f3d6b7e9fe91219b01943416ebd54aa9a31a5434c6e22d8c56ae11acb12d

SHA512
6902caaee2714ef00cd52626e214de2e458eb3ad6ee8e0865fa11f218a38fb8a8987c7137e92baebd242d3064beecefb315d82bf46590b1ab97519572f2a7fac

Download Submit
C:\Windows\SysWOW64\zrtkvbsokonyvcl.exe

Filesize
512KB

MD5
f52b484b214e5d97d95887abd2ba9804

SHA1
3f3bc546b432ae5e27ad9fb6d084ef61d8ed3bda

SHA256
e5715e6cf5b86b6a28c92e49e834bc181078e2169b85dee85ecef6e773d0ba7f

SHA512
9e393bf2f832d9d9f6a383dce3d445a0495f1c401adbc6a8a61581a338a304aede1988e0e45513839c8657c08faa34d8426bffd96bfb1255f79275289c9f1ed0

Download Submit
C:\Windows\mydoc.rtf

Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\Windows\SysWOW64\ttfndoeyhz.exe

Filesize
512KB

MD5
9d7c7ec29ace7c35fc47688b902c79c0

SHA1
2b042b259204cb28635de6b18940ec0bcba12897

SHA256
f7b666bb49b0fe643f976481676d23ad1ff958fa9b5c5f4f18e405090dd50aa8

SHA512
134888ee0b1e71d5a39e25bf7727f2c5d8020e15758c53b1c097f5efe7185b9d0f888faac4cd92ffa05feb32063e65cbf1c909664fcc05a0a99304819410b60b

Download Submit
memory/1332-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1332-95-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2648-0-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download