0f29f56c758f31c8b6e9b8a0fcef131cdafb15b2043668c8d9ff78232e4b8687

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15-09-2024 03:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e1a8522da7f5ba70e6e1f9027f8e378c_JaffaCakes118.exe
Size

512KB
MD5

e1a8522da7f5ba70e6e1f9027f8e378c
SHA1

4932e47d861af95d0c35993976e210e324c03b24
SHA256

0f29f56c758f31c8b6e9b8a0fcef131cdafb15b2043668c8d9ff78232e4b8687
SHA512

153e5416c97a284047a123f950d87cebb4bb89ee39cda85240f05486c0b8530661dc5ab872f537d8fa8fea80f11af058ae1b441460ba518f32f697827d08f2e2
SSDEEP

6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6b:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5Q

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	hntmyehtfz.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hntmyehtfz.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	hntmyehtfz.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	hntmyehtfz.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	hntmyehtfz.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	hntmyehtfz.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	hntmyehtfz.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	hntmyehtfz.exe

Executes dropped EXE 5 IoCs

pid	Process
2696	hntmyehtfz.exe
2892	laewcgehfcxhsuw.exe
2944	wykfvfhv.exe
2868	pprgjxypswymv.exe
2316	wykfvfhv.exe

Loads dropped DLL 5 IoCs

pid	Process
3020	e1a8522da7f5ba70e6e1f9027f8e378c_JaffaCakes118.exe
3020	e1a8522da7f5ba70e6e1f9027f8e378c_JaffaCakes118.exe
3020	e1a8522da7f5ba70e6e1f9027f8e378c_JaffaCakes118.exe
3020	e1a8522da7f5ba70e6e1f9027f8e378c_JaffaCakes118.exe
2696	hntmyehtfz.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	hntmyehtfz.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	hntmyehtfz.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	hntmyehtfz.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	hntmyehtfz.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	hntmyehtfz.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"	hntmyehtfz.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\emwbcmzp = "hntmyehtfz.exe"	laewcgehfcxhsuw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wgevixrn = "laewcgehfcxhsuw.exe"	laewcgehfcxhsuw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "pprgjxypswymv.exe"	laewcgehfcxhsuw.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\m:	wykfvfhv.exe
File opened (read-only)	\??\k:	hntmyehtfz.exe
File opened (read-only)	\??\l:	hntmyehtfz.exe
File opened (read-only)	\??\p:	hntmyehtfz.exe
File opened (read-only)	\??\q:	wykfvfhv.exe
File opened (read-only)	\??\u:	wykfvfhv.exe
File opened (read-only)	\??\a:	wykfvfhv.exe
File opened (read-only)	\??\o:	wykfvfhv.exe
File opened (read-only)	\??\q:	wykfvfhv.exe
File opened (read-only)	\??\a:	hntmyehtfz.exe
File opened (read-only)	\??\k:	wykfvfhv.exe
File opened (read-only)	\??\y:	wykfvfhv.exe
File opened (read-only)	\??\w:	wykfvfhv.exe
File opened (read-only)	\??\z:	wykfvfhv.exe
File opened (read-only)	\??\o:	hntmyehtfz.exe
File opened (read-only)	\??\v:	wykfvfhv.exe
File opened (read-only)	\??\j:	hntmyehtfz.exe
File opened (read-only)	\??\a:	wykfvfhv.exe
File opened (read-only)	\??\o:	wykfvfhv.exe
File opened (read-only)	\??\w:	wykfvfhv.exe
File opened (read-only)	\??\n:	hntmyehtfz.exe
File opened (read-only)	\??\w:	hntmyehtfz.exe
File opened (read-only)	\??\b:	wykfvfhv.exe
File opened (read-only)	\??\g:	wykfvfhv.exe
File opened (read-only)	\??\e:	wykfvfhv.exe
File opened (read-only)	\??\n:	wykfvfhv.exe
File opened (read-only)	\??\v:	wykfvfhv.exe
File opened (read-only)	\??\u:	hntmyehtfz.exe
File opened (read-only)	\??\n:	wykfvfhv.exe
File opened (read-only)	\??\r:	wykfvfhv.exe
File opened (read-only)	\??\v:	hntmyehtfz.exe
File opened (read-only)	\??\x:	hntmyehtfz.exe
File opened (read-only)	\??\z:	hntmyehtfz.exe
File opened (read-only)	\??\t:	wykfvfhv.exe
File opened (read-only)	\??\h:	wykfvfhv.exe
File opened (read-only)	\??\x:	wykfvfhv.exe
File opened (read-only)	\??\p:	wykfvfhv.exe
File opened (read-only)	\??\r:	hntmyehtfz.exe
File opened (read-only)	\??\i:	wykfvfhv.exe
File opened (read-only)	\??\s:	wykfvfhv.exe
File opened (read-only)	\??\k:	wykfvfhv.exe
File opened (read-only)	\??\y:	wykfvfhv.exe
File opened (read-only)	\??\m:	hntmyehtfz.exe
File opened (read-only)	\??\s:	hntmyehtfz.exe
File opened (read-only)	\??\t:	hntmyehtfz.exe
File opened (read-only)	\??\y:	hntmyehtfz.exe
File opened (read-only)	\??\b:	wykfvfhv.exe
File opened (read-only)	\??\e:	wykfvfhv.exe
File opened (read-only)	\??\j:	wykfvfhv.exe
File opened (read-only)	\??\l:	wykfvfhv.exe
File opened (read-only)	\??\p:	wykfvfhv.exe
File opened (read-only)	\??\g:	wykfvfhv.exe
File opened (read-only)	\??\j:	wykfvfhv.exe
File opened (read-only)	\??\s:	wykfvfhv.exe
File opened (read-only)	\??\g:	hntmyehtfz.exe
File opened (read-only)	\??\b:	hntmyehtfz.exe
File opened (read-only)	\??\q:	hntmyehtfz.exe
File opened (read-only)	\??\l:	wykfvfhv.exe
File opened (read-only)	\??\h:	wykfvfhv.exe
File opened (read-only)	\??\z:	wykfvfhv.exe
File opened (read-only)	\??\x:	wykfvfhv.exe
File opened (read-only)	\??\e:	hntmyehtfz.exe
File opened (read-only)	\??\h:	hntmyehtfz.exe
File opened (read-only)	\??\i:	wykfvfhv.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"	hntmyehtfz.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	hntmyehtfz.exe

AutoIT Executable 7 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/3020-0-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe
behavioral1/files/0x0008000000016ce1-9.dat	autoit_exe
behavioral1/files/0x0008000000016c8c-21.dat	autoit_exe
behavioral1/files/0x0005000000010300-20.dat	autoit_exe
behavioral1/files/0x0007000000016d36-41.dat	autoit_exe
behavioral1/files/0x0002000000003d25-63.dat	autoit_exe
behavioral1/files/0x0002000000003d26-69.dat	autoit_exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\hntmyehtfz.exe	e1a8522da7f5ba70e6e1f9027f8e378c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\laewcgehfcxhsuw.exe	e1a8522da7f5ba70e6e1f9027f8e378c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\laewcgehfcxhsuw.exe	e1a8522da7f5ba70e6e1f9027f8e378c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	hntmyehtfz.exe
File created	C:\Windows\SysWOW64\hntmyehtfz.exe	e1a8522da7f5ba70e6e1f9027f8e378c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wykfvfhv.exe	e1a8522da7f5ba70e6e1f9027f8e378c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wykfvfhv.exe	e1a8522da7f5ba70e6e1f9027f8e378c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\pprgjxypswymv.exe	e1a8522da7f5ba70e6e1f9027f8e378c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\pprgjxypswymv.exe	e1a8522da7f5ba70e6e1f9027f8e378c_JaffaCakes118.exe

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	wykfvfhv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	wykfvfhv.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	wykfvfhv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	wykfvfhv.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	wykfvfhv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	wykfvfhv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	wykfvfhv.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	wykfvfhv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	wykfvfhv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	wykfvfhv.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	wykfvfhv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	wykfvfhv.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	wykfvfhv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	wykfvfhv.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\mydoc.rtf	e1a8522da7f5ba70e6e1f9027f8e378c_JaffaCakes118.exe
File opened for modification	C:\Windows\mydoc.rtf	WINWORD.EXE
File created	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1a8522da7f5ba70e6e1f9027f8e378c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hntmyehtfz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	laewcgehfcxhsuw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wykfvfhv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pprgjxypswymv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wykfvfhv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Modifies registry class 24 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AB9FACCF913F2E783083B46869E3999B089028C42600348E2CD459E09D4"	e1a8522da7f5ba70e6e1f9027f8e378c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193EC60F15E7DBC4B8CD7F95ECE734C7"	e1a8522da7f5ba70e6e1f9027f8e378c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs	hntmyehtfz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"	hntmyehtfz.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat	hntmyehtfz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsf	hntmyehtfz.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_Classes\Local Settings	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"	hntmyehtfz.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLV.Classes	e1a8522da7f5ba70e6e1f9027f8e378c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8EFCFE4F5D856F9132D62F7E9CBC94E6315840664E6333D6E9"	e1a8522da7f5ba70e6e1f9027f8e378c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F46BB8FF1A21DAD273D0A38B08906A"	e1a8522da7f5ba70e6e1f9027f8e378c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile"	hntmyehtfz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg	hntmyehtfz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsc	hntmyehtfz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile"	hntmyehtfz.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33322C769D2D83526D3576D5702E2DDA7DF165AA"	e1a8522da7f5ba70e6e1f9027f8e378c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB5B05847E5399D52C8BAD4329DD4B9"	e1a8522da7f5ba70e6e1f9027f8e378c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"	hntmyehtfz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsh	hntmyehtfz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile"	hntmyehtfz.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1732	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3020	e1a8522da7f5ba70e6e1f9027f8e378c_JaffaCakes118.exe
3020	e1a8522da7f5ba70e6e1f9027f8e378c_JaffaCakes118.exe
3020	e1a8522da7f5ba70e6e1f9027f8e378c_JaffaCakes118.exe
3020	e1a8522da7f5ba70e6e1f9027f8e378c_JaffaCakes118.exe
3020	e1a8522da7f5ba70e6e1f9027f8e378c_JaffaCakes118.exe
3020	e1a8522da7f5ba70e6e1f9027f8e378c_JaffaCakes118.exe
3020	e1a8522da7f5ba70e6e1f9027f8e378c_JaffaCakes118.exe
3020	e1a8522da7f5ba70e6e1f9027f8e378c_JaffaCakes118.exe
2892	laewcgehfcxhsuw.exe
2892	laewcgehfcxhsuw.exe
2892	laewcgehfcxhsuw.exe
2892	laewcgehfcxhsuw.exe
2892	laewcgehfcxhsuw.exe
2696	hntmyehtfz.exe
2696	hntmyehtfz.exe
2696	hntmyehtfz.exe
2696	hntmyehtfz.exe
2696	hntmyehtfz.exe
2944	wykfvfhv.exe
2944	wykfvfhv.exe
2944	wykfvfhv.exe
2944	wykfvfhv.exe
2868	pprgjxypswymv.exe
2868	pprgjxypswymv.exe
2868	pprgjxypswymv.exe
2868	pprgjxypswymv.exe
2868	pprgjxypswymv.exe
2868	pprgjxypswymv.exe
2316	wykfvfhv.exe
2316	wykfvfhv.exe
2316	wykfvfhv.exe
2316	wykfvfhv.exe
2892	laewcgehfcxhsuw.exe
2868	pprgjxypswymv.exe
2868	pprgjxypswymv.exe
2892	laewcgehfcxhsuw.exe
2892	laewcgehfcxhsuw.exe
2868	pprgjxypswymv.exe
2868	pprgjxypswymv.exe
2892	laewcgehfcxhsuw.exe
2868	pprgjxypswymv.exe
2868	pprgjxypswymv.exe
2892	laewcgehfcxhsuw.exe
2868	pprgjxypswymv.exe
2868	pprgjxypswymv.exe
2892	laewcgehfcxhsuw.exe
2868	pprgjxypswymv.exe
2868	pprgjxypswymv.exe
2892	laewcgehfcxhsuw.exe
2868	pprgjxypswymv.exe
2868	pprgjxypswymv.exe
2892	laewcgehfcxhsuw.exe
2868	pprgjxypswymv.exe
2868	pprgjxypswymv.exe
2892	laewcgehfcxhsuw.exe
2868	pprgjxypswymv.exe
2868	pprgjxypswymv.exe
2892	laewcgehfcxhsuw.exe
2868	pprgjxypswymv.exe
2868	pprgjxypswymv.exe
2892	laewcgehfcxhsuw.exe
2868	pprgjxypswymv.exe
2868	pprgjxypswymv.exe
2892	laewcgehfcxhsuw.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1468	explorer.exe
Token: SeShutdownPrivilege	1468	explorer.exe
Token: SeShutdownPrivilege	1468	explorer.exe
Token: SeShutdownPrivilege	1468	explorer.exe
Token: SeShutdownPrivilege	1468	explorer.exe
Token: SeShutdownPrivilege	1468	explorer.exe
Token: SeShutdownPrivilege	1468	explorer.exe
Token: SeShutdownPrivilege	1468	explorer.exe
Token: SeShutdownPrivilege	1468	explorer.exe
Token: SeShutdownPrivilege	1468	explorer.exe
Token: SeShutdownPrivilege	1468	explorer.exe
Token: SeShutdownPrivilege	1468	explorer.exe

Suspicious use of FindShellTrayWindow 47 IoCs

pid	Process
3020	e1a8522da7f5ba70e6e1f9027f8e378c_JaffaCakes118.exe
3020	e1a8522da7f5ba70e6e1f9027f8e378c_JaffaCakes118.exe
3020	e1a8522da7f5ba70e6e1f9027f8e378c_JaffaCakes118.exe
2696	hntmyehtfz.exe
2696	hntmyehtfz.exe
2696	hntmyehtfz.exe
2892	laewcgehfcxhsuw.exe
2892	laewcgehfcxhsuw.exe
2892	laewcgehfcxhsuw.exe
2944	wykfvfhv.exe
2944	wykfvfhv.exe
2944	wykfvfhv.exe
2868	pprgjxypswymv.exe
2868	pprgjxypswymv.exe
2868	pprgjxypswymv.exe
2316	wykfvfhv.exe
2316	wykfvfhv.exe
2316	wykfvfhv.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe

Suspicious use of SendNotifyMessage 33 IoCs

pid	Process
3020	e1a8522da7f5ba70e6e1f9027f8e378c_JaffaCakes118.exe
3020	e1a8522da7f5ba70e6e1f9027f8e378c_JaffaCakes118.exe
3020	e1a8522da7f5ba70e6e1f9027f8e378c_JaffaCakes118.exe
2696	hntmyehtfz.exe
2696	hntmyehtfz.exe
2696	hntmyehtfz.exe
2892	laewcgehfcxhsuw.exe
2892	laewcgehfcxhsuw.exe
2892	laewcgehfcxhsuw.exe
2944	wykfvfhv.exe
2944	wykfvfhv.exe
2944	wykfvfhv.exe
2868	pprgjxypswymv.exe
2868	pprgjxypswymv.exe
2868	pprgjxypswymv.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1732	WINWORD.EXE
1732	WINWORD.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 3020 wrote to memory of 2696	3020	e1a8522da7f5ba70e6e1f9027f8e378c_JaffaCakes118.exe	30
PID 3020 wrote to memory of 2696	3020	e1a8522da7f5ba70e6e1f9027f8e378c_JaffaCakes118.exe	30
PID 3020 wrote to memory of 2696	3020	e1a8522da7f5ba70e6e1f9027f8e378c_JaffaCakes118.exe	30
PID 3020 wrote to memory of 2696	3020	e1a8522da7f5ba70e6e1f9027f8e378c_JaffaCakes118.exe	30
PID 3020 wrote to memory of 2892	3020	e1a8522da7f5ba70e6e1f9027f8e378c_JaffaCakes118.exe	31
PID 3020 wrote to memory of 2892	3020	e1a8522da7f5ba70e6e1f9027f8e378c_JaffaCakes118.exe	31
PID 3020 wrote to memory of 2892	3020	e1a8522da7f5ba70e6e1f9027f8e378c_JaffaCakes118.exe	31
PID 3020 wrote to memory of 2892	3020	e1a8522da7f5ba70e6e1f9027f8e378c_JaffaCakes118.exe	31
PID 3020 wrote to memory of 2944	3020	e1a8522da7f5ba70e6e1f9027f8e378c_JaffaCakes118.exe	32
PID 3020 wrote to memory of 2944	3020	e1a8522da7f5ba70e6e1f9027f8e378c_JaffaCakes118.exe	32
PID 3020 wrote to memory of 2944	3020	e1a8522da7f5ba70e6e1f9027f8e378c_JaffaCakes118.exe	32
PID 3020 wrote to memory of 2944	3020	e1a8522da7f5ba70e6e1f9027f8e378c_JaffaCakes118.exe	32
PID 3020 wrote to memory of 2868	3020	e1a8522da7f5ba70e6e1f9027f8e378c_JaffaCakes118.exe	33
PID 3020 wrote to memory of 2868	3020	e1a8522da7f5ba70e6e1f9027f8e378c_JaffaCakes118.exe	33
PID 3020 wrote to memory of 2868	3020	e1a8522da7f5ba70e6e1f9027f8e378c_JaffaCakes118.exe	33
PID 3020 wrote to memory of 2868	3020	e1a8522da7f5ba70e6e1f9027f8e378c_JaffaCakes118.exe	33
PID 2696 wrote to memory of 2316	2696	hntmyehtfz.exe	34
PID 2696 wrote to memory of 2316	2696	hntmyehtfz.exe	34
PID 2696 wrote to memory of 2316	2696	hntmyehtfz.exe	34
PID 2696 wrote to memory of 2316	2696	hntmyehtfz.exe	34
PID 3020 wrote to memory of 1732	3020	e1a8522da7f5ba70e6e1f9027f8e378c_JaffaCakes118.exe	35
PID 3020 wrote to memory of 1732	3020	e1a8522da7f5ba70e6e1f9027f8e378c_JaffaCakes118.exe	35
PID 3020 wrote to memory of 1732	3020	e1a8522da7f5ba70e6e1f9027f8e378c_JaffaCakes118.exe	35
PID 3020 wrote to memory of 1732	3020	e1a8522da7f5ba70e6e1f9027f8e378c_JaffaCakes118.exe	35
PID 1732 wrote to memory of 2376	1732	WINWORD.EXE	38
PID 1732 wrote to memory of 2376	1732	WINWORD.EXE	38
PID 1732 wrote to memory of 2376	1732	WINWORD.EXE	38
PID 1732 wrote to memory of 2376	1732	WINWORD.EXE	38

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e1a8522da7f5ba70e6e1f9027f8e378c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e1a8522da7f5ba70e6e1f9027f8e378c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Windows\SysWOW64\hntmyehtfz.exe
  hntmyehtfz.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Windows\SysWOW64\wykfvfhv.exe
    C:\Windows\system32\wykfvfhv.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    PID:2316
- C:\Windows\SysWOW64\laewcgehfcxhsuw.exe
  laewcgehfcxhsuw.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2892
- C:\Windows\SysWOW64\wykfvfhv.exe
  wykfvfhv.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2944
- C:\Windows\SysWOW64\pprgjxypswymv.exe
  pprgjxypswymv.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2868
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1732
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:2376

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

Filesize
512KB

MD5
3032614e5596f699856d978d17590a1f

SHA1
61ba739808833049433697214d34730bd7619e30

SHA256
e4b59f01cadcaa43a0b0de8841dc28d765ef96a96d69a81d40b8aaeae31e7c8f

SHA512
019523a552e80ddf32c05e3ce8679470727d981bb8b90125fd6d19362adbc307d7a62b92145f059c56515f89c012daaf13199221f5804fb2dba741e4065edd94

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

Filesize
512KB

MD5
5fb1495b4c653ca7744c129197111aa7

SHA1
fd7439920c0dac092aa702eae8ccc511cabe3f23

SHA256
4e3fb885eb7dc1f001548cd744e0da1ec106f215e06c3323ef9e9590b6b03a69

SHA512
7429f356f6ae5c642a0ac0f4cf5032d0705c96d9cd0d6c42f4c51493cd9d2d8e6368389d0e8dc1114f8b60e25e60d233ff1141b033959e0aafa719e5c48e40fb

Download Submit
C:\Windows\SysWOW64\hntmyehtfz.exe

Filesize
512KB

MD5
fa9de63f77f3d2dcf880c7c140c64b8b

SHA1
37b9c8cabead65efeabd57effd44a314148d48ee

SHA256
7685d3646aa9356cdd8c9437ee9472e7ac660dd5444933650edf3fdb4e21bd95

SHA512
8a61275258d369d30c33c23a43a2ca52f2752ab9e11588ca8b418266a5a65e257100d9d760ac705839dec6d0fb45e12c234531055c64ae6455c5e742d77fd127

Download Submit
C:\Windows\SysWOW64\pprgjxypswymv.exe

Filesize
512KB

MD5
12440a2e01f64a13e62531ab83c7f333

SHA1
aa4b50574952bedc524147ecd137fc2cadf3cfb5

SHA256
489eb680d3cd6d58f103866655bc12e19a6cdc3c90b5c5e71d6c94b57cdaad69

SHA512
524a57e42d14b21e8b6e081ee5678b2cecd4b730e85f63ce4fc638f2540fb09a046f3bce017e917895b385b80e06414e43530195879821cf02d6d01cbdf72eba

Download Submit
C:\Windows\SysWOW64\wykfvfhv.exe

Filesize
512KB

MD5
fdf32bed1f5caf0cf09df2aa65bc2530

SHA1
af93243a6ac1072c8fd593fedaf72e2dc03931de

SHA256
8dc8150dab2ce9afdb8b86f82e1edd98ff08fcf8c87612cdf6956e91851fb5df

SHA512
a3f50086433c7c75efc9d21ed792488da43ece4115bab494f05a6f962c1e0fde8479faea695794821d9574160b05a2510636a35a67bb9d78179bed18d115068b

Download Submit
C:\Windows\mydoc.rtf

Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\Windows\SysWOW64\laewcgehfcxhsuw.exe

Filesize
512KB

MD5
748939b73ba51a728cc341be803b474d

SHA1
73fff256f141256bfd921dd4325b6fd69d38f83b

SHA256
ff64511751ef363089588cafaeff9910a4d4f60b2766ddbc553960f6465c76c2

SHA512
1fe6988c28813bd3802aa903d45fa108bfdce334fb75dd2ac3cc96f9661dd1abcdc707dd9223c41e5a89c875203f515300dc163aa92497b55d82764f1f1f0dcb

Download Submit
memory/1468-76-0x0000000003130000-0x0000000003140000-memory.dmp

Filesize
64KB

Download
memory/1732-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/3020-0-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download